SlideShare uma empresa Scribd logo

Cross site scripting

Transferir como PPTX, PDF
Dilan Warnakulasooriya
Dilan Warnakulasooriya

Myself and Asanka Fernandopulle conducted corporate level workshop on Application Security. This workshop covered areas such as application security treats, secure cording practices, application penetration testing and web application exploitations. Workshop mainly consisted with practical sessions and demonstrations. You can find all the presentations here.

Tecnologia
1 de 14
CROSS SITE Scripting HOW VULNERABLE IS MY WEB APPLICATION FROM A DEVELOPER’S ANGLE… Dilan Warnakulasooriya Asanka Fernandopulle Information Security Engineer Senior Software Engineer 99X Technology 99X Technology
What is it?  Script is injected into page  Script can come from URL, Database, Cookie, Form  Types:  Reflected  Persistent  DOM Based  What can it do?  Create or access any DOM element  Hijack click, cookies, credentials  Limited JavaScript port scanning  Send information to remote sites (think credentials)  And many more… January 1, 2013 99X Technology(c) 2
How is it exploited?  Attacker injects script into user’s experience  Can happen from server side code (beware ASP.NET code)  Can happen from client side code (beware JavaScript/Jquery Code) January 1, 2013 99X Technology(c) 3
Exploiting Demos Reflected January 1, 2013 99X Technology(c) 4
Exploiting Demos Persistent January 1, 2013 99X Technology(c) 5
Exploiting Demos Older style IE6 Content type Sniffing January 1, 2013 99X Technology(c) 6
Exploiting Demos DOM based + JSON + JQUERY January 1, 2013 99X Technology(c) 7
Exploiting Demos DATA URI – Link Hijack January 1, 2013 99X Technology(c) 8
Exploiting Demos Dangling markup January 1, 2013 99X Technology(c) 9
How do you prevent it?  Relected/Persisted not used _anywhere_ in JavaScript is the easiest way to prevent  Html Encode – specify encoder for AntiXss  Avoid user inputs in any attribute or regex to a-z only  Consider stripping out anything not a-z,0-9  Json.Encode() or Encoder.JavascriptEncode() all data supplied to JavaScript  Still vulnerable if this text is read from an element and used incorrectly  More complex scenarios require serious investigation into code sections  Audit anywhere DOM elements are created/altered for user supplied inputs  Some past vulnerabilities were hard to control (flash, pdf, etc) January 1, 2013 99X Technology(c) 10
How do you prevent it?(cont’d)  Do not store data encoded, but sanitized  Encoding & Storing can lead to double encoding:  < &lt &amp;lt; &amp;amp;lt  AntiXss Sanitizer’s GetSafeHtml()/ GetSafeHtmlFragment()  Specify Page Encoding in the web.config  Content Security Policies  Firefox OK  Chrome/Safari(WebKit) OK  IE 10 – Partially implemented – As expected  Don’t expect blacklists to work (ie searching for <script>)  Have been bypassed in many ways  Replacing “script” with “” can end up making <script>!  Consider removing all data: from all stored URI’s to exclude data  Only allow local URL redirects that start with “/uri” January 1, 2013 99X Technology(c) 11
How do you prevent it?(Last but not least)  Audit every location data is assigned, output, and used since lots of data can be affected by user  Ensure its not used in JavaScript, or Highly sanitized  ASP.NET Textbox HtmlEncodes(), Label does not ○ KNOW YOUR CONTROL’s BEHAVIOUR!!! EVERY ONE!  Test by injecting script, special characters (ex <) into app – use Fiddler if you must, to change incoming data  Be Concerned with any place that DOM elements are created/modified  Use functions such as setAttribute and var y = document.createElement(“div”); rather than document.writeln, $(x).html(), element.innerHTML, eval  Deprecate IE6 (and all older browsers)  Use Request.Browser, ie6update.com, etc…  Don’t turn off EnableRequestValidation or ValidateRequest!  MVC apps use [AllowHtml], Web forms more difficult (Until 4.5!!) January 1, 2013 99X Technology(c) 12
Know your encoding options Encoding option Code/Config Web forms/ Web forms View Engine <%= Server.HtmlEncode(data) %> Web Forms v4.0+ <%:data %> MVC3+Razor View Engine @data Data bindings in web forms v4 & below <%# Server.HtmlEncode(Eval(“property”)) %> Data binding v4.5 <%#: Item.Property %> Better: ASP.Net 3.5 below use AntiXss library Microsoft.Security.Application.Encoder.HtmlEncode directly (data) ASP.Net 4(Web Forms & MVC) <httpRuntime encoderType=“Microsoft.Security.Application.AntiX ssEncoder.AntiXssLibrary” /> ASP.Net 4.5(AntiXss included in this version) <httpRuntime encoderType=“System.Web.SecurityAntiXss..AntiX ssEncoder, System.Web, version=4.5.00,…” /> JSON(MVC) Json.Encode(Model) Javascript encoding using AntiXss Encoder.JavascriptEncoder(Model.comment) January 1, 2013 99X Technology(c) 13
Tools  Development tools  Microsoft’s Anti-Xss tools  FxCop rules  Testting tools  Dominator  jsFiddle.net  DomSnitch – Chrome plugin  Fiddler ○ Remember you can set breakpoints and change incoming data  Scanners (SAINTexploit)  Keep on top of current Xss types of attacks  OWASP is a great resource  @wascwhild  http://we.nvd.nist.goc/view/vuln/seach- results?query=xss&search_type=all&cves=on January 1, 2013 99X Technology(c) 14

