Xss 101 by-sai-shanthan


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Xss 101 by-sai-shanthan

  1. 1. Cross Site Scripting (XSS)
  2. 2. What is XSS ? Cross Site Scripting lXSS is a vulnerability which when present in websites or web applications, allows malicious users (Hackers) to insert their client side code (normally JavaScript) in those web pages. lWhen this malicious code along with the original webpage gets displayed in the web client (browsers like IE, Mozilla etc), allows Hackers to gain greater access of that page.
  3. 3. XSS (-ve) effects stealing other user’s cookies l stealing their private information l performing actions on behalf of other users l redirecting to other websites l lShowing ads in hidden IFRAMES and pop-ups
  4. 4. Type of XSS attacks lNon-persistent (Reflected) lPersistent (Stored) lDOM Based
  5. 5. Non-persistent lWhen XSS code only gets displayed in the next page to the same user and not gets saved into persistent storage like database. lThis type of attack is less harmful, because Hacker can see only their own cookies and can make modifications in their own current opened pages.
  6. 6. Vector : %u3008script%u3009alert(document.domain);%u3008/script%u3009
  7. 7. Persistent XSS l In persistent type of XSS attack, XSS code gets saved into persistent storage like database with other data and then it is visible to other users also. l This type of attack is more vulnerable, because Hacker can steal cookies and can make modifications in the page.
  8. 8. Vector: <b onmouseover=alert(/000/);>Click me!</b>
  9. 9. DOM based attack lDOM Based XSS (or type-0 XSS) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM environment in the victim s browser used by the original client side script, so that the client side code runs in an unexpected manner. l That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment. l
  10. 10. Vector: #”><img src=x onerror=prompt(1);>
  11. 11. Prevention Never trust the user input data No matter where it’s coming from ( GET, POST, COOKIE etc.
  12. 12. Validation at server lBy sanitizing the input data, we can prevent the malicious code to enter in the system. lChecking the proper data types helps in cleaning the data. First of all we should restrict numeric data for numeric fields and only alphanumeric characters for text fields l lWhite lists – Allow <strong>, <em> and <br> only – Does help, but not 100% l lBlacklists – Block <script> and other attributes such as onload, onclick, onmouseover etc.
  13. 13. Demo:Bypassing Blacklist WAF
  14. 14. Validation at client side lBy performing client side (JavaScript) validation, before submitting the data to server, helps only in usability aspect of the website. lIt can’t provide any actual security, because user can disable the JavaScript. Many JavaScript libraries and frameworks are available for this.
  15. 15. Escaping output at server Problem characters can include < > " &.These characters can be replaced with HTML character entities. For example, < can be replaced with &lt;. 5 Rules for escaping output #1 - HTML Escape before inserting into element content #2 - Attribute Escape before inserting into attributes #3 - JavaScript Escape before inserting into JavaScript data values #4 - CSS Escape before inserting into style property values #5 - URL Escape before inserting into URL attributes
  16. 16. XSS vectors l<IMG SRC=javascript:alert('XSS')> l<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> l<IMG SRC=javascript:alert(&quot;XSS&quot;)> l<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`> l<IMG """><SCRIPT>alert("XSS")</SCRIPT>"> l<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> l<IMG SRC=javascri&#11 2;t:alert('& #88;SS')> l
  17. 17. References http://en.wikipedia.org http://ha.ckers.org/xss.html http://www.bugsheet.com/cheat-sheets/100-xss-vectors-by- ashar-javed http://www.acsa- admin.org/openconf2008/modules/request.php?module=oc_pr ogram&action=view.php&id=104
  18. 18. Thank you