Be Afraid, Be Very Afraid
JavaScript Security, XSS, CSRF and Clickjacking
Mark Stanton - Gruden
Definitions
•  XSS – Cross Site Scripting
•  CSRF – Cross Site Request Forgery
Cross Site Scripting
Cross Site Scripting: MySpace
How Samy became very popular
Samy’s script made everyone who viewed his profile:
•  Add him as a friend
•  Embed the script in their profiles
How did it work?
<div id="mycode" style="background:url('java
script:eval(document.all.mycode.expr)')" expr="...lots of JS here...">



•  JS inside CSS URL
•  Line break in the word “javascript”
•  Evaluation of an expression
Cross Site Scripting
What is Cross Site Scripting?
•  Untrusted data enters the system
    –  URL, Form or Cookie data
    –  HTTP Header
    –  Syndicated feed
    –  other offline system
•  Data then presented to the user & executed in their browser
•  Interferes with the intended interaction between a user and a site
Cross Site Scripting
How is it possible?
•  Browser environment is insecure by design
    –  Multiple contexts, multiple parsers
         –  XML, HTML, CSS, JavaScript, DOM, Cookie, URI, VBScript
         –  All interacting in semi-structured ways
•  This is also what makes AJAX and Web 2.0 mash-ups so powerful
Cross Site Scripting
Context Switching
•  HTML to JS
    <script>alert('XSS')</script>
    <body onload=alert('XSS')>

•  URL to JS
    <iframe src=javascript:alert('XSS')>

•  CSS to JS
    background:url(javascript:alert('XSS'))
Cross Site Scripting
Same-origin Policy
•  Prevents a document from one site setting or getting properties of a document from another
•  Same origin means same protocol, port and host
•  So if I frame another site - I can’t modify or read it
Cross Site Scripting
But...
•  Included JS runs in the context of the current page
•  Scripts running in the page context have “root” access to a site
Cross Site Scripting
What can happen if an attacker gets a script on your page?
•  Perform actions against the website as if they were the user
•  Read the contents of pages and cookies
•  Control the display & show fake content to the user
•  Send information to any server in the world
•  Request additional scripts from anywhere
Cross Site Scripting
What can happen if an attacker gets a script on your page?
•  SSL is no protection
•  Logins are no protection
Cross Site Scripting: Demo
What happened?
•  Cookies stolen
•  Interface vandalised
•  Users prompted to download malware
•  DB poisoned - other users affected
Cross Site Request Forgery
Cross Site Request Forgery: GMail
GMail vulnerability used to steal a domain
•  User visits evil site while logged into GMail
•  Evil site POSTs to GMail creating a new filter
•  Filter forwards all mail to attacker and deletes mail
•  Attacker initiates domain transfer process
Cross Site Request Forgery
Session riding
•  Uses persistent sessions to execute actions against a service
•  Many Web 2.0 services are vulnerable
Clickjacking
Clickjacking
UI Redressing
•  User is tricked into inadvertent actions
    –  A dummy button is shown, then the target page is loaded over the top in a transparent iframe
    –  User thinks they are clicking the dummy button, but is interacting with a site they can't see
Clickjacking: Twitter
Don’t Click
•  Mischievous page loads transparent iframe containing Twitter post
•  User shown a button saying "Don't Click"
•  Click takes place in iframe and results in tweet being sent
•  Grows exponentially
•  Twitter implements frame buster
Solutions
Solutions
Sanitise Input
•  Whitelists
    –  Allow <strong>, <em> and <br> only
    –  Does help, but not 100%
•  Blacklists
    –  Block <script> and friends
    –  Extremely common attack vector
    –  Extremely difficult to block most attacks
    –  Coldfusion’s XSS protection = FAIL!
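To make the whitelist-versus-blacklist point concrete, here is an added example (not code from the slides): an allow-list sanitiser that permits only `<strong>`, `<em>` and `<br>` by escaping everything and re-enabling just those exact attribute-free tags, beside a block-list filter that strips `<script>` and nothing else. The function names are assumed for this demo; the inputs are the slides' own payload shapes.

```javascript
// Added example, not from the slides. Function names are assumed.

// Escape the five characters that mean something to the HTML parser.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Allow-list strategy: escape everything first, then re-enable only the exact
// tags we permit. A tag carrying attributes (<em class="x">) never matches the
// re-enable pattern, so it stays escaped and harmless.
function sanitiseAllowList(input) {
  let out = escapeHtml(input);
  for (const tag of ['strong', 'em']) {
    out = out
      .replace(new RegExp(`&lt;${tag}&gt;`, 'gi'), `<${tag}>`)
      .replace(new RegExp(`&lt;/${tag}&gt;`, 'gi'), `</${tag}>`);
  }
  return out.replace(/&lt;br\s*\/?&gt;/gi, '<br>');
}

// Block-list strategy: remove <script> tags and pass everything else through.
// This is the "block <script> and friends" approach from the slide.
function sanitiseBlockList(input) {
  return String(input).replace(/<\/?script[^>]*>/gi, '');
}

// Constructed samples built from the slides' own examples.
const samples = [
  "<strong>hi</strong><script>alert('XSS')</script>",
  "<body onload=alert('XSS')>",
  '<em class="x">y</em><br/>',
];

for (const s of samples) {
  console.log('input     :', s);
  console.log('allow-list:', sanitiseAllowList(s));
  console.log('block-list:', sanitiseBlockList(s));
}
```

The block-list passes the `<body onload=...>` payload through untouched, which is exactly the "does help, but not 100%" problem; the allow-list output is inert for all three inputs because anything it did not explicitly re-enable is still entity-encoded.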
Solutions
Escape Output
•  HTML Entity Encoding - HTMLEditFormat()
•  Doesn’t always work
    –  In <script>
    –  In onmouseover=
    –  In CSS
    –  In URLs
•  Need to be aware of your context
Solutions
The OWASP ESAPI
•  5 Rules for escaping output
    #1 - HTML Escape before inserting into element content
    #2 - Attribute Escape before inserting into attributes
    #3 - JavaScript Escape before inserting into JavaScript data values
    #4 - CSS Escape before inserting into style property values
    #5 - URL Escape before inserting into URL attributes
•  Java API that implements these rules
•  100% safe?
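The "Escape Output" and ESAPI slides say the same thing from two angles: the encoder has to match the parser the data ends up in. The following is an added example, not code from the slides and not OWASP ESAPI itself: one small encoder per context following the five rules above, a model of an HTML-only encoder that handles just `& < > "` (assumed here to be what `HTMLEditFormat()` covers), and a check showing why that HTML-only encoding is not enough inside a JavaScript string or an unquoted attribute. All function names are assumed.

```javascript
// Added example, not from the slides and not ESAPI. Names are assumed.

// Rule 1: element content.
function encodeForHTML(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Rule 2: attribute values. Encode everything non-alphanumeric so the value
// cannot terminate the attribute even if the template forgot the quotes.
function encodeForHTMLAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => `&#x${c.charCodeAt(0).toString(16).toUpperCase()};`);
}

// Rule 3: JavaScript string literals. HTML entities are never decoded inside
// <script>, so JS escapes (\xHH / \uHHHH) are the right tool here.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? `\\x${code.toString(16).padStart(2, '0')}`
      : `\\u${code.toString(16).padStart(4, '0')}`;
  });
}

// Rule 4: CSS property values. A CSS escape is \HH followed by a space.
function encodeForCSS(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `\\${c.charCodeAt(0).toString(16)} `);
}

// Rule 5: URL parameter values.
function encodeForURL(s) {
  return encodeURIComponent(String(s));
}

// Model of an HTML-only encoder covering just & < > " (assumption: this is
// what HTMLEditFormat() does). Adequate in element content, not elsewhere.
function htmlEditFormat(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return String(s).replace(/[&<>"]/g, (c) => map[c]);
}

// A template that picks the encoder by sink: the same untrusted value lands in
// five different parsers and is escaped for each one.
function renderProfile(name) {
  return [
    `<h1>${encodeForHTML(name)}</h1>`,
    `<input value="${encodeForHTMLAttribute(name)}">`,
    `<script>var who = '${encodeForJavaScript(name)}';</script>`,
    `<div style="font-family:${encodeForCSS(name)}"></div>`,
    `<a href="/search?q=${encodeForURL(name)}">find</a>`,
  ].join('\n');
}

// True if the encoded value still holds a raw single quote (ends a single-quoted
// JS string) or raw whitespace (ends an unquoted attribute value): the encoder
// was the wrong one for that context.
function leavesContextBreakers(encoded) {
  return /['\s]/.test(encoded);
}

// Constructed sample input in the shape of the slides' own payloads.
const sample = "' onmouseover=alert('XSS') x='";
console.log(renderProfile(sample));
console.log('HTML-only encoding safe in JS/attribute context?',
  !leavesContextBreakers(htmlEditFormat(sample)));
console.log('Context-specific encoding safe there?',
  !leavesContextBreakers(encodeForJavaScript(sample)));
```

The takeaway matches the "Need to be aware of your context" bullet: `htmlEditFormat` leaves the quote and the spaces in place, so dropped into `onmouseover=` or a `<script>` string it is no protection at all, while the per-context encoders leave nothing the target parser can misinterpret.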
Solutions
The OWASP ESAPI
<cfset ESAPI = createObject('Java','org.owasp.esapi.ESAPI')>

<cfsavecontent variable="evilString">
<div id="mycode" style="background:url('java
script:eval(document.all.mycode.expr)')" expr="alert('XSSed')">
</cfsavecontent>

<cfoutput>
#evilString#
#ESAPI.encoder().encodeForHTML(evilString)#
#ESAPI.encoder().encodeForHTMLAttribute(evilString)#
#ESAPI.encoder().encodeForCSS(evilString)#
#ESAPI.encoder().encodeForJavaScript(evilString)#
#ESAPI.encoder().encodeForURL(evilString)#
</cfoutput>
Solutions
Minimise Attack Surface
•  Don’t allow GET to modify data
•  Strict server-side validation of all input
•  Check referrer
•  Use transaction tokens or “crumbs” - derived from timestamp & user id
•  Double submit cookies
•  Use frame busting scripts
•  Short session timeouts / in-memory cookies
Solutions
Design for a breach
•  Assume some portion of your users’ accounts will be hijacked at some point
•  What if a user's email account is hacked?
•  Forgotten password functions should use a secret question
•  Two factor authentication where appropriate
•  Can you rollback or recover?
•  Do you have an audit trail?
Solutions
Think very carefully about 3rd party scripts
•  Google Analytics
•  Hosted Libraries
•  Digg
•  AddThis

Would you give Telstra the keys to your house?
What about your cleaner?
Solutions
Must allow untrusted 3rd party JavaScript?
Use safe sub-sets:
•  Adsafe
•  Caja
Solutions
Browsers are getting better
•  Many exploits depend on bugs in browser parsers
•  Holes are being rapidly closed
•  IE6 is still horribly broken and has market share
Using Flash and PDF?
They each have their own issues to consider
•  Certain versions of Acrobat Reader have serious vulnerabilities
    http://path/to/pdf/file.pdf#foo=javascript:code_here


•  Flash also has some potential weak points, such as a wide-open cross-domain policy:
    <cross-domain-policy>
       <allow-access-from domain="*"/>
    </cross-domain-policy>
Conclusion
•  A lot of responsibility lies with developers
•  Use a holistic, multi-pronged approach
Thanks
Links
•  http://blog.gruden.com/category/js-security
•  http://delicious.com/markstanton/js-security
•  http://twitter.com/MarkStanto




Thanks to pierre_tourigny (http://www.flickr.com/photos/pierre_tourigny/367078204/)

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 

Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF

  • 1. Be Afraid, Be Very Afraid
    JavaScript Security, XSS, CSRF and Clickjacking
    Mark Stanton - Gruden
  • 2. Definitions
    •  XSS – Cross Site Scripting
    •  CSRF – Cross Site Request Forgery
  • 4. Cross Site Scripting: MySpace
    How Samy became very popular
    Samy’s script made everyone who viewed his profile:
    •  Add him as a friend
    •  Embed the script in their profiles
  • 10. Cross Site Scripting: MySpace
    How did it work?
    <div id="mycode" style="background:url('java
    script:eval(document.all.mycode.expr)')" expr="...lots of JS here..." >
    •  JS inside CSS URL
    •  Line break in the word “javascript”
    •  Evaluation of an expression
  • 11. Cross Site Scripting
    What is Cross Site Scripting?
    •  Untrusted data enters the system
        –  URL, Form or Cookie data
        –  HTTP Header
        –  Syndicated feed
        –  other offline system
    •  Data then presented to the user & executed in their browser
    •  Interferes with the intended interaction between a user and a site
  • 12. Cross Site Scripting
    How is it possible?
    •  Browser environment is insecure by design
        –  Multiple contexts, multiple parsers
            –  XML, HTML, CSS, JavaScript, DOM, Cookie, URI, VBScript
            –  All interacting in semi-structured ways
    •  This makes AJAX and Web 2.0 Mash ups so powerful
  • 13. Cross Site Scripting
    Context Switching
    •  HTML to JS
        <script>alert('XSS')</script>
        <body onload=alert('XSS')>
    •  URL to JS
        <iframe src=javascript:alert('XSS')>
    •  CSS to JS
        background:url(javascript:alert('XSS'))
  • 14. Cross Site Scripting
    Same-origin Policy
    •  Prevents document from one site setting or getting properties of a document from another
    •  Same origin means same protocol, port and host
    •  So if I frame another site - I can’t modify or read it
  • 15. Cross Site Scripting
    But...
    •  Included JS runs in the context of the current page
    •  Scripts running in the page context have “root” access to a site
  • 16. Cross Site Scripting
    What can happen if an attacker gets a script on your page?
    •  Perform action against website as if they are the user
    •  Read the contents of pages and cookies
    •  Control the display & show fake content to user
    •  Send information to any server in the world
    •  Request additional scripts from anywhere
  • 17. Cross Site Scripting
    What can happen if an attacker gets a script on your page?
    •  SSL is no protection
    •  Logins are no protection
  • 34. Cross Site Scripting: Demo
    What happened?
    •  Cookies stolen
    •  Interface vandalised
    •  Users prompted to download malware
    •  DB poisoned - other users affected
  • 36. Cross Site Request Forgery: GMail
    GMail vulnerability used to steal a domain
    •  Visits evil site while logged into GMail
    •  Evil site POSTs to GMail creating a new filter
    •  Filter forwards all mail to attacker and deletes mail
    •  Attacker initiates domain transfer process
  • 37. Cross Site Request Forgery
    Session riding
    •  Uses persistent sessions to execute actions against a service
    •  Many Web 2.0 services are vulnerable
  • 39. Clickjacking
    UI Redressing
    •  User is tricked into inadvertent actions
        –  A dummy button is shown, then target page is loaded over the top in a transparent iframe
        –  User thinks they are clicking the dummy button, but are interacting with a site they can’t see
  • 40. Clickjacking: Twitter
    Don’t Click
    •  Mischievous page loads transparent iframe containing Twitter post
    •  User shown a button saying “Don’t Click”
    •  Click takes place in iframe and results in tweet being sent
    •  Grows exponentially
    •  Twitter implements frame buster
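Slides 39 and 40 describe the transparent-iframe trick and note that Twitter's fix was a frame buster. The following is an added JavaScript example, not code from the talk or from Twitter, showing the two defensive halves a site would deploy: the response headers that tell a browser not to frame the page, and an in-page guard for browsers that ignore them. It assumes the page's <body> starts with style="display:none" in the HTML, and that win and doc are the page's window and document (plain mock objects when run under Node).

```javascript
// Added example: clickjacking defence, server and client side. Node.js, no
// dependencies. Not code from the talk.

// Server side: headers that make browsers refuse to frame the page.
// CSP frame-ancestors is the current mechanism. X-Frame-Options is still sent
// for the two cases it can express (DENY and SAMEORIGIN); its ALLOW-FROM form
// is obsolete, so a partner allowlist relies on CSP alone.
function antiFramingHeaders(allowedAncestors) {
  for (const a of allowedAncestors) {
    // Only 'self' or a concrete origin; a wildcard would re-open the hole.
    if (a !== "'self'" && !/^https?:\/\/[^\s\/*]+$/.test(a)) {
      throw new Error("frame-ancestors entry must be 'self' or an origin: " + a);
    }
  }
  const headers = {
    "Content-Security-Policy":
      "frame-ancestors " + (allowedAncestors.length ? allowedAncestors.join(" ") : "'none'"),
  };
  if (allowedAncestors.length === 0) {
    headers["X-Frame-Options"] = "DENY";
  } else if (allowedAncestors.length === 1 && allowedAncestors[0] === "'self'") {
    headers["X-Frame-Options"] = "SAMEORIGIN";
  }
  return headers;
}

// Client side: the frame-guard pattern. The body is hidden by default and is
// only revealed once the script confirms it is the top-level document. If the
// page is framed, the top window is navigated to the real page. Hiding first
// matters: even when the navigation is blocked by the framing page, the user
// is never left with an invisible but clickable UI.
function frameGuard(win, doc) {
  if (win.self === win.top) {
    doc.body.style.display = "block";
    return "shown";
  }
  win.top.location = win.self.location;
  return "busted";
}
```

The guard should be placed in the document head, before any interactive markup, so that nothing is clickable before it runs.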
  • 42. Solutions
    Sanitise Input
    •  Whitelists
        –  Allow <strong>, <em> and <br> only
        –  Does help, but not 100%
    •  Blacklists
        –  Block <script> and friends
        –  Extremely common attack vector
        –  Extremely difficult to block most attacks
        –  Coldfusion’s XSS protection = FAIL!
  • 43. Solutions
    Escape Output
    •  HTML Entity Encoding - HTMLEditFormat()
    •  Doesn’t always work
        –  In <script>
        –  In onmouseover=
        –  In CSS
        –  In URLs
    •  Need to be aware of your context
  • 44. Solutions
    The OWASP ESAPI
    •  5 Rules for escaping output
        #1 - HTML Escape before inserting into element content
        #2 - Attribute Escape before inserting into attributes
        #3 - JavaScript Escape before inserting into JavaScript data values
        #4 - CSS Escape before inserting into style property values
        #5 - URL Escape before inserting into URL attributes
    •  Java API that implements these rules
    •  100% safe?
  • 45. Solutions
    The OWASP ESAPI
    <cfset ESAPI = createObject('Java','org.owasp.esapi.ESAPI')>
    <cfsavecontent variable="evilString">
      <div id="mycode" style="background:url('java
      script:eval(document.all.mycode.expr)')" expr="alert('XSSed')">
    </cfsavecontent>
    <cfoutput>
      #evilString#
      #ESAPI.encoder().encodeForHTML(evilString)#
      #ESAPI.encoder().encodeForHTMLAttribute(evilString)#
      #ESAPI.encoder().encodeForCSS(evilString)#
      #ESAPI.encoder().encodeForJavascript(evilString)#
      #ESAPI.encoder().encodeForURL(evilString)#
    </cfoutput>
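Slides 42 to 45 make three points: an allowlist of a few tags helps, entity encoding alone fails in attribute, script, CSS and URL contexts, and the answer is one encoder per context. The JavaScript below is an added example (not code from the talk and not the ESAPI library; function names are this example's own) that implements the five rules in ESAPI's style, does the <strong>/<em>/<br> allowlist the safe way round, and reproduces slide 43's onmouseover= case. The browser's decoding of an event-handler attribute is simulated by a small decoder constructed for the example.

```javascript
// Added example: context-aware output escaping and a tag allowlist.
// Node.js, no dependencies. Not ESAPI's code; names are this example's own.

// Rule 1: element content. Entity-encode the six characters that can change
// the HTML parser's state.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};
function escapeForHTML(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}

// Rule 2: attribute values. Everything outside [A-Za-z0-9] becomes a numeric
// entity, so the value cannot close the attribute even when it is unquoted.
function escapeForAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => "&#x" + c.charCodeAt(0).toString(16).toUpperCase() + ";");
}

// Rule 3: JavaScript string data. \xHH (or \uHHHH) so no character can end
// the string literal or the enclosing <script> element.
function escapeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).toUpperCase().padStart(2, "0")
      : "\\u" + code.toString(16).toUpperCase().padStart(4, "0");
  });
}

// Rule 4: CSS property values. A CSS escape is backslash, hex digits, space.
function escapeForCSS(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => "\\" + c.charCodeAt(0).toString(16).toUpperCase() + " ");
}

// Rule 5: URL parameter values. This covers a single component only; the
// scheme of any user-influenced URL still needs its own allowlist check.
function escapeForURL(s) {
  return encodeURIComponent(String(s));
}

// Slide 42's whitelist, done safely: escape everything, then restore only the
// exact literal tags on the list. "<strong onclick=...>" is not on the list,
// so no attribute ever survives.
const ALLOWED_TAGS = ["<strong>", "</strong>", "<em>", "</em>", "<br>"];
function sanitiseAllowlist(html) {
  let out = escapeForHTML(html);
  for (const tag of ALLOWED_TAGS) out = out.split(escapeForHTML(tag)).join(tag);
  return out;
}

// Slide 43's caveat: the browser HTML-decodes an event-handler attribute
// before the JavaScript parser sees it. This minimal decoder stands in for
// that browser step (constructed for the example; not a full HTML parser).
const NAMED_ENTITIES = { quot: '"', lt: "<", gt: ">", amp: "&", apos: "'" };
function decodeAttributeEntities(s) {
  return s.replace(/&(#[xX][0-9A-Fa-f]+|#[0-9]+|quot|lt|gt|amp|apos);/g,
    (_, body) => {
      if (body[0] !== "#") return NAMED_ENTITIES[body];
      const hex = body[1] === "x" || body[1] === "X";
      return String.fromCharCode(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    });
}

// The JavaScript the handler actually runs when `value` is written into
// onmouseover="show('<value>')". Rule 1 on its own is undone by the decode
// step; rule 3 followed by rule 2 survives it.
function jsSeenByHandler(value, contextAware) {
  const attr = contextAware
    ? escapeForAttribute(escapeForJavaScript(value))
    : escapeForHTML(value);
  return "show('" + decodeAttributeEntities(attr) + "')";
}
```

The ordering in jsSeenByHandler is the practical lesson of slide 44: encoders are applied inside-out, innermost context first (JavaScript), then the context that wraps it (the HTML attribute), and the browser unwraps them in the reverse order.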
  • 46. Solutions
    Minimise Attack Surface
    •  Don’t allow GET to modify data
    •  Strict server-side validation of all input
    •  Check referrer
    •  Use transaction tokens or “crumbs” - derived from timestamp & user id
    •  Double submit cookies
    •  Use frame busting scripts
    •  Short session timeouts / in-memory cookies
  • 47. Solutions
    Design for a breach
    •  Assume some portion of your users’ accounts will be hijacked at some point
    •  What if a user’s email account is hacked?
    •  Forgotten password functions should use secret question
    •  Two factor authentication where appropriate
    •  Can you rollback or recover?
    •  Do you have an audit trail?
  • 48. Solutions
    Think very carefully about 3rd party scripts
    •  Google Analytics
    •  Hosted Libraries
    •  Digg
    •  AddThis
    Would you give Telstra the keys to your house? What about your cleaner?
  • 49. Solutions
    Must allow untrusted 3rd party JavaScript? Use safe sub-sets:
    •  Adsafe
    •  Caja
  • 50. Solutions
    Browsers are getting better
    •  Many exploits depend on bugs in browser parsers
    •  Holes are being rapidly closed
    •  IE6 is still horribly broken and has market share
  • 51. Using Flash and PDF?
    They each have their own issues to consider
    •  Certain versions of the Acrobat Reader have serious vulnerabilities
        http://path/to/pdf/file.pdf#foo=javascript:code_here
    •  Flash also has some potential weak points:
        <cross-domain-policy>
          <allow-access-from domain="*"/>
        </cross-domain-policy>
  • 52. Conclusion
    •  A lot of responsibility lies with developers
    •  Use a holistic, multi-pronged approach
  • 53. Thanks
    Links
    •  http://blog.gruden.com/category/js-security
    •  http://delicious.com/markstanton/js-security
    •  http://twitter.com/MarkStanto
    Thanks to pierre_tourigny (http://www.flickr.com/photos/pierre_tourigny/367078204/)