SlideShare a Scribd company logo

XSS Countermeasures in Grails

OSOCO
OSOCO

XSS Countermeasures in Grails talk at Madrid Groovy User Group.

1 of 114
Download to read offline
XSS Countermeasures in
Grails
Rafael Luque @rafael_luque — OSOCO
José San Leandro @rydnr — Ventura24
http://goo.gl/UGdJ0I
XSS Intro
XSS concepts
• What’s a XSS
• XSS Types: Reflected, stored, DOM-based.
• Famous XSS attacks: Samy worm, MrBean defacement, ...
XSS threats
• Interface defacement
• Session hijacking
• Click hijacking
• Malware infection
• Your PC may be joined to the horde of zombies in a BotNet.
Following
the
white
rabbit. . .
Ad

Recommended

XSS Countermeasures in Grails
XSS Countermeasures in GrailsXSS Countermeasures in Grails
XSS Countermeasures in Grailstheratpack
 
Grails vs XSS: Defending Grails against XSS attacks
Grails vs XSS: Defending Grails against XSS attacksGrails vs XSS: Defending Grails against XSS attacks
Grails vs XSS: Defending Grails against XSS attackstheratpack
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyVlad Savitsky
 
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 ||  “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 ||  “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat Security Conference
 
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1ITAS VIETNAM
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyKevin Hakanson
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionJose Manuel Ortega Candel
 
BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat v17 || You Are Making Application Whitelisting Difficult BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat v17 || You Are Making Application Whitelisting Difficult BlueHat Security Conference
 

More Related Content

What's hot

Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh TâmTriển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh TâmSecurity Bootcamp
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoidFilip Šebesta
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
The Listening: Email Client Backdoor
The Listening: Email Client BackdoorThe Listening: Email Client Backdoor
The Listening: Email Client BackdoorMichael Scovetta
 
[FTP|SQL|Cache] Injections
[FTP|SQL|Cache] Injections[FTP|SQL|Cache] Injections
[FTP|SQL|Cache] InjectionsDavid Barroso
 
Web security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersWeb security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersPhú Phùng
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
 
Don't Give Credit: Hacking Arcade Machines
Don't Give Credit: Hacking Arcade MachinesDon't Give Credit: Hacking Arcade Machines
Don't Give Credit: Hacking Arcade MachinesMichael Scovetta
 
Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012David Mirza
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With RailsTony Amoyal
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and DefensesOWASP
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front endErlend Oftedal
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP
 
Challenges Building Secure Mobile Applications
Challenges Building Secure Mobile ApplicationsChallenges Building Secure Mobile Applications
Challenges Building Secure Mobile ApplicationsMasabi
 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat Security Conference
 
Web security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in BrowsersWeb security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in BrowsersPhú Phùng
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 

What's hot (20)

Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh TâmTriển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
 
The Listening: Email Client Backdoor
The Listening: Email Client BackdoorThe Listening: Email Client Backdoor
The Listening: Email Client Backdoor
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
 
[FTP|SQL|Cache] Injections
[FTP|SQL|Cache] Injections[FTP|SQL|Cache] Injections
[FTP|SQL|Cache] Injections
 
Web security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersWeb security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsers
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
Don't Give Credit: Hacking Arcade Machines
Don't Give Credit: Hacking Arcade MachinesDon't Give Credit: Hacking Arcade Machines
Don't Give Credit: Hacking Arcade Machines
 
Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front end
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
 
Challenges Building Secure Mobile Applications
Challenges Building Secure Mobile ApplicationsChallenges Building Secure Mobile Applications
Challenges Building Secure Mobile Applications
 
Malware Detection With Multiple Features
Malware Detection With Multiple FeaturesMalware Detection With Multiple Features
Malware Detection With Multiple Features
 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, please
 
Web security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in BrowsersWeb security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in Browsers
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 

Viewers also liked

Arduino based intelligent greenhouse Project
Arduino based intelligent greenhouse ProjectArduino based intelligent greenhouse Project
Arduino based intelligent greenhouse ProjectAmit Saini
 
All about INCOTERMS latest revision
All about INCOTERMS latest revision All about INCOTERMS latest revision
All about INCOTERMS latest revision Mihai Guta
 
