Xss.exo presentation from eXo SEA
Here is the presentation by Khoi (Portal team) and VHa (CPT team) from eXo Platform SEA.


  1. XSS and eXo Products (Portal & TQA teams, Oct 2011)
  2. Agenda
     • Introduction to XSS
     • XSS sample cases
     • Preventing XSS attacks
     • XSS in eXo products
  3. Introduction to XSS
  4. What is XSS?
     • XSS stands for Cross-Site Scripting
     • Allows an attacker to run arbitrary script in the victim's browser, in the security context of the vulnerable site
     • Often involves tricking the end user (for example into clicking a crafted link)
     • Over 70% of websites may be vulnerable
  5. How does XSS work? Scenario 1 (reflected)
     • You receive an email with a URL that looks like
       http://example.com?username=%3C%53%43%52%49%50%54%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C%2F%53%43%52%49%50%54%3E
     • The percent-encoded part of the query string decodes to <SCRIPT>alert("XSS");</SCRIPT>
     • Click on it and the web page echoes the username into its HTML unescaped, so the browser runs the script (result shown on the original slide)
  6. How does XSS work? Scenario 2 (stored)
     • There is a comment form on a web page. You paste this string into the form:
       This is my comment <SCRIPT>alert("XSS");</SCRIPT>
     • Every user who visits the page gets the alert
  7. XSS sample cases
  8. XSS cases: sample video
  9. XSS types
     • Non-persistent (reflected)
       • The most common type of XSS injection
       • The payload travels in the request (URL or form field) and is echoed back by the server, so it requires server-side interpretation of the query
       • A third party is required: the victim has to be lured into sending the crafted request
     • Persistent (stored)
       • The most dangerous type of XSS injection
       • Requires server-side interpretation of the query and storage of the data (comment, profile field, message); every visitor who is served the stored data is hit
       • A third party may not be required
     • DOM-based
       • The newest type of XSS injection
       • Requires client-side interpretation: the page's own JavaScript reads attacker-controlled data (for example from location.hash) and writes it into the DOM, so the payload may never reach the server
       • Usually non-persistent
 10. The impact of XSS
     • Redirection
     • Clickjacking
     • URL spoofing
     • Session hijacking
     • Cookie stuffing
     • Ad hijacking
     • History stealing
     • Key & mouse logging
 11. The impact of XSS
     • Redirection
       • Redirect your victim, e.g. document.location = "http://xxxsite.com"
       • Create fake traffic
       • Popular
     • Clickjacking / URL spoofing
       • One website poses as another (clickjacking proper overlays invisible clickable elements of one site on top of another)
       • Used in phishing, gives high credibility
       • Extremely popular
 12. The impact of XSS
     • Session hijacking
       • Also known as "cookie stealing"
       • Usually done with document.cookie
       • Lets the attacker take over another user's logged-in session
       • Needs a cookie grabber (an attacker-controlled endpoint that receives the stolen cookie)
     • Cookie stuffing
       • Also known as "cookie dropping"
       • Used in black-hat online marketing
       • Generates illegitimate affiliate sales by hijacking cookies
       • Uses popups, frames and iframes, images, JS, CSS or Flash to accomplish the cookie drop
 13. The impact of XSS
     • Key & mouse logging
       • Log all keystrokes or mouse movements and send them to a remote server
       • document.onkeypress / document.onmousemove events
 14. The impact of XSS
     • And many, many more dangerous things come from XSS issues...
 15. Preventing XSS attacks
 16. Preventing XSS attacks
     • Filtering
       • Never trust user input and always filter metacharacters
       • This method is less effective on the input side because content can be entered into the DB via methods other than HTTP
       • Filtering should be done as part of the data output process, just before it is rendered
     • Encoding
       • Recommended because it does not require the developer to decide which characters could legitimately be entered and must be passed through
       • May have a performance impact on some web servers
       • Rely on org.exoplatform.commons.utils.HTMLEntityEncoder#encodeHTML(String) or org.exoplatform.commons.utils.HTMLEntityEncoder#encodeHTMLAttribute(String)
       • Pick the encoder that matches the output context: encodeHTML for text between tags, encodeHTMLAttribute for values placed inside an attribute
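As an added example (not code from the slides or from eXo Platform), the two scenarios from the "How does XSS work?" slides are rendered below first without and then with the output-time encoding that the prevention slide recommends. The Node.js functions encodeHTML and encodeHTMLAttribute are assumed stand-ins for eXo's HTMLEntityEncoder methods, not copies of them; the page templates, the stored comment list and the attribute-breakout string are constructed for the demo. The URL is the one printed on the reflected-XSS slide.

```javascript
// Added example, not eXo code: reflected and stored XSS from the
// "How does XSS work?" slides, rendered without and with output encoding.
// encodeHTML / encodeHTMLAttribute are assumed stand-ins for
// org.exoplatform.commons.utils.HTMLEntityEncoder, not copies of it.

// The URL exactly as it appears on the reflected-XSS slide.
const PHISHING_URL =
  'http://example.com?username=%3C%53%43%52%49%50%54%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C%2F%53%43%52%49%50%54%3E';

// Constructed stored-XSS input: the comment string from the slide.
const STORED_COMMENTS = ['This is my comment <SCRIPT>alert("XSS");</SCRIPT>'];

// HTML body context (text between tags): escape the five metacharacters.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHTML(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Attribute context: stricter. Every non-alphanumeric character becomes a
// numeric entity, so the value cannot close the attribute or add a new one
// even when the attribute is unquoted.
function encodeHTMLAttribute(s) {
  return Array.from(String(s), (ch) =>
    /^[A-Za-z0-9]$/.test(ch) ? ch : `&#${ch.codePointAt(0)};`
  ).join('');
}

// Vulnerable rendering: user data is interpolated into markup as-is.
function renderProfileUnsafe(username) {
  return `<p>Hello, ${username}</p>`;
}
function renderCommentsUnsafe(comments) {
  return `<ul>${comments.map((c) => `<li>${c}</li>`).join('')}</ul>`;
}

// Fixed rendering: encode at output time, just before the markup is emitted,
// with the encoder that matches the context.
function renderProfileSafe(username) {
  return `<p>Hello, ${encodeHTML(username)}</p>`;
}
function renderCommentsSafe(comments) {
  return `<ul>${comments.map((c) => `<li>${encodeHTML(c)}</li>`).join('')}</ul>`;
}
function renderSearchBoxSafe(query) {
  return `<input name="q" value="${encodeHTMLAttribute(query)}">`;
}

// Crude check for the demo: does the emitted markup still contain a script
// element or an event-handler attribute?
function looksExecutable(html) {
  return /<script\b|\son\w+\s*=/i.test(html);
}

// Reproduce both slide scenarios and report whether the payload survives.
function demo() {
  // The server decodes the query string the same way a browser sent it.
  const username = new URL(PHISHING_URL).searchParams.get('username');
  // Constructed attribute-breakout attempt against the search box.
  const attributeAttack = '" onmouseover="alert(1)';
  return {
    decodedUsername: username,                                            // '<SCRIPT>alert("XSS");</SCRIPT>'
    reflectedUnsafe: looksExecutable(renderProfileUnsafe(username)),      // true
    reflectedSafe: looksExecutable(renderProfileSafe(username)),          // false
    storedUnsafe: looksExecutable(renderCommentsUnsafe(STORED_COMMENTS)), // true
    storedSafe: looksExecutable(renderCommentsSafe(STORED_COMMENTS)),     // false
    attributeSafe: looksExecutable(renderSearchBoxSafe(attributeAttack)), // false
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the two encoders is the one the slide makes: the decision is taken at output time, per context, and never depends on how the data got into the database. encodeHTML is enough between tags; inside an attribute a quote character is what breaks out, which is why the attribute encoder leaves nothing but letters and digits unencoded.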
 17. Preventing XSS attacks
     • Secure cookies using the HttpOnly attribute (keeps document.cookie from reading the session cookie; injected script can still send requests with the victim's session)
     • Associate the session with the client IP address (a weak control: it breaks for users behind proxies or NAT and does not stop an attacker on the same address)
     • Install an application firewall
     • Educate users
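The HttpOnly recommendation is easy to verify from the outside. The Node.js audit below is an added example, not eXo code: it parses Set-Cookie headers and flags session cookies that lack HttpOnly or Secure. The header lines, the cookie names and the session-name heuristic are constructed for the demo.

```javascript
// Added example, not eXo code: audit Set-Cookie headers for the HttpOnly
// and Secure attributes recommended on the prevention slide.

// Constructed sample headers (values are made up).
const SAMPLE_SET_COOKIE = [
  'JSESSIONID=9A3F1C2D4E5B6A7F; Path=/portal',
  'JSESSIONID=9A3F1C2D4E5B6A7F; Path=/portal; HttpOnly',
  'JSESSIONID=9A3F1C2D4E5B6A7F; Path=/portal; Secure; HttpOnly',
  'theme=dark; Path=/; Max-Age=31536000',
];

// Assumed list of well-known session cookie names; anything containing
// "sess" is treated as a session cookie as well.
const SESSION_COOKIE_NAMES = new Set(['JSESSIONID', 'PHPSESSID', 'ASP.NET_SessionId']);

// Split one Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Report what an injected script could do with this cookie.
function auditSetCookie(header, { https = true } = {}) {
  const c = parseSetCookie(header);
  const session = SESSION_COOKIE_NAMES.has(c.name) || /sess/i.test(c.name);
  const findings = [];
  if (session) {
    if (!c.attributes.httponly) {
      findings.push('missing HttpOnly: document.cookie exposes the session id to injected script');
    }
    if (https && !c.attributes.secure) {
      findings.push('missing Secure: the session cookie is also sent over plain HTTP');
    }
  }
  return { name: c.name, session, findings };
}

function auditAll(headers, options) {
  return headers.map((h) => auditSetCookie(h, options));
}

for (const result of auditAll(SAMPLE_SET_COOKIE)) {
  console.log(result.name, result.session ? '(session)' : '', result.findings.join('; ') || 'ok');
}
```

HttpOnly only closes the document.cookie path shown on the session-hijacking slide; a script that already runs in the page can still issue requests that carry the cookie, so the flag reduces the damage of an XSS, it does not replace output encoding.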
 18. XSS in eXo products: examples of how to detect XSS vulnerabilities
 19. Use case of reflected XSS
     • Package: WCM 2.2.0
     • Attack steps: see the defect description at https://jira.exoplatform.org/browse/ECMS-1773
     • Browsers: Internet Explorer 7, Firefox 3
     • Consequence: session hijacking & more
 20. Use case of stored XSS
     • Package: Social 1.2.0
     • Attack steps: see the defect description at https://jira.exoplatform.org/browse/SOC-1532
     • Browsers: Internet Explorer 7, Firefox 3
     • Consequence: session hijacking & more
 21. Use case of DOM-based XSS
     • Package: ECMS 2.3.x
     • Attack steps: see the defect description at https://jira.exoplatform.org/browse/ECMS-2791
     • Browsers: Internet Explorer 7, Firefox 3
     • Consequence: session hijacking & more
 22. XSS exploit based on a logic vulnerability
     • Package: PLF 3.5.0
     • Attack steps: see the defect descriptions at https://jira.exoplatform.org/browse/ECMS-2723 and https://jira.exoplatform.org/browse/ECMS-2736
     • Browsers: Internet Explorer 7, Firefox 3
     • Consequence: session hijacking & more
     • Question for listeners: what is the best solution for this situation?
 23. References for the audience
     1. Oracle secure coding guidelines: http://www.oracle.com/technetwork/java/seccodeguide-139067.html#6-1
     2. eXo wiki security links
        • eXo-RedHat collaboration study: https://wiki-int.exoplatform.org/display/rhcollab/XSS
        • TQA security test: https://wiki-int.exoplatform.org/display/TQA/SECURITY
        • Deployment & configuration rules (ITOP): https://wiki-int.exoplatform.org/display/ITOP/eXo+Applications+and+security
 24. Discussion
