
Cross-site Scripting


Introduction to Cross-site Scripting (XSS).

Deckset file available at https://github.com/andrewjkerr/xss-presentation.

Published in: Engineering

Cross-site Scripting

  1. UF Student InfoSec Team, September 8, 2015, #ufsit on Freenode. XSS | Andrew Kerr
  2-5. Announcements: Upcoming CTF: CSAW CTF (Qualifiers)
     • September 18 @ 6pm - September 20 @ 6pm
     • If we qualify, we get to send a team of undergrads to national CTF
  6-7. MMA CTF Recap
     • Lots of people there on Friday!
     • Left Friday night in top 15%
  8. We want your writeups!
  9. Cross-site Scripting (Also known as XSS). Andrew Kerr | Sept 8, 2015 | me@andrewjkerr.com
  10-15. whoami
     • Fifth year Software Engineering @ UF
     • Secretary of UFSIT for > 2yrs
     • Full stack web developer
     • Former security intern at Tumblr
     • Former intern at BlockScore
  16. Cross-site Scripting (Also known as XSS)
  17. XSS: "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user." — OWASP
  18. Ok... what does that mean?
  19-21. (image slides, no text)
  22-25. Why does this work?
     • Browser is tricked into thinking the code is part of the site
     • Backend server does not sanitize input correctly
     • Poor client-side JavaScript executes given parameters
  26-30. Why do it?
     • Steal session cookies
     • Steal logins by defacing
     • Exploit the browser/plugins
     • For the lulz
  31. (image slide, no text)
  32-34. Remember this?
     • ❤ emoji broke XSS sanitization on TweetDeck
     • Auto-magically retweeted itself 70,000+ times
     • Good thing it wasn't malicious!
  35. Ok, but it's Twitter... why does it matter?
  36. (image slide, no text)
  37-39. XSS Payloads
     • A TON of possible XSS payloads
     • <script>alert(1)</script>
     • <img src="x" onerror="alert(1)" />
     • <a href="javascript: alert(1)">Click me!</a>
     • and more!
  40-43. Types of XSS
     1. Reflected
     2. Stored
     3. DOM-based
  44-47. Reflected XSS
     • Ability to inject code and have the server return it back, unsanitized
     • Not stored on the server/in a database!
     • Normally hidden in the URL
     • Don't click on random links!
     • Example: search forms showing input on results page after submission
  48. Reflected XSS Vulnerable Code Example
        // www.site.com/search.php?q=search+query
        $search_query = $_GET['q'];
        echo '<h1>Search results for: ' . $search_query . '</h1>';
  49. www.site.com/search.php?q=<script>alert(1)</script>
  50. (image slide, no text)
  51-52. Reflected XSS Vulnerable Code Example (same code as slide 48). Q: What's wrong with this code? A: UNSANITIZED USER INPUT
  53-56. Stored XSS
     • Ability to inject code and have the server store it and return it without sanitizing it in either case
     • HOLY CRAP THIS IS HORRIBLE
     • Only way for end user to protect themselves is to disable JS
     • Example: form post storing XSS
  57. (image slide, no text)
  58-60. Samy MySpace worm
     • Posted 'but most of all, samy is my hero' to victims
     • Fastest spreading virus of all time
     • 1+ million runs in ~20hrs
  61. Stored XSS Vulnerable Code Example
        // Storing posts
        $post = $_POST['post'];
        $query = $mysql_conn->prepare("INSERT INTO posts VALUES ('" . $post . "')");
        $query->execute();
        // Fetching and outputting posts
        $query = $mysql_conn->prepare("SELECT * FROM posts");
        $query->execute();
        $query->bind_result($post);
        while($query->fetch()) {
            echo '<p>' . $post . '</p>';
        }
  62-63. Stored XSS Vulnerable Code Example (same code as slide 61). Q: What's the issue? A: UNSANITIZED USER INPUT
  64-67. DOM-based XSS
     • Similar to Reflected, but is not rendered from the server.
     • Normally due to bad JavaScript code
     • Also crafted by a URL
     • Don't let users pass in JS via the URL!
  68. DOM-based XSS Vulnerable Code Example
        // Pretend parse_get_params is implemented :)
        var title = parse_get_params('title');
        $('.page-header').html("<h1>" + title + "</h1>");
  69-70. DOM-based XSS Vulnerable Code Example (same code as slide 68). Q: And, what's the issue here? A: UNSANITIZED USER INPUT
  71-72. DOM-based XSS Vulnerable Code Example (same code as slide 68). Q: How would we exploit this? A: Craft a URL like: www.site.com/page.html?title=<img src='x' onerror='alert(1)' />
  73-76. Protecting Against XSS
        // Pretend parse_get_params is implemented :)
        var title = parse_get_params('title');
        $('.page-header').html("<h1>" + title + "</h1>");
     • jQuery provides a .html AND .text.
     • But, what's the difference?
  77-78. Let's look at the documentation! (Aka RTFM)
  79. Protecting Against XSS
     "Set the text contents of the matched elements." — .text()
     "Set the HTML contents of each element in the set of matched elements." — .html()
  80. Protecting Against XSS
        <html>
        <head>
        <title>Test Page</title>
        <script type="text/javascript" src="jquery.min.js"></script>
        <script type="text/javascript">
        $(function(){
            $("#div1").html('<a href="example.html">Link</a><b>hello</b>');
            $("#div2").text('<a href="example.html">Link</a><b>hello</b>');
        });
        </script>
        </head>
        <body>
        <div id="div1"></div>
        <div id="div2"></div>
        </body>
        </html>
  81-84. Protecting Against XSS
     1. Know your framework/library/language!
     2. SANITIZE!
     3. Whitelist, not blacklist
     4. Headers
  85. Protecting Against XSS
     • Or, ya know, read the NSA's recommendations.
     • https://www.nsa.gov/ia/files/factsheets/xssiadfactsheetfinal_web.pdf
  86. But most importantly...
  87. TEST YOUR APPLICATION
  88. (image slide, no text)
  89-90. Bypassing Filters
     • Wonderful cheatsheet by OWASP: https://www.owasp.org/index.php/XSSFilterEvasionCheatSheet
     • Also, some guess work helps!
  91-93. Bypassing Filters Vulnerable Code Example
        $input = $_POST['input'];
        $sanitized = str_replace('script', '', $input);
     Q: How could we get by this? A: Think about it :)
  94-97. Resources
     • OWASP
     • The Web Application Hackers Handbook
     • Mutillidae Practice Application
  98. Ok, cool, onto challenges!
  99. 104.236.76.214 Go here
  100. Challenges
     • Server: 104.236.76.214
     • Source: github.com/ufsit/xss-challenges • Try not to use this!
     • Cheatsheet: https://www.owasp.org/index.php/XSSFilterEvasionCheatSheet