Data Encoding
Data EncodingData Encoding
Data EncodingLuka M G
 
Test driven development in C
Test driven development in CTest driven development in C
Test driven development in CAmritayan Nayak
 
Global Snapshots from a Changing Climate
Global Snapshots from a Changing ClimateGlobal Snapshots from a Changing Climate
Global Snapshots from a Changing Climateron mader
 
Thai tech startup ecosystem report 2017
Thai tech startup ecosystem report 2017Thai tech startup ecosystem report 2017
Thai tech startup ecosystem report 2017Techsauce Media
 
New product marketing (perfume)
New product marketing (perfume)New product marketing (perfume)
New product marketing (perfume)Shajar Ali
 
Operating Systems - File Management
Operating Systems -  File ManagementOperating Systems -  File Management
Operating Systems - File ManagementDamian T. Gordon
 
wireless sensor network
wireless sensor networkwireless sensor network
wireless sensor networkA. Shamel
 
Consumer Physics SCiO Molecular Sensor Patent-to-Product Mapping Sample
Consumer Physics SCiO Molecular Sensor Patent-to-Product Mapping SampleConsumer Physics SCiO Molecular Sensor Patent-to-Product Mapping Sample
Consumer Physics SCiO Molecular Sensor Patent-to-Product Mapping SampleKnowmade
 
fan speed control by using temperature sensor
fan speed control by using temperature sensorfan speed control by using temperature sensor
fan speed control by using temperature sensorNandeesh Boya
 
Instructions aeon labs door window sensor gen5
Instructions   aeon labs door window sensor gen5Instructions   aeon labs door window sensor gen5
Instructions aeon labs door window sensor gen5Domotica daVinci
 
Structural health monitoring
Structural health monitoringStructural health monitoring
Structural health monitoringRashmi Bharadwaj
 
SCiO Molecular Sensor from Consumer Physics: Mobile Spectrometer Dongle - tea...
SCiO Molecular Sensor from Consumer Physics: Mobile Spectrometer Dongle - tea...SCiO Molecular Sensor from Consumer Physics: Mobile Spectrometer Dongle - tea...
SCiO Molecular Sensor from Consumer Physics: Mobile Spectrometer Dongle - tea...Yole Developpement
 
Icinga Camp Berlin 2017 - 10 Tips for better Hardware Monitoring
Icinga Camp Berlin 2017 - 10 Tips for better Hardware MonitoringIcinga Camp Berlin 2017 - 10 Tips for better Hardware Monitoring
Icinga Camp Berlin 2017 - 10 Tips for better Hardware MonitoringIcinga
 
Mit Vision-Sensoren Objekte und Szenarien erkennen und bewerten
Mit Vision-Sensoren Objekte und Szenarien erkennen und bewertenMit Vision-Sensoren Objekte und Szenarien erkennen und bewerten
Mit Vision-Sensoren Objekte und Szenarien erkennen und bewertenifm electronic gmbh
 
DCMS AKCP Product Presentation
DCMS AKCP Product PresentationDCMS AKCP Product Presentation
DCMS AKCP Product PresentationFanky Christian
 
8279 in microprocessor
8279 in microprocessor8279 in microprocessor
8279 in microprocessorAisu
 

Viewers also liked (20)

Arduino based intelligent greenhouse Project
Arduino based intelligent greenhouse ProjectArduino based intelligent greenhouse Project
Arduino based intelligent greenhouse Project
 
All about INCOTERMS latest revision
All about INCOTERMS latest revision All about INCOTERMS latest revision
All about INCOTERMS latest revision
 
Data Encoding
Data EncodingData Encoding
Data Encoding
 
Test driven development in C
Test driven development in CTest driven development in C
Test driven development in C
 
Global Snapshots from a Changing Climate
Global Snapshots from a Changing ClimateGlobal Snapshots from a Changing Climate
Global Snapshots from a Changing Climate
 
Thai tech startup ecosystem report 2017
Thai tech startup ecosystem report 2017Thai tech startup ecosystem report 2017
Thai tech startup ecosystem report 2017
 
Mri brain anatomy Dr Muhammad Bin Zulfiqar
Mri brain anatomy Dr Muhammad Bin ZulfiqarMri brain anatomy Dr Muhammad Bin Zulfiqar
Mri brain anatomy Dr Muhammad Bin Zulfiqar
 
New product marketing (perfume)
New product marketing (perfume)New product marketing (perfume)
New product marketing (perfume)
 
Operating Systems - File Management
Operating Systems -  File ManagementOperating Systems -  File Management
Operating Systems - File Management
 
wireless sensor network
wireless sensor networkwireless sensor network
wireless sensor network
 
Consumer Physics SCiO Molecular Sensor Patent-to-Product Mapping Sample
Consumer Physics SCiO Molecular Sensor Patent-to-Product Mapping SampleConsumer Physics SCiO Molecular Sensor Patent-to-Product Mapping Sample
Consumer Physics SCiO Molecular Sensor Patent-to-Product Mapping Sample
 
fan speed control by using temperature sensor
fan speed control by using temperature sensorfan speed control by using temperature sensor
fan speed control by using temperature sensor
 
Instructions aeon labs door window sensor gen5
Instructions   aeon labs door window sensor gen5Instructions   aeon labs door window sensor gen5
Instructions aeon labs door window sensor gen5
 
Structural health monitoring
Structural health monitoringStructural health monitoring
Structural health monitoring
 
SCiO Molecular Sensor from Consumer Physics: Mobile Spectrometer Dongle - tea...
SCiO Molecular Sensor from Consumer Physics: Mobile Spectrometer Dongle - tea...SCiO Molecular Sensor from Consumer Physics: Mobile Spectrometer Dongle - tea...
SCiO Molecular Sensor from Consumer Physics: Mobile Spectrometer Dongle - tea...
 
The Role Of The Risk Manager
The Role Of The Risk ManagerThe Role Of The Risk Manager
The Role Of The Risk Manager
 
Icinga Camp Berlin 2017 - 10 Tips for better Hardware Monitoring
Icinga Camp Berlin 2017 - 10 Tips for better Hardware MonitoringIcinga Camp Berlin 2017 - 10 Tips for better Hardware Monitoring
Icinga Camp Berlin 2017 - 10 Tips for better Hardware Monitoring
 
Mit Vision-Sensoren Objekte und Szenarien erkennen und bewerten
Mit Vision-Sensoren Objekte und Szenarien erkennen und bewertenMit Vision-Sensoren Objekte und Szenarien erkennen und bewerten
Mit Vision-Sensoren Objekte und Szenarien erkennen und bewerten
 
DCMS AKCP Product Presentation
DCMS AKCP Product PresentationDCMS AKCP Product Presentation
DCMS AKCP Product Presentation
 
8279 in microprocessor
8279 in microprocessor8279 in microprocessor
8279 in microprocessor
 

Similar to XSS Countermeasures in Grails

Grails vs XSS: Defending Grails against XSS attacks
Grails vs XSS: Defending Grails against XSS attacksGrails vs XSS: Defending Grails against XSS attacks
Grails vs XSS: Defending Grails against XSS attacksRafael Luque Leiva
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Peter Sabev
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptDenis Kolegov
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedMinded Security
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfGiorgiRcheulishvili
 
Google chrome sandbox
Google chrome sandboxGoogle chrome sandbox
Google chrome sandboxNephi Johnson
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and TechniquesBala Subra
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging TechniquesBala Subra
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Stephan Chenette
 
Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Tinashe Makuti
 
Web Hacking Series Part 4
Web Hacking Series Part 4Web Hacking Series Part 4
Web Hacking Series Part 4Aditya Kamat
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Paula Januszkiewicz
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
 
Piratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPiratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPriyanka Aash
 
Protractor: The Hacker way (NG-MY 2019)
Protractor: The Hacker way (NG-MY 2019)Protractor: The Hacker way (NG-MY 2019)
Protractor: The Hacker way (NG-MY 2019)Will Huang
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub  - A case study of django web applications that are secur...Mr. Mohammed Aldoub  - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)Sam Bowne
 

Similar to XSS Countermeasures in Grails (20)