Recomendados

Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net application
ZAIYAUL HAQUE
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might think
Erlend Oftedal
 
Hands-On XML Attacks
Hands-On XML AttacksHands-On XML Attacks
Hands-On XML Attacks
Toe Khaing
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
OWASP Khartoum
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesses
kuza55
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
drewz lin
 
[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS
OWASP
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
SharePointRadi
 

Recomendados

Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net application
ZAIYAUL HAQUE
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might think
Erlend Oftedal
 
Hands-On XML Attacks
Hands-On XML AttacksHands-On XML Attacks
Hands-On XML Attacks
Toe Khaing
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
OWASP Khartoum
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesses
kuza55
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
drewz lin
 
[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS
OWASP
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
SharePointRadi
 
Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)
Emily Stark
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesses
kuza55
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
Blueinfy Solutions
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding Practices
OWASPKerala
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
Yurii Bilyk
 
Hack proof your ASP NET Applications
Hack proof your ASP NET ApplicationsHack proof your ASP NET Applications
Hack proof your ASP NET Applications
Sarvesh Kushwaha
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
gmaran23
 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets Mallory
Emily Stark
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
drewz lin
 
Htaccess info
Htaccess infoHtaccess info
Htaccess info
umakant jadhav
 
Complete xss walkthrough
Complete xss walkthroughComplete xss walkthrough
Complete xss walkthrough
Ahmed Elhady Mohamed
 
Sql Injection Paper
Sql Injection PaperSql Injection Paper
Sql Injection Paper
Aung Khant
 
Dom based xss
Dom based xssDom based xss
Dom based xss
Lê Giáp
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hour
snoopythesecuritydog
 
Examining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS FilterExamining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS Filter
kuza55
 
Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
Shreeraj Shah
 
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Xlator
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Porfirio Tramontana
 
[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)
OWASP EEE
 
Application security overview
Application security overviewApplication security overview
Application security overview
Dilan Warnakulasooriya
 
CSRF
CSRFCSRF
CSRF
Dilan Warnakulasooriya
 

Mais conteúdo relacionado

Mais procurados

Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)
Emily Stark
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesses
kuza55
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
drewz lin
 
Sql Injection Paper
Sql Injection PaperSql Injection Paper
Sql Injection Paper
Aung Khant
 
Dom based xss
Dom based xssDom based xss
Dom based xss
Lê Giáp
 
Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
Shreeraj Shah
 
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Xlator
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Porfirio Tramontana
 

Mais procurados (20)

Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesses
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding Practices
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
Hack proof your ASP NET Applications
Hack proof your ASP NET ApplicationsHack proof your ASP NET Applications
Hack proof your ASP NET Applications
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets Mallory
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
 
Htaccess info
Htaccess infoHtaccess info
Htaccess info
 
Complete xss walkthrough
Complete xss walkthroughComplete xss walkthrough
Complete xss walkthrough
 
Sql Injection Paper
Sql Injection PaperSql Injection Paper
Sql Injection Paper
 
Dom based xss
Dom based xssDom based xss
Dom based xss
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hour
 
Examining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS FilterExamining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS Filter
 
Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
 
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web Applications
 
[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)
 

Destaque

Destaque (8)

Application security overview
Application security overviewApplication security overview
Application security overview
 
CSRF
CSRFCSRF
CSRF
 
Sql injection
Sql injectionSql injection
Sql injection
 
Application security overview
Application security overviewApplication security overview
Application security overview
 
Session Hijacking
Session HijackingSession Hijacking
Session Hijacking
 
webscarab
webscarabwebscarab
webscarab
 
Secure coding
Secure codingSecure coding
Secure coding
 
Parameter tampering
Parameter tamperingParameter tampering
Parameter tampering
 

Semelhante a Cross site scripting

Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
Mario Heiderich
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
Stephan Chenette
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Mario Heiderich
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
Mario Heiderich
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
CODE BLUE
 
WinJS at NYC Code Camp 2012
WinJS at NYC Code Camp 2012WinJS at NYC Code Camp 2012
WinJS at NYC Code Camp 2012
Dmitri Artamonov
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
 

Semelhante a Cross site scripting (20)

Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
AJAX: How to Divert Threats
AJAX: How to Divert ThreatsAJAX: How to Divert Threats
AJAX: How to Divert Threats
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
 
Day8
Day8Day8
Day8
 
Html5 hacking
Html5 hackingHtml5 hacking
Html5 hacking
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclient
 
WinJS at NYC Code Camp 2012
WinJS at NYC Code Camp 2012WinJS at NYC Code Camp 2012
WinJS at NYC Code Camp 2012
 
XPages Blast - ILUG 2010
XPages Blast - ILUG 2010XPages Blast - ILUG 2010
XPages Blast - ILUG 2010
 
Appsec XSS Case Study
Appsec XSS Case StudyAppsec XSS Case Study
Appsec XSS Case Study
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Intro to mobile web application development
Intro to mobile web application developmentIntro to mobile web application development
Intro to mobile web application development
 
Dojo - from web page to web apps
Dojo - from web page to web appsDojo - from web page to web apps
Dojo - from web page to web apps
 
Intro to .NET for Government Developers
Intro to .NET for Government DevelopersIntro to .NET for Government Developers
Intro to .NET for Government Developers
 

