Cross site scripting


Asanka Fernandopulle and I conducted a corporate-level workshop on Application Security. This workshop covered areas such as application security threats, secure coding practices, application penetration testing and web application exploitation. The workshop mainly consisted of practical sessions and demonstrations. You can find all the presentations here.

Published in: Technology

Transcript

  • 1. Cross Site Scripting: How vulnerable is my web application, from a developer's angle…
    Dilan Warnakulasooriya, Information Security Engineer, 99X Technology
    Asanka Fernandopulle, Senior Software Engineer, 99X Technology
  • 2. What is it?
    Script is injected into the page
     Script can come from the URL, database, cookie or form
    Types:
     Reflected
     Persistent
     DOM based
    What can it do?
     Create or access any DOM element
     Hijack clicks, cookies, credentials
     Limited JavaScript port scanning
     Send information to remote sites (think credentials)
     And many more…
    January 1, 2013 99X Technology (c) 2
  • 3. How is it exploited?
    The attacker injects script into the user's experience
    Can happen from server-side code (beware ASP.NET code)
    Can happen from client-side code (beware JavaScript/jQuery code)
  • 4. Exploiting demos: Reflected
  • 5. Exploiting demos: Persistent
  • 6. Exploiting demos: Older-style IE6 content-type sniffing
  • 7. Exploiting demos: DOM based + JSON + jQuery
  • 8. Exploiting demos: Data URI – link hijack
  • 9. Exploiting demos: Dangling markup
  • 10. How do you prevent it?
    Reflected/persisted data that is not used _anywhere_ in JavaScript is the easiest way to prevent it
     HTML encode – specify the encoder for AntiXss
     Avoid user input in any attribute, or restrict it by regex to a-z only
     Consider stripping out anything not a-z, 0-9
    Json.Encode() or Encoder.JavaScriptEncode() all data supplied to JavaScript
     Still vulnerable if this text is read from an element and used incorrectly
    More complex scenarios require serious investigation into code sections
     Audit anywhere DOM elements are created/altered for user-supplied input
    Some past vulnerabilities were hard to control (Flash, PDF, etc.)
  • 11. How do you prevent it? (cont'd)
    Do not store data encoded, but sanitized
    Encoding and then storing can lead to double encoding:
     < → &lt; → &amp;lt; → &amp;amp;lt;
    AntiXss Sanitizer's GetSafeHtml() / GetSafeHtmlFragment()
    Specify the page encoding in web.config
    Content Security Policy
     Firefox OK
     Chrome/Safari (WebKit) OK
     IE 10 – partially implemented, as expected
    Don't expect blacklists to work (i.e. searching for <script>)
     They have been bypassed in many ways
     Replacing "script" with "" can end up producing <script>!
    Consider removing "data:" from all stored URIs to exclude data URIs
    Only allow local URL redirects that start with "/uri"
  • 12. How do you prevent it? (Last but not least)
    Audit every location where data is assigned, output and used, since lots of data can be affected by the user
     Ensure it is not used in JavaScript, or is highly sanitized
     ASP.NET TextBox HtmlEncodes(), Label does not
      ○ KNOW YOUR CONTROL'S BEHAVIOUR!!! EVERY ONE!
     Test by injecting script and special characters (e.g. <) into the app – use Fiddler if you must, to change incoming data
    Be concerned with any place where DOM elements are created/modified
     Use functions such as setAttribute and var y = document.createElement("div"); rather than document.writeln, $(x).html(), element.innerHTML, eval
    Deprecate IE6 (and all older browsers)
     Use Request.Browser, ie6update.com, etc.
    Don't turn off EnableRequestValidation or ValidateRequest!
     MVC apps use [AllowHtml]; Web Forms are more difficult (until 4.5!!)
  • 13. Know your encoding options (encoding option: code/config)
    Web Forms / Web Forms view engine: <%= Server.HtmlEncode(data) %>
    Web Forms v4.0+: <%: data %>
    MVC3+ Razor view engine: @data
    Data binding in Web Forms v4 & below: <%# Server.HtmlEncode(Eval("property")) %>
    Data binding v4.5: <%#: Item.Property %>
    Better, for ASP.NET 3.5 and below, use the AntiXss library directly: Microsoft.Security.Application.Encoder.HtmlEncode(data)
    ASP.NET 4 (Web Forms & MVC): <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" />
    ASP.NET 4.5 (AntiXss included in this version): <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, version=4.5.00,…" />
    JSON (MVC): Json.Encode(Model)
    JavaScript encoding using AntiXss: Encoder.JavaScriptEncode(Model.comment)
  • 14. Tools
    Development tools
     Microsoft's AntiXss tools
     FxCop rules
    Testing tools
     Dominator
     jsFiddle.net
     DomSnitch – Chrome plugin
     Fiddler
      ○ Remember you can set breakpoints and change incoming data
     Scanners (SAINTexploit)
    Keep on top of current XSS types of attacks
     OWASP is a great resource
     @wascwhild
     http://web.nvd.nist.gov/view/vuln/search-results?query=xss&search_type=all&cves=on
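A worked version of the prevention advice on slides 10 and 11, added here as an illustration and not code from the deck or from 99X: an HTML encoder, a JavaScript-string encoder modelled on what AntiXss Encoder.JavaScriptEncode does (the function names and the \xHH scheme are my assumptions), the double-encoding chain, the one-pass blacklist, and the local-redirect check.

```javascript
// Added example, not the slide deck's own code: output encoders for two
// contexts plus the slide 10-11 pitfalls. Pure functions, runnable under Node.

// HTML context: what Server.HtmlEncode / <%: %> / Razor @ do for you.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context, in the spirit of AntiXss
// Encoder.JavaScriptEncode: every character outside [A-Za-z0-9 ] becomes
// \xHH or \uHHHH, so the value can close neither the quote nor the <script>.
function jsStringEncode(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Builds the script the server would emit and evaluates it the way the
// browser would, returning the value the page's JavaScript actually sees.
function roundTripThroughScript(value) {
  const script = 'return "' + jsStringEncode(value) + '";';
  return new Function(script)();
}

// Slide 11: store raw, encode on output. Encoding before storage and again
// in the view turns "<" into "&amp;lt;", which renders as a literal "&lt;".
function storeThenRender(userInput, encodeBeforeStore) {
  const stored = encodeBeforeStore ? htmlEncode(userInput) : userInput;
  return htmlEncode(stored); // the view always encodes on output
}

// Slide 11: a blacklist that deletes "script" once is not a defence.
function naiveStrip(s) {
  return s.replace(/script/gi, '');
}

// Slide 11: accept only local redirects under the application's own prefix
// and reject the protocol-relative forms ("//host", "/\host") that
// browsers treat as absolute URLs.
function isLocalRedirect(target, prefix = '/') {
  return typeof target === 'string'
    && target.startsWith(prefix)
    && !target.startsWith('//')
    && !target.startsWith('/\\');
}
```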

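Slide 12 recommends createElement, textContent and setAttribute over document.writeln, $(x).html(), innerHTML and eval, and slides 8 and 11 warn about data: and link hijacks. The following is an added example, not code from the deck or from 99X, that renders an untrusted comment that way; the StubElement/fakeDocument stand-in for the browser DOM and the safeHref rule (relative or http(s) only) are my own constructions.

```javascript
// Added example, not the slide deck's own code: slide 12's recommended DOM
// path (createElement, textContent, setAttribute) plus a URL check for the
// data:/javascript: links of slides 8 and 11. Runs under Node against a
// constructed stub of the few DOM methods it uses.

function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allows relative URLs and http(s) only. Tabs/newlines are removed first
// because browsers ignore them inside a scheme ("java\nscript:" still runs).
function safeHref(url) {
  const u = String(url).replace(/[\t\n\r]/g, '');
  const m = /^[\s\u0000-\u001f]*([a-z][a-z0-9+.\-]*):/i.exec(u);
  if (!m) return u.startsWith('//') || u.startsWith('/\\') ? '#' : u;
  return /^https?$/i.test(m[1]) ? u : '#';
}

// Constructed stand-in for the browser DOM. Like a real serialiser it
// writes text and attribute values back out escaped, so they stay data.
class StubElement {
  constructor(tag) { this.tag = tag; this.attrs = {}; this.children = []; this.text = ''; }
  setAttribute(name, value) { this.attrs[name] = String(value); }
  appendChild(child) { this.children.push(child); return child; }
  set textContent(v) { this.text = String(v); this.children = []; }
  get outerHTML() {
    const attrs = Object.entries(this.attrs)
      .map(([k, v]) => ` ${k}="${htmlEncode(v)}"`).join('');
    const inner = htmlEncode(this.text) + this.children.map((c) => c.outerHTML).join('');
    return `<${this.tag}${attrs}>${inner}</${this.tag}>`;
  }
}
const fakeDocument = { createElement: (tag) => new StubElement(tag) };

// Renders an untrusted comment {author, text, link} without innerHTML,
// $(x).html(), document.write or eval: every value enters the DOM as data.
function renderComment(doc, comment) {
  const div = doc.createElement('div');
  div.setAttribute('class', 'comment');
  const a = div.appendChild(doc.createElement('a'));
  a.setAttribute('href', safeHref(comment.link));
  a.textContent = comment.author;
  const p = div.appendChild(doc.createElement('p'));
  p.textContent = comment.text;
  return div;
}
```

In a real page, pass the browser's document in place of fakeDocument and append the returned element with appendChild.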