Grails vs XSS: Defending Grails against XSS attacks
Grails vs XSS: Defending Grails against XSS attacksGrails vs XSS: Defending Grails against XSS attacks
Grails vs XSS: Defending Grails against XSS attacks
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
 
Google chrome sandbox
Google chrome sandboxGoogle chrome sandbox
Google chrome sandbox
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Xss mitigation php [Repaired]
Xss mitigation php [Repaired]
 
Web Hacking Series Part 4
Web Hacking Series Part 4Web Hacking Series Part 4
Web Hacking Series Part 4
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
 
Piratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPiratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigation
 
Protractor: The Hacker way (NG-MY 2019)
Protractor: The Hacker way (NG-MY 2019)Protractor: The Hacker way (NG-MY 2019)
Protractor: The Hacker way (NG-MY 2019)
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub  - A case study of django web applications that are secur...Mr. Mohammed Aldoub  - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
 

More from OSOCO

HackaTrips 2017 Team 10
HackaTrips 2017 Team 10HackaTrips 2017 Team 10
HackaTrips 2017 Team 10OSOCO
 
Take the Smalltalk Red Pill
Take the Smalltalk Red PillTake the Smalltalk Red Pill
Take the Smalltalk Red PillOSOCO
 
Dry-wit Overview
Dry-wit OverviewDry-wit Overview
Dry-wit OverviewOSOCO
 
Spring Annotations: Proxy
Spring Annotations: ProxySpring Annotations: Proxy
Spring Annotations: ProxyOSOCO
 
Proactive monitoring with Monit
Proactive monitoring with MonitProactive monitoring with Monit
Proactive monitoring with MonitOSOCO
 
AWS CloudFormation en 5 Minutos
AWS CloudFormation en 5 MinutosAWS CloudFormation en 5 Minutos
AWS CloudFormation en 5 MinutosOSOCO
 
Understanding Java Dynamic Proxies
Understanding Java Dynamic ProxiesUnderstanding Java Dynamic Proxies
Understanding Java Dynamic ProxiesOSOCO
 
SSH Tunneling Recipes
SSH Tunneling RecipesSSH Tunneling Recipes
SSH Tunneling RecipesOSOCO
 

More from OSOCO (8)

HackaTrips 2017 Team 10
HackaTrips 2017 Team 10HackaTrips 2017 Team 10
HackaTrips 2017 Team 10
 
Take the Smalltalk Red Pill
Take the Smalltalk Red PillTake the Smalltalk Red Pill
Take the Smalltalk Red Pill
 
Dry-wit Overview
Dry-wit OverviewDry-wit Overview
Dry-wit Overview
 
Spring Annotations: Proxy
Spring Annotations: ProxySpring Annotations: Proxy
Spring Annotations: Proxy
 
Proactive monitoring with Monit
Proactive monitoring with MonitProactive monitoring with Monit
Proactive monitoring with Monit
 
AWS CloudFormation en 5 Minutos
AWS CloudFormation en 5 MinutosAWS CloudFormation en 5 Minutos
AWS CloudFormation en 5 Minutos
 
Understanding Java Dynamic Proxies
Understanding Java Dynamic ProxiesUnderstanding Java Dynamic Proxies
Understanding Java Dynamic Proxies
 
SSH Tunneling Recipes
SSH Tunneling RecipesSSH Tunneling Recipes
SSH Tunneling Recipes
 

Recently uploaded

Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Product School
 
"DevOps Practisting Platform on EKS with Karpenter autoscaling", Dmytro Kozhevin
"DevOps Practisting Platform on EKS with Karpenter autoscaling", Dmytro Kozhevin"DevOps Practisting Platform on EKS with Karpenter autoscaling", Dmytro Kozhevin
"DevOps Practisting Platform on EKS with Karpenter autoscaling", Dmytro KozhevinFwdays
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVARobert McDermott
 
Traffic Signboard Classification with Voice alert to the driver.pptx
Traffic Signboard Classification with Voice alert to the driver.pptxTraffic Signboard Classification with Voice alert to the driver.pptx
Traffic Signboard Classification with Voice alert to the driver.pptxharimaxwell0712
 
