Your SlideShare is downloading. ×
Cross-Site ScriptingGetting Developers to Take XSS Seriously       Use Social Engineering to Enhance Your Vulnerability Re...
XSS                          Contact Information                            Jason PubalWebsite                            ...
XSSCross-Site Scripting         Outline   What is XSS?           XSS History   Detecting XSS       Preventing XSS   Report...
XSS                                    Cross-Site ScriptingCross Site Scripting (XSS) is an attack against the user of a w...
XSS
XSSPersistent Cross-Site Scripting
XSSReflected Cross-Site Scripting
XSSWebsites with Cross-Site Scripting     WhiteHat Website Security Statistic Report, Winter 2011
XSSAttacks Using Cross-Site Scripting          Web Hacking Incident Database
XSS                               Real World ExamplesHacker Redirects Barack Obama’s site to hillaryclinton.comDuring the ...
XSSHistory of Cross-Site Scripting
XSSSamy       “I’m sorry MySpace and FOX. I love you guys, all       the great things MySpace provides, and all the       ...
XSS          SamyFastest Spreading Worm in History
XSS                                    JavaScript MalwareCross Site Scripting (XSS) is an attack against the user of a web...
XSS                                                  Manual Testing                                                   <SCR...
XSSBrowser Plugins
XSSWeb Application Vulnerability Scanners
XSSWeb Application Vulnerability Scanners
XSS                         Preventing Cross-Site Scripting                   https://www.owasp.org/index.php/XSS_(Cross_S...
XSS Preventing Cross-Site Scripting                   Use LibrariesESAPI – https://www.owasp.org/index.php/ESAPIMS Anti-XS...
XSSCross-Site Scripting Reporting            Seriously?                         The value of the search_txt request parame...
XSSBrowser Exploitation Framework (BeEF)              http://beefproject.com/
XSSCross-Site Scripting Exploitation
XSSSocially Engineering your Report      Exploit the Vulnerability! Report the Impact!
XSSSocially Engineering your Report      Exploit the Vulnerability! Report the Impact!
XSSSocially Engineering your Report      Exploit the Vulnerability! Report the Impact!
XSSCopy Machine Experiment       The Power of “Because”      “May I use the Xerox machine?”      Giving no reason - 60%   ...
XSSCommander’s Intent     Give Them a Reason!
XSSBystander Apathy   Assign a JIRA Ticket!
XSS                                   Contrast Frame                                          NLPThe Ponemon Institute put...
XSS                                      Herd Effect                                            You‟re all sheep.Best Prac...
XSSPygmalion EffectClearly Communicate Expectations
XSS                                 Metrics                    If you want to improve something, measure it.Measure to see...
THANK YOU   Questions?!
Upcoming SlideShare
Loading in...5
×

Convincing Developers to take Cross-Site Scripting Seriously

3,179

Published on

Cross-site scripting vulnerabilities are often given a low priority or simply ignored all together. Meanwhile, JavaScript malware has gotten progressively more sophisticated and malicious. JavaScript traveling over HTTP gets inside of your perimeter with ease, and everything inside is web enabled. XSS vulnerabilities are the enabler that allows this malware to be injected into any web application, making it so there is no such thing as a trusted website. XSS can lead to website defacement, session hijacking, user impersonation, worms, phishing scams, browser trojans, Intranet attacks, and more!

This talk will educate the listener to the woes of XSS. At the intersection of web application security and pop psychology, it will arm you with the tools to raise awareness among your application developers and socially engineer them into fixing those pesky web app bugs.

1 Comment
1 Like
Statistics
Notes
No Downloads
Views
Total Views
3,179
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
0
Comments
1
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "Convincing Developers to take Cross-Site Scripting Seriously"

