Application Security                                                                    Security Verified

Chapter 04
Cross-Site Scripting

Mohamed Ridha Chebbi, CISSP
Ridha.chebbi@icodesecurity.com

© 2012 iCode information security All rights reserved
Introduction

• Cross-site scripting (or XSS) is the Godfather of attacks against other users.
• It is by some measure the most prevalent web application vulnerability found in the wild.
• There are many situations in which XSS represents a critical security weakness within an
  application. It can often be combined with other vulnerabilities to devastating effect.
• In some situations, an XSS attack can be turned into a virus or a self-propagating worm.
Reflected XSS Vulnerabilities

• A very common example of XSS occurs when an application employs a dynamic page to
  display error messages to users. Typically, the page takes a parameter containing the
  text of the message, and simply renders this text back to the user within its response.
• This type of mechanism is convenient for developers, because it allows them to invoke a
  customized error page from anywhere in the application, without needing to hard-code
  individual messages within the error page itself.

  Example of a dynamic URL:
  https://adb-app.com/error.php?message=Sorry%2c+an+error+occurred

  Crafted URL:
  https://adb-app.com/error.php?message=<script>alert('xss');</script>
Reflected XSS Vulnerabilities

• This type of simple XSS bug accounts for approximately 75% of the XSS vulnerabilities that
  exist in real-world web applications.
• It is often referred to as reflected XSS because exploiting the vulnerability involves
  crafting a request containing embedded JavaScript which is reflected back to any user who
  makes the request.
Stored XSS Vulnerabilities

• A different category of XSS vulnerability is often referred to as stored cross-site
  scripting. This version arises when data submitted by one user is stored within the
  application (typically in a back-end database) and then displayed to other users without
  being filtered or sanitized appropriately.
Storing XSS in Uploaded Files

• If you can upload an HTML or text file containing JavaScript, and a victim views the
  file, then your payload will normally be executed.

  The following shows the raw response of an application that is vulnerable to stored XSS
  in this way:

  HTTP/1.1 200 OK
  Date: Sat, 5 May 2011 11:52:25 GMT
  Server: Apache
  Content-Length: 39
  Content-Type: image/jpeg

  <script>alert(document.cookie)</script>

  Note: even though the Content-Type header specifies that the message body contains an
  image, Internet Explorer overrides this and handles the content as HTML because this is
  what it in fact contains.
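Added defensive example (not from the slides), assuming a Node.js upload handler: verify that an upload's leading bytes match the declared image type before storing it, and serve stored files with headers that stop the browser from sniffing the body as HTML. The signature table, the helper names and the sample bodies are constructed for this example.

```javascript
// Added example (not from the slides). Assumes a Node.js upload handler.
// A browser that sniffs content (the Internet Explorer case on the slide) is
// only dangerous if the stored body really is HTML, so the defence is
// (1) check that the bytes look like what the client claims they are and
// (2) tell the browser not to second-guess the Content-Type when serving.

// Magic-byte signatures for the image types we accept (constructed table).
const SIGNATURES = {
  "image/jpeg": [[0xff, 0xd8, 0xff]],
  "image/png":  [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  "image/gif":  [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61],   // GIF87a
                 [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]],  // GIF89a
};

// True when `bytes` starts with one of the signatures registered for `type`.
function matchesDeclaredType(bytes, type) {
  const sigs = SIGNATURES[type];
  if (!sigs) return false;                      // unknown or unwanted type
  return sigs.some(sig =>
    bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b));
}

// Reject anything whose first non-blank byte is '<', whatever the client
// declared: that is exactly the shape of the slide's stored payload.
function looksLikeMarkup(bytes) {
  let i = 0;
  while (i < bytes.length && (bytes[i] === 0x20 || bytes[i] === 0x09 ||
                              bytes[i] === 0x0a || bytes[i] === 0x0d)) i++;
  return bytes[i] === 0x3c; // '<'
}

// Decide whether to store the upload. The declared type comes from the
// client and is never trusted on its own.
function checkUpload(bytes, declaredType) {
  if (looksLikeMarkup(bytes)) {
    return { accept: false, reason: "markup-like body" };
  }
  if (!matchesDeclaredType(bytes, declaredType)) {
    return { accept: false, reason: "signature does not match " + declaredType };
  }
  return { accept: true, reason: "ok" };
}

// Headers to send when serving a stored upload back to users. nosniff stops
// the browser from overriding Content-Type; Content-Disposition keeps the
// file out of the page context; the CSP blocks inline script even if a
// browser still renders the body as a document.
function downloadHeaders(storedType, filename) {
  return {
    "Content-Type": storedType,
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": 'attachment; filename="' + filename.replace(/[^\w.-]/g, "_") + '"',
    "Content-Security-Policy": "default-src 'none'; sandbox",
  };
}

// Constructed sample inputs: the slide's payload and a JPEG (JFIF) header.
const SCRIPT_BODY = new TextEncoder().encode("<script>alert(document.cookie)</script>");
const JPEG_BODY = new Uint8Array([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46]);
```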
DOM-Based XSS Vulnerabilities

An example of the process by which the attacker's JavaScript gets executed is as follows:
  ■ A user requests a crafted URL containing the attacker's JavaScript.
  ■ The server's response does not contain the attacker's script in any form.
  ■ When the user's browser processes this response, the script is executed.

How can this series of events occur?

The answer is that client-side JavaScript can access the browser's document object model
(DOM), and so can determine the URL used to load the current page.

A script issued by the application may extract data from the URL, perform some processing
on this data, and then use it to dynamically update the contents of the page.

When an application does this, it may be vulnerable to DOM-based XSS.
DOM-Based XSS Vulnerabilities

For example, suppose that the error page returned by the application contains the following:

<script>
 // Vulnerable: whatever follows "message=" in the URL is written into the page unchanged.
 var a = document.URL;
 a = unescape(a);
 document.write(a.substring(a.indexOf("message=") + 8, a.length));
</script>

This script parses the URL to extract the value of the message parameter and simply writes
this value into the HTML source code of the page.

Note: if an attacker crafts a URL containing JavaScript, then this code will be dynamically
written into the page and executed.
Real-World XSS Attacks

AJAX:
Ajax (or Asynchronous JavaScript and XML) is a technology used by some applications to
create an enhanced interactive experience for users.

Ajax is implemented using the XMLHttpRequest object. The following is a simple example of
using Ajax within Internet Explorer to issue an asynchronous request and process its
response:

<script>
 // Legacy Internet Explorer object; other browsers expose XMLHttpRequest directly.
 var request = new ActiveXObject("Microsoft.XMLHTTP");
 // The third argument (false) makes this particular call synchronous, so
 // responseText is already populated when send() returns; pass true for an
 // asynchronous request and read the response in an onreadystatechange handler.
 request.open("GET", "https://wahh-app.com/foo", false);
 request.send();
 alert(request.responseText);
</script>

Ajax could be used to trivially violate the browser's same origin policy, by enabling
applications to retrieve and process data from a different domain.
Payloads for XSS Attacks

• Virtual Defacement
• Injecting Trojan Functionality
• Inducing User Actions
  hijacking a victim's session
Payloads for XSS Attacks

• Exploiting Any Trust Relationships
There are several trust relationships that can sometimes be exploited in an XSS attack:
■ If the application employs forms with autocomplete enabled, JavaScript issued by the
application can capture any previously entered data that the user's browser has stored in
the autocomplete cache.

■ Some web applications recommend or require that users add their domain name to the
"Trusted Sites" zone of their browser. This is almost always undesirable. For example,
injecting the following code will cause the Windows calculator program to launch on the
user's computer:
<script>
    var o = new ActiveXObject('WScript.shell');
    o.Run('calc.exe');
</script>

■ etc.
Escalating the Client-Side Attack

• Log Keystrokes
  <script>
    document.onkeypress = function () {
      window.status += String.fromCharCode(window.event.keyCode);
    }
  </script>
• Capture Clipboard Contents
  <script>
    alert(window.clipboardData.getData('Text'));
  </script>
• Steal History and Search Queries
  JavaScript can be used to perform a brute-force exercise to discover third-party sites
  recently visited by the user (using the getComputedStyle API).
• Enumerate Currently Used Applications
  JavaScript can be used to determine whether the user is presently logged in to third-party
  web applications. The trick is to attempt to dynamically load and execute the protected
  page as a piece of JavaScript:
  <script>
    window.onerror = fingerprint;
  </script>
  <script src="https://other-app.com/MyDetails.aspx"></script>
Escalating the Client-Side Attack

• Port Scan the Local Network
  JavaScript can be used to perform a port scan of hosts on the user's local network.

• Attack Other Network Hosts
  The following code checks for a specific image associated with a popular range of DSL
  routers:
  <img src="http://192.168.1.1/hm_icon.gif" onerror="notNetgear()">
Preventing Reflected and Stored XSS

■ Validate input.
■ Validate output.
■ Eliminate dangerous insertion points.
Validate Input

The application should perform context-dependent validation of input data, in as strict a
manner as possible.

Potential features to validate include the following:
  ■ That the data is not too long.
  ■ That the data only contains a certain permitted set of characters.
  ■ That the data matches a particular regular expression.

Different validation rules should be applied as restrictively as possible to names, email
addresses, account numbers, and so on, according to the type of data that the application
is expecting to receive in each field.
Validate Output

Output data should be HTML-encoded to sanitize potentially malicious characters.

HTML-encoding involves replacing literal characters with their corresponding HTML entities.

This ensures that browsers will handle potentially malicious characters in a safe way,
treating them as part of the content of the HTML document and not part of its structure.

The HTML-encodings of the primary problematic characters are as follows:
  "    &quot;
  '    &apos;   (the numeric form &#39; is more portable, as &apos; is not defined in HTML 4)
  &    &amp;
  <    &lt;
  >    &gt;

In addition to these common encodings, in fact any character can be HTML-encoded using its
numeric ASCII character code, as follows:
  %    &#37;
  *    &#42;
HTML Encoding Example

On the Java platform there is no built-in API for this; however, it is simple to construct
your own equivalent method using just the numeric form of encoding. For example:

public static String HTMLEncode(String s)
{
    StringBuffer out = new StringBuffer();
    for (int i = 0; i < s.length(); i++)
    {
        char c = s.charAt(i);
        // Encode every non-ASCII character and each character that can change
        // HTML structure, using the numeric reference &#NNN; (the single quote
        // from the table on the previous slide is included so the output is also
        // safe inside single-quoted attribute values).
        if (c > 0x7f || c == '"' || c == '\'' || c == '&' || c == '<' || c == '>')
            out.append("&#" + (int) c + ";");
        else
            out.append(c);
    }
    return out.toString();
}
Eliminate Dangerous Insertion Points

Inserting user-controllable data directly into existing JavaScript should be avoided
wherever possible.

When applications attempt to do this safely, it is frequently possible to bypass their
defensive filters.

A second location where user input should not be inserted is any other context in which
JavaScript commands may appear directly. For example:
  <img src="userdata">
  <img src="foo.gif" onload="userdata">

In this case an attacker can proceed directly to injecting JavaScript commands within the
quoted string, and HTML-encoding the data does not help, because the browser decodes entity
references before it interprets the attribute value. For example:
  <img src="javascript&#58;alert(document.cookie)">
  <img src="foo.gif" onload="alert(&apos;xss&apos;)">
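Added defender's check for the <img src="userdata"> case (example code, not from the slides): because the browser decodes entity references before it treats the attribute as a URL, the value is decoded first, parsed with the WHATWG URL class, and only then checked against an allowlist of schemes and the application's own origin. The base https://adb-app.com/ comes from the earlier slide; decodeEntities, safeImgSrc and the small named-entity table are assumptions of this example, and it runs under Node.js.

```javascript
// Added example (not from the slides). Node.js, using the WHATWG URL class.
// The slide's bypass works because the browser turns "javascript&#58;" into
// "javascript:" before it interprets the src attribute as a URL, so a filter
// that only inspects the raw string never sees a scheme at all. The safe
// order is: decode as the browser would, parse as a URL, then allowlist what
// the parser actually understood.

// Minimal HTML character-reference decoder: decimal, hex and a few named
// references that matter in URL context (assumed sufficient for this demo).
const NAMED = { colon: ":", amp: "&", Tab: "\t", NewLine: "\n", sol: "/" };
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (m, ref) => {
    if (ref[0] === "#") {
      const code = ref[1].toLowerCase() === "x" ? parseInt(ref.slice(2), 16)
                                                : parseInt(ref.slice(1), 10);
      return (code >= 0 && code <= 0x10ffff) ? String.fromCodePoint(code) : m;
    }
    return NAMED[ref] !== undefined ? NAMED[ref] : m;
  });
}

// Origin the <img> lives on (the example host used earlier in the slides).
const APP_BASE = "https://adb-app.com/";

// Returns a resolved, allowlisted URL string to place in src="...", or null
// when the user-supplied value must be rejected. Only http(s) on the
// application's own origin passes; javascript:, data:, vbscript: and other
// hosts are refused outright rather than "cleaned". The URL parser also
// strips leading whitespace and embedded tabs/newlines and lowercases the
// scheme, so case and whitespace tricks land on the same check.
function safeImgSrc(userdata, base = APP_BASE) {
  const decoded = decodeEntities(String(userdata));
  let u;
  try {
    u = new URL(decoded, base);
  } catch (e) {
    return null;                        // unparsable: reject
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  if (u.origin !== new URL(base).origin) return null;
  return u.href;
}

// The slide's second sink, onload="userdata", has no safe form: no encoding
// keeps arbitrary text from running as JavaScript there, so the only rule
// is never to build an event-handler attribute from user data.
```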
Preventing DOM-Based XSS

• Validate Input
• Validate Output
Validate Input

In many situations, applications can perform rigorous validation on the data being
processed. Indeed, this is one area where client-side validation can be more effective
than server-side validation.

Validating that the data about to be inserted into the document only contains alphanumeric
characters and whitespace could, for example, be done as follows:

<script>
  var a = document.URL;
  a = a.substring(a.indexOf("message=") + 8, a.length);
  a = unescape(a);
  // Allowlist: letters, digits, '+' and whitespace only; anything else is not written.
  var regex = /^([A-Za-z0-9+\s])*$/;
  if (regex.test(a))
      document.write(a);
</script>
Validate Output

As with reflected XSS flaws, applications can perform HTML-encoding of user-controllable DOM
data before this is inserted into the document.

This will enable all kinds of potentially dangerous characters and expressions to be
displayed within the page in a safe way.

HTML encoding can be implemented in client-side JavaScript with a function like the
following:

function sanitize(str)
{
    // A text node cannot contain markup; reading the element back through
    // innerHTML yields the browser's own HTML-encoding of the string.
    var d = document.createElement('div');
    d.appendChild(document.createTextNode(str));
    return d.innerHTML;
}
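Added example (not from the slides) that rewrites the vulnerable error-page script as a validate-then-encode pipeline, serving the HTML Encoding Example slide as well as the two DOM-based XSS prevention slides: a real query-string parser replaces unescape()/indexOf(), the slide's allowlist regex is applied with its intended \s escape, and a JavaScript port of the Java HTMLEncode() method encodes whatever is written. The function names, the length limit and the sample URLs are constructed for this example; it uses only the URL class so it runs under Node.js without a DOM.

```javascript
// Added example (not from the slides). Plain JavaScript; only the URL class
// is used so it runs in Node.js as well as in a browser.

// Step 1: extract the "message" parameter. URLSearchParams decodes %xx and
// '+' correctly; the slide's unescape()+indexOf() approach does not, and it
// can be confused by a second "message=" or by a '#' fragment in the URL.
function extractMessage(url) {
  const u = new URL(url);
  return u.searchParams.get("message"); // null when the parameter is absent
}

// Step 2: the slide's allowlist with the intended \s (whitespace) escape.
// A match means the value holds nothing but letters, digits, '+' and
// whitespace, so it cannot carry markup. The 200-character limit is an
// assumption added for the "not too long" check from the Validate Input slide.
const MESSAGE_ALLOWED = /^[A-Za-z0-9+\s]*$/;
function isAllowedMessage(s) {
  return typeof s === "string" && s.length <= 200 && MESSAGE_ALLOWED.test(s);
}

// Step 3: HTML-encode with numeric character references, mirroring the
// slide's Java HTMLEncode(). The single quote (listed in the slide's table
// of problematic characters) is encoded too, so the output is also safe
// inside single-quoted attribute values.
function htmlEncode(s) {
  let out = "";
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (cp > 0x7f || ch === '"' || ch === "'" || ch === "&" || ch === "<" || ch === ">") {
      out += "&#" + cp + ";";
    } else {
      out += ch;
    }
  }
  return out;
}

// Defence in depth: validate first (reject anything unexpected), and encode
// what is written anyway. Returns the HTML fragment to insert, or a fixed
// fallback when the parameter is missing or rejected.
function renderErrorMessage(url) {
  const raw = extractMessage(url);
  if (!isAllowedMessage(raw)) {
    return { accepted: false, html: "An error occurred" };
  }
  return { accepted: true, html: htmlEncode(raw) };
}

// Constructed sample URLs: the slide's legitimate one and a hostile one.
// Note that the slide's own sample message contains a comma, which the
// slide's regex rejects: allowlists must be derived from the real data.
const GOOD_URL = "https://adb-app.com/error.php?message=Sorry%2c+an+error+occurred";
const BAD_URL  = "https://adb-app.com/error.php?message=%3Cscript%3Ealert(1)%3C/script%3E";
```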
Thanks

Mohamed Ridha Chebbi, CISSP

Potential of AI (Generative AI) in Business: Learnings and Insights
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 

Appsec XSS Case Study

  • 1. Application Security Security Verified Chapter 04 Cross-Site Scripting Mohamed Ridha Chebbi, CISSP Ridha.chebbi@icodesecurity.com © 2012 iCode information security All rights reserved
  • 2. Introduction
  • Cross-site scripting (XSS) is the Godfather of attacks against other users.
  • It is by some measure the most prevalent web application vulnerability found in the wild.
  • There are many situations in which XSS represents a critical security weakness within an application, and it can often be combined with other vulnerabilities to devastating effect.
  • In some situations, an XSS attack can be turned into a virus or a self-propagating worm.
  • 3. Reflected XSS Vulnerabilities
  • A very common example of XSS occurs when an application employs a dynamic page to display error messages to users. Typically, the page takes a parameter containing the text of the message and simply renders this text back to the user within its response.
  • This mechanism is convenient for developers because it allows them to invoke a customized error page from anywhere in the application without hard-coding individual messages within the error page itself.
  Example of a dynamic URL:
    https://adb-app.com/error.php?message=Sorry%2c+an+error+occurred
  Crafted URL:
    https://adb-app.com/error.php?message=<script>alert('xss');</script>
  • 4. Reflected XSS Vulnerabilities
  • This type of simple XSS bug accounts for approximately 75% of the XSS vulnerabilities found in real-world web applications.
  • It is referred to as reflected XSS because exploiting the vulnerability involves crafting a request containing embedded JavaScript that is reflected back to any user who makes that request. The attacker therefore needs the victim to issue the crafted request (for example by following a link); the script then runs in the victim's browser within the application's origin, with access to the victim's session.
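  The round trip described on slides 3 and 4, as an added example that is not part of the original deck: the error page is modelled as pure functions so the reflection can be observed without running a web server. The host name and parameter name are those on the slides; the page template and function names are assumptions made for the example.

```javascript
// Added example (not from the original slides): the error page of slide 3
// modelled as pure functions, so the reflection can be observed without a
// web server. Host name and parameter name are taken from the slides; the
// page template is an assumption.

// Read one query-string parameter as a PHP/servlet front end would:
// "+" becomes a space and %XX sequences are decoded by the URL parser.
function getQueryParam(url, name) {
  return new URL(url).searchParams.get(name) || '';
}

// Minimal HTML encoder for the characters listed on the encoding slides
// (" ' & < >). &#39; is used for the apostrophe because &apos; is not
// defined in HTML 4.
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Vulnerable: the parameter is copied verbatim into the HTML body, so any
// markup in it becomes part of the page structure.
function renderErrorPage(url) {
  return '<html><body><p>Error: ' + getQueryParam(url, 'message') + '</p></body></html>';
}

// Hardened: the parameter is HTML-encoded before insertion into element
// content. Insertion into attributes, URLs or script blocks would need the
// encoding appropriate to that context (see the later slides).
function renderErrorPageSafe(url) {
  return '<html><body><p>Error: ' + htmlEncode(getQueryParam(url, 'message')) + '</p></body></html>';
}

// Constructed inputs: the legitimate and the crafted URL from slide 3.
const benignUrl = 'https://adb-app.com/error.php?message=Sorry%2c+an+error+occurred';
const craftedUrl = "https://adb-app.com/error.php?message=<script>alert('xss');</script>";

console.log(renderErrorPage(benignUrl));
console.log(renderErrorPage(craftedUrl));     // <script> lands in the page as markup
console.log(renderErrorPageSafe(craftedUrl)); // &lt;script&gt;... rendered as text
```

  The vulnerable and hardened functions differ by a single encoding call; the point of the example is that the decoding of the query string (which turns %3C back into "<") happens before the data reaches the template, so the encoding must be applied at the insertion point, not on the raw URL.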
  • 5. Reflected XSS Vulnerabilities (diagram-only slide)
  • 6. Stored XSS Vulnerabilities
  • A different category of XSS vulnerability is referred to as stored cross-site scripting. It arises when data submitted by one user is stored within the application (typically in a back-end database) and later displayed to other users without being filtered or encoded appropriately. Unlike reflected XSS, the victim does not need to follow a crafted link: simply viewing the page that renders the stored data triggers the payload.
  • 7. Storing XSS in Uploaded Files
  • If you can upload an HTML or text file containing JavaScript, and a victim views the file, your payload will normally be executed. The following is the raw response of an application that is vulnerable to stored XSS in this way:
    HTTP/1.1 200 OK
    Date: Sat, 5 May 2011 11:52:25 GMT
    Server: Apache
    Content-Length: 39
    Content-Type: image/jpeg

    <script>alert(document.cookie)</script>
  Note: even though the Content-Type header states that the message body is an image, Internet Explorer overrides this and handles the content as HTML because that is what it in fact contains (MIME sniffing). Practical mitigations: send X-Content-Type-Options: nosniff, which current browsers honour; serve user uploads with Content-Disposition: attachment; and host them on a separate origin so that a sniffed payload cannot run in the application's origin.
  • 8. DOM-Based XSS Vulnerabilities
  Here is an example of the process by which the attacker's JavaScript gets executed:
  ■ A user requests a crafted URL containing the attacker's JavaScript.
  ■ The server's response does not contain the attacker's script in any form.
  ■ When the user's browser processes this response, the script is executed.
  How can this series of events occur? Client-side JavaScript can access the browser's document object model (DOM) and so can determine the URL used to load the current page. A script issued by the application may extract data from the URL, perform some processing on it, and then use it to dynamically update the contents of the page. When an application does this, it may be vulnerable to DOM-based XSS. Note that a payload placed in the URL fragment (after "#") is never sent to the server at all, yet is visible to the client-side script through document.URL, so neither server-side filtering nor server logs will see it.
  • 9. DOM-Based XSS Vulnerabilities
  For example, suppose that the error page returned by the application contains the following:
    <script>
    var a = document.URL;
    a = unescape(a);
    document.write(a.substring(a.indexOf("message=") + 8, a.length));
    </script>
  This script parses the URL to extract the value of the message parameter and simply writes this value into the HTML source code of the page.
  Note: if an attacker crafts a URL containing JavaScript, this code will be dynamically written into the page and executed. document.write is the sink here; the same flaw arises with innerHTML, eval, or any other API that interprets a string as markup or code.
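  The behaviour of the slide 9 script, as an added example that is not part of the original deck: the parsing logic is reproduced as a pure function so it can be run outside a browser, next to a hardened version. The sample URLs are constructed for the example; the allow-list pattern and function names are assumptions.

```javascript
// Added example (not from the original slides). Models the client-side
// script from slide 9 as pure functions so the DOM-based behaviour can be
// observed outside a browser: "extractMessageAsInSlide" is the vulnerable
// logic, "buildSafeMessageHtml" the hardened one. The sample URLs are
// constructed for this example.

// Same parsing as the slide's script: unescape the whole URL, then take
// everything after "message=".
function extractMessageAsInSlide(documentUrl) {
  let a = documentUrl;
  a = unescape(a);                     // legacy decoder, as on the slide
  return a.substring(a.indexOf('message=') + 8, a.length);
}

// Minimal HTML encoder for element content (see the encoding slides).
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Hardened: read the parameter with a real URL parser (so "#..." is not
// mistaken for the query string), allow-list its characters, and encode
// it before it reaches an HTML sink such as document.write or innerHTML.
function buildSafeMessageHtml(documentUrl) {
  const message = new URL(documentUrl).searchParams.get('message') || '';
  if (!/^[A-Za-z0-9 ,.!?]*$/.test(message)) {
    return '<p>An error occurred.</p>';  // reject anything outside the allow-list
  }
  return '<p>' + htmlEncode(message) + '</p>';
}

// Constructed inputs.
// 1. Payload in the query string: the server sees it and could filter it.
const queryUrl = 'https://adb-app.com/error.php?message=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';
// 2. Payload in the fragment: browsers never send "#..." to the server, so the
//    response cannot contain it, yet document.URL does and the slide's script
//    writes it into the page.
const fragmentUrl = 'https://adb-app.com/error.php#message=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';
const benignUrl = 'https://adb-app.com/error.php?message=Sorry%2c+an+error+occurred';

console.log(extractMessageAsInSlide(fragmentUrl)); // <img src=x onerror=alert(1)>
console.log(buildSafeMessageHtml(fragmentUrl));    // <p></p>  (no "message" in the query)
console.log(buildSafeMessageHtml(queryUrl));       // <p>An error occurred.</p>
console.log(buildSafeMessageHtml(benignUrl));      // <p>Sorry, an error occurred</p>
```

  The fragment case is the one worth remembering: the vulnerable function returns the same payload for both URLs, but only the first would ever appear in a server log or pass through a server-side filter.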
  • 10. Real-World XSS Attacks
  AJAX: Ajax (Asynchronous JavaScript and XML) is a technique used by some applications to create an enhanced interactive experience for users. It is implemented using the XMLHttpRequest object. The following is a simple example of using Ajax within legacy Internet Explorer to issue a synchronous request and process its response (in current browsers the equivalent is new XMLHttpRequest() or fetch()):
    <script>
    var request = new ActiveXObject("Microsoft.XMLHTTP");
    request.open("GET", "https://wahh-app.com/foo", false);
    request.send();
    alert(request.responseText);
    </script>
  XMLHttpRequest is itself bound by the browser's same-origin policy: if it allowed a page to retrieve and process data from a different domain, the policy would be trivially violated. Its relevance to XSS is the reverse. A script injected into the application runs within the application's origin, so it can use XMLHttpRequest to make requests to the application carrying the victim's session cookies and read the responses (page content, tokens, personal data), which is how many of the payloads on the following slides are delivered.
  • 11. Payloads for XSS Attacks
  • Virtual defacement
  • Injecting Trojan functionality
  • Inducing user actions
  • Hijacking a victim's session
  • 12. Payloads for XSS Attacks
  • Exploiting any trust relationships. There are several trust relationships that can sometimes be exploited in an XSS attack:
  ■ If the application employs forms with autocomplete enabled, JavaScript issued by the application can capture any previously entered data that the user's browser has stored in the autocomplete cache.
  ■ Some web applications recommend or require that users add their domain name to the "Trusted Sites" zone of their browser. This is almost always undesirable. For example, injecting the following code will cause the Windows calculator program to launch on the user's computer:
    <script>
    var o = new ActiveXObject('WScript.Shell');
    o.Run('calc.exe');
    </script>
  This works only in Internet Explorer with a zone configuration that permits unsafe ActiveX controls to be scripted; it illustrates how an XSS flaw in a "trusted" site escalates to code execution on the client.
  ■ etc.
  • 13. Escalating the Client-Side Attack
  • Log keystrokes (Internet Explorer event model; standards-based browsers expose the key through the handler's event argument rather than window.event):
    <script>
    document.onkeypress = function () {
      window.status += String.fromCharCode(window.event.keyCode);
    }
    </script>
  • Capture clipboard contents (window.clipboardData exists only in Internet Explorer; other browsers require explicit user permission for clipboard reads):
    <script>
    alert(window.clipboardData.getData('Text'));
    </script>
  • Steal history and search queries: JavaScript can perform a brute-force exercise to discover third-party sites recently visited by the user, historically by reading the computed style of :visited links through the getComputedStyle API (current browsers restrict what :visited may expose, which blunts this technique).
  • Enumerate currently used applications: JavaScript can be used to determine whether the user is presently logged in to third-party web applications. The trick is to attempt to dynamically load and execute the protected page as a piece of JavaScript; the error reported to the onerror handler differs depending on whether the page returned was the protected content or a login redirect:
    <script>
    window.onerror = fingerprint;   // fingerprint: handler that inspects the error; not shown on the slide
    </script>
    <script src="https://other-app.com/MyDetails.aspx"></script>
  Current browsers report only "Script error." to onerror for cross-origin scripts served without CORS headers, which removes most of the signal this technique relied on.
  • 14. Escalating the Client-Side Attack
  • Port-scan the local network: JavaScript can be used to perform a port scan of hosts on the user's local network, for example by timing how long requests to candidate addresses and ports take to fail.
  • Attack other network hosts. The following code checks for a specific image associated with a popular range of DSL routers; if the image loads, the onerror handler does not fire and the script knows that a Netgear device answers at that address:
    <img src="http://192.168.1.1/hm_icon.gif" onerror="notNetgear()">
  • 15. Preventing Reflected and Stored XSS
  ■ Validate input.
  ■ Validate output.
  ■ Eliminate dangerous insertion points.
  • 16. Validate Input
  The application should perform context-dependent validation of input data, in as strict a manner as possible. Properties to validate include the following:
  ■ That the data is not too long.
  ■ That the data contains only a permitted set of characters.
  ■ That the data matches a particular regular expression.
  Different validation rules should be applied, as restrictively as possible, to names, email addresses, account numbers, and so on, according to the type of data the application expects to receive in each field. Input validation is a defence in depth; it does not replace output encoding, because data that is valid in one field (an apostrophe in a surname, for instance) can still be dangerous at a particular insertion point.
  • 17. Validate Output
  Output data should be HTML-encoded to neutralize potentially malicious characters. HTML-encoding replaces literal characters with their corresponding HTML entities. This ensures that browsers treat those characters as part of the content of the HTML document and not as part of its structure. The HTML encodings of the primary problematic characters are:
    "  &quot;
    '  &apos;  (not defined in HTML 4; &#39; works in every browser)
    &  &amp;
    <  &lt;
    >  &gt;
  In addition to these named entities, any character can be HTML-encoded as a numeric character reference using its decimal code, for example:
    %  &#37;
    *  &#42;
  • 18. HTML Encoding Example
  The Java standard library provides no built-in HTML-encoding method (third-party libraries such as the OWASP Java Encoder do); it is simple to construct your own using just the numeric form of encoding. For example:
    public static String HTMLEncode(String s) {
        StringBuffer out = new StringBuffer();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            // Encode the HTML metacharacters, and every non-ASCII character,
            // as decimal numeric character references (&#NN;).
            // The single quote is included here; the slide's condition omitted it.
            if (c > 0x7f || c == '"' || c == '\'' || c == '&' || c == '<' || c == '>')
                out.append("&#" + (int) c + ";");
            else
                out.append(c);
        }
        return out.toString();
    }
  This is suitable for data inserted into HTML element content or a quoted attribute value; other contexts need different treatment (see the next slide).
  • 19. Eliminate Dangerous Insertion Points
  Inserting user-controllable data directly into existing JavaScript should be avoided wherever possible. When applications attempt to do this safely, it is frequently possible to bypass their defensive filters.
  A second location where user input should not be inserted is any other context in which JavaScript commands may appear directly. For example:
    <img src="userdata">
    <img src="foo.gif" onload="userdata">
  In these cases an attacker can proceed directly to injecting JavaScript commands within the quoted string, and HTML-encoding does not help because the browser decodes character references in attribute values before using them as a URL or as script. For example:
    <img src="javascript&#58;alert(document.cookie)">
    <img src="foo.gif" onload="alert(&apos;xss&apos;)">
  (Current browsers no longer execute javascript: URLs in image sources, but they still do so in href attributes, and event-handler attributes remain fully executable.)
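  Why the two insertion points on slide 19 cannot be fixed by encoding, as an added example that is not part of the original deck: the attribute-value decoding step that a browser performs is modelled as a small function, so the effect can be checked outside a browser, together with the scheme allow-list that should be applied to a user-supplied URL instead. The decoder is simplified (it treats entity names case-insensitively and knows only the five entities from the encoding slide); function names are assumptions.

```javascript
// Added example (not from the original slides). Shows, outside a browser,
// why HTML-encoding alone does not secure the two insertion points on
// slide 19: the HTML parser decodes character references in attribute
// values *before* the value is used as a URL or handed to the JavaScript
// engine. "decodeAttributeValue" models that step (simplified);
// "isSafeImageUrl" is the allow-list check to apply instead of encoding.
// Sample inputs are constructed for this example.

// HTML encoder from the earlier slides (" ' & < > as character references).
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// What the HTML parser does to an attribute value: named and numeric
// character references become the characters they denote.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeAttributeValue(v) {
  return v.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1].toLowerCase() === 'x';
      return String.fromCodePoint(hex ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10));
    }
    return NAMED[ref.toLowerCase()] || m;
  });
}

// Context 1: <img src="userdata">. "javascript:alert(...)" contains no HTML
// metacharacters, so HTML-encoding leaves it untouched, and an attacker can
// write the colon as &#58; to slip past a filter that looks for "javascript:".
// The defence is a scheme allow-list on the decoded value, not encoding.
function isSafeImageUrl(userdata) {
  const decoded = decodeAttributeValue(userdata).trim();
  if (decoded.startsWith('/') && !decoded.startsWith('//')) return true; // same-site relative path
  try {
    const scheme = new URL(decoded).protocol;
    return scheme === 'http:' || scheme === 'https:';
  } catch (e) {
    return false; // no scheme, or unparsable: do not emit it
  }
}

// Context 2: <img src="foo.gif" onload="userdata">. Whatever encoding is
// applied, the decoded attribute value is what the JavaScript engine runs,
// so user-controlled data here is executable by construction. This
// insertion point has to be eliminated, not encoded.
function onloadHandlerSource(userdata) {
  return decodeAttributeValue(htmlEncode(userdata));
}

console.log(htmlEncode('javascript:alert(document.cookie)'));          // unchanged
console.log(decodeAttributeValue('javascript&#58;alert(document.cookie)')); // javascript:alert(document.cookie)
console.log(isSafeImageUrl('javascript&#58;alert(document.cookie)'));   // false
console.log(isSafeImageUrl('https://adb-app.com/a.gif'));               // true
console.log(onloadHandlerSource("alert('xss')"));                       // alert('xss')
```

  The onload case is the instructive one: the encoder does its job (the quotes become &#39;), and the browser faithfully undoes it before evaluating the handler, so the attacker's string reaches the interpreter intact.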
  • 20. Preventing DOM-Based XSS
  • Validate input
  • Validate output
  • 21. Validate Input
  In many situations, applications can perform rigorous validation on the data being processed. Indeed, this is one area where client-side validation can be more effective than server-side validation, because the data (for example a URL fragment) may never reach the server. Validating that the data about to be inserted into the document contains only alphanumeric characters and whitespace could look like this:
    <script>
    var a = document.URL;
    a = a.substring(a.indexOf("message=") + 8, a.length);
    a = unescape(a);
    var regex = /^([A-Za-z0-9+\s])*$/;
    if (regex.test(a))
        document.write(a);
    </script>
  The check runs on the decoded value, which is exactly what document.write receives, and it is an allow-list: anything outside the pattern is rejected rather than an attempt being made to strip known-bad strings. Note that the pattern also admits "+", which unescape leaves in place.
  • 22. Validate Output
  As with reflected XSS flaws, applications can HTML-encode user-controllable DOM data before it is inserted into the document. This enables all kinds of potentially dangerous characters and expressions to be displayed within the page safely. HTML encoding can be implemented in client-side JavaScript with a function like the following:
    function sanitize(str) {
        var d = document.createElement('div');
        d.appendChild(document.createTextNode(str));
        return d.innerHTML;
    }
  Caveat: serializing a text node through innerHTML encodes &, < and > but not quotes, so the result is safe for element content only; do not place it inside an attribute value or a script block. Where the goal is simply to show the string as text, assigning it to an element's textContent avoids markup interpretation altogether.
  • 23. Thanks. Mohamed Ridha Chebbi, CISSP