21ST CENTURY LITERACY FROM TRADITIONAL TO MODERN
21ST CENTURY LITERACY FROM TRADITIONAL TO MODERN21ST CENTURY LITERACY FROM TRADITIONAL TO MODERN
21ST CENTURY LITERACY FROM TRADITIONAL TO MODERNRonnelBaroc
 
Curtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdfCurtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdfDomotica daVinci
 
"Platform Engineering with Development Containers", Igor Fesenko
"Platform Engineering with Development Containers", Igor Fesenko"Platform Engineering with Development Containers", Igor Fesenko
"Platform Engineering with Development Containers", Igor FesenkoFwdays
 
AI Act & Standardization: UNINFO involvement
AI Act & Standardization: UNINFO involvementAI Act & Standardization: UNINFO involvement
AI Act & Standardization: UNINFO involvementMimmo Squillace
 
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes", Volodymyr TsapFwdays
 
From Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+PluginsFrom Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+PluginsInflectra
 
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...ISPMAIndia
 
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions...
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions..."How we created an SRE team in Temabit as a part of FOZZY Group in conditions...
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions...Fwdays
 
Power of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdfPower of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdfkatalinjordans1
 
Battle of React State Managers in frontend applications
Battle of React State Managers in frontend applicationsBattle of React State Managers in frontend applications
Battle of React State Managers in frontend applicationsEvangelia Mitsopoulou
 
"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura RochniakFwdays
 
"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys VasylievFwdays
 
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Umar Saif
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stackSummit
 
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Adrian Sanabria
 
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...htrindia
 

Recently uploaded (20)

Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
 
"DevOps Practisting Platform on EKS with Karpenter autoscaling", Dmytro Kozhevin
"DevOps Practisting Platform on EKS with Karpenter autoscaling", Dmytro Kozhevin"DevOps Practisting Platform on EKS with Karpenter autoscaling", Dmytro Kozhevin
"DevOps Practisting Platform on EKS with Karpenter autoscaling", Dmytro Kozhevin
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVA
 
Traffic Signboard Classification with Voice alert to the driver.pptx
Traffic Signboard Classification with Voice alert to the driver.pptxTraffic Signboard Classification with Voice alert to the driver.pptx
Traffic Signboard Classification with Voice alert to the driver.pptx
 
21ST CENTURY LITERACY FROM TRADITIONAL TO MODERN
21ST CENTURY LITERACY FROM TRADITIONAL TO MODERN21ST CENTURY LITERACY FROM TRADITIONAL TO MODERN
21ST CENTURY LITERACY FROM TRADITIONAL TO MODERN
 
Curtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdfCurtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdf
 
"Platform Engineering with Development Containers", Igor Fesenko
"Platform Engineering with Development Containers", Igor Fesenko"Platform Engineering with Development Containers", Igor Fesenko
"Platform Engineering with Development Containers", Igor Fesenko
 
AI Act & Standardization: UNINFO involvement
AI Act & Standardization: UNINFO involvementAI Act & Standardization: UNINFO involvement
AI Act & Standardization: UNINFO involvement
 
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
 
From Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+PluginsFrom Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
 
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...
 
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions...
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions..."How we created an SRE team in Temabit as a part of FOZZY Group in conditions...
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions...
 
Power of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdfPower of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdf
 
Battle of React State Managers in frontend applications
Battle of React State Managers in frontend applicationsBattle of React State Managers in frontend applications
Battle of React State Managers in frontend applications
 
