XSS? Sure, we all have heard about - XSS, stands for Cross Site Scripting, but XSS sounds lot more cool, huh? Have your account or website been hacked? Or you sure might have heard about such a compromised account or site from someone? Have you been ever tricked by a website? Have you ever noticed your everyday trusted site behaving abnormally, throwing weird content at you? Nowadays, these are very common incidents. Recently: Pentagon XSS Hack Facebook XSS Hack How hackers do it all? Why the hell do they do it? Would you like to check it out live, do some hands-on? And focus on how to secure against this nasty vulnerability. Come join us to see - HOW IT HAPPENS and MAKE IT HAPPEN YOURSELF.

1. Hacking and Information Security Group
Organised with TechNext

2. Mr. Sandip Chaudhari
•13+ years experience in Software and Information Security Industry
•6+ years worked as a Professional Software Security Analyst and Secure Code
Auditor
•100+ in-house vulnerabilities discovered and reported
•Presented Security Research Paper at various security conferences around the
globe including New York, USA, Luxembourg, Luxembourg, Tokyo, Japan, Bangalore,
India
•Undertook multiple responsibilities in various roles like – Security Analyst,
Application Developer, Project Manager, Software Application Architect,
Information Security Researcher, CTO
•Proud to have worked along with, and be part of group that included – Dino Dai
Zovi, Shane Macaulay, Adam Green, Jonