Appsec XSS Case Study
Mohamed Ridha CHEBBI, CISSP
1.
Application Security
Security Verified
Chapter 04: Cross-Site Scripting
Mohamed Ridha Chebbi, CISSP
Ridha.chebbi@icodesecurity.com
© 2012 iCode information security. All rights reserved.
2.
Introduction
• Cross-site scripting (or XSS) is the Godfather of attacks against other users.
• It is by some measure the most prevalent web application vulnerability found in the wild.
• There are many situations in which XSS does represent a critical security weakness within an application. It can often be combined with other vulnerabilities to devastating effect.
• In some situations, an XSS attack can be turned into a virus or a self-propagating worm.
3.
Reflected XSS Vulnerabilities
• A very common example of XSS occurs when an application employs a dynamic page to display error messages to users. Typically, the page takes a parameter containing the text of the message and simply renders this text back to the user within its response.
• This type of mechanism is convenient for developers, because it allows them to invoke a customized error page from anywhere in the application, without needing to hard-code individual messages within the error page itself.
Example of a dynamic URL:
    https://adb-app.com/error.php?message=Sorry%2c+an+error+occurred
Crafted URL:
    https://adb-app.com/error.php?message=<script>alert('xss');</script>
4.
Reflected XSS Vulnerabilities
• This type of simple XSS bug accounts for approximately 75% of the XSS vulnerabilities that exist in real-world web applications.
• It is often referred to as reflected XSS because exploiting the vulnerability involves crafting a request containing embedded JavaScript, which is reflected back to any user who makes the request.
5.
Reflected XSS Vulnerabilities
[Diagram slide: no text content.]
6.
Stored XSS Vulnerabilities
• A different category of XSS vulnerability is often referred to as stored cross-site scripting. This version arises when data submitted by one user is stored within the application (typically in a back-end database) and then displayed to other users without being filtered or sanitized appropriately.
7.
Storing XSS in Uploaded Files
• If you can upload an HTML or text file containing JavaScript, and a victim views the file, then your payload will normally be executed. The following shows the raw response of an application that is vulnerable to stored XSS in this way:
    HTTP/1.1 200 OK
    Date: Sat, 5 May 2011 11:52:25 GMT
    Server: Apache
    Content-Length: 39
    Content-Type: image/jpeg

    <script>alert(document.cookie)</script>
Note: Even though the Content-Type header specifies that the message body contains an image, Internet Explorer overrides this and handles the content as HTML because this is what it in fact contains.
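The following is an added example, not code from the slides, showing the server-side controls a defender would put around the upload case above: a magic-byte check that rejects a body that is not actually a JPEG, and the response headers that stop a browser from re-interpreting a served upload as HTML. It runs under Node.js; the upload bodies are constructed sample inputs and the function names are the example's own.

```javascript
// Added example (not from the slide deck). Two independent controls for the
// "stored XSS in uploaded files" case:
//  1. at upload time, check that the bytes really are a JPEG (SOI marker
//     FF D8 FF), so a text/HTML payload labelled image/jpeg is refused;
//  2. at serving time, send X-Content-Type-Options: nosniff and force a
//     download, so a browser cannot sniff the body as HTML even if the
//     upload check was bypassed.

const JPEG_MAGIC = Buffer.from([0xff, 0xd8, 0xff]);

// True only if the buffer starts with the JPEG SOI marker.
function looksLikeJpeg(buf) {
  return buf.length >= JPEG_MAGIC.length &&
    buf.subarray(0, JPEG_MAGIC.length).equals(JPEG_MAGIC);
}

// Upload-time check: declared type must be one we serve, and the bytes must
// match it. The declared Content-Type alone is attacker-controlled.
function acceptUpload(declaredType, body) {
  if (declaredType !== 'image/jpeg') {
    return { ok: false, reason: 'unsupported type' };
  }
  if (!looksLikeJpeg(body)) {
    return { ok: false, reason: 'body is not a JPEG' };
  }
  return { ok: true };
}

// Serving-time headers for anything under an uploads path. The filename is
// reduced to a safe character set before it is echoed into the header.
function uploadResponseHeaders(filename) {
  const safeName = filename.replace(/[^A-Za-z0-9._-]/g, '_');
  return {
    'Content-Type': 'image/jpeg',
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': `attachment; filename="${safeName}"`,
    // Even if rendered, the document may run no script and load nothing.
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Constructed inputs: a JPEG prefix (SOI + start of an APP0/JFIF segment)
// and the exact payload body shown on the slide.
const goodJpeg = Buffer.concat([
  JPEG_MAGIC,
  Buffer.from([0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00]),
]);
const scriptBody = Buffer.from('<script>alert(document.cookie)</script>', 'utf8');

console.log('script body as image/jpeg:', acceptUpload('image/jpeg', scriptBody));
console.log('real JPEG as image/jpeg:  ', acceptUpload('image/jpeg', goodJpeg));
console.log('headers:', uploadResponseHeaders('my photo.jpg'));
```

The magic-byte check only catches the slide's case (a script body with no image header); a polyglot file that begins with valid JPEG bytes still passes it, which is why the `nosniff` and `Content-Disposition` headers are the control that actually prevents rendering.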
8.
DOM-Based XSS Vulnerabilities
Here is an example of the process by which the attacker's JavaScript gets executed:
■ A user requests a crafted URL containing the attacker's JavaScript.
■ The server's response does not contain the attacker's script in any form.
■ When the user's browser processes this response, the script is executed.
How can this series of events occur? The answer is that client-side JavaScript can access the browser's document object model (DOM), and so can determine the URL used to load the current page. A script issued by the application may extract data from the URL, perform some processing on this data, and then use it to dynamically update the contents of the page. When an application does this, it may be vulnerable to DOM-based XSS.
9.
DOM-Based XSS Vulnerabilities
For example, suppose that the error page returned by the application contains the following:
    <script>
    var a = document.URL;
    a = unescape(a);
    document.write(a.substring(a.indexOf("message=") + 8, a.length));
    </script>
This script parses the URL to extract the value of the message parameter and simply writes this value into the HTML source code of the page.
Note: if an attacker crafts a URL containing JavaScript, then this code will be dynamically written into the page and executed.
10.
Real-World XSS Attacks
AJAX: Ajax (or Asynchronous JavaScript and XML) is a technology used by some applications to create an enhanced interactive experience for users. Ajax is implemented using the XMLHttpRequest object. The following is a simple example of using Ajax within Internet Explorer to issue an asynchronous request and process its response:
    <script>
    var request = new ActiveXObject("Microsoft.XMLHTTP");
    request.open("GET", "https://wahh-app.com/foo", false);
    request.send();
    alert(request.responseText);
    </script>
Ajax could be used to trivially violate the browser's same origin policy, by enabling applications to retrieve and process data from a different domain.
11.
Payloads for XSS Attacks
• Virtual Defacement
• Injecting Trojan Functionality
• Inducing User Actions
• Hijacking a victim's session
12.
Payloads for XSS Attacks
• Exploiting Any Trust Relationships
There are several trust relationships that can sometimes be exploited in an XSS attack:
■ If the application employs forms with autocomplete enabled, JavaScript issued by the application can capture any previously entered data that the user's browser has stored in the autocomplete cache.
■ Some web applications recommend or require that users add their domain name to the "Trusted Sites" zone of their browser. This is almost always undesirable. For example, injecting the following code will cause the Windows calculator program to launch on the user's computer:
    <script>
    var o = new ActiveXObject('WScript.shell');
    o.Run('calc.exe');
    </script>
■ etc.
13.
Escalating the Client-Side Attack
• Log Keystrokes
    <script>
    document.onkeypress = function () {
      window.status += String.fromCharCode(window.event.keyCode);
    }
    </script>
• Capture Clipboard Contents
    <script>
    alert(window.clipboardData.getData('Text'));
    </script>
• Steal History and Search Queries
JavaScript can be used to perform a brute-force exercise to discover third-party sites recently visited by the user (using the getComputedStyle API).
• Enumerate Currently Used Applications
JavaScript can be used to determine whether the user is presently logged in to third-party web applications. The trick is to attempt to dynamically load and execute the protected page as a piece of JavaScript:
    window.onerror = fingerprint;
    <script src="https://other-app.com/MyDetails.aspx"></script>
14.
Escalating the Client-Side Attack
• Port Scan the Local Network
JavaScript can be used to perform a port scan of hosts on the user's local network.
• Attack Other Network Hosts
The following code checks for a specific image associated with a popular range of DSL routers:
    <img src="http://192.168.1.1/hm_icon.gif" onerror="notNetgear()">
15.
Preventing Reflected and Stored XSS
■ Validate input.
■ Validate output.
■ Eliminate dangerous insertion points.
16.
Validate Input
The application should perform context-dependent validation of input data, in as strict a manner as possible. Potential features to validate include the following:
■ That the data is not too long.
■ That the data only contains a certain permitted set of characters.
■ That the data matches a particular regular expression.
Different validation rules should be applied as restrictively as possible to names, email addresses, account numbers, and so on, according to the type of data that the application is expecting to receive in each field.
17.
Validate Output
Output data should be HTML-encoded to sanitize potentially malicious characters. HTML-encoding involves replacing literal characters with their corresponding HTML entities. This ensures that browsers will handle potentially malicious characters in a safe way, treating them as part of the content of the HTML document and not part of its structure. The HTML-encodings of the primary problematic characters are as follows:
    "  &quot;
    '  &apos;
    &  &amp;
    <  &lt;
    >  &gt;
In addition to these common encodings, in fact any character can be HTML-encoded using its numeric ASCII character code, as follows:
    %  &#37;
    *  &#42;
18.
HTML Encoding Example
On the Java platform, there is no equivalent built-in API available; however, it is simple to construct your own equivalent method using just the numeric form of encoding. For example:
    public static String HTMLEncode(String s) {
        StringBuffer out = new StringBuffer();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            // Non-ASCII and the structural HTML characters are emitted as numeric entities.
            if (c > 0x7f || c == '"' || c == '&' || c == '<' || c == '>')
                out.append("&#" + (int) c + ";");
            else
                out.append(c);
        }
        return out.toString();
    }
19.
Eliminate Dangerous Insertion Points
Inserting user-controllable data directly into existing JavaScript should be avoided wherever possible. When applications attempt to do this safely, it is frequently possible to bypass their defensive filters.
A second location where user input should not be inserted is any other context in which JavaScript commands may appear directly. For example:
    <img src="userdata">
    <img src="foo.gif" onload="userdata">
In this case an attacker can proceed directly to injecting JavaScript commands within the quoted string. For example:
    <img src="javascript:alert(document.cookie)">
    <img src="foo.gif" onload="alert('xss')">
20.
Preventing DOM-Based XSS
• Validate Input
• Validate Output
21.
Validate Input
In many situations, applications can perform rigorous validation on the data being processed. Indeed, this is one area where client-side validation can be more effective than server-side validation. Validating that the data about to be inserted into the document only contains alphanumeric characters and whitespace could, for example, be done as follows:
    <script>
    var a = document.URL;
    a = a.substring(a.indexOf("message=") + 8, a.length);
    a = unescape(a);
    var regex = /^([A-Za-z0-9+\s])*$/;
    if (regex.test(a))
      document.write(a);
    </script>
22.
Validate Output
As with reflected XSS flaws, applications can perform HTML-encoding of user-controllable DOM data before this is inserted into the document. This will enable all kinds of potentially dangerous characters and expressions to be displayed within the page in a safe way. HTML encoding can be implemented in client-side JavaScript with a function like the following:
    function sanitize(str) {
      var d = document.createElement('div');
      d.appendChild(document.createTextNode(str));
      return d.innerHTML;
    }
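The following is an added example (not from the slides) that puts the DOM-based XSS parsing of slide 9 beside the Validate Input allow-list of slide 21 and the HTML encoding of slides 17, 18 and 22, written to run under Node.js without a browser: document.URL is replaced by a URL string, and the div/createTextNode trick by an explicit encoder that combines the slides' named entities with the numeric form of the Java HTMLEncode method. The URLs and function names are constructed for the example.

```javascript
// Added example (not from the slide deck). The vulnerable flow and both
// DOM-XSS defenses, runnable in Node.js with no DOM.

// Mirrors the slides' parsing: everything after "message=", then decoded.
// Differences from the slide, on purpose: '+' is treated as a space (how
// form-encoded query strings are sent) and a malformed escape sequence
// yields an empty message instead of an uncaught exception.
function extractMessage(url) {
  const i = url.indexOf('message=');
  if (i === -1) return '';
  const raw = url.substring(i + 8).replace(/\+/g, ' ');
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return '';
  }
}

// Validate Input: the allow-list from slide 21, alphanumerics and whitespace.
// Note the slide's own benign URL contains a comma ("Sorry, an error
// occurred"), which this list rejects; an allow-list must be written for
// what the application actually sends, or legitimate messages break.
const SAFE_MESSAGE = /^[A-Za-z0-9\s]*$/;
function isSafeMessage(msg) {
  return SAFE_MESSAGE.test(msg);
}

// Validate Output: named entities for the five structural characters
// (&#39; rather than &apos;, which older HTML parsers do not recognise),
// and the numeric form from the Java HTMLEncode method for everything
// outside printable ASCII.
const NAMED = { '"': '&quot;', "'": '&#39;', '&': '&amp;', '<': '&lt;', '>': '&gt;' };
function htmlEncode(s) {
  let out = '';
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (NAMED[ch] !== undefined) out += NAMED[ch];
    else if (cp > 0x7e || cp < 0x20) out += '&#' + cp + ';';
    else out += ch;
  }
  return out;
}

// What the slide-9 script effectively writes into the page: the raw value.
function renderVulnerable(url) {
  return extractMessage(url);
}

// Defended version: reject anything outside the allow-list, and encode
// whatever is written, so a gap in the first check still adds no markup.
function renderDefended(url) {
  const msg = extractMessage(url);
  if (!isSafeMessage(msg)) return htmlEncode('Invalid message');
  return htmlEncode(msg);
}

// Constructed URLs: a comma-free benign message and a crafted one carrying
// the same alert('xss') payload the slides use.
const BENIGN_URL = 'https://adb-app.com/error.php?message=Sorry+an+error+occurred';
const CRAFTED_URL =
  "https://adb-app.com/error.php?message=%3Cscript%3Ealert('xss')%3C/script%3E";

console.log('vulnerable:', renderVulnerable(CRAFTED_URL));
console.log('defended:  ', renderDefended(CRAFTED_URL));
console.log('benign:    ', renderDefended(BENIGN_URL));
```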
23.
Thanks
Mohamed Ridha Chebbi, CISSP