"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak
 
"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev
 
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stack
 
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
 
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
 

XSS Countermeasures in Grails

  • 1. XSS Countermeasures in Grails Rafael Luque @rafael_luque — OSOCO José San Leandro @rydnr — Ventura24
  • 4. XSS concepts • What’s a XSS • XSS Types: Reflected, stored, DOM-based. • Famous XSS attacks: Samy worm, MrBean defacement, ...
  • 5. XSS threats • Interface defacement • Session hijacking • Click hijacking • Malware infection • Your PC may be joined to the horde of zombies in a BotNet.
  • 7. Something more than a joke. . .
  • 11. Exploiting the browser 1. Preparing the exploit server. . .
  • 12. Exploiting the browser 2. Injecting an invisible frame pointing to the exploit server. . .
  • 13. Exploiting the browser 3. Exploit works and executes the payload. . .
  • 14. Exploiting the browser 4. Spawning notepad.exe process to migrate to. . .
  • 20. Welcome to the horde of zombies
  • 21. Joining to a botnet 1. Install the malware. . .
  • 22. Joining to a botnet 2. Welcome to my botnet C&C. . .
  • 23. Responsibilities: Why is this still an issue?
  • 24. Commercial software • XSS is not known for business stakeholders
  • 25. Commercial software • XSS is not known for business stakeholders • For most people, security means attacking your servers
  • 26. Commercial software • XSS is not known for business stakeholders • For most people, security means attacking your servers • Developers don’t pay enough attention
  • 27. Do your homework • Raise awareness
  • 28. Do your homework • Raise awareness • Practice with security tools
  • 29. Do your homework • Raise awareness • Practice with security tools • Promote defensive coding
  • 30. Do your homework • Raise awareness • Practice with security tools • Promote defensive coding • Improve monitoring
  • 34. #1: Built-in default codec grails.views.default.codec
  • 35. #1: Built-in default codec is none! grails.views.default.codec = ’’none’’
  • 36. #1: Built-in default codec is none! Problems You have to escape explicitly every untrusted data: encodeAsHTML() encodeAsJavaScript() encodeAsURL()
  • 37. #1: Built-in default codec is none! Problems High likelihood of XSS vulnerabilities in production. E.g. Grails.org website.
  • 38. #1: Built-in default codec is none! Problems Double-encoding prevention over Security by default.
  • 39. #1: Built-in default codec is none! Solution Change default codec to HTML: grails.views.default.codec = ’’html’’
  • 40. #2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...}
  • 41. #2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...} • Tag: <g:tag .../>
  • 42. #2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...} • Tag: <g:tag .../> • GSP EL in tag attribute: <g:tag a="${...}"/>
  • 43. #2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...} • Tag: <g:tag .../> • GSP EL in tag attribute: <g:tag a="${...}"/> • Tag as a method: ${g.tag(...)}
  • 44. #2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...} • Tag: <g:tag .../> • GSP EL in tag attribute: <g:tag a="${...}"/> • Tag as a method: ${g.tag(...)} • Scriptlets: <%= ... %>
  • 45. #2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...} • Tag: <g:tag .../> • GSP EL in tag attribute: <g:tag a="${...}"/> • Tag as a method: ${g.tag(...)} • Scriptlets: <%= ... %>
  • 46. #3: Tag output is not escaped Problems Review the tags you use to make sure they encode their output or have options for this (e.g. encodeAs attribute).
  • 47. #3: Tag output is not escaped Problems Review the tags from plugins you use.
  • 48. #3: Tag output is not escaped Problems Review the tags you invoke as methods in Controllers.
  • 49. #3: Tag output is not escaped Problems Don’t trust Grails core tags, they have inconsistent behaviour. E.g: <g:fieldValue /> // HTML-encoded <g:message /> // NO HTML-encoded
  • 50. #3: Tag output is not escaped Solutions If tag implementation doesn’t encode, add it explicitly or invoke it as a method inside a GSP expression: <g:message ... encodeAs=’’HTML’’/> ${g.message(...)} g.message(...).encodeAsHTML()
  • 51. #4: g:message doesn’t escape arguments Problems With default codec set to HTML the following XSS attack vector works: <g:message code=’welcome’ args=’[params.user]’/> where: welcome = Hi {0}! params.user = <script>alert(’pwnd’)</script>
