Blog: https://bitsensor.io/blog/jfall-2016-in-depth-secure-coding-patterns
We go deep into XSS attacks with real examples from LinkedIn, eBay and IndieGoGo, starting with an attack that uses CSS (Bootstrap layout classes) to fool users, then building interactive XSS payloads, such as local port scans, with BeEF (the Browser Exploitation Framework).
After showing why XSS is dangerous, I suggest that we take the coding paradigms we already use, such as unit testing, integration testing, design patterns, clean code, logging and paging, and apply them to security vulnerabilities.
We finish at a maturity level where we don't even have to get up at night when we're paged: the response is automated, the risk is mitigated with HAProxy, and the attacker is isolated in a sandboxed version of our container. We do this using only open-source components on the Vamp platform, with ElastAlert and the open-source BitSensor plugin.
WTF? XSS!
Eehm, what's the deal?
Hunting bugs: case study
How not to become the next case study
Security equivalents for
- tests
- code patterns
- clean code
- logging
- self healing
<!-- Attacker-controlled link: the Bootstrap layout classes (fixed position, full
     viewport, high z-index) stretch the anchor over the whole page, so any click
     anywhere runs the javascript: URL. -->
<a href="javascript:payload"
   width="100%"
   height="100%"
   class="dropdown-backdrop navbar-fixed-top">
</a>
http://output.jsbin.com/zoqipeloca/1/
BeEF hook
- Capture window
- Set position
- Set full window
- Z-index
IndieGoGo is a very open company and allows me to teach about security vulnerabilities using its site.
Here we see the IndieGoGo password form, served over a secure connection, that sends credentials to my web server. What happened? How did this work?
What type of attack is this?
Basic XSS examples
Demo with Alert
Demo with BEEF (Browser Exploitation Framework)
A quick look at how it works from a high level. We're developers, right ;)
Now we have seen the dangers of XSS and know why and how it works.
First step in the foundation
How do we trigger it in practice?
Improve previous demo!
Now we have a button that spawns the whole page
Easy to understand on the foundation of the previous knowledge
More interesting: what did I try that did not succeed?