Uploaded byjpubal
3,351 views

Convincing Developers to take Cross-Site Scripting Seriously

This document discusses cross-site scripting (XSS) vulnerabilities. XSS allows attackers to inject malicious scripts into vulnerable websites that are then executed by users' browsers. The document outlines different types of XSS, provides examples of real-world attacks, and discusses techniques for detecting and preventing XSS like input validation, output encoding, and using security libraries. It also suggests ways to effectively report XSS vulnerabilities to developers, including exploiting the vulnerability to demonstrate impact and using social engineering strategies that appeal to developers' priorities and incentives.

Embed presentation

Cross-Site Scripting Getting Developers to Take XSS Seriously Use Social Engineering to Enhance Your Vulnerability Reporting XSS
XSS Contact Information Jason Pubal Website Social www.intellavis.com/blog http://www.linkedin.com/in/pubal E-mail http://www.twitter.com/pubal jpubal@gmail.com
XSS Cross-Site Scripting Outline What is XSS? XSS History Detecting XSS Preventing XSS Reporting Tricks
XSS Cross-Site Scripting Cross Site Scripting (XSS) is an attack against the user of a website. It •account hijacking is a technique that forces a website to display malicious code, which •rewrite portions of the page then executes in the user’s web browser. The attacker uses a •log keystrokes vulnerable website to send malicious code to another end user of the site. The vulnerability arises when the website takes data in some •steal browser information way from a user and dynamically includes it in a web page without •Steal client machine data first validating that data. •attack the user’s network
XSS
XSS Persistent Cross-Site Scripting
XSS Reflected Cross-Site Scripting
XSS Websites with Cross-Site Scripting WhiteHat Website Security Statistic Report, Winter 2011
XSS Attacks Using Cross-Site Scripting Web Hacking Incident Database
XSS Real World Examples Hacker Redirects Barack Obama’s site to hillaryclinton.com During the 2008 democratic primaries, XSS in Obama’s website was exploited to redirect visitors to Hillary Clinton’s website. Users who went to Obama’s community blog were instead taken to www.hillaryclinton.com. Apache.org hit by targeted XSS attack, passwords compromised A targeted attack against JIRA admins used XSS to steal administrative cookies. Using those privileges, they installed backdoors and scripts to collect passwords at login. Thanks to people’s tendency to use the same password on several websites and applications, the attacker was able to use those credentials get root access to other servers. New XSS Facebook Worm Allows Automatic Wall Posts An XSS in the Facebook’s mobile API allowed a maliciously prepared iframe element containing JavaScript to post to user’s walls.
XSS History of Cross-Site Scripting
XSS Samy “I’m sorry MySpace and FOX. I love you guys, all the great things MySpace provides, and all the great shows FOX has, my favorite being Nip/Tuck. Oh wait, Nip/Tuck is FX? My bad, but FOX, I’m sure you still have some good stuff. But maybe you should start picking up Nip/Tuck reruns? Just a thought. I’m kidding! Please don’t sue me.”
XSS Samy Fastest Spreading Worm in History
XSS JavaScript Malware Cross Site Scripting (XSS) is an attack against the user of a website. It •account hijacking is a technique that forces a website to display malicious code, which •rewrite portions of the page then executes in the user’s web browser. The attacker uses a •log keystrokes vulnerable website to send malicious code to another end user of the site. The vulnerability arises when the website takes data in some •steal browser information way from a user and dynamically includes it in a web page without •Steal client machine data first validating that data. •attack the user’s network •ANYTHING A USER CAN DO OR ACCESS FROM THE BROWSER!
XSS Manual Testing <SCRIPT>alert(„XSS‟)</SCRIPT> XSS Cheat-Sheet: http://ha.ckers.org/xss.html OWASP Broken Web Applications (Vulnerable Applications to Hack): https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
XSS Browser Plugins
XSS Web Application Vulnerability Scanners
XSS Web Application Vulnerability Scanners
XSS Preventing Cross-Site Scripting https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet Input Validation Output Encoding / Escaping Accept known good (whitelist) Characters will still render in a browser Reject known bad (blacklist) correctly; escaping simply lets the interpreter Sanitize (change input to acceptable format) know the data is not meant to be executed. &  &amp; <  &lt; >  &gt; "  &quot; '  &#x27; /  &#x2F;
XSS Preventing Cross-Site Scripting Use Libraries ESAPI – https://www.owasp.org/index.php/ESAPI MS Anti-XSS Library - http://wpl.codeplex.com
XSS Cross-Site Scripting Reporting Seriously? The value of the search_txt request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload <script>alert(XSS)</script> was submitted in the search_txt parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
XSS Browser Exploitation Framework (BeEF) http://beefproject.com/
XSS Cross-Site Scripting Exploitation
XSS Socially Engineering your Report Exploit the Vulnerability! Report the Impact!
XSS Socially Engineering your Report Exploit the Vulnerability! Report the Impact!
XSS Socially Engineering your Report Exploit the Vulnerability! Report the Impact!
XSS Copy Machine Experiment The Power of “Because” “May I use the Xerox machine?” Giving no reason - 60% “May I use the Xerox machine, because I have to make copies?” Giving no real reason - 93% “May I use the Xerox machine, because I’m in a rush?” Giving a reason - 94%
XSS Commander’s Intent Give Them a Reason!
XSS Bystander Apathy Assign a JIRA Ticket!
XSS Contrast Frame NLP The Ponemon Institute puts the cost per record of a breach at $214, with an average cost of 7.2 million dollars. By contrast, a week of development time seems cheap. Options 1 - $5,000 95% Effective 2 - $500 80% Effective
XSS Herd Effect You‟re all sheep. Best Practices Amazon and Facebook employ CAPTCHA 93% of Websites in our Industry use Input Validation
XSS Pygmalion Effect Clearly Communicate Expectations
XSS Metrics If you want to improve something, measure it. Measure to see if what you're doing is working. If not, try something else.
THANK YOU Questions?!

