Cross-site Scripting
Introduction to Cross-site Scripting (XSS).
Deckset file available at https://github.com/andrewjkerr/xss-presentation.
1. UF Student InfoSec Team
   September 8, 2015
   #ufsit on Freenode
   XSS | Andrew Kerr 1

2. Announcements

3-5. Upcoming CTF: CSAW
   CSAW CTF (Qualifiers)
   • September 18 @ 6pm - September 20 @ 6pm
   • If we qualify, we get to send a team of undergrads to the national CTF

6-7. MMA CTF Recap
   • Lots of people there on Friday!
   • Left Friday night in top 15%

8. We want your writeups!

9. Cross-site Scripting (Also known as XSS)
   Andrew Kerr | Sept 8, 2015
   me@andrewjkerr.com

10-15. whoami
   • Fifth year Software Engineering @ UF
   • Secretary of UFSIT for > 2yrs
   • Full stack web developer
   • Former security intern at Tumblr
   • Former intern at BlockScore

16. Cross-site Scripting (Also known as XSS)
17. XSS
   "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user." — OWASP

18. Ok... what does that mean?

19-21. (image-only slides)

22-25. Why does this work?
   • The browser cannot tell injected script from the site's own script, so it runs it with the site's origin, cookies and permissions
   • The backend server does not encode user input for the HTML context it is written into (the deck calls this "sanitizing")
   • Client-side JavaScript takes parameters straight from the URL and writes them into the DOM as markup
26-30. Why do it?
   • Steal session cookies
   • Steal logins by defacing (e.g. injecting a fake login form)
   • Exploit the browser/plugins
   • For the lulz

31. (image-only slide)

32-34. Remember this?
   • ❤ emoji broke XSS sanitization on TweetDeck
   • Auto-magically retweeted itself 70,000+ times
   • Good thing it wasn't malicious!

35. Ok, but it's Twitter... why does it matter?

36. (image-only slide)
37-39. XSS Payloads
   • A TON of possible XSS payloads
   • <script>alert(1)</script>
   • <img src="x" onerror="alert(1)" />
   • <a href="javascript: alert(1)">Click me!</a>
   • and more!

40-43. Types of XSS
   1. Reflected
   2. Stored
   3. DOM-based
44-47. Reflected XSS
   • Ability to inject code and have the server return it back, unsanitized
   • Not stored on the server/in a database!
   • Normally hidden in the URL
   • Don't click on random links!
   • Example: search forms showing input on results page after submission

48-52. Reflected XSS Vulnerable Code Example
    // www.site.com/search.php?q=search+query
    $search_query = $_GET['q'];
    echo '<h1>Search results for: ' . $search_query . '</h1>';

   Exploit URL: www.site.com/search.php?q=<script>alert(1)</script>

   (slide 50 is image only)

   Q: What's wrong with this code?
   A: UNSANITIZED USER INPUT. $search_query is echoed into the page with no HTML encoding, so any markup in q becomes part of the response the victim's browser renders.
53-56. Stored XSS
   • Ability to inject code and have the server store it and return it without sanitizing it in either case
   • HOLY CRAP THIS IS HORRIBLE
   • Every user who loads the page is hit; about the only thing an end user can do on their own is disable JS
   • Example: form post storing XSS

57. (image-only slide)

58-60. Samy MySpace worm
   • Posted 'but most of all, samy is my hero' to victims
   • Fastest spreading virus of all time
   • 1+ million runs in ~20hrs

61-63. Stored XSS Vulnerable Code Example
    // Storing posts
    $post = $_POST['post'];
    $query = $mysql_conn->prepare("INSERT INTO posts VALUES ('" . $post . "')");
    $query->execute();

    // Fetching and outputting posts
    $query = $mysql_conn->prepare("SELECT * FROM posts");
    $query->execute();
    $query->bind_result($post);
    while($query->fetch()) {
        echo '<p>' . $post . '</p>';
    }

   Q: What's the issue?
   A: UNSANITIZED USER INPUT. $post is written into the <p> with no HTML encoding, so every reader of the page runs whatever was posted. (The same $post is also concatenated straight into the INSERT statement; prepare() gives no protection unless the value is bound as a parameter, so this code is SQL injection as well.)
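The reflected and stored examples above share one fix: HTML-encode every untrusted value at the point where it is written into the page, and store posts raw, because the database is not an HTML context. The following is an added example, not code from the deck, that rebuilds the search page and the posts page in Node.js so the difference can be run; the in-memory `posts` array is a constructed stand-in for the MySQL table on the slide, and `escapeHtml`/`containsTag` are helper names chosen here.

```javascript
// Added example (not from the deck): reflected and stored XSS from the
// slides, in Node.js, with the vulnerable rendering next to the fixed one.

// Encode the five characters that can change meaning inside HTML text or a
// double/single-quoted attribute. '&' must be handled first.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Reflected: equivalent of search.php. The vulnerable version mirrors the
// slide; the safe one encodes at the output point.
function renderSearchVulnerable(q) {
  return '<h1>Search results for: ' + q + '</h1>';
}

function renderSearchSafe(q) {
  return '<h1>Search results for: ' + escapeHtml(q) + '</h1>';
}

// Stored: constructed in-memory stand-in for the posts table. Posts are
// stored raw on purpose; encoding on the way in would corrupt data that is
// later shown somewhere other than an HTML body (JSON API, plain text mail).
const posts = [];

function storePost(post) {
  posts.push(String(post));
}

function renderPostsVulnerable() {
  return posts.map(p => '<p>' + p + '</p>').join('\n');
}

function renderPostsSafe() {
  return posts.map(p => '<p>' + escapeHtml(p) + '</p>').join('\n');
}

// Crude check for this demo: does the rendered HTML still contain a live
// tag with the given name (as opposed to the encoded text "&lt;tag")?
function containsTag(html, tagName) {
  return new RegExp('<' + tagName + '[\\s>]', 'i').test(html);
}

// Run the three payloads from the "XSS Payloads" slide through both paths.
const payloads = [
  '<script>alert(1)</script>',
  '<img src="x" onerror="alert(1)" />',
  '<a href="javascript: alert(1)">Click me!</a>',
];
for (const p of payloads) {
  storePost(p);
  console.log('reflected (vuln): ' + renderSearchVulnerable(p));
  console.log('reflected (safe): ' + renderSearchSafe(p));
}
console.log('stored (vuln) has live <script>: ' + containsTag(renderPostsVulnerable(), 'script'));
console.log('stored (safe) has live <script>: ' + containsTag(renderPostsSafe(), 'script'));
```

`escapeHtml` is only correct for HTML body text and quoted attribute values. A value placed inside a `<script>` block, a URL, or an unquoted attribute needs the encoding for that context; that is the reason the later slide says to know your framework, since most template engines pick the HTML-body encoding by default and nothing else.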
64-67. DOM-based XSS
   • Similar to Reflected, but the payload is never rendered by the server: client-side script reads it and writes it into the page itself.
   • Normally due to bad JavaScript code
   • Also crafted by a URL
   • Don't let users pass in JS via the URL!

68-72. DOM-based XSS Vulnerable Code Example
    // Pretend parse_get_params is implemented :)
    var title = parse_get_params('title');
    $('.page-header').html("<h1>" + title + "</h1>");

   Q: And, what's the issue here?
   A: UNSANITIZED USER INPUT. The title comes straight from the URL and .html() hands it to the HTML parser.
   Q: How would we exploit this?
   A: Craft a URL like: www.site.com/page.html?title=<img src='x' onerror='alert(1)' />
73-76. Protecting Against XSS
    // Pretend parse_get_params is implemented :)
    var title = parse_get_params('title');
    $('.page-header').html("<h1>" + title + "</h1>");

   • jQuery provides a .html AND .text.
   • But, what's the difference?

77-78. Let's look at the documentation! (Aka RTFM)

79. Protecting Against XSS
   "Set the text contents of the matched elements." — .text()
   "Set the HTML contents of each element in the set of matched elements." — .html()

80. Protecting Against XSS
    <html>
    <head>
      <title>Test Page</title>
      <script type="text/javascript" src="jquery.min.js"></script>
      <script type="text/javascript">
        $(function(){
          $("#div1").html('<a href="example.html">Link</a><b>hello</b>');
          $("#div2").text('<a href="example.html">Link</a><b>hello</b>');
        });
      </script>
    </head>
    <body>
      <div id="div1"></div>
      <div id="div2"></div>
    </body>
    </html>

   Loaded in a browser, div1 shows a clickable link and bold "hello" (the string was parsed as markup), while div2 shows the literal text <a href="example.html">Link</a><b>hello</b> (the string became a text node). For the page-header example, the fix that keeps the <h1> is to build the element and set its text: $('.page-header').empty().append($('<h1>').text(title));
81-84. Protecting Against XSS
   1. Know your framework/library/language!
   2. SANITIZE! (encode output for the context it lands in: HTML body, attribute, JavaScript, URL)
   3. Whitelist, not blacklist
   4. Headers (Content-Security-Policy to restrict which scripts may run; HttpOnly on session cookies so injected script cannot read them)

85. Protecting Against XSS
   • Or, ya know, read the NSA's recommendations.
   • https://www.nsa.gov/ia/files/factsheets/xssiadfactsheetfinal_web.pdf
86-87. But most importantly... TEST YOUR APPLICATION

88. (image-only slide)

89-90. Bypassing Filters
   • Wonderful cheatsheet by OWASP: https://www.owasp.org/index.php/XSSFilterEvasionCheatSheet
   • Also, some guess work helps!

91-93. Bypassing Filters Vulnerable Code Example
    $input = $_POST['input'];
    $sanitized = str_replace('script', '', $input);

   Q: How could we get by this?
   A: Think about it :)
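The deck leaves the answer as an exercise. As an added example, not part of the original deck, the filter is ported to JavaScript so the standard bypasses can be checked, together with a "better" blacklist that strips repeatedly and case-insensitively, to show why blacklisting loses regardless. The payload strings and the `stillExecutable` detector are constructed for this demo.

```javascript
// Added example (not from the deck): str_replace('script', '', $input) and
// three ways past it, plus why a stricter blacklist still fails.

// Single-pass, case-sensitive removal, like PHP's str_replace.
function naiveStrip(input) {
  return input.split('script').join('');
}

// "Fixed" blacklist: strip until nothing changes, ignore case. Still a
// blacklist, so it only knows about the one tag name it was told about.
function loopingStrip(input) {
  let prev;
  let cur = input;
  do {
    prev = cur;
    cur = cur.replace(/script/gi, '');
  } while (cur !== prev);
  return cur;
}

// Bypass 1: nest the blacklisted word inside itself. One pass removes the
// inner copy and leaves a well-formed <script> tag behind.
const nested = '<scrscriptipt>alert(1)</scrscriptipt>';

// Bypass 2: change case. Tag names are case-insensitive to the browser;
// str_replace is not.
const upper = '<SCRIPT>alert(1)</SCRIPT>';

// Bypass 3: never use the word. An event handler on any element runs
// JavaScript with the string "script" appearing nowhere in the payload.
const noKeyword = '<img src=x onerror=alert(1)>';

// Crude detector for this demo: a live script tag or an on*= attribute.
function stillExecutable(html) {
  return /<script[\s>]/i.test(html) || /\son[a-z]+\s*=/i.test(html);
}

// Run each payload through both filters and report whether it survives.
function demo() {
  const results = {};
  for (const [name, payload] of Object.entries({ nested, upper, noKeyword })) {
    results[name] = {
      naive: stillExecutable(naiveStrip(payload)),
      looping: stillExecutable(loopingStrip(payload)),
    };
  }
  return results;
}

console.log(demo());
```

The looping, case-insensitive filter defeats the first two payloads and does nothing about the third, and extending it to `onerror` just moves the problem to the next attribute on the OWASP cheatsheet. This is the "whitelist, not blacklist" item from slide 83: either encode the value so the browser never sees a tag, or, where HTML must be allowed, parse it and keep only an allowed set of elements and attributes.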
94-97. Resources
   • OWASP
   • The Web Application Hackers Handbook
   • Mutillidae Practice Application

98. Ok, cool, onto challenges!

99. 104.236.76.214
   Go here

100. Challenges
   • Server: 104.236.76.214
   • Source: github.com/ufsit/xss-challenges
   • Try not to use this!
   • Cheatsheet: https://www.owasp.org/index.php/XSSFilterEvasionCheatSheet