• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
A2 cross site scripting
 

A2 cross site scripting

on

  • 2,080 views

 

Statistics

Views

Total Views
2,080
Views on SlideShare
2,080
Embed Views
0

Actions

Likes
1
Downloads
9
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • http://www.youtube.com/watch?v=NKjomr1Afq0http://www.zdnet.com/blog/security/obama-site-hacked-redirected-to-hillary-clinton/1042
  • WM manager wrote in an email that they needed training on web vulnerabilities like "Cross-eye scripting". LOL
  • From wikipedia.org/wiki/Cross-Site_scriptingTODO: Add slides with attack examples from bottom of http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29The script can be used to send Alice's session cookie to Mallory. Mallory can then use the session cookie to steal sensitive information available to Alice (authentication credentials, billing info, etc.) without Alice's knowledge.
  • alert('hello');See all the OWASP rules at http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_SheetOther languages: Flash, vbscript,
  • Testing vulnerable sites: http://ha.ckers.org/xss.html which was referred by OWASP.http://www.vs-db.info/ - Vulnerable sites databasePeoplescourt.com – Ask a lawyerJustAnswer.comcatholic.org/politics/story.php?id=26539
  • TODO: Show output of ASP.NET web form with XSS injected. New slide.
  • TODO: Show Phil Haack's implementation: http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx Uses a whitelist instead of a blacklist.Allows innocuous HTML (, , etc)
  • If this video doesn't show, the WMV is in the same folder.

A2 cross site scripting A2 cross site scripting Presentation Transcript

  • A2 Cross-Site Scripting
    Problem and Protection
  • Senator Obama hacked by a Clinton supporter
    During the Democratic primary race of 2008, someone posted a "special" new comment into the user community forum of BarackObama's web site.
    The result was that as soon as anyone went to the forum, they were immediately redirected to http://HillaryClinton.com.
    The attacker, tagged "mox" later admitted that he did not access the server, he simply posted a new comment in the forum.
  • Cross-site Scripting
    Normally, JavaScript commands are sent from the server to the browser and executed.
    XSS happens when an attacker tricks a logged-in victim into entering JavaScript into his browser and submitting it to the server.
    The server then dutifully echoes them to the browser which, thinking they're commands, executes them.
    The attacker tricks the browser into buying things, transferring money, delivering cookies, et. al.
  • How attackers do a stored attack
    Bob hosts a website with a forum allowing users to post comments.
    Mallory posts a comment with JavaScript embedded in it. All users can now see this comment.
    Alice visits the site. Bob's site dutifully prints Mallory's comment which contains the JavaScript.
    Alice's browser, thinking that the JavaScript should be executed, does so.
  • How attackers do a reflected attack
    Alice visits Bob's website which stores sensitive data after Alice logs in.
    Mallory observes that Bob's website is vulnerable to an XSS attack.
    Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, enticing her to click on a link for the URL under false pretenses. This URL will point to Bob's website, but will contain Mallory's malicious code.
    Alice clicks on Mallory's link while logged into Bob's website.
    The malicious script embedded in the URL executes in Alice's browser, as if it came directly from Bob's server (this is the actual XSS vulnerability).
  • XSS: Not just for pages anymore
    XSS can be used for Ajax.
    Much more insidious since the user doesn't see the attack on the page.
    We also have to filter untrusted input to:
    Styles (CSS)
    HTML attributes
    JavaScript
    URL Parameters (querystrings)
    ... in addition to HTML elements.
    And please note that any scripting language that the browser can process is game.
  • XSS vs. CSRF
  • Finding vulnerable sites
    They enter text like this:
    ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
    If the site responds with an alert box saying "XSS", it is vulnerable.
    Automated testing tools can help.
    Nessus & Nikto are two
    Best practice: assume all input is tamperable and dangerous. Just protect all inputs!
  • How we protect ourselves
    Use ASP.NET
    Filter the incoming data
    Encode the outgoing data
    Use Microsoft's Anti-XSS Library
  • Use ASP.NET
    Out of the box, ASP.NET comes with XSS protection enabled.
    It can be turned off:
    In web.config
    <system.web>
    <httpRuntimerequestValidationMode="2.0" />
    </system.web>
    Top of every page:
    <% @Page validateRequest="false" ... %>
  • Filter input
    Scrub user's input to remove special characters.
    Very weak example showing how to strip out the word 'javascript':
    private string js = "([a-z]*)[x00-x20]*=[x00-x20]*([`'"]*)[x00-x20]*j[x00-x20]*a[x00-x20]*v[x0" + "0-x20]*a[x00-x20]*s[x00-x20]*c[x00-x20]*r[x00-x20]*i[x00-x20]*p[x00-x20]*t[x00-x20]*";
    public string NoJavaScript(string strIn, string newChar)
    {
    Regexregex = new Regex(js, RegexOptions.IgnoreCase);
    return regex.Replace(strIn.ToLower(), newChar);
    }
    To use in the code:
    string userInput = NoJavaScript(txtTextBox.Text,"&#");
  • Encode output
    First, note that using the innerText property rather than innerHtml will take care of many problems.
    innerText encodes.
    innerHtml renders.
    But more is required.
    Use the HttpUtility class's static methods:
    string output = HttpUtility.HtmlEncode(inputString);
    string url = HttpUtility.UrlEncode(inputString);
  • Libraries are more robust
    DIY filtering and encoding is porous.
    You may filter out "<script" but the attacker uses ...
    %3C%53%43%52%49%50%54
    &#x3C;&#x53;&#x43;&#x52;&#x49;&#x50;&#x54;
    &#60&#83&#67&#82&#73&#80&#84
    We forget about:
    <img>, <style>, <iframe>, <layer>, <meta>, <object>
    Many examples like that!
    Two libraries:
    OWASP's ESAPI
    Microsoft's Anti-XSS Library
  • Use Microsoft's Anti-XSS Library
    A free download from Microsoft.
    Strips out harmful script tags in many forms.
    Simply change this
    lblOut.Text = txtIn.Text;
    Response.Write(strFromBrowser);
    To this
    lblOut.Text = AntiXSS.GetSafeHtmlFragment(txtIn.Text);
    Response.Write(
    AntiXSS.GetSafeHtmlFragment(strFromBrowser));
  • Anti-XSS Demo
  • Summary
    Cross-site scripting (XSS) is a serious problem that can allow identity theft and financial loss.
    Sites have the responsibility to protect visitors by either filtering the input or encoding the output.
    ASP.NET WebForms provides some protection right out of the box.
    Microsoft's Anti-XSS Library makes handling that much easier and abstract.
  • Further study
    Microsoft Anti-XSS Library download:
    http://bit.ly/AntiXSSDownload
    OWASP's XSS prevention cheat sheet:
    • http://bit.ly/XSSCheatSheet
    OWASP's Cross-site scripting page:
    • http://bit.ly/OWASPXSS
    • Nice tutorial on the Anti-XSS library:
    • http://bit.ly/XSSTutorial