More Related Content

PPTX
Cross Site Scripting ( XSS)
byAmit Tyagi
 
PDF
Cross Site Scripting Going Beyond the Alert Box
byAaron Weaver
 
KEY
Stateless Anti-Csrf
byjohnwilander
 
PDF
Grey H@t - Cross-site Request Forgery
byChristopher Grayson
 
PPTX
Understanding dom based xss
byPotato
 
PPTX
Identifying XSS Vulnerabilities
byn|u - The Open Security Community
 
PDF
Understanding CSRF
byPotato
 
PPTX
Xss (cross site scripting)
byvinayh.vaghamshi _
 
Cross Site Scripting ( XSS)
byAmit Tyagi
 
Cross Site Scripting Going Beyond the Alert Box
byAaron Weaver
 
Stateless Anti-Csrf
byjohnwilander
 
Grey H@t - Cross-site Request Forgery
byChristopher Grayson
 
Understanding dom based xss
byPotato
 
Identifying XSS Vulnerabilities
byn|u - The Open Security Community
 
Understanding CSRF
byPotato
 
Xss (cross site scripting)
byvinayh.vaghamshi _
 

What's hot

PPT
Cross Site Request Forgery Vulnerabilities
byMarco Morana
 
PPT
Cross Site Request Forgery
byTony Bibbs
 
PDF
Xss frame work
byNgọc Liệu Nguyễn
 
PPTX
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
bySamvel Gevorgyan
 
PPTX
A8 cross site request forgery (csrf) it 6873 presentation
byAlbena Asenova-Belal
 
PDF
When Ajax Attacks! Web application security fundamentals
bySimon Willison
 
PDF
Owasp eee 2015 csrf
byAurelijus Stanislovaitis
 
PPTX
CSRF Attack and Its Prevention technique in ASP.NET MVC
bySuvash Shah
 
PPTX
VodQA3_PenetrationTesting_AmitDhakkad
byvodQA
 
PPTX
Web security landscape Unit 3 part 2
byDr. SURBHI SAROHA
 
PPTX
Understanding Cross-site Request Forgery
byDaniel Miessler
 
PPT
Xss is more than a simple threat
byAvădănei Andrei
 
PPTX
Introduction to CSRF Attacks & Defense
bySurya Subhash
 
PDF
CSRF Basics
byn|u - The Open Security Community
 
PPTX
Cross Site Request Forgery (CSRF) Scripting Explained
byValency Networks
 
PPTX
Web application security for java (XSS,Session Fixation)
byRitesh Raushan
 
PDF
XSS Exploitation
byHacking Articles
 
PPTX
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
byNilesh Sapariya
 
KEY
Introduction to web security @ confess 2012
byjakobkorherr
 
PDF
A4 A K S H A Y B H A R D W A J
bybhardwajakshay
 
Cross Site Request Forgery Vulnerabilities
byMarco Morana
 
Cross Site Request Forgery
byTony Bibbs
 
Xss frame work
byNgọc Liệu Nguyễn
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
bySamvel Gevorgyan
 
A8 cross site request forgery (csrf) it 6873 presentation
byAlbena Asenova-Belal
 
When Ajax Attacks! Web application security fundamentals
bySimon Willison
 
Owasp eee 2015 csrf
byAurelijus Stanislovaitis
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
bySuvash Shah
 
VodQA3_PenetrationTesting_AmitDhakkad
byvodQA
 
Web security landscape Unit 3 part 2
byDr. SURBHI SAROHA
 
Understanding Cross-site Request Forgery
byDaniel Miessler
 
Xss is more than a simple threat
byAvădănei Andrei
 
Introduction to CSRF Attacks & Defense
bySurya Subhash
 
CSRF Basics
byn|u - The Open Security Community
 
Cross Site Request Forgery (CSRF) Scripting Explained
byValency Networks
 
Web application security for java (XSS,Session Fixation)
byRitesh Raushan
 
XSS Exploitation
byHacking Articles
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
byNilesh Sapariya
 
Introduction to web security @ confess 2012
byjakobkorherr
 
A4 A K S H A Y B H A R D W A J
bybhardwajakshay
 

Similar to Convincing Developers to take Cross-Site Scripting Seriously

KEY
Cross Site Scripting - Mozilla Security Learning Center
byMichael Coates
 
PPTX
Cross-Site Scripting (XSS)
byDaniel Tumser
 
PPTX
Cross Site Scripting
byAli Mattash
 
DOCX
logout.php Session Data after Logout Username Email . $_.docx
bysmile790243
 
PDF
XSS.pdf
byOkan YILDIZ
 
PDF
XSS.pdf
byOkan YILDIZ
 
PPTX
Reflective and Stored XSS- Cross Site Scripting
byInMobi Technology
 
PDF
Introduction to Cross Site Scripting ( XSS )
byIrfad Imtiaz
 
PDF
The Cross Site Scripting Guide
byDaisuke_Dan
 
DOC
HallTumserFinalPaper
byDaniel Tumser
 
PDF
Complete xss walkthrough
byAhmed Elhady Mohamed
 
PDF
Appsec XSS Case Study
byMohamed Ridha CHEBBI, CISSP
 
PPTX
Cross site scripting
bykinish kumar
 
PDF
xss-100908063522-phpapp02.pdf
byyashvirsingh48
 
PPTX
Cross site scripting XSS
byRonan Dunne, CEH, SSCP
 
PPTX
Website hacking and prevention (All Tools,Topics & Technique )
byJay Nagar
 
PPT
Not only a XSS
byConferencias FIST
 
PDF
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
bySam Bowne
 
PPTX
Cm7 secure code_training_1day_xss
bydcervigni
 
PPTX
Cross Site Scripting (XSS)
byAvi Aryan
 
Cross Site Scripting - Mozilla Security Learning Center
byMichael Coates
 
Cross-Site Scripting (XSS)
byDaniel Tumser
 
Cross Site Scripting
byAli Mattash
 
logout.php Session Data after Logout Username Email . $_.docx
bysmile790243
 
XSS.pdf
byOkan YILDIZ
 
XSS.pdf
byOkan YILDIZ
 
Reflective and Stored XSS- Cross Site Scripting
byInMobi Technology
 
Introduction to Cross Site Scripting ( XSS )
byIrfad Imtiaz
 
The Cross Site Scripting Guide
byDaisuke_Dan
 
HallTumserFinalPaper
byDaniel Tumser
 
Complete xss walkthrough
byAhmed Elhady Mohamed
 
Appsec XSS Case Study
byMohamed Ridha CHEBBI, CISSP
 
Cross site scripting
bykinish kumar
 
xss-100908063522-phpapp02.pdf
byyashvirsingh48
 
Cross site scripting XSS
byRonan Dunne, CEH, SSCP
 
Website hacking and prevention (All Tools,Topics & Technique )
byJay Nagar
 
Not only a XSS
byConferencias FIST
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
bySam Bowne
 
Cm7 secure code_training_1day_xss
bydcervigni
 
Cross Site Scripting (XSS)
byAvi Aryan
 

Recently uploaded

PPTX
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
PDF
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
PDF
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
PDF
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
PDF
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PDF
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
PDF
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PDF
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
PDF
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 

