One of the most common web application security vulnerabilities is Cross-Site Scripting (XSS). What does it mean to a developer?
Why is it important? What should we keep in mind? How can we, as developers, prevent it to some extent? How do attackers proceed? And more.
1. XSS (Cross-Site Scripting) - An application security vulnerability from the developer's point of view
Soumyasanto Sen, #sitMUC
@soumyasanto
2. Definition
Wikipedia says
"XSS enables attackers to inject client-side script into web pages viewed by other users".
OWASP (the free and open software security community) says
"Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites."
"An XSS attack occurs when a script from an untrusted source is executed in rendering a page"
3. What is XSS?
A client-side vulnerability, but it can also be a server-side one.
Based on injection through JavaScript, VBScript, Flash, HTML, JSON, ActiveX etc.
Caused by insufficient validation and sanitization.
Attacker's Paradise
Stealing credentials and private information
Executing commands (CSRF) and malicious scripts
Redirection to a malicious site
Port scanning, phishing, keylogging etc.
10. Injection Points: the places through which the attacker can enter or inject scripts
Insert/Edit Text
Insert/Edit Image
Insert/Edit URL
Set Attributes
Insert/Upload File
Insert/Upload Video
What is context? Context is the environment where user-supplied input, or input from other application(s), eventually ends up and lives.
"Context Is King for All Areas of IT Security"
Example: Based on Testing (Definitions)
17. ATTACK METHODOLOGY
• Systematic in nature
• Easy to understand
• Context-specific
• The attack methodology is `complete`: one can guarantee that there is an XSS or no XSS in a particular injection point.
• With the help of the attack methodology, one can build a secure per-context XSS sanitizer
• Can be applied to other server-side languages
Example: Based on Testing (Attack Methodology)
23. Encoding will not help in breaking the script context unless developers are doing some sort of explicit decoding.
Example: Based on Testing (Attack Methodology)
24. Two arrays of black-listed keywords (other names: filterXSS and noXSS)
Example: Based on Testing (Customized XSS Solutions)
25. Two arrays of black-listed keywords
Example: Based on Testing (Customized XSS Solutions)
Bypass: <img src=x id=confirm(1) onerror=eval(id)
26. The goal of this function is to stop JavaScript execution via style.
Example: Based on Testing (Customized XSS Solutions)
Bypass:
width:expression(al
ert(1))
27. Another popular customized XSS protection solution
Example: Based on Testing (Customized XSS Solutions)
30. Example: Based on Testing (Real Solutions)
Protection against JavaScript execution via a `url`, e.g., an img's src and/or an anchor's href attribute: implementation of `urlContextCleaner()`
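An added example, not from the deck and not the speaker's code, of what a per-context approach like `urlContextCleaner()` looks like in practice: the URL context gets a scheme allow-list (names `encodeForHtml` and `safeImgTag`, and this implementation of `urlContextCleaner`, are my own assumptions), and the attribute context gets entity encoding on the way into the tag.

```javascript
// Added example (not from the slides): per-context handling of untrusted
// input. Which cleaner applies depends on where the value ends up.

// HTML body and quoted-attribute context: entity-encode the characters
// that can close a text node or break out of a quoted attribute value.
function encodeForHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// URL context (img src, a href): allow-list the scheme rather than
// black-listing the word "javascript". Browsers drop tab/newline anywhere
// in a URL and strip leading/trailing control characters, so normalise the
// same way before inspecting the scheme. Name modelled on the deck's
// urlContextCleaner(); the body is an assumption, not the deck's code.
function urlContextCleaner(untrusted) {
  const url = String(untrusted)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!scheme) return url;                         // relative URL: keep it
  const allowed = ['http', 'https', 'mailto'];
  return allowed.includes(scheme[1].toLowerCase()) ? url : 'about:blank';
}

// Compose both: clean for the URL context first (on the raw, decoded
// value), then encode for the attribute context when the value is written
// into the tag. Attribute names themselves are never user-supplied.
function safeImgTag(src, alt) {
  return `<img src="${encodeForHtml(urlContextCleaner(src))}" alt="${encodeForHtml(alt)}">`;
}
```

The order matters: cleaning the URL after entity encoding would let `&#106;avascript:` slip past a scheme check, since the HTML parser decodes the entity before the browser sees the URL.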
31. Example: Based on Testing (Solutions - Make it Simple)
WYSIWYG (What You See Is What You Get)
· Forum Post
· Private Messaging
· Wiki Post
· Support Ticket
· Signature Creation
· Comments
34. Demo: Based on Games (Bypassing)
https://xss-game.appspot.com/
http://xssplaygroundforfunandlearn.netai.net/series1.html
https://html5sec.org/innerhtml/ (Mario Heiderich's Utility)
36. Preventions
XSS (Cross Site Scripting) Prevention Cheat Sheet from OWASP
(HTML5 Security Cheat Sheet)
Validate XSS input: use white-listing, escaping and sanitization methods (use sanitizers).
"Do not trust anything, ever, especially when it comes to user input"
Understanding the common browser behaviors that lead to XSS
Learning the best practices for your technology
37. Latest News
Salesforce plugs silly website XSS hole, hopes nobody spotted it (Mid August)
Critical PayPal XSS vulnerability left accounts open to attack (Late August)
eBay Fixes XSS Flaw in Subdomain (Early September)
Netflix Sleepy Puppy Awakens XSS Vulnerabilities in Secondary Applications (Early September)
Attackers exploit vulnerabilities in two WordPress plugins (Early May)
38. Latest News
0-day XSS vulnerability on SAP website put customers' data at risk of theft by hackers (Early May)
SAP HANA Databases Vulnerable to XSS and SQL Injections (Late June)
Overall:
Almost ALL websites have serious security vulnerabilities, study shows
39. Challenges
Not enough penetration testing (92% of the respondents perform penetration testing: 21% perform it annually, 26% perform it quarterly and 8% never perform penetration testing.)
Taking responsibility away from the developers
Unawareness of the XSS vulnerability
Not taking it seriously
40. Conclusion
XSS is unavoidable, at least nowadays!
Now it's your job to raise the bar for the attacker.
"XSS is Everywhere" (Short and Simple)
Use prevention, go for solutions in the form of layers, keep updated & do regular penetration testing