UF Student InfoSec Team
September 8, 2015
#ufsit on Freenode
XSS | Andrew Kerr 1
Announcements
Upcoming CTF: CSAW
CSAW CTF (Qualifiers)
• September 18 @ 6pm - September 20 @ 6pm
• If we qualify, we get to send a team of undergrads to national CTF
MMA CTF Recap
• Lots of people there on Friday!
• Left Friday night in top 15%
We want your writeups!
Cross-site Scripting
(Also known as XSS)
Andrew Kerr | Sept 8, 2015
me@andrewjkerr.com
whoami
• Fifth year Software Engineering @ UF
• Secretary of UFSIT for > 2yrs
• Full stack web developer
• Former security intern at Tumblr
• Former intern at BlockScore
XSS
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
— OWASP
Ok... what does that mean?
Why does this work?
• Browser is tricked into thinking the code is part of the site, so it runs with that site's origin: same cookies, same DOM, same session
• Backend server does not sanitize input correctly (more precisely, it writes user-controlled data into the page without encoding it)
• Poor client-side JavaScript executes given parameters
Why do it?
• Steal session cookies
• Steal logins by defacing (e.g. injecting a fake login form into the real site)
• Exploit the browser/plugins
• For the lulz
Remember this?
• ❤ emoji broke XSS sanitization on TweetDeck
• Auto-magically retweeted itself 70,000+ times
• Good thing it wasn't malicious!
Ok, but it's Twitter... why does it matter?
XSS Payloads
• A TON of possible XSS payloads
• <script>alert(1)</script>
• <img src="x" onerror="alert(1)" />
• <a href="javascript: alert(1)">Click me!</a>
• and more!
Types of XSS
1. Reflected
2. Stored
3. DOM-based
Reflected XSS
• Ability to inject code and have the server return it back, unsanitized
• Not stored on the server/in a database!
• Normally hidden in the URL
• Don't click on random links!
• Example: search forms showing input on results page after submission
Reflected XSS Vulnerable Code Example
// www.site.com/search.php?q=search+query
$search_query = $_GET['q'];
echo '<h1>Search results for: ' . $search_query . '</h1>';
Attacker-crafted link:
www.site.com/search.php?q=<script>alert(1)</script>
Q: What's wrong with this code?
A: UNSANITIZED USER INPUT
$search_query goes straight from the query string into the response body. Wrapping it in htmlspecialchars() would have turned the < and > into entities the browser displays instead of parses.
Stored XSS
• Ability to inject code and have the server store it and return it without sanitizing it in either case
• HOLY CRAP THIS IS HORRIBLE
• About the only thing an end user can do to protect themselves is disable JS: every visitor who loads the page gets the payload, no crafted link required
• Example: form post storing XSS
Samy MySpace worm
• Posted 'but most of all, samy is my hero' to victims
• Fastest spreading virus of all time
• 1+ million runs in ~20hrs
Stored XSS Vulnerable Code Example
// Storing posts
$post = $_POST['post'];
// (Side note: concatenating $post into the SQL string defeats the point of
//  prepare() and makes this SQL-injectable too; a real prepared statement
//  would use a ? placeholder and bind_param.)
$query = $mysql_conn->prepare("INSERT INTO posts VALUES ('" . $post . "')");
$query->execute();
// Fetching and outputting posts
$query = $mysql_conn->prepare("SELECT * FROM posts");
$query->execute();
$query->bind_result($post);
while($query->fetch()) {
    // $post is written into the page exactly as the attacker submitted it
    echo '<p>' . $post . '</p>';
}
Q: What's the issue?
A: UNSANITIZED USER INPUT
DOM-based XSS
• Similar to Reflected, but the payload is not rendered by the server; client-side JavaScript reads it (from the URL, the fragment, etc.) and writes it into the page
• Normally due to bad JavaScript code
• Also crafted by a URL
• Don't let users pass in JS via the URL!
DOM-based XSS Vulnerable Code Example
// Pretend parse_get_params is implemented :)
var title = parse_get_params('title');
$('.page-header').html("<h1>" + title + "</h1>");
Q: And, what's the issue here?
A: UNSANITIZED USER INPUT
Q: How would we exploit this?
A: Craft a URL like:
www.site.com/page.html?title=<img src='x' onerror='alert(1)' />
Protecting Against XSS
// Pretend parse_get_params is implemented :)
var title = parse_get_params('title');
$('.page-header').html("<h1>" + title + "</h1>");
• jQuery provides a .html AND .text.
• But, what's the difference?
Let's look at the documentation!
(Aka RTFM)
Set the text contents of the matched elements.
— .text()
Set the HTML contents of each element in the set of matched elements.
— .html()
Protecting Against XSS
<html>
<head>
<title>Test Page</title>
<script type="text/javascript" src="jquery.min.js"></script>
<script type="text/javascript">
$(function(){
  // .html() parses the string as markup: div1 gets a real link and bold "hello"
  $("#div1").html('<a href="example.html">Link</a><b>hello</b>');
  // .text() creates a text node: div2 shows the tags literally, nothing is parsed
  $("#div2").text('<a href="example.html">Link</a><b>hello</b>');
});
</script>
</head>
<body>
<div id="div1"></div>
<div id="div2"></div>
</body>
</html>
Protecting Against XSS
1. Know your framework/library/language!
2. SANITIZE! (More precisely: encode user data for the context it lands in. HTML body, attribute value, URL and JavaScript string each need different encoding.)
3. Whitelist, not blacklist
4. Headers (Content-Security-Policy to restrict where scripts may load from; HttpOnly on the session cookie so a payload that does run can't read it)
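Added example, not from the slides: what "encode for the context" means in working code, using the three payloads from the XSS Payloads slide as input. escapeHtml() is the text-context encoding that jQuery's .text() and PHP's htmlspecialchars() perform for you, and it fixes both the search.php heading and the .page-header case above. safeHref() shows why that is not enough for a URL context: the javascript: payload contains none of the escaped characters. The function names, and www.site.com as the site's origin, are this example's assumptions.

```javascript
// Added example (not the slides' code): context-aware output encoding.
// The three payloads below are the ones listed on the "XSS Payloads" slide.
const PAYLOADS = [
  '<script>alert(1)</script>',
  '<img src="x" onerror="alert(1)" />',
  '<a href="javascript: alert(1)">Click me!</a>',
];

// HTML body / text context (what jQuery .text() and PHP htmlspecialchars() do):
// replace the five characters that can change the surrounding markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The reflected-XSS search heading from the slides, rendered safely.
function renderSearchHeading(q) {
  return '<h1>Search results for: ' + escapeHtml(q) + '</h1>';
}

// URL context: escaping is NOT enough. "javascript: alert(1)" has none of the
// five escaped characters and passes through escapeHtml() unchanged, yet as an
// href it runs on click. Allowlist the scheme instead. www.site.com is the
// hypothetical origin from the slides; relative URLs are resolved against it.
function safeHref(url) {
  let parsed;
  try {
    // WHATWG URL parsing also drops the tabs/newlines browsers ignore ("java\tscript:").
    parsed = new URL(String(url), 'https://www.site.com/');
  } catch (err) {
    return '#';
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? parsed.href : '#';
}

// User-controlled link: allowlisted URL in the attribute, escaped label as text.
function renderLink(href, label) {
  return '<a href="' + escapeHtml(safeHref(href)) + '">' + escapeHtml(label) + '</a>';
}

// Sanity check: once encoded, none of the slide's payloads contains a tag opener.
function allPayloadsInert() {
  return PAYLOADS.every((p) => !escapeHtml(p).includes('<'));
}
```

The takeaway is the second point on the list above: the same string needs a different treatment depending on where it lands. escapeHtml() is right for text between tags and for a quoted attribute value; for an href the attacker does not need any of those five characters at all.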
Protecting Against XSS
• Or, ya know, read the NSA's recommendations.
• https://www.nsa.gov/ia/files/factsheets/xssiadfactsheetfinal_web.pdf
But most importantly...
TEST YOUR APPLICATION
Bypassing Filters
• Wonderful cheatsheet by OWASP: https://www.owasp.org/index.php/XSSFilterEvasionCheatSheet
• Also, some guess work helps!
Bypassing Filters Vulnerable Code Example
$input = $_POST['input'];
$sanitized = str_replace('script', '', $input);
Q: How could we get by this?
A: Think about it :)
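Added example, not from the slides: the str_replace('script', '', $input) filter above rebuilt in JavaScript so the bypasses can be checked, plus the allowlist-style encoding that the "Whitelist, not blacklist" slide recommends. The three inputs are constructed for this example; blacklistFilter(), looksExecutable() and encodeForHtml() are this example's names, not the challenge server's code.

```javascript
// Added example (not the slides' code): why "remove the bad word" filters fail.
// PHP's str_replace('script', '', $input) is a single, case-sensitive pass;
// split/join reproduces exactly that behaviour.
function blacklistFilter(input) {
  return String(input).split('script').join('');
}

// Crude check, for this demo only: would the filtered string still yield a
// <script> element or an inline on*= handler once the browser parses it?
function looksExecutable(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Three ways past the filter (constructed inputs):
const BYPASSES = {
  // 1. Nesting: the single pass deletes the inner "script" and re-forms the tag.
  nested: '<scrscriptipt>alert(1)</scrscriptipt>',
  // 2. Case: HTML tag names are case-insensitive, str_replace is not.
  upper: '<SCRIPT>alert(1)</SCRIPT>',
  // 3. Different vector: an event handler contains no "script" substring at all.
  onerror: '<img src="x" onerror="alert(1)" />',
};

// Returns { name: filteredOutput } so each bypass can be inspected.
function applyFilterToBypasses() {
  const out = {};
  for (const [name, payload] of Object.entries(BYPASSES)) {
    out[name] = blacklistFilter(payload);
  }
  return out;
}

// The allowlist alternative: don't hunt for bad substrings; encode every
// character that is not plain text for the HTML context (numeric entities here,
// named entities work the same). Nothing is left that the parser reads as a tag.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

// How many of the bypasses does a given transform let through?
function survivors(transform) {
  return Object.values(BYPASSES).filter((p) => looksExecutable(transform(p))).length;
}
```

Running the filter over the nested input gives back a clean <script>alert(1)</script>; the upper-case one is untouched; the onerror one was never going to match. Encoding instead of deleting leaves none of the three executable, which is the whole "Whitelist, not blacklist" point.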
Resources
• OWASP
• The Web Application Hacker's Handbook
• Mutillidae Practice Application
Ok, cool, onto challenges!
Challenges
• Server: 104.236.76.214
• Source: github.com/ufsit/xss-challenges
• Try not to use this!
• Cheatsheet: https://www.owasp.org/index.php/XSSFilterEvasionCheatSheet

More Related Content

Similar to Cross-site Scripting

XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
Blueinfy Solutions
 
VodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadVodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkad
vodQA
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
Sastry Tumuluri
 
Hackers vs developers
Hackers vs developersHackers vs developers
Hackers vs developers
Soumyasanto Sen
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
OWASP Khartoum
 
security.pptx
security.pptxsecurity.pptx
security.pptx
HusseinNassrullah
 
Anatomy of a WordPress Hack
Anatomy of a WordPress HackAnatomy of a WordPress Hack
Anatomy of a WordPress Hack
jessepollak
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
Michael Hendrickx
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror Stories
Simon Willison
 
Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"
NodeUkraine
 
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Ömer Çıtak
 
RSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoRSA Conference 2010 San Francisco
RSA Conference 2010 San Francisco
Aditya K Sood
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Alexandre Morgaut
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git Repo
Cliff Smith
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilities
n|u - The Open Security Community
 
Securing Your BBC Identity
Securing Your BBC IdentitySecuring Your BBC Identity
Securing Your BBC Identity
Marc Littlemore
 
Securing WordPress
Securing WordPressSecuring WordPress
Securing WordPress
Shawn Hooper
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
Frank Kim
 
JavaScript For People Who Don't Code
JavaScript For People Who Don't CodeJavaScript For People Who Don't Code
JavaScript For People Who Don't Code
Christopher Schmitt
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in Rails
Uri Nativ
 

Similar to Cross-site Scripting (20)

XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
VodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadVodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkad
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
Hackers vs developers
Hackers vs developersHackers vs developers
Hackers vs developers
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
 
security.pptx
security.pptxsecurity.pptx
security.pptx
 
Anatomy of a WordPress Hack
Anatomy of a WordPress HackAnatomy of a WordPress Hack
Anatomy of a WordPress Hack
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror Stories
 
Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"
 
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)
 
RSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoRSA Conference 2010 San Francisco
RSA Conference 2010 San Francisco
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git Repo
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilities
 
Securing Your BBC Identity
Securing Your BBC IdentitySecuring Your BBC Identity
Securing Your BBC Identity
 
Securing WordPress
Securing WordPressSecuring WordPress
Securing WordPress
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
 
JavaScript For People Who Don't Code
JavaScript For People Who Don't CodeJavaScript For People Who Don't Code
JavaScript For People Who Don't Code
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in Rails
 

Recently uploaded

Unit-III-ELECTROCHEMICAL STORAGE DEVICES.ppt
Unit-III-ELECTROCHEMICAL STORAGE DEVICES.pptUnit-III-ELECTROCHEMICAL STORAGE DEVICES.ppt
Unit-III-ELECTROCHEMICAL STORAGE DEVICES.ppt
KrishnaveniKrishnara1
 
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
IJECEIAES
 
An improved modulation technique suitable for a three level flying capacitor ...
An improved modulation technique suitable for a three level flying capacitor ...An improved modulation technique suitable for a three level flying capacitor ...
An improved modulation technique suitable for a three level flying capacitor ...
IJECEIAES
 
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
ecqow
 
Rainfall intensity duration frequency curve statistical analysis and modeling...
Rainfall intensity duration frequency curve statistical analysis and modeling...Rainfall intensity duration frequency curve statistical analysis and modeling...
Rainfall intensity duration frequency curve statistical analysis and modeling...
bijceesjournal
 
ITSM Integration with MuleSoft.pptx
ITSM  Integration with MuleSoft.pptxITSM  Integration with MuleSoft.pptx
ITSM Integration with MuleSoft.pptx
VANDANAMOHANGOUDA
 
AI assisted telemedicine KIOSK for Rural India.pptx
AI assisted telemedicine KIOSK for Rural India.pptxAI assisted telemedicine KIOSK for Rural India.pptx
AI assisted telemedicine KIOSK for Rural India.pptx
architagupta876
 
Design and optimization of ion propulsion drone
Design and optimization of ion propulsion droneDesign and optimization of ion propulsion drone
Design and optimization of ion propulsion drone
bjmsejournal
 
Generative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of contentGenerative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of content
Hitesh Mohapatra
 
CEC 352 - SATELLITE COMMUNICATION UNIT 1
CEC 352 - SATELLITE COMMUNICATION UNIT 1CEC 352 - SATELLITE COMMUNICATION UNIT 1
CEC 352 - SATELLITE COMMUNICATION UNIT 1
PKavitha10
 
Data Driven Maintenance | UReason Webinar
Data Driven Maintenance | UReason WebinarData Driven Maintenance | UReason Webinar
Data Driven Maintenance | UReason Webinar
UReason
 
Certificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi AhmedCertificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi Ahmed
Mahmoud Morsy
 
Null Bangalore | Pentesters Approach to AWS IAM
Null Bangalore | Pentesters Approach to AWS IAMNull Bangalore | Pentesters Approach to AWS IAM
Null Bangalore | Pentesters Approach to AWS IAM
Divyanshu
 
Manufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptxManufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptx
Madan Karki
 
Embedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoringEmbedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoring
IJECEIAES
 
Welding Metallurgy Ferrous Materials.pdf
Welding Metallurgy Ferrous Materials.pdfWelding Metallurgy Ferrous Materials.pdf
Welding Metallurgy Ferrous Materials.pdf
AjmalKhan50578
 
An Introduction to the Compiler Designss
An Introduction to the Compiler DesignssAn Introduction to the Compiler Designss
An Introduction to the Compiler Designss
ElakkiaU
 
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURSCompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
RamonNovais6
 
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
shadow0702a
 
BRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdfBRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdf
LAXMAREDDY22
 

Recently uploaded (20)

Unit-III-ELECTROCHEMICAL STORAGE DEVICES.ppt
Unit-III-ELECTROCHEMICAL STORAGE DEVICES.pptUnit-III-ELECTROCHEMICAL STORAGE DEVICES.ppt
Unit-III-ELECTROCHEMICAL STORAGE DEVICES.ppt
 
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
 
An improved modulation technique suitable for a three level flying capacitor ...
An improved modulation technique suitable for a three level flying capacitor ...An improved modulation technique suitable for a three level flying capacitor ...
An improved modulation technique suitable for a three level flying capacitor ...
 
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
 
Rainfall intensity duration frequency curve statistical analysis and modeling...
Rainfall intensity duration frequency curve statistical analysis and modeling...Rainfall intensity duration frequency curve statistical analysis and modeling...
Rainfall intensity duration frequency curve statistical analysis and modeling...
 
ITSM Integration with MuleSoft.pptx
ITSM  Integration with MuleSoft.pptxITSM  Integration with MuleSoft.pptx
ITSM Integration with MuleSoft.pptx
 
AI assisted telemedicine KIOSK for Rural India.pptx
AI assisted telemedicine KIOSK for Rural India.pptxAI assisted telemedicine KIOSK for Rural India.pptx
AI assisted telemedicine KIOSK for Rural India.pptx
 
Design and optimization of ion propulsion drone
Design and optimization of ion propulsion droneDesign and optimization of ion propulsion drone
Design and optimization of ion propulsion drone
 
Generative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of contentGenerative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of content
 
CEC 352 - SATELLITE COMMUNICATION UNIT 1
CEC 352 - SATELLITE COMMUNICATION UNIT 1CEC 352 - SATELLITE COMMUNICATION UNIT 1
CEC 352 - SATELLITE COMMUNICATION UNIT 1
 
Data Driven Maintenance | UReason Webinar
Data Driven Maintenance | UReason WebinarData Driven Maintenance | UReason Webinar
Data Driven Maintenance | UReason Webinar
 
Certificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi AhmedCertificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi Ahmed
 
Null Bangalore | Pentesters Approach to AWS IAM
Null Bangalore | Pentesters Approach to AWS IAMNull Bangalore | Pentesters Approach to AWS IAM
Null Bangalore | Pentesters Approach to AWS IAM
 
Manufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptxManufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptx
 
Embedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoringEmbedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoring
 
Welding Metallurgy Ferrous Materials.pdf
Welding Metallurgy Ferrous Materials.pdfWelding Metallurgy Ferrous Materials.pdf
Welding Metallurgy Ferrous Materials.pdf
 
An Introduction to the Compiler Designss
An Introduction to the Compiler DesignssAn Introduction to the Compiler Designss
An Introduction to the Compiler Designss
 
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURSCompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
 
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
 
BRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdfBRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdf
 

Cross-site Scripting

  • 1. UF Student InfoSec Team September 8, 2015 #ufsit on Freenode XSS | Andrew Kerr 1
  • 3. Upcoming CTF: CSAW XSS | Andrew Kerr 3
  • 4. CSAW CTF (Qualifiers) • September 18 @ 6pm - September 20 @ 6pm XSS | Andrew Kerr 4
  • 5. CSAW CTF (Qualifiers) • September 18 @ 6pm - September 20 @ 6pm • If we qualify, we get to send a team of undergrads to national CTF XSS | Andrew Kerr 5
  • 6. MMA CTF Recap XSS | Andrew Kerr 6
  • 7. MMA CTF Recap • Lots of people there on Friday! • Left Friday night in top 15% XSS | Andrew Kerr 7
  • 8. We want your writeups! XSS | Andrew Kerr 8
  • 9. Cross-site Scripting (Also known as XSS) Andrew Kerr | Sept 8, 2015 me@andrewjkerr.com XSS | Andrew Kerr 9
  • 11. whoami • Fifth year Software Engineering @ UF XSS | Andrew Kerr 11
  • 12. whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs XSS | Andrew Kerr 12
  • 13. whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs • Full stack web developer XSS | Andrew Kerr 13
  • 14. whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs • Full stack web developer • Former security intern at Tumblr XSS | Andrew Kerr 14
  • 15. whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs • Full stack web developer • Former security intern at Tumblr • Former intern at BlockScore XSS | Andrew Kerr 15
  • 16. Cross-site Scripting (Also known as XSS) XSS | Andrew Kerr 16
  • 17. XSS Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. — OWASP XSS | Andrew Kerr 17
  • 18. Ok... what does that mean? XSS | Andrew Kerr 18
  • 19. XSS | Andrew Kerr 19
  • 20. XSS | Andrew Kerr 20
  • 21. XSS | Andrew Kerr 21
  • 22. Why does this work? XSS | Andrew Kerr 22
  • 23. Why does this work? • Browser is tricked into thinking the code is part of the site XSS | Andrew Kerr 23
  • 24. Why does this work? • Browser is tricked into thinking the code is part of the site • Backend server does not sanitize input correctly XSS | Andrew Kerr 24
  • 25. Why does this work? • Browser is tricked into thinking the code is part of the site • Backend server does not sanitize input correctly • Poor client-side JavaScript executes given parameters XSS | Andrew Kerr 25
  • 26. Why do it? XSS | Andrew Kerr 26
  • 27. Why do it? • Steal session cookies XSS | Andrew Kerr 27
  • 28. Why do it? • Steal session cookies • Steal logins by defacing XSS | Andrew Kerr 28
  • 29. Why do it? • Steal session cookies • Steal logins by defacing • Exploit the browser/plugins XSS | Andrew Kerr 29
  • 30. Why do it? • Steal session cookies • Steal logins by defacing • Exploit the browser/plugins • For the lulz XSS | Andrew Kerr 30
  • 31. XSS | Andrew Kerr 31
  • 32. Remember this? • ❤ emoji broke XSS sanitization on TweetDeck XSS | Andrew Kerr 32
  • 33. Remember this? • ❤ emoji broke XSS sanitization on TweetDeck • Auto-magically retweeted itself 70,000+ times XSS | Andrew Kerr 33
  • 34. Remember this? • ❤ emoji broke XSS sanitization on TweetDeck • Auto-magically retweeted itself 70,000+ times • Good thing it wasn't malicious! XSS | Andrew Kerr 34
  • 35. Ok, but it's Twitter... why does it matter? XSS | Andrew Kerr 35
  • 36. XSS | Andrew Kerr 36
  • 37. XSS Payloads XSS | Andrew Kerr 37
  • 38. XSS Payloads • A TON of possible XSS payloads XSS | Andrew Kerr 38
  • 39. XSS Payloads • A TON of possible XSS payloads • <script>alert(1)</script> • <img src="x" onerror="alert(1)" /> • <a href="javascript: alert(1)">Click me!</a> • and more! XSS | Andrew Kerr 39
  • 40. Types of XSS XSS | Andrew Kerr 40
  • 41. Types of XSS 1. Reflected XSS | Andrew Kerr 41
  • 42. Types of XSS 1. Reflected 2. Stored XSS | Andrew Kerr 42
  • 43. Types of XSS 1. Reflected 2. Stored 3. DOM-based XSS | Andrew Kerr 43
• 47. Reflected XSS
  • Ability to inject code and have the server return it back, unsanitized
  • Not stored on the server/in a database!
  • Normally hidden in the URL
    • Don't click on random links!
  • Example: search forms showing input on results page after submission
• 52. Reflected XSS Vulnerable Code Example

    // www.site.com/search.php?q=search+query
    $search_query = $_GET['q'];
    // The query string value is echoed straight into the page as HTML
    echo '<h1>Search results for: ' . $search_query . '</h1>';

  Q: What's wrong with this code?
  A: UNSANITIZED USER INPUT
• 56. Stored XSS
  • Ability to inject code and have the server store it and return it without sanitizing it in either case
  • HOLY CRAP THIS IS HORRIBLE
  • Only way for end user to protect themselves is to disable JS
  • Example: form post storing XSS
• 60. Samy MySpace worm
  • Posted 'but most of all, samy is my hero' to victims
  • Fastest spreading virus of all time
    • 1+ million runs in ~20hrs
• 63. Stored XSS Vulnerable Code Example

    // Storing posts
    $post = $_POST['post'];
    // The post is bound as a parameter, so the SQL itself is safe;
    // the XSS problem is in how it is output below
    $query = $mysql_conn->prepare("INSERT INTO posts VALUES (?)");
    $query->bind_param('s', $post);
    $query->execute();

    // Fetching and outputting posts
    $query = $mysql_conn->prepare("SELECT * FROM posts");
    $query->execute();
    $query->bind_result($post);
    while ($query->fetch()) {
        // Every stored post is echoed as raw HTML to every visitor
        echo '<p>' . $post . '</p>';
    }

  Q: What's the issue?
  A: UNSANITIZED USER INPUT
• 67. DOM-based XSS
  • Similar to Reflected, but is not rendered from the server.
  • Normally due to bad JavaScript code
  • Also crafted by a URL
    • Don't let users pass in JS via the URL!
• 72. DOM-based XSS Vulnerable Code Example

    // Pretend parse_get_params is implemented :)
    var title = parse_get_params('title');
    // .html() parses the string as markup, so anything in the URL becomes DOM
    $('.page-header').html("<h1>" + title + "</h1>");

  Q: And, what's the issue here?
  A: UNSANITIZED USER INPUT

  Q: How would we exploit this?
  A: Craft a URL like: www.site.com/page.html?title=<img src='x' onerror='alert(1)' />
• 76. Protecting Against XSS

    // Pretend parse_get_params is implemented :)
    var title = parse_get_params('title');
    $('.page-header').html("<h1>" + title + "</h1>");

  • jQuery provides a .html AND a .text.
  • But, what's the difference?
• 78. Let's look at the documentation! (Aka RTFM)
• 79. Protecting Against XSS
  "Set the text contents of the matched elements." — .text()
  "Set the HTML contents of each element in the set of matched elements." — .html()
• 80. Protecting Against XSS

    <html>
      <head>
        <title>Test Page</title>
        <script type="text/javascript" src="jquery.min.js"></script>
        <script type="text/javascript">
          $(function(){
            // div1 gets a real link and bold element
            $("#div1").html('<a href="example.html">Link</a><b>hello</b>');
            // div2 shows the same string literally, tags and all
            $("#div2").text('<a href="example.html">Link</a><b>hello</b>');
          });
        </script>
      </head>
      <body>
        <div id="div1"></div>
        <div id="div2"></div>
      </body>
    </html>
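The fix for all three vulnerable snippets above (reflected search echo, stored post echo, DOM-based title) is the same: encode the user-controlled value for the HTML context before it reaches the page. The following is an added example, not code from the slides; `escapeHtml` does in plain JavaScript what jQuery's `.text()` or PHP's `htmlspecialchars()` do, and `parse_get_params` (which the slides only pretend is implemented) is assumed to receive the full page URL and is built on `URLSearchParams`.

```javascript
// Added example (not from the slides): HTML output encoding for the
// reflected, stored and DOM-based snippets shown on the previous slides.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five HTML metacharacters so the value renders as text, not markup.
// Safe for element content and for double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reflected case: the search.php echo with encoding applied to $_GET['q'].
function searchResultsHeading(q) {
  return '<h1>Search results for: ' + escapeHtml(q) + '</h1>';
}

// Stored case: encode at output time, for every post, no matter how it was stored.
function renderPosts(posts) {
  return posts.map((p) => '<p>' + escapeHtml(p) + '</p>').join('\n');
}

// DOM case: the slides' hypothetical parse_get_params(), implemented here with
// URLSearchParams (assumption: the caller passes the full page URL).
function parse_get_params(name, url) {
  return new URL(url).searchParams.get(name) || '';
}

// Builds the header markup from the URL. In a browser the equivalent safe call is
// $('.page-header').text(title) (or element.textContent = title) instead of .html().
function pageHeader(url) {
  const title = parse_get_params('title', url);
  return '<h1>' + escapeHtml(title) + '</h1>';
}

// Constructed sample: the exact URL from the "How would we exploit this?" slide.
const SAMPLE_URL = "http://www.site.com/page.html?title=<img src='x' onerror='alert(1)' />";
```
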
• 84. Protecting Against XSS
  1. Know your framework/library/language!
  2. SANITIZE!
  3. Whitelist, not blacklist
  4. Headers
• 85. Protecting Against XSS
  • Or, ya know, read the NSA's recommendations.
  • https://www.nsa.gov/ia/files/factsheets/xssiadfactsheetfinal_web.pdf
• 86. But most importantly...
• 87. TEST YOUR APPLICATION
• 90. Bypassing Filters
  • Wonderful cheatsheet by OWASP: https://www.owasp.org/index.php/XSSFilterEvasionCheatSheet
  • Also, some guess work helps!
• 93. Bypassing Filters Vulnerable Code Example

    $input = $_POST['input'];
    // Blacklist: strips the literal token "script" and nothing else
    $sanitized = str_replace('script', '', $input);

  Q: How could we get by this?
  A: Think about it :)
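To make the "whitelist, not blacklist" point concrete, here is an added example (not from the slides) that runs the `str_replace('script', '')` blacklist and an allow-list check side by side over the payloads already listed on the XSS Payloads slide; the allow-list policy for a search term (`ALLOWED_SEARCH`) is a constructed assumption for this example.

```javascript
// Added example (not from the slides): blacklist filter vs allow-list validation.
// Mirrors PHP's str_replace('script', '', $input): delete the literal token.
function blacklistFilter(input) {
  return input.split('script').join('');
}

// Allow-list (constructed policy): a search term may contain only letters,
// digits, spaces and a little punctuation, 1 to 64 characters. Anything with
// HTML metacharacters is rejected outright rather than "cleaned".
const ALLOWED_SEARCH = /^[A-Za-z0-9 .,_-]{1,64}$/;

function whitelistValidate(input) {
  return ALLOWED_SEARCH.test(input);
}

// For each sample, record whether the blacklist left it untouched (i.e. did
// nothing at all) and whether the allow-list would accept it.
function compareFilters(samples) {
  return samples.map((s) => ({
    input: s,
    survivesBlacklist: blacklistFilter(s) === s,
    passesWhitelist: whitelistValidate(s),
  }));
}

// Constructed sample set: one benign query plus the three payloads from the slides.
const SAMPLES = [
  'search query',
  '<script>alert(1)</script>',
  '<img src="x" onerror="alert(1)" />',            // contains no "script" token
  '<a href="javascript: alert(1)">Click me!</a>',
];
```

Running `compareFilters(SAMPLES)` shows the blacklist passing the `<img onerror>` payload completely unchanged while the allow-list rejects every payload and accepts only the benign query.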
• 97. Resources
  • OWASP
  • The Web Application Hackers Handbook
  • Mutillidae Practice Application
• 98. Ok, cool, onto challenges!
• 100. Challenges
  • Server: 104.236.76.214
  • Source: github.com/ufsit/xss-challenges
    • Try not to use this!
  • Cheatsheet: https://www.owasp.org/index.php/XSSFilterEvasionCheatSheet