
Xss what the heck-!


Cross Site Scripting


  1. Cross Site Scripting (XSS): What the heck?! Harinee Muralinath, Karthik Krishnan
  2. Agenda
     ❏ What is our intent?
     ❏ What is XSS?
     ❏ Prevention techniques
     ❏ Testing tools
  3. What is our intent?
     ❏ Security-related jargon, one term at a time
     ❏ Generate interest
     ❏ Give you a guided, hands-on experience
     ❏ Apply it on projects
     ❏ Take your time to learn
  4. What this session will NOT be
     ❏ Make you security experts
     ❏ Tool-oriented
  5. Source: owasp.org
  6. What is Cross-site Scripting (XSS)?
     ❏ The concept of planting scripts by misusing the powers of HTML, CSS, JavaScript etc.
     ❏ Occurs when web applications take data from users and dynamically include it in web pages without first properly validating the data
     ❏ The victim of XSS is usually another user, not the host server itself (which is just a medium)
  7. Demo
  8. Forms of XSS
     ❏ Reflective XSS
     ❏ Persistent XSS
  9. Reflective XSS
  10. Persistent XSS
  11. Demo
  12. Prevention Techniques
     ❏ Input validation
     ❏ Output encoding
  13. Possible Solutions?
  14. Solution #1: Validate input for HTML tag characters (< >)
  15. Solution #2: Blacklist script tags
  16. Solution #3: Output-encode HTML tags
  17. Solution #4: Content Security Policy
  18. Content Security Policy: no inline scripts or JS event handlers
     Before:
     <head> <script>alert("Hi, I'm an inline script");</script> </head>
     Now:
     <head> <script src="non-inline-script.js"></script> </head>
  19. Content Security Policy: whitelist domains
     Before:
     <head> <script src="http://attacker.com/evil.js"></script> </head>
     Now:
     <head> <script src="https://trusted.com/safe.js"></script> </head>
     Content-Security-Policy: script-src https://trusted.com
  20. Tools to identify obvious XSS
     ❏ XSS Me :: Add-ons for Firefox
     ❏ ZAProxy - OWASP ZAP
     ❏ Burp Suite
     ❏ ...and others
  21. Demo
  22. Future references
     ❏ XSS Cheat Sheet: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
     ❏ XSS Prevention Cheat Sheet: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  23. Thank you! Please reach out to Harinee Muralinath - harineem@thoughtworks.com, Karthik Krishnan - karthik.krishnan@thoughtworks.com
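Added example in JavaScript, not code from the deck, putting Solutions #3 and #4 (slides 16 to 19) side by side: an output encoder for the HTML body context, the raw "before" rendering next to its encoded form, and a builder for the script-src Content-Security-Policy header. The function names, the sample comment and the https-only check on allowed origins are assumptions of this example.

```javascript
// Added example, not code from the slides: output encoding (Solution #3)
// beside the unencoded "before", and the CSP header from Solution #4.

// Characters to entity-encode before placing untrusted data in HTML element
// content (the HTML body context of the OWASP XSS Prevention Cheat Sheet).
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Encode untrusted data for the HTML body context. '&' is in the set so
// that entity text supplied by the user stays literal text.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the comment is concatenated raw, so any markup in it is parsed
// by the browser (the persistent XSS case from the deck).
function renderCommentVulnerable(comment) {
  return `<p class="comment">${comment}</p>`;
}

// "Now": same template, but the data is encoded first; the browser shows the
// characters as text instead of interpreting them as tags.
function renderCommentSafe(comment) {
  return `<p class="comment">${encodeForHtml(comment)}</p>`;
}

// Build the value of the Content-Security-Policy header from slide 19:
// scripts may load only from the listed origins; inline scripts and event
// handler attributes are blocked because 'unsafe-inline' is absent.
// Requiring https is an added assumption, matching the slide's "Now" example.
function buildCspHeader(allowedScriptOrigins) {
  const origins = allowedScriptOrigins.map((o) => {
    const url = new URL(o); // throws on a malformed origin
    if (url.protocol !== 'https:') throw new Error(`not https: ${o}`);
    return url.origin;
  });
  return `script-src ${origins.join(' ')}`;
}

// Constructed sample input, not taken from any real site.
const SAMPLE_COMMENT = 'Nice post! <script>alert(1)</script>';

console.log(renderCommentVulnerable(SAMPLE_COMMENT));
console.log(renderCommentSafe(SAMPLE_COMMENT));
console.log('Content-Security-Policy: ' + buildCspHeader(['https://trusted.com']));
```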