  1. 1. Cross-Site ScriptingGetting Developers to Take XSS Seriously Use Social Engineering to Enhance Your Vulnerability Reporting XSS
  2. 2. XSS Contact Information Jason PubalWebsite Socialwww.intellavis.com/blog http://www.linkedin.com/in/pubalE-mail http://www.twitter.com/pubaljpubal@gmail.com
  3. 3. XSSCross-Site Scripting Outline What is XSS? XSS History Detecting XSS Preventing XSS Reporting Tricks
  4. 4. XSS Cross-Site ScriptingCross Site Scripting (XSS) is an attack against the user of a website. It •account hijackingis a technique that forces a website to display malicious code, which •rewrite portions of the pagethen executes in the user’s web browser. The attacker uses a •log keystrokesvulnerable website to send malicious code to another end user of thesite. The vulnerability arises when the website takes data in some •steal browser informationway from a user and dynamically includes it in a web page without •Steal client machine datafirst validating that data. •attack the user’s network
  5. 5. XSS
  6. 6. XSSPersistent Cross-Site Scripting
  7. 7. XSSReflected Cross-Site Scripting
  8. 8. XSSWebsites with Cross-Site Scripting WhiteHat Website Security Statistic Report, Winter 2011
  9. 9. XSSAttacks Using Cross-Site Scripting Web Hacking Incident Database
  10. 10. XSS Real World ExamplesHacker Redirects Barack Obama’s site to hillaryclinton.comDuring the 2008 democratic primaries, XSS in Obama’s website was exploited to redirectvisitors to Hillary Clinton’s website. Users who went to Obama’s community blog were insteadtaken to www.hillaryclinton.com.Apache.org hit by targeted XSS attack, passwords compromisedA targeted attack against JIRA admins used XSS to steal administrative cookies. Using thoseprivileges, they installed backdoors and scripts to collect passwords at login. Thanks to people’stendency to use the same password on several websites and applications, the attacker was ableto use those credentials get root access to other servers.New XSS Facebook Worm Allows Automatic Wall PostsAn XSS in the Facebook’s mobile API allowed a maliciously prepared iframe element containingJavaScript to post to user’s walls.
  11. 11. XSSHistory of Cross-Site Scripting
  12. 12. XSSSamy “I’m sorry MySpace and FOX. I love you guys, all the great things MySpace provides, and all the great shows FOX has, my favorite being Nip/Tuck. Oh wait, Nip/Tuck is FX? My bad, but FOX, I’m sure you still have some good stuff. But maybe you should start picking up Nip/Tuck reruns? Just a thought. I’m kidding! Please don’t sue me.”
  13. 13. XSS SamyFastest Spreading Worm in History
  14. 14. XSS JavaScript MalwareCross Site Scripting (XSS) is an attack against the user of a website. It •account hijackingis a technique that forces a website to display malicious code, which •rewrite portions of the pagethen executes in the user’s web browser. The attacker uses a •log keystrokesvulnerable website to send malicious code to another end user of thesite. The vulnerability arises when the website takes data in some •steal browser informationway from a user and dynamically includes it in a web page without •Steal client machine datafirst validating that data. •attack the user’s network •ANYTHING A USER CAN DO OR ACCESS FROM THE BROWSER!
  15. 15. XSS Manual Testing <SCRIPT>alert(„XSS‟)</SCRIPT> XSS Cheat-Sheet: http://ha.ckers.org/xss.htmlOWASP Broken Web Applications (Vulnerable Applications to Hack): https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
  16. 16. XSSBrowser Plugins
  17. 17. XSSWeb Application Vulnerability Scanners
  18. 18. XSSWeb Application Vulnerability Scanners
  19. 19. XSS Preventing Cross-Site Scripting https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_SheetInput Validation Output Encoding / EscapingAccept known good (whitelist) Characters will still render in a browserReject known bad (blacklist) correctly; escaping simply lets the interpreterSanitize (change input to acceptable format) know the data is not meant to be executed. &  &amp; <  &lt; >  &gt; "  &quot;  ' /  /
  20. 20. XSS Preventing Cross-Site Scripting Use LibrariesESAPI – https://www.owasp.org/index.php/ESAPIMS Anti-XSS Library - http://wpl.codeplex.com
  21. 21. XSSCross-Site Scripting Reporting Seriously? The value of the search_txt request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload <script>alert(XSS)</script> was submitted in the search_txt parameter. This input was echoed unmodified in the applications response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the applications response.
  22. 22. XSSBrowser Exploitation Framework (BeEF) http://beefproject.com/
  23. 23. XSSCross-Site Scripting Exploitation
  24. 24. XSSSocially Engineering your Report Exploit the Vulnerability! Report the Impact!
  25. 25. XSSSocially Engineering your Report Exploit the Vulnerability! Report the Impact!
  26. 26. XSSSocially Engineering your Report Exploit the Vulnerability! Report the Impact!
  27. 27. XSSCopy Machine Experiment The Power of “Because” “May I use the Xerox machine?” Giving no reason - 60% “May I use the Xerox machine, because I have to make copies?” Giving no real reason - 93% “May I use the Xerox machine, because I’m in a rush?” Giving a reason - 94%
  28. 28. XSSCommander’s Intent Give Them a Reason!
  29. 29. XSSBystander Apathy Assign a JIRA Ticket!
  30. 30. XSS Contrast Frame NLPThe Ponemon Institute puts the cost perrecord of a breach at $214, with anaverage cost of 7.2 million dollars. Bycontrast, a week of development timeseems cheap.Options1 - $5,000 95% Effective2 - $500 80% Effective
  31. 31. XSS Herd Effect You‟re all sheep.Best PracticesAmazon and Facebook employ CAPTCHA93% of Websites in our Industry use InputValidation
  32. 32. XSSPygmalion EffectClearly Communicate Expectations
  33. 33. XSS Metrics If you want to improve something, measure it.Measure to see if what youre doing is working. If not, try something else.
  34. 34. THANK YOU Questions?!

×