XSS talk: attack and defense


XSS? Sure, we have all heard about it. XSS stands for Cross Site Scripting, but "XSS" sounds a lot cooler, huh?

Has your account or website ever been hacked? Or have you heard about such a compromised account or site from someone? Have you ever been tricked by a website? Have you ever noticed your everyday trusted site behaving abnormally, throwing weird content at you?

Nowadays, these are very common incidents.


Pentagon XSS Hack

Facebook XSS Hack

How do hackers do it all? Why the hell do they do it? Would you like to check it out live and do some hands-on? And then focus on how to secure against this nasty vulnerability?



  1. Hacking and Information Security Group. Organised with TechNext.
  2. Mr. Sandip Chaudhari (Organizer and Mentor)
     • 13+ years of experience in the Software and Information Security industry
     • 6+ years worked as a Professional Software Security Analyst and Secure Code Auditor
     • 100+ in-house vulnerabilities discovered and reported
     • Presented security research papers at various security conferences around the globe, including New York, USA; Luxembourg, Luxembourg; Tokyo, Japan; and Bangalore, India
     • Undertook multiple responsibilities in various roles: Security Analyst, Application Developer, Project Manager, Software Application Architect, Information Security Researcher, CTO
     • Proud to have worked along with, and been part of a group that included, Dino Dai Zovi, Shane Macaulay, Adam Green, Jonathan Leonard and Jeremy Jethro
  3. We Are… The Speakers…
     Sudarshan Pawar
     • Certified Security Expert (C.S.E.)
     • Certified Information Security Specialist (C.I.S.S.)
     • Security Xplained (TechNext Speaker)
     • Pursuing B.E. (Computer) and a Security Professional
     Prakashchandra Suthar
     • Cisco Certified Network Associate
     • Red Hat Linux Certified
     • Security Xplained (TechNext Speaker)
     • Computer Engg, Security Researcher
  4. WHY are we in this room on a weekend rather than enjoying a hot beverage on a rainy day?
  5. Today's Agenda
     Session 1
     1. XSS: What does it mean?
     2. Birth
     3. Stats
     4. Working
     5. The Havoc it Created
     6. Reason of attack
     7. Causes
     8. Types of XSS
     9. Vulnerabilities in web programming
     10. Solutions
     11. Prevention Mechanisms
     Blah blah….
     Session 2
     CAPTURE THE FLAG
     D.I.Y. (Do it yourself and experience the dark side of the Force...!!!)
  6. BIRTH OF XSS
     • Netscape introduced JavaScript in 1995. Soon after, hackers realized that when someone surfs their website they can force-load any other website (webmail, banks, auction sites) in a frame and use JavaScript to cross the boundary between the two sites, hence the name "cross site scripting".
     • The XSS explosion came in 2005 when the Samy worm took down MySpace.
  7. STATS
  10. Myspace Samy attack
  11. PayPal
  12. Anna University
  13. Avast
  14. XSS Attack Scenario
  15. BEFORE ATTACK… www.sometrustedwebsite.com, visited by users in Asia, America and Europe
  16. AFTER ATTACK… the attacker injects a script into www.sometrustedwebsite.com, and every user in Asia, America and Europe who loads the page runs it
     Injected script can be:
     • Malicious page
     • Explicit images
     • Bots (to make zombies)
     • Redirecting links
     • Fake login pages
     • Etc. etc.
     (NOTE: Names of continents are JUST used as an example representing users accessing a trusted website)
  17. How much financial loss does it cause? How much will it cost if your online bank account is attacked? (Big Hint: Please be bold, take the lead, stand up and share how much money you have in your bank right now)
  19. CAUSES
     • An XSS vulnerability is mainly caused by the failure of a site to sanitize or encode user input before returning it to the client's web browser, where the browser then treats that input as markup or script.
  20. REASON OF ATTACK
     • Change settings
     • Cookie theft
     • False advertising
     • Steal form tokens to make XSRF easier
     • And more; you have to be creative to exploit XSS
  21. XSS Types: There are three types of XSS
     • Persistent (Stored) XSS: the attack is stored on the website's server and served to every visitor
     • Non-persistent (Reflected) XSS: the user has to go through a specially crafted link to be exposed
     • DOM-based XSS: the problem exists within the client-side script, which writes attacker-controlled data into the page
  22. UNSANITIZED CODE: STORED XSS
     <?php
     if (isset($_POST['btnSign'])) {
         $message = trim($_POST['mtxMessage']);
         $name    = trim($_POST['txtName']);

         // "Sanitize" message input: this only escapes for SQL, not for HTML
         $message = stripslashes($message);
         $message = mysql_real_escape_string($message);

         // Sanitize name input (again, SQL escaping only)
         $name = mysql_real_escape_string($name);

         // The comment is stored verbatim and later echoed into the page
         // without HTML encoding, so markup inside it runs for every visitor
         $query  = "INSERT INTO guestbook (comment, name) VALUES ('$message', '$name');";
         $result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>');
     }
     ?>
  23. UNSANITIZED CODE: REFLECTED XSS
     <?php
     // checks for empty text...
     if (!array_key_exists("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == '') {
         $isempty = true;
     } else { // else generates the HTML page from user input
         echo '<pre>';
         echo 'Hello ' . $_GET['name'];   // reflected without encoding: ?name=<script>...</script> executes
         echo '</pre>';
     }
     ?>
  24. DOM-Based XSS
     var html = [
         '<form class="config">',
         '<fieldset>',
         '<label for="appSuite">enter url:</label>',
         // options.appendUrl is concatenated straight into an HTML attribute:
         // a value containing a double quote closes value="" and can add new
         // attributes, such as event handlers, to the input element
         '<input type="text" name="appSuite" id="appSuite" value="', options.appendUrl || '', '"/>',
         '</fieldset>',
         '</form>'
     ].join(''),
     dlg = $(html).appendTo($('body'));
  25. Solutions Fast Track: Filtering
     1. Filtering can deliver unexpected results if you aren't careful to monitor the output.
     2. Using a loop (re-applying the filter until the output stops changing) can reduce the risks associated with filtering out content.
     3. Filtering alone can introduce new risks by creating new types of attacks. Therefore, it is critical to understand the order in which filters are applied and how they interact with one another.
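The three filtering points above, worked through on constructed payloads. This is an added example, not code from the slides: a blacklist that strips `<script>` once can be reassembled by a nested token, a fixed-point loop closes that gap, applying the filter before entity decoding re-creates the tag, and even the loop is blind to payloads that never use a `<script>` tag at all.

```javascript
// Added example (not from the slides): why blacklist filtering is fragile.
// All payloads below are constructed for the demonstration.

// Point 1: a filter applied once. "<scr<script>ipt>" loses its inner token
// and the remaining characters close up into a fresh "<script>".
function stripScriptOnce(input) {
  return input.replace(/<script>/gi, '');
}

// Point 2: repeat until the output stops changing (fixed point), so removed
// tokens cannot reassemble after a single pass.
function stripScriptUntilStable(input, maxRounds = 10) {
  let current = input;
  for (let i = 0; i < maxRounds; i++) {
    const next = current.replace(/<script>/gi, '');
    if (next === current) return current;
    current = next;
  }
  return current;
}

// Point 3: order matters. Decoding HTML entities AFTER filtering re-creates
// exactly the markup the filter was supposed to remove.
function decodeBasicEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>');
}
function filterThenDecode(input) {
  return decodeBasicEntities(stripScriptUntilStable(input));
}
function decodeThenFilter(input) {
  return stripScriptUntilStable(decodeBasicEntities(input));
}

// Constructed probe payloads
const NESTED = '<scr<script>ipt>alert(1)</script>';
const ENCODED = '&lt;script&gt;alert(1)&lt;/script&gt;';
const EVENT_HANDLER = '<img src=x onerror=alert(1)>';

function containsScriptTag(s) {
  return /<script>/i.test(s);
}

// Summary of what each approach lets through
function demo() {
  return {
    onceFails:     containsScriptTag(stripScriptOnce(NESTED)),        // true
    loopHolds:     containsScriptTag(stripScriptUntilStable(NESTED)), // false
    wrongOrder:    containsScriptTag(filterThenDecode(ENCODED)),      // true
    rightOrder:    containsScriptTag(decodeThenFilter(ENCODED)),      // false
    // the blacklist never saw a <script> tag, so the event handler survives untouched
    blacklistMiss: stripScriptUntilStable(EVENT_HANDLER) === EVENT_HANDLER, // true
  };
}
```

The last result is the real lesson of the slide: a filter that only knows one bad token is a losing race, and the next slide's output encoding is what actually neutralises markup regardless of spelling.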
  26. Input Encoding
     1. Input encoding can create a single choke point for all encoding.
     2. Things like SQL injection and command injection can also be checked prior to storing information in a database.
     3. Input encoding cannot stop persistent XSS once the data has been stored.
     Output Encoding
     1. Output encoding is more granular and can take context into account (HTML body, HTML attribute, JavaScript string, URL).
     2. Developers must perform output encoding potentially many times, once for each location where the information is output.
  27. Web Browser's Security
     1. Beware of long or overly complex URLs. Often these are the most likely to contain vulnerabilities.
     2. Do not click on unknown URLs in e-mail if at all possible.
     3. Choose a secure browser and customize your security settings to reduce the risk of exploitation.
  28. CODE SOLUTION: Stored XSS
     <?php
     if (isset($_POST['btnSign'])) {
         $message = trim($_POST['mtxMessage']);
         $name    = trim($_POST['txtName']);

         // Sanitize message input: SQL escaping, then HTML encoding
         $message = stripslashes($message);
         $message = mysql_real_escape_string($message);
         $message = htmlspecialchars($message);

         // Sanitize name input the same way
         $name = stripslashes($name);
         $name = mysql_real_escape_string($name);
         $name = htmlspecialchars($name);

         // The stored text is now HTML-encoded, so < > & " cannot form markup when echoed.
         // This is encoding at input time (see slide 26); the mysql_* functions used
         // here are removed in PHP 7, where prepared statements replace them.
         $query  = "INSERT INTO guestbook (comment, name) VALUES ('$message', '$name');";
         $result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>');
     }
     ?>
  29. SOLUTION: Reflected XSS
     <?php
     if (!array_key_exists("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == '') {
         $isempty = true;
     } else {
         echo '<pre>';
         echo 'Hello ' . htmlspecialchars($_GET['name']);   // encoded at output, for the HTML body context
         echo '</pre>';
     }
     ?>
  30. DOM-Based
     var html = [
         '<form class="config">',
         '<fieldset>',
         '<label for="appSuite">enter url:</label>',
         '<input type="text" name="appSuite" id="appSuite" value=""/>',   // markup is now static
         '</fieldset>',
         '</form>'
     ].join(''),
     dlg = $(html).appendTo($('body'));
     // Set the value through the DOM property instead of HTML string
     // concatenation, so the URL can never break out of the attribute
     $('#appSuite').val(options.appendUrl || '');
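What "output encoding can take context into account" (slide 26) means for the two sinks on slides 22 to 24, as an added example that is not part of the slides: one encoder for HTML body and quoted-attribute context, a separate one for data dropped into a JavaScript string literal, each checked against a constructed payload for its own context. The guestbook row and the appSuite input below are re-created for the demonstration and are not the deck's code.

```javascript
// Added example (not from the slides): one encoder per output context.
// Payloads and the two sinks are constructed for the demonstration.

// HTML body and quoted-attribute context. Encoding these five characters is
// enough for text between tags and for values inside "..." attributes.
function encodeForHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// JavaScript string-literal context (data placed inside <script> var x = '...';).
// Everything outside [A-Za-z0-9] becomes \xHH or \uHHHH, so neither a quote
// nor "</script>" can terminate the literal or the script block.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// The guestbook sink (slides 22/28), unsafe and encoded.
function guestbookRowUnsafe(comment) { return '<pre>' + comment + '</pre>'; }
function guestbookRowSafe(comment)   { return '<pre>' + encodeForHtml(comment) + '</pre>'; }

// The input built on slide 24, unsafe and encoded (the attribute stays quoted).
function appSuiteInputUnsafe(url) {
  return '<input type="text" id="appSuite" value="' + url + '"/>';
}
function appSuiteInputSafe(url) {
  return '<input type="text" id="appSuite" value="' + encodeForHtml(url) + '"/>';
}

// Constructed payloads, one per context.
const BODY_PAYLOAD = '<script>alert(document.cookie)</script>';
const ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="';
const JS_PAYLOAD   = "';alert(1);//";

// Rough structural checks: does the output contain a script tag, and how many
// name="value" attributes does the generated tag carry?
function containsScriptTag(html) { return /<script\b/i.test(html); }
function countAttributes(tag)    { return (tag.match(/\w+="[^"]*"/g) || []).length; }

// Embed data in a JS literal and read it back by actually compiling it:
// the round trip must return the original data and execute nothing else.
function roundTripThroughJsLiteral(data) {
  return new Function("var x = '" + encodeForJsString(data) + "'; return x;")();
}

function demo() {
  return {
    bodyUnsafe:  containsScriptTag(guestbookRowUnsafe(BODY_PAYLOAD)),  // true
    bodySafe:    containsScriptTag(guestbookRowSafe(BODY_PAYLOAD)),    // false
    attrUnsafe:  countAttributes(appSuiteInputUnsafe(ATTR_PAYLOAD)),   // 5: onfocus and autofocus were added
    attrSafe:    countAttributes(appSuiteInputSafe(ATTR_PAYLOAD)),     // 3: type, id, value only
    jsRoundTrip: roundTripThroughJsLiteral(JS_PAYLOAD) === JS_PAYLOAD, // true
  };
}
```

The attribute case is the one developers most often get wrong: the same `encodeForHtml` is sufficient only because the attribute is double-quoted in the template. An unquoted attribute can be broken out of with a space, which none of the five encoded characters cover.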
  31. About You…
     • Rebels? Tinkering?
     • Go beyond programming
     • Attack the attacker's attack
     • Attitude! Matters. But beware of the Dark Side
  32. Any Doubts….
  33. FAQ's
     1. Is there a safe browser?
     2. Are you safe if you turn off JavaScript?
     3. How can I stop myself from becoming a victim of a JavaScript worm?
     4. It's hopeless. I can't trust a single Web application. Why did you do this to me?
     5. I think I am infected. What can I do?
  34. FAQ's (continued)
     6. Does my anti-virus software protect me from XSS attacks?
     7. Can an XSS worm propagate on my system?
     8. XSS attacks can compromise my online account but not my network. Is that true?
     9. What is the best technique to evade XSS filters?
     10. Are persistent XSS vulnerabilities more severe than non-persistent ones?
  35. FAQ's (continued)
     11. How many URLs can be tested in the various history-stealing hacks?
     12. I run XYZ program that creates an HTML report. How can I determine if it is vulnerable?
     13. Is the browser-hijacking feature in XSS-Proxy persistent?
  36. XSS Lab
     • Now is your chance to try some hands-on!
     • Experience the thrill of hacking
     • You've got to hack a blogger web application using XSS
     • For the site URL, refer to the white-board
  37. XSS Lab – Goal
     • The goal of the lab is to steal the session cookie of the logged-in user (demo) on the blogger application
     • Use that cookie locally and log in as the demo user
     • The demo user has an unpublished secret post, saved as a draft, that has some secret content
     • All posts, published and drafts, are accessible after logging in, using the menu link Manage Posts
     • Call us as soon as you are able to access the secret post!
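The lab's goal is cookie theft, so the defensive check a practitioner wants alongside it is an audit of the application's Set-Cookie headers. This is an added example, not the lab's code or the blogger application's: it parses Set-Cookie headers (the sample headers and cookie names are constructed) and reports what an injected `document.cookie` read would see. A cookie flagged HttpOnly is invisible to script, which defeats the replay step of the lab; it does not stop the XSS itself, since the injected script still runs with the victim's session and can send requests on their behalf.

```javascript
// Added example (not from the slides or the lab): audit Set-Cookie headers for
// the attributes that limit what a successful XSS can do with a session cookie.
// All header values below are constructed for the demonstration.

// Parse one Set-Cookie header into name, value and lower-cased attributes.
// Valueless attributes (Secure, HttpOnly) are recorded as true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eqName = parts[0].indexOf('=');
  const name = eqName === -1 ? parts[0] : parts[0].slice(0, eqName);
  const value = eqName === -1 ? '' : parts[0].slice(eqName + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const eq = p.indexOf('=');
    const key = (eq === -1 ? p : p.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : p.slice(eq + 1).trim();
  }
  return { name: name.trim(), value, attrs };
}

// Findings for a single cookie, from the point of view of an XSS payload.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) {
    findings.push('missing HttpOnly: document.cookie exposes it to injected script');
  }
  if (!c.attrs.secure) {
    findings.push('missing Secure: also sent over plain HTTP');
  }
  const sameSite = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : '';
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push('SameSite not Lax/Strict: cross-site requests carry it');
  }
  return { name: c.name, visibleToScript: !c.attrs.httponly, findings };
}

// What a `document.cookie` read inside the victim's page would return for a
// given response: only the cookies that were set without HttpOnly.
function cookiesReadableByScript(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`);
}

// Constructed sample response headers: a bare session cookie like the lab
// targets, a harmless preference cookie, and a hardened session cookie.
const SAMPLE_HEADERS = [
  'PHPSESSID=7f3a9c1e2b; Path=/',
  'prefs=theme%3Ddark; Path=/; Max-Age=31536000',
  'sid=9d8e7f6a5b; Path=/; Secure; HttpOnly; SameSite=Lax',
];

function demo() {
  return {
    weak: auditSessionCookie(SAMPLE_HEADERS[0]),     // 3 findings, visible to script
    hardened: auditSessionCookie(SAMPLE_HEADERS[2]), // 0 findings, hidden from script
    stolen: cookiesReadableByScript(SAMPLE_HEADERS), // ['PHPSESSID=...', 'prefs=...']
  };
}
```

Run the audit against the lab application's login response and the weak case is exactly the situation the lab exploits. Fixing the cookie flags belongs next to, not instead of, the output encoding from the previous slides.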
  38. XSS Lab – Code Review: Vulnerability & Fix
  39. Questions?
     • What you want to ask, many others already have on their minds. Be bold and lead.
     • OK, if you don't want to speak and would rather keep quiet, keep thinking about it and take those questions home, make sure you email them to us and sleep well at night!
  40. What should be our topic for the next meet? I hate to ask but, how can we make this better?