Convincing Developers to take Cross-Site Scripting Seriously

  • 1.
    Cross-Site Scripting Getting Developersto Take XSS Seriously Use Social Engineering to Enhance Your Vulnerability Reporting XSS
  • 2.
    XSS Contact Information Jason Pubal Website Social www.intellavis.com/blog http://www.linkedin.com/in/pubal E-mail http://www.twitter.com/pubal jpubal@gmail.com
  • 3.
    XSS Cross-Site Scripting Outline What is XSS? XSS History Detecting XSS Preventing XSS Reporting Tricks
  • 4.
    XSS Cross-Site Scripting Cross Site Scripting (XSS) is an attack against the user of a website. It •account hijacking is a technique that forces a website to display malicious code, which •rewrite portions of the page then executes in the user’s web browser. The attacker uses a •log keystrokes vulnerable website to send malicious code to another end user of the site. The vulnerability arises when the website takes data in some •steal browser information way from a user and dynamically includes it in a web page without •Steal client machine data first validating that data. •attack the user’s network
  • 5.
  • 6.
  • 7.
  • 8.
    XSS Websites with Cross-SiteScripting WhiteHat Website Security Statistic Report, Winter 2011
  • 9.
    XSS Attacks Using Cross-SiteScripting Web Hacking Incident Database
  • 10.
    XSS Real World Examples Hacker Redirects Barack Obama’s site to hillaryclinton.com During the 2008 democratic primaries, XSS in Obama’s website was exploited to redirect visitors to Hillary Clinton’s website. Users who went to Obama’s community blog were instead taken to www.hillaryclinton.com. Apache.org hit by targeted XSS attack, passwords compromised A targeted attack against JIRA admins used XSS to steal administrative cookies. Using those privileges, they installed backdoors and scripts to collect passwords at login. Thanks to people’s tendency to use the same password on several websites and applications, the attacker was able to use those credentials get root access to other servers. New XSS Facebook Worm Allows Automatic Wall Posts An XSS in the Facebook’s mobile API allowed a maliciously prepared iframe element containing JavaScript to post to user’s walls.
  • 11.
  • 12.
    XSS Samy “I’m sorry MySpace and FOX. I love you guys, all the great things MySpace provides, and all the great shows FOX has, my favorite being Nip/Tuck. Oh wait, Nip/Tuck is FX? My bad, but FOX, I’m sure you still have some good stuff. But maybe you should start picking up Nip/Tuck reruns? Just a thought. I’m kidding! Please don’t sue me.”
  • 13.
    XSS Samy Fastest Spreading Worm in History
  • 14.
    XSS JavaScript Malware Cross Site Scripting (XSS) is an attack against the user of a website. It •account hijacking is a technique that forces a website to display malicious code, which •rewrite portions of the page then executes in the user’s web browser. The attacker uses a •log keystrokes vulnerable website to send malicious code to another end user of the site. The vulnerability arises when the website takes data in some •steal browser information way from a user and dynamically includes it in a web page without •Steal client machine data first validating that data. •attack the user’s network •ANYTHING A USER CAN DO OR ACCESS FROM THE BROWSER!
  • 15.
    XSS Manual Testing <SCRIPT>alert(„XSS‟)</SCRIPT> XSS Cheat-Sheet: http://ha.ckers.org/xss.html OWASP Broken Web Applications (Vulnerable Applications to Hack): https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
  • 16.
  • 17.
  • 18.
  • 19.
    XSS Preventing Cross-Site Scripting https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet Input Validation Output Encoding / Escaping Accept known good (whitelist) Characters will still render in a browser Reject known bad (blacklist) correctly; escaping simply lets the interpreter Sanitize (change input to acceptable format) know the data is not meant to be executed. &  &amp; <  &lt; >  &gt; "  &quot; '  &#x27; /  &#x2F;
  • 20.
    XSS Preventing Cross-SiteScripting Use Libraries ESAPI – https://www.owasp.org/index.php/ESAPI MS Anti-XSS Library - http://wpl.codeplex.com
  • 21.
    XSS Cross-Site Scripting Reporting Seriously? The value of the search_txt request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload <script>alert(XSS)</script> was submitted in the search_txt parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
  • 22.
    XSS Browser Exploitation Framework(BeEF) http://beefproject.com/
  • 23.
  • 24.
    XSS Socially Engineering yourReport Exploit the Vulnerability! Report the Impact!
  • 25.
    XSS Socially Engineering yourReport Exploit the Vulnerability! Report the Impact!
  • 26.
    XSS Socially Engineering yourReport Exploit the Vulnerability! Report the Impact!
  • 27.
    XSS Copy Machine Experiment The Power of “Because” “May I use the Xerox machine?” Giving no reason - 60% “May I use the Xerox machine, because I have to make copies?” Giving no real reason - 93% “May I use the Xerox machine, because I’m in a rush?” Giving a reason - 94%
  • 28.
    XSS Commander’s Intent Give Them a Reason!
  • 29.
    XSS Bystander Apathy Assign a JIRA Ticket!
  • 30.
    XSS Contrast Frame NLP The Ponemon Institute puts the cost per record of a breach at $214, with an average cost of 7.2 million dollars. By contrast, a week of development time seems cheap. Options 1 - $5,000 95% Effective 2 - $500 80% Effective
  • 31.
    XSS Herd Effect You‟re all sheep. Best Practices Amazon and Facebook employ CAPTCHA 93% of Websites in our Industry use Input Validation
  • 32.
  • 33.
    XSS Metrics If you want to improve something, measure it. Measure to see if what you're doing is working. If not, try something else.
  • 34.
    THANK YOU Questions?!