  • 52. #4: g:message doesn’t escape arguments Solutions Upgrade to a Grails version with the issue (GRAILS-7170) fixed: 2.0.5, 2.1.5, 2.2.2, 2.3-M1
  • 53. #4: g:message doesn’t escape arguments Solutions Escape explicitly or invoke the tag inside a GSP expression: <g:message code=’welcome’ args=’[params.user]’ encodeAs=’HTML’/> ${g.message(code:’welcome’, args:[params.user])}
  • 54. #5: One codec is not enough You MUST use the escape syntax for the context of the HTML document you’re putting untrusted data into: • HTML • JavaScript • URL • CSS
  • 55. #5: One codec is not enough HTML entity encoding doesn’t work if you’re using untrusted data inside a <script>, or an event handler attribute like onmouseover, or inside CSS, or in a URL.
  • 56. #5: One codec is not enough Problems You can override the default codec for a page, but not to switch the codec for each context: <%@page defaultCodec=’CODEC’ %>
  • 57. #5: One codec is not enough Problems How to manage GSPs with mixed encoding requirements?
  • 58. #5: One codec is not enough Solutions Turn off default codec for that page and use encodeAsJavaScript() and encodeAsHTML() explicitly everywhere.
  • 59. #5: One codec is not enough Solutions Extract the JavaScript fragment to a GSP tag encoding as JavaScript.
  • 61. #1: New configuration more secure by default
  • 62. #1: New configuration more security by default grails { views { gsp { encoding = ’UTF-8’ htmlcodec = ’xml’ // use xml escaping instead of HTML4 codecs { expression = ’html’ // escapes values inside ${} scriptlet = ’html’ // escapes output from scriptlets in GSPs taglib = ’none’ // escapes output from taglibs staticparts = ’none’ // escapes output from static templates } } // escapes all not-encoded output at final stage of outputting filteringCodecForContentType { //’text/html’ = ’html’ } } }
  • 63. #2: Finer-grained control of codecs Control the codecs used per plugin: pluginName.grails.views.gsp.codecs.expression = ’CODEC’
  • 64. #2: Finer-grained control of codecs Control the codecs used per page: <%@ expressionCodec=’CODEC’ %>
  • 65. #2: Finer-grained control of codecs Control the default codec used by a tag library: static defaultEncodeAs = ’HTML’ Or on a per tag basis: static encodeAsForTags = [tagName: ’HTML’]
  • 66. #2: Finer-grained control of codecs Add support for an optional encodeAs attribute to all tags automatically: <my:tag arg=’foo.bar’ encodeAs=’JavaScript’/>
  • 67. #3: Context-sensitive encoding switching Tag withCodec(’CODEC’, Closure) to switch the current default codec, pushing and popping a default codec stack. out.println ’<script type=’’text/javascript’’>’ withCodec(‘‘JavaScript’’) { out << body() } out.println() out.println ’</script>’
  • 68. #3: Context-sensitive encoding switching Core tags like <g:javascript/> and <r:script/> automatically set an appropriate codec.
  • 69. #4: Raw output When you do not wish to encode a value, you can use the raw() method. ${raw(book.title)} It’s available in GSPs, controllers and tag libraries.
  • 70. #5: Default encoding for all output You can configure Grails to encode all output at the end of a response.
  • 71. #5: Default encoding for all output grails { views { gsp { codecs { ... staticparts = ’raw’ // escapes output from static templates } } // escapes all not-encoded output at final stage of outputting filteringCodecForContentType { ’text/html’ = ’html’ } } } If activated, the staticparts codec needs to be set to raw so that static markup is not encoded.
  • 73. Plugins are also part of your application • Grails plugins are not security audited
  • 74. Plugins are also part of your application • Grails plugins are not security audited • Grails plugins are part of your application’s attack surface
  • 75. Plugins are also part of your application • Grails plugins are not security audited • Grails plugins are part of your application’s attack surface • Review plugins to make sure they encode, and if they don’t you should JIRA the authors immediately, and fork and patch to fix your app quickly.
  • 76. E.g. Javamelody vulnerability • CVE-2013-4378 vulnerability reported.
  • 77. E.g. Javamelody vulnerability • CVE-2013-4378 vulnerability reported. • Allows blind XSS attack via X-Forwarded-For header spoofing.
  • 78. E.g. Javamelody vulnerability • CVE-2013-4378 vulnerability reported. • Allows blind XSS attack via X-Forwarded-For header spoofing. • The attack target is the admin’s browser.
