Appsec XSS Case Study
Mohamed Ridha CHEBBI, CISSP
1.
Application Security
Security Verified
Chapter 04: Cross-Site Scripting
Mohamed Ridha Chebbi, CISSP
Ridha.chebbi@icodesecurity.com
© 2012 iCode information security. All rights reserved.
2.
Introduction
• Cross-site scripting (or XSS) is the Godfather of attacks against other users.
• It is by some measure the most prevalent web application vulnerability found in the wild.
• There are many situations in which XSS does represent a critical security weakness within an application. It can often be combined with other vulnerabilities to devastating effect.
• In some situations, an XSS attack can be turned into a virus or a self-propagating worm.
3.
Reflected XSS Vulnerabilities
• A very common example of XSS occurs when an application employs a dynamic page to display error messages to users. Typically, the page takes a parameter containing the text of the message and simply renders this text back to the user within its response.
• This type of mechanism is convenient for developers, because it allows them to invoke a customized error page from anywhere in the application, without needing to hard-code individual messages within the error page itself.

Example of a dynamic URL:

    https://adb-app.com/error.php?message=Sorry%2c+an+error+occurred

Crafted URL:

    https://adb-app.com/error.php?message=<script>alert('xss');</script>
4.
Reflected XSS Vulnerabilities
• This type of simple XSS bug accounts for approximately 75% of the XSS vulnerabilities that exist in real-world web applications.
• It is often referred to as reflected XSS because exploiting the vulnerability involves crafting a request containing embedded JavaScript, which is reflected back to any user who makes the request.
5.
Reflected XSS Vulnerabilities
6.
Stored XSS Vulnerabilities
• A different category of XSS vulnerability is often referred to as stored cross-site scripting. This version arises when data submitted by one user is stored within the application (typically in a back-end database) and then displayed to other users without being filtered or sanitized appropriately.
7.
Storing XSS in Uploaded Files
• If you can upload an HTML or text file containing JavaScript, and a victim views the file, then your payload will normally be executed. The following shows the raw response of an application that is vulnerable to stored XSS in this way:

    HTTP/1.1 200 OK
    Date: Sat, 5 May 2011 11:52:25 GMT
    Server: Apache
    Content-Length: 39
    Content-Type: image/jpeg

    <script>alert(document.cookie)</script>

Note: Even though the Content-Type header specifies that the message body contains an image, Internet Explorer overrides this and handles the content as HTML, because this is what it in fact contains.
8.
DOM-Based XSS Vulnerabilities
Here is an example of the process by which the attacker's JavaScript gets executed:
■ A user requests a crafted URL containing the attacker's JavaScript.
■ The server's response does not contain the attacker's script in any form.
■ When the user's browser processes this response, the script is executed.

How can this series of events occur? The answer is that client-side JavaScript can access the browser's document object model (DOM), and so can determine the URL used to load the current page. A script issued by the application may extract data from the URL, perform some processing on this data, and then use it to dynamically update the contents of the page. When an application does this, it may be vulnerable to DOM-based XSS.
9.
DOM-Based XSS Vulnerabilities
For example, suppose that the error page returned by the application contains the following:

    <script>
    var a = document.URL;
    a = unescape(a);
    document.write(a.substring(a.indexOf("message=") + 8, a.length));
    </script>

This script parses the URL to extract the value of the message parameter and simply writes this value into the HTML source code of the page.

Note: if an attacker crafts a URL containing JavaScript, then this code will be dynamically written into the page and executed.
10.
Real-World XSS Attacks
AJAX: Ajax (or Asynchronous JavaScript and XML) is a technology used by some applications to create an enhanced interactive experience for users. Ajax is implemented using the XMLHttpRequest object. The following is a simple example of using Ajax within Internet Explorer to issue a synchronous request (the third argument of open() is false) and process its response:

    <script>
    var request = new ActiveXObject("Microsoft.XMLHTTP");
    request.open("GET", "https://wahh-app.com/foo", false);
    request.send();
    alert(request.responseText);
    </script>

Ajax could be used to trivially violate the browser's same-origin policy, by enabling applications to retrieve and process data from a different domain.
11.
Payloads for XSS Attacks
• Virtual Defacement
• Injecting Trojan Functionality
• Inducing User Actions
• Hijacking a victim's session
12.
Payloads for XSS Attacks
• Exploiting Any Trust Relationships

There are several trust relationships that can sometimes be exploited in an XSS attack:
■ If the application employs forms with autocomplete enabled, JavaScript issued by the application can capture any previously entered data that the user's browser has stored in the autocomplete cache.
■ Some web applications recommend or require that users add their domain name to the "Trusted Sites" zone of their browser. This is almost always undesirable. For example, injecting the following code will cause the Windows calculator program to launch on the user's computer:

    <script>
    var o = new ActiveXObject('WScript.shell');
    o.Run('calc.exe');
    </script>

■ etc.
13.
Escalating the Client-Side Attack
• Log Keystrokes

    <script>
    document.onkeypress = function () {
        window.status += String.fromCharCode(window.event.keyCode);
    }
    </script>

• Capture Clipboard Contents

    <script>
    alert(window.clipboardData.getData('Text'));
    </script>

• Steal History and Search Queries
JavaScript can be used to perform a brute-force exercise to discover third-party sites recently visited by the user (using the getComputedStyle API).

• Enumerate Currently Used Applications
JavaScript can be used to determine whether the user is presently logged in to third-party web applications. The trick is to attempt to dynamically load and execute the protected page as a piece of JavaScript:

    window.onerror = fingerprint;
    <script src="https://other-app.com/MyDetails.aspx"></script>
14.
Escalating the Client-Side Attack
• Port Scan the Local Network
JavaScript can be used to perform a port scan of hosts on the user's local network.

• Attack Other Network Hosts
The following code checks for a specific image associated with a popular range of DSL routers:

    <img src="http://192.168.1.1/hm_icon.gif" onerror="notNetgear()">
15.
Preventing Reflected and Stored XSS
■ Validate input.
■ Validate output.
■ Eliminate dangerous insertion points.
16.
Validate Input
The application should perform context-dependent validation of input data, in as strict a manner as possible. Potential features to validate include the following:
■ That the data is not too long.
■ That the data only contains a certain permitted set of characters.
■ That the data matches a particular regular expression.

Different validation rules should be applied as restrictively as possible to names, email addresses, account numbers, and so on, according to the type of data that the application is expecting to receive in each field.
17.
Validate Output
Output data should be HTML-encoded to sanitize potentially malicious characters. HTML-encoding involves replacing literal characters with their corresponding HTML entities. This ensures that browsers will handle potentially malicious characters in a safe way, treating them as part of the content of the HTML document and not part of its structure.

The HTML-encodings of the primary problematic characters are as follows:

    "   &quot;
    '   &apos;
    &   &amp;
    <   &lt;
    >   &gt;

In addition to these common encodings, in fact any character can be HTML-encoded using its numeric ASCII character code, as follows:

    %   &#37;
    *   &#42;
18.
HTML Encoding Example
On the Java platform, there is no equivalent built-in API available; however, it is simple to construct your own equivalent method using just the numeric form of encoding. For example:

    public static String HTMLEncode(String s) {
        StringBuffer out = new StringBuffer();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            // Non-ASCII characters and the HTML metacharacters " ' & < >
            // are replaced by their numeric entity form (&#NNN;)
            if (c > 0x7f || c == '"' || c == '\'' || c == '&' || c == '<' || c == '>')
                out.append("&#" + (int) c + ";");
            else
                out.append(c);
        }
        return out.toString();
    }
19.
Eliminate Dangerous Insertion Points
Inserting user-controllable data directly into existing JavaScript should be avoided wherever possible. When applications attempt to do this safely, it is frequently possible to bypass their defensive filters.

A second location where user input should not be inserted is any other context in which JavaScript commands may appear directly. For example:

    <img src="userdata">
    <img src="foo.gif" onload="userdata">

In this case an attacker can proceed directly to injecting JavaScript commands within the quoted string. For example:

    <img src="javascript:alert(document.cookie)">
    <img src="foo.gif" onload="alert('xss')">
20.
Preventing DOM-Based XSS
• Validate Input
• Validate Output
21.
Validate Input
In many situations, applications can perform rigorous validation on the data being processed. Indeed, this is one area where client-side validation can be more effective than server-side validation. Validating that the data about to be inserted into the document only contains alphanumeric characters and whitespace could, for example, be done as follows:

    <script>
    var a = document.URL;
    a = a.substring(a.indexOf("message=") + 8, a.length);
    a = unescape(a);
    var regex = /^([A-Za-z0-9+\s])*$/;
    if (regex.test(a))
        document.write(a);
    </script>
22.
Validate Output
As with reflected XSS flaws, applications can perform HTML-encoding of user-controllable DOM data before this is inserted into the document. This will enable all kinds of potentially dangerous characters and expressions to be displayed within the page in a safe way. HTML encoding can be implemented in client-side JavaScript with a function like the following:

    function sanitize(str) {
        var d = document.createElement('div');
        d.appendChild(document.createTextNode(str));
        return d.innerHTML;
    }
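The following Node.js example is added here and is not part of the slides; it models the DOM-based error page of slides 8 and 9 beside the two defences of slides 21 and 22. document.URL and document.write are replaced by plain string functions so it runs without a browser, and sanitize() is re-implemented as the serialisation a browser produces for a text node's innerHTML; the URLs are constructed for this example.

```javascript
// Added example: the DOM-based error page from the slides, modelled in Node.js,
// with the raw document.write sink beside input validation and output encoding.
// document.URL / document.write are stand-ins (plain strings); URLs are constructed.

// Mirrors the slides' parsing: take everything after "message=" and decode it.
// Unlike the original, it returns "" when the parameter is absent or the
// %-encoding is malformed, instead of writing a substring of the whole URL.
function extractMessage(url) {
  const marker = "message=";
  const start = url.indexOf(marker);
  if (start === -1) return "";
  try {
    return decodeURIComponent(url.substring(start + marker.length));
  } catch (e) {
    return ""; // URIError on a bad %-sequence: refuse rather than guess
  }
}

// The vulnerable sink: what document.write(a) receives on the original page.
function vulnerableWrite(url) {
  return extractMessage(url);
}

// Defence 1, validate input: the allowlist regex from the slides (letters,
// digits, '+' and whitespace). Anything else is refused and nothing is written.
const ALLOWED = /^([A-Za-z0-9+\s])*$/;
function validatedWrite(url) {
  const a = extractMessage(url);
  return ALLOWED.test(a) ? a : null;
}

// Defence 2, validate output: what the slides' sanitize() yields, i.e. the
// innerHTML serialisation of a text node. Only &, < and > are encoded, so the
// result is safe for a text context, not for an attribute or script context.
function sanitize(str) {
  return String(str).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function encodedWrite(url) {
  return sanitize(extractMessage(url));
}

// Constructed inputs: a benign error URL and the crafted one from the slides.
const BENIGN = "https://adb-app.com/error.php?message=Sorry+an+error+occurred";
const CRAFTED = "https://adb-app.com/error.php?message=%3Cscript%3Ealert('xss');%3C/script%3E";

console.log("raw:      ", vulnerableWrite(CRAFTED)); // script text reaches the page
console.log("validated:", validatedWrite(CRAFTED));  // null: refused
console.log("encoded:  ", encodedWrite(CRAFTED));    // entities, rendered as text
```

The allowlist is strict enough to refuse the slides' own "Sorry%2c+an+error+occurred" because of the comma, which is the usual trade-off of input validation: widen the regex for the field's real character set rather than abandon it.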
23.
Thanks
Mohamed Ridha Chebbi, CISSP