Xss.e xopresentation from eXo SEA
Here is the presentation of Khoi (Portal team) and VHa (CPT team) from eXo Platform SEA.

Transcript

  • 1. XSS and eXo Products (Portal & TQA teams, Oct 2011)
  • 2. Agenda
    • Introduction to XSS
    • XSS sample cases
    • Preventing XSS Attacks
    • XSS in eXo products
  • 3. Introduction to XSS
  • 4. What is XSS?
    • XSS stands for Cross Site Scripting
    • Allows execution of arbitrary script code in the victim's browser
    • Often involves tricking the end user
    • Over 70% of websites may be vulnerable
  • 5. How Does XSS Work?
    • Scenario 1:
        • You get an email with a URL that looks like
        • http://example.com?username=%3C%53%43%52%49%50%54%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C%2F%53%43%52%49%50%54%3E
        • Click on it and the web page displays the username, with the result shown on the slide
  • 6. How Does XSS Work?
    • Scenario 2:
        • There is a comment form on a web page. You paste this string into the form:
        • This is my comment <SCRIPT>alert("XSS");</SCRIPT>
        • Every user who visits the page will get the alert
  • 7. XSS Sample Cases
  • 8. XSS Sample Cases: video
  • 9. XSS types
    • Non-persistent (reflected)
        • The most common type of XSS injection
        • Requires server-side interpretation of the query
        • A third party is required
    • Persistent (stored)
        • The most dangerous type of XSS injection
        • Requires server-side interpretation of the query and data storage
        • A third party may not be required
    • DOM-based
        • The newest type of XSS injection
        • Requires client-side interpretation
        • Usually non-persistent
  • 10. The Impact of XSS
    • Redirection
    • Clickjacking
    • URL Spoofing
    • Session Hijacking
    • Cookie Stuffing
    • Ad Hijacking
    • History stealing
    • Key & Mouse logging
  • 11. The Impact of XSS
    • Redirection
      • Redirect your victim, e.g. document.location = "http://xxxsite.com"
      • Create fake traffic
      • Popular
    • Clickjacking
      • Describes one website that poses as another
      • Used in phishing, gives high credibility
      • Extremely popular
  • 12. The Impact of XSS
    • Session Hijacking
      • Also known as 'Cookie Stealing'
      • Usually uses document.cookie
      • Helps an attacker take over another user's logged-in session
      • Needs a cookie grabber
    • Cookie Stuffing
      • Also known as 'Cookie Dropping'
      • Used in black-hat online marketing
      • Generates illegitimate affiliate sales by hijacking cookies
      • Uses popups, frames and iframes, images, JS, CSS or Flash to accomplish cookie dropping
  • 13. The Impact of XSS
    • Key & Mouse logging
      • Log all keystrokes or mouse movements and send them to a remote server
      • document.onkeypress / document.onmousemove events
  • 14. The Impact of XSS
    • And many, many more dangerous things come from XSS issues...
  • 15. Preventing XSS attacks
  • 16. Preventing XSS attacks
    • Filtering
      • Never trust user input and always filter metacharacters
      • This method is less effective on the input side because content can be entered into a DB via methods other than HTTP
      • Filtering should be done as part of the data output process, just before it is rendered
    • Encoding
      • Recommended because it does not require developers to decide which characters could legitimately be entered and need to pass through
      • May have a performance impact on some web servers
      • Rely on org.exoplatform.commons.utils.HTMLEntityEncoder#encodeHTML(String) or
          • org.exoplatform.commons.utils.HTMLEntityEncoder#encodeHTMLAttribute(String)
  • 17. Preventing XSS attacks
    • Secure cookies using the HttpOnly attribute
    • Associate sessions with IP addresses
    • Install an application firewall
    • Educate users
  • 18. XSS in eXo Products: examples of how to detect XSS vulnerabilities
  • 19. Use case of Reflected XSS
    • Package: WCM 2.2.0
    • Attack steps: see the defect description at https://jira.exoplatform.org/browse/ECMS-1773
    • Browsers: Internet Explorer 7, Firefox 3
    • Consequence: session hijacking & more
  • 20. Use case of Stored XSS
    • Package: Social 1.2.0
    • Attack steps: see the defect description at https://jira.exoplatform.org/browse/SOC-1532
    • Browsers: Internet Explorer 7, Firefox 3
    • Consequence: session hijacking & more
  • 21. Use case of DOM-based XSS
    • Package: ECMS 2.3.x
    • Attack steps: see the defect description at https://jira.exoplatform.org/browse/ECMS-2791
    • Browsers: Internet Explorer 7, Firefox 3
    • Consequence: session hijacking & more
  • 22. XSS exploit based on a logic vulnerability
    • Package: PLF 3.5.0
    • Attack steps: see the defect descriptions at https://jira.exoplatform.org/browse/ECMS-2723 and https://jira.exoplatform.org/browse/ECMS-2736
    • Browsers: Internet Explorer 7, Firefox 3
    • Consequence: session hijacking & more
    • Question for listeners: what is the best solution for this situation?
  • 23. References for audiences
    • 1. Guideline of Secure Coding Standards: http://www.oracle.com/technetwork/java/seccodeguide-139067.html#6-1
    • 2. eXo wiki security links
        • EXO-RedHat Collaboration Study: https://wiki-int.exoplatform.org/display/rhcollab/XSS
        • TQA Security Test: https://wiki-int.exoplatform.org/display/TQA/SECURITY
        • Deployment & Configuration rules (ITOP): https://wiki-int.exoplatform.org/display/ITOP/eXo+Applications+and+security
  • 24. DISCUSSION
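Slides 5 and 16 together make the deck's central point: the percent-encoded URL carries <SCRIPT>alert("XSS");</SCRIPT> in the username parameter, and the cure is to encode at output time in the context where the value lands. The following JavaScript (Node.js) is an added example written for this page, not code from the deck or from eXo Platform. encodeHTML and encodeHTMLAttribute are stand-ins that play the role the slide assigns to the HTMLEntityEncoder methods; renderUnsafe, renderSafe, renderInAttribute, usernameFromUrl and the example.com host are assumptions for illustration.

```javascript
// Added example (not eXo Platform code): context-aware output encoding in the
// spirit of HTMLEntityEncoder#encodeHTML / #encodeHTMLAttribute from slide 16.
// Runs under Node.js; the sample URL is the one quoted on slide 5.

// Encode text that will be placed between tags (element content).
function encodeHTML(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encode text placed inside a quoted attribute value. Attribute context is
// stricter: every character outside [A-Za-z0-9] becomes a numeric entity,
// so the value can never close the surrounding quote or start a new attribute.
function encodeHTMLAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);
}

// Scenario 1 from slide 5: the page echoes the username parameter.
function renderUnsafe(username) {
  return `<p>Welcome ${username}</p>`;               // reflected XSS: no encoding
}
function renderSafe(username) {
  return `<p>Welcome ${encodeHTML(username)}</p>`;   // element-content encoding
}
function renderInAttribute(username) {
  return `<input name="username" value="${encodeHTMLAttribute(username)}">`;
}

// Extract the username parameter (percent-decoded) from a request URL.
function usernameFromUrl(url) {
  return new URL(url).searchParams.get('username');
}

// The URL quoted on slide 5 (hypothetical host example.com).
const SAMPLE_URL = 'http://example.com?username=%3C%53%43%52%49%50%54%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C%2F%53%43%52%49%50%54%3E';

// Decode the slide's URL and render it three ways for comparison.
function demo() {
  const name = usernameFromUrl(SAMPLE_URL);
  return {
    decoded: name,
    unsafe: renderUnsafe(name),
    safe: renderSafe(name),
    attribute: renderInAttribute(name),
  };
}

console.log(demo());
```

The unsafe render reproduces the slide's bug: the browser sees a real <SCRIPT> element. The encoded renders keep the same characters on screen but hand the parser only text, and the attribute variant shows why the deck lists a separate encodeHTMLAttribute: a value inside quotes must not be able to emit a quote.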
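Slide 9 separates reflected XSS from the stored and DOM-based kinds, and slide 18 asks how to detect such issues. One property of the reflected kind is that the payload travels in the request line, so it ends up in the web server's access log. The JavaScript (Node.js) below is an added example, not from the deck or from eXo: a small log scanner that percent-decodes each query string (repeatedly, since double encoding is a common evasion) and flags the markers the deck itself discusses. The log lines and the pattern list are constructed for this page and are a starting point for detection, not an exhaustive signature set.

```javascript
// Added example (not part of the deck): flag likely reflected-XSS probes in
// access-log lines by decoding the query string and matching a few markers.
// Node.js; the Common Log Format lines below are constructed for this page.

const ACCESS_LOG = [
  '10.0.0.5 - - [10/Oct/2011:10:01:02 +0700] "GET /portal/profile?username=khoi HTTP/1.1" 200 512',
  '10.0.0.9 - - [10/Oct/2011:10:01:07 +0700] "GET /portal/profile?username=%3C%53%43%52%49%50%54%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C%2F%53%43%52%49%50%54%3E HTTP/1.1" 200 640',
  '10.0.0.9 - - [10/Oct/2011:10:01:09 +0700] "GET /portal/redirect?url=javascript%3Aalert(1) HTTP/1.1" 302 0',
  '10.0.0.7 - - [10/Oct/2011:10:02:00 +0700] "GET /portal/doc?title=a%20%3C%20b HTTP/1.1" 200 128',
];

// Percent-decode up to three times (double encoding is a common evasion),
// stop when decoding no longer changes anything or fails, then lower-case.
function normalize(s) {
  let out = s.replace(/\+/g, ' ');
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch (e) { break; }
    if (next === out) break;
    out = next;
  }
  return out.toLowerCase();
}

// Markers for the injection forms the deck mentions: <script> (slides 5-6),
// inline event handlers, and javascript: URLs (document.location, slide 11).
const PATTERNS = [
  { name: 'script-tag',     re: /<\s*script\b/ },
  { name: 'event-handler',  re: /\bon[a-z]+\s*=/ },    // can also hit parameter names like "option="
  { name: 'javascript-uri', re: /javascript\s*:/ },
];

// Pull the request target out of a Common Log Format line.
function parseRequestPath(line) {
  const m = line.match(/"(?:GET|POST|PUT|DELETE|HEAD) ([^ ]+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Return a finding for one line, or null if nothing matched.
function scanLine(line) {
  const target = parseRequestPath(line);
  if (!target) return null;
  const q = target.indexOf('?');
  if (q < 0) return null;
  const query = normalize(target.slice(q + 1));
  const hits = PATTERNS.filter((p) => p.re.test(query)).map((p) => p.name);
  return hits.length ? { client: line.split(' ')[0], path: target.slice(0, q), hits } : null;
}

// Scan a whole log and keep only the lines that produced findings.
function scanLog(lines) {
  return lines.map(scanLine).filter(Boolean);
}

console.log(scanLog(ACCESS_LOG));
```

The fourth line ("a < b" in a title) shows why the patterns look for a script tag rather than a bare angle bracket: a lone "<" in a query string is legitimate far too often to alert on. Findings like these are a trigger for checking whether the named endpoint encodes its output, which is the slide 16 remedy.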
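Slide 17's first item, the HttpOnly attribute, is the one that blunts the document.cookie grab described under Session Hijacking on slide 12: a cookie flagged HttpOnly is sent with requests but is invisible to script. The JavaScript (Node.js) below is an added example, not eXo code: buildSessionCookie writes a Set-Cookie header with the flags a session cookie should carry, and auditSessionCookie parses a header (for instance one captured from a test deployment) and reports which flags are missing. The cookie name JSESSIONID is the standard servlet session cookie; the sample headers and the function names are constructed for this page.

```javascript
// Added example (not eXo Platform code): emit a hardened session cookie and
// audit Set-Cookie headers for the flags slide 17 recommends. Node.js.

// Build a Set-Cookie header value. HttpOnly is always set; Secure and
// SameSite are on by default and can be adjusted through the options.
function buildSessionCookie(name, value, { secure = true, sameSite = 'Lax', maxAge = 1800 } = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[;,\s]/.test(value)) throw new Error('cookie value must not contain ; , or whitespace');
  const parts = [`${name}=${value}`, 'Path=/', `Max-Age=${maxAge}`, 'HttpOnly', `SameSite=${sameSite}`];
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Parse one Set-Cookie header into its name and a map of lower-cased attributes.
// Flag attributes (HttpOnly, Secure) map to true; valued ones keep their value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: eq < 0 ? pair : pair.slice(0, eq), attributes };
}

// Report which protective attributes a session cookie is missing.
function auditSessionCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const missing = [];
  if (!attributes.httponly) missing.push('HttpOnly');   // readable via document.cookie
  if (!attributes.secure) missing.push('Secure');       // also sent over plain HTTP
  if (!attributes.samesite) missing.push('SameSite');   // attached to cross-site requests
  return { name, missing };
}

// Constructed headers: one as a servlet container might emit it by default,
// one built with the helper above.
const HEADERS = [
  'JSESSIONID=abc123; Path=/portal',
  buildSessionCookie('JSESSIONID', 'abc123'),
];

console.log(HEADERS.map(auditSessionCookie));
```

The audit is deliberately narrow: it checks the three attributes and nothing else, which makes it easy to run over the Set-Cookie headers of every login response in a test environment and turn any non-empty missing list into a defect report like the ones on slides 19 to 22.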