  • 79. E.g. Javamelody vulnerability • CVE-2013-4378 vulnerability reported. • Allows blind XSS attack via X-Forwarded-For header spoofing. • The attack target is the admin’s browser. • Fixed in the last release (1.47).
  • 80. E.g. Javamelody vulnerability • CVE-2013-4378 vulnerability reported. • Allows blind XSS attack via X-Forwarded-For header spoofing. • The attack target is the admin’s browser. • Fixed in the last release (1.47). • You should upgrade ASAP.
  • 83. Think like an attacker • According to your grails version
  • 84. Think like an attacker • According to your grails version • Find unescaped values
  • 85. Think like an attacker • According to your grails version • Find unescaped values • Use fuzzers
  • 86. Think like an attacker • According to your grails version • Find unescaped values • Use fuzzers • Read and understand Samy code
  • 87. Think like an attacker • According to your grails version • Find unescaped values • Use fuzzers • Read and understand Samy code • Review OWASP XSS cheatsheets
  • 88. Be aware • Review your Grails app to double-check how all dynamic content gets escaped
  • 89. Be aware • Review your Grails app to double-check how all dynamic content gets escaped • Monitor for suspicious traffic
  • 90. Be aware • Review your Grails app to double-check how all dynamic content gets escaped • Monitor for suspicious traffic • Spread the knowledge
  • 91. Be aware • Review your Grails app to double-check how all dynamic content gets escaped • Monitor for suspicious traffic • Spread the knowledge • Adopt ZAP or similar fuzzers in your CI process
  • 92. Be aware • Review your Grails app to double-check how all dynamic content gets escaped • Monitor for suspicious traffic • Spread the knowledge • Adopt ZAP or similar fuzzers in your CI process • Review available security plugins for Grails
  • 93. Application firewalls • Enable common, safe rules
  • 94. Application firewalls • Enable common, safe rules • Log unexpected traffic
  • 95. Application firewalls • Enable common, safe rules • Log unexpected traffic • Don’t fool yourself
  • 96. Early-adopt CSP • CSP: Content Security Policy
  • 97. Early-adopt CSP • CSP: Content Security Policy • Adds headers to disable default behavior
  • 98. Early-adopt CSP • CSP: Content Security Policy • Adds headers to disable default behavior • inline Javascript
  • 99. Early-adopt CSP • CSP: Content Security Policy • Adds headers to disable default behavior • inline Javascript • dynamic code evaluation
  • 100. Early-adopt CSP • CSP: Content Security Policy • Adds headers to disable default behavior • inline Javascript • dynamic code evaluation • Still a Candidate Recommendation of W3C
  • 102. Grails • Is able to defend our application from XSS attacks
  • 103. Grails • Is able to defend our application from XSS attacks • But we need to pay attention to the details
  • 104. Grails • Is able to defend our application from XSS attacks • But we need to pay attention to the details • Upgrade to 2.3 ASAP
  • 105. Grails • Is able to defend our application from XSS attacks • But we need to pay attention to the details • Upgrade to 2.3 ASAP • Pay attention to XSS
  • 106. XSS • Is much more dangerous than defacement jokes
  • 107. XSS • Is much more dangerous than defacement jokes • The browsers are the actual target
  • 108. XSS • Is much more dangerous than defacement jokes • The browsers are the actual target • Difficult to monitor
  • 109. XSS • Is much more dangerous than defacement jokes • The browsers are the actual target • Difficult to monitor • Unconfortable counter-measures in the browser: NoScript, Request Policy
  • 110. Wake up • Write secure applications by default
  • 111. Wake up • Write secure applications by default • Get yourself used with Metasploit, Burp, ZAP
  • 112. Wake up • Write secure applications by default • Get yourself used with Metasploit, Burp, ZAP • Spread the word both horizontally and vertically
  • 113. Picture credits • Cover: http://www.flickr.com/photos/usairforce/ CC by-nc • White rabbit: http://www.flickr.com/photos/alles-banane/5849593440 CC by-sa-nc • Hieroglyphs: http://www.flickr.com/photos/59372146@N00 CC by-sa-nc • Zombies: http://www.flickr.com/photos/aeviin/4986897433 CC by-sa-nc
  • 114. XSS Countermeasures in Grails Rafael Luque @rafael_luque — OSOCO José San Leandro @rydnr — Ventura24