TechTalk - Cross Site Scripting XSS

Jürgen Kranz and Justice Nanhou (Architecture and Development Department at axxessio) focused on Cross Site Scripting XSS during this TechTalk.

  1. Cross Site Scripting XSS. TechTalk, February 2014. Department: Architecture and Development
  2. Table of Contents: Introduction; Stored XSS; Reflected XSS; DOM Based XSS; XSS Attack Consequences; How to Protect Yourself
  3. Introduction: https://www.owasp.org/index.php/Top_10_2013-Release_Notes
  4. Introduction. XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. This allows attackers to execute scripts in the victim's browser, which can: hijack user sessions, deface web sites, or redirect the user to malicious sites.
  5. Introduction: https://www.youtube.com/watch?v=_Z9RQSnf8-g
  6. Stored XSS Attacks. The injected code is permanently stored on the target servers: database, message forum, visitor log, comment field, … The victim then retrieves the malicious script from the server when it requests the stored information.
  7. Stored XSS Attacks: Test XSS, <script>alert(document.cookie)</script>
  8. Stored XSS Attacks: Test XSS, <script>alert(document.cookie)</script>
  9. Reflected XSS Attacks. The injected code is reflected off the web server, such as in: an error message, a search result, an e-mail message, or any other response that includes some or all of the input sent to the server as part of the request.
  10. Reflected XSS Attacks: http://example.com/index.php?user=<script>window.onload = function() {var AllLinks=document.getElementsByTagName("a"); AllLinks[0].href = "http://badexample.com/malicious.exe"; }</script>
  11. Reflected XSS Attacks. Different syntax or encoding: " onfocus="alert(document.cookie) / "><script >alert(document.cookie)</script > / "%3cscript%3ealert(document.cookie)%3c/script%3e / "><ScRiPt>alert(document.cookie)</ScRiPt>
  12. DOM Based XSS. The DOM, or Document Object Model, is the structural format used to represent documents in a browser. DOM Based XSS is the de-facto name for XSS bugs introduced through it, e.g.: <script> document.write("Site is at: " + document.location.href + "."); </script>
  13. XSS Attack Consequences. The consequence is the same regardless of whether it is stored, reflected or DOM based. The most severe XSS attacks involve disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account. It can also include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, or modifying the presentation of content.
  14. How to Protect Yourself. Escape output provided by users: HTML encode any <, >, &, ', " or don't allow it. Validate user data to make sure it meets your expectations; use an HTML policy engine to validate or clean user-driven HTML in an outbound way. Attribute escape before inserting untrusted data into HTML common attributes: String safe = ESAPI.encoder().encodeForHTMLAttribute( request.getParameter( "input" ) ); JavaScript escape before inserting untrusted data into JavaScript data values: String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );
  15. Thank you for your attention!
  16. Additional Information. OWASP YouTube Channel: https://www.youtube.com/watch?v=_Z9RQSnf8-g. OWASP: https://www.owasp.org/index.php/XSS and https://www.owasp.org/index.php/Testing_for_Cross_site_scripting. OWASP Protect ME: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet. Obscurity by Security, and Other Techitudes by Adam Jon R.: http://adamjonrichardson.com/2012/02/01/improving-xss-cross-site-scriptingprevention-in-four-simple-steps/
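The output-encoding advice on slide 14, shown as an added Node.js example that is not part of the talk: two context-specific encoders written in the spirit of the ESAPI encodeForHTMLAttribute and encodeForJavaScript calls, run against the payload variants from slide 11 (the render functions and payload list are constructed for this example).

```javascript
// Added example, not from the slides: context-aware output encoding in the
// spirit of the ESAPI encodeForHTMLAttribute / encodeForJavaScript calls on
// slide 14, tried against the payload variants from slide 11.

// HTML attribute context: every character outside [A-Za-z0-9] becomes an
// entity, so user input can never supply a tag or attribute delimiter.
function encodeForHTMLAttribute(input) {
  const named = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#x27;' };
  return String(input).replace(/[^A-Za-z0-9]/gu, (ch) =>
    named[ch] || `&#x${ch.codePointAt(0).toString(16)};`);
}

// JavaScript data-value context: \xHH (or \uHHHH) for every non-alphanumeric
// character, so the value cannot terminate the quoted string or the <script> block.
function encodeForJavaScript(input) {
  return String(input).replace(/[^A-Za-z0-9]/gu, (ch) => {
    const code = ch.codePointAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// The "user" parameter from slide 10 echoed back the vulnerable way (raw
// concatenation) and the hardened way (encoded for each context it lands in).
function renderUserUnsafe(userInput) {
  return `<input name="user" value="${userInput}">`;
}
function renderUserSafe(userInput) {
  return `<input name="user" value="${encodeForHTMLAttribute(userInput)}">\n` +
         `<script>var user = '${encodeForJavaScript(userInput)}';</script>`;
}

// Constructed inputs: the slide-11 variants. The %3c form is what the server
// sees after it URL-decodes the query string, i.e. the same payload again.
const PAYLOADS = [
  '" onfocus="alert(document.cookie)',
  '"><script >alert(document.cookie)</script >',
  decodeURIComponent('"%3cscript%3ealert(document.cookie)%3c/script%3e'),
  '"><ScRiPt>alert(document.cookie)</ScRiPt>',
];

// True when the raw echo lands every payload in the page verbatim while, after
// encoding, none retains a character that could break out of its context.
function allPayloadsNeutralised() {
  return PAYLOADS.every((p) =>
    renderUserUnsafe(p).includes(p) &&            // raw concatenation: payload survives
    !/[<>"']/.test(encodeForHTMLAttribute(p)) &&  // attribute context: no delimiters
    !/[<>"'\/]/.test(encodeForJavaScript(p)));    // JS string context: no quotes or tags
}
```

The ESAPI calls on slide 14 do the same job on the server side; the point is that the encoder is chosen by the output context, not by the input.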