Último

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 

Último (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 

Cross site scripting

  • 1. CROSS SITE Scripting HOW VULNERABLE IS MY WEB APPLICATION FROM A DEVELOPER’S ANGLE… Dilan Warnakulasooriya Asanka Fernandopulle Information Security Engineer Senior Software Engineer 99X Technology 99X Technology
  • 2. What is it?  Script is injected into page  Script can come from URL, Database, Cookie, Form  Types:  Reflected  Persistent  DOM Based  What can it do?  Create or access any DOM element  Hijack click, cookies, credentials  Limited JavaScript port scanning  Send information to remote sites (think credentials)  And many more… January 1, 2013 99X Technology(c) 2
  • 3. How is it exploited?  Attacker injects script into user’s experience  Can happen from server side code (beware ASP.NET code)  Can happen from client side code (beware JavaScript/Jquery Code) January 1, 2013 99X Technology(c) 3
  • 4. Exploiting Demos Reflected January 1, 2013 99X Technology(c) 4
  • 5. Exploiting Demos Persistent January 1, 2013 99X Technology(c) 5
  • 6. Exploiting Demos Older style IE6 Content type Sniffing January 1, 2013 99X Technology(c) 6
  • 7. Exploiting Demos DOM based + JSON + JQUERY January 1, 2013 99X Technology(c) 7
  • 8. Exploiting Demos DATA URI – Link Hijack January 1, 2013 99X Technology(c) 8
  • 9. Exploiting Demos Dangling markup January 1, 2013 99X Technology(c) 9
  • 10. How do you prevent it?  Relected/Persisted not used _anywhere_ in JavaScript is the easiest way to prevent  Html Encode – specify encoder for AntiXss  Avoid user inputs in any attribute or regex to a-z only  Consider stripping out anything not a-z,0-9  Json.Encode() or Encoder.JavascriptEncode() all data supplied to JavaScript  Still vulnerable if this text is read from an element and used incorrectly  More complex scenarios require serious investigation into code sections  Audit anywhere DOM elements are created/altered for user supplied inputs  Some past vulnerabilities were hard to control (flash, pdf, etc) January 1, 2013 99X Technology(c) 10
  • 11. How do you prevent it?(cont’d)  Do not store data encoded, but sanitized  Encoding & Storing can lead to double encoding:  < &lt &amp;lt; &amp;amp;lt  AntiXss Sanitizer’s GetSafeHtml()/ GetSafeHtmlFragment()  Specify Page Encoding in the web.config  Content Security Policies  Firefox OK  Chrome/Safari(WebKit) OK  IE 10 – Partially implemented – As expected  Don’t expect blacklists to work (ie searching for <script>)  Have been bypassed in many ways  Replacing “script” with “” can end up making <script>!  Consider removing all data: from all stored URI’s to exclude data  Only allow local URL redirects that start with “/uri” January 1, 2013 99X Technology(c) 11
  • 12. How do you prevent it?(Last but not least)  Audit every location data is assigned, output, and used since lots of data can be affected by user  Ensure its not used in JavaScript, or Highly sanitized  ASP.NET Textbox HtmlEncodes(), Label does not ○ KNOW YOUR CONTROL’s BEHAVIOUR!!! EVERY ONE!  Test by injecting script, special characters (ex <) into app – use Fiddler if you must, to change incoming data  Be Concerned with any place that DOM elements are created/modified  Use functions such as setAttribute and var y = document.createElement(“div”); rather than document.writeln, $(x).html(), element.innerHTML, eval  Deprecate IE6 (and all older browsers)  Use Request.Browser, ie6update.com, etc…  Don’t turn off EnableRequestValidation or ValidateRequest!  MVC apps use [AllowHtml], Web forms more difficult (Until 4.5!!) January 1, 2013 99X Technology(c) 12
  • 13. Know your encoding options Encoding option Code/Config Web forms/ Web forms View Engine <%= Server.HtmlEncode(data) %> Web Forms v4.0+ <%:data %> MVC3+Razor View Engine @data Data bindings in web forms v4 & below <%# Server.HtmlEncode(Eval(“property”)) %> Data binding v4.5 <%#: Item.Property %> Better: ASP.Net 3.5 below use AntiXss library Microsoft.Security.Application.Encoder.HtmlEncode directly (data) ASP.Net 4(Web Forms & MVC) <httpRuntime encoderType=“Microsoft.Security.Application.AntiX ssEncoder.AntiXssLibrary” /> ASP.Net 4.5(AntiXss included in this version) <httpRuntime encoderType=“System.Web.SecurityAntiXss..AntiX ssEncoder, System.Web, version=4.5.00,…” /> JSON(MVC) Json.Encode(Model) Javascript encoding using AntiXss Encoder.JavascriptEncoder(Model.comment) January 1, 2013 99X Technology(c) 13
  • 14. Tools  Development tools  Microsoft’s Anti-Xss tools  FxCop rules  Testting tools  Dominator  jsFiddle.net  DomSnitch – Chrome plugin  Fiddler ○ Remember you can set breakpoints and change incoming data  Scanners (SAINTexploit)  Keep on top of current Xss types of attacks  OWASP is a great resource  @wascwhild  http://we.nvd.nist.goc/view/vuln/seach- results?query=xss&search_type=all&cves=on January 1, 2013 99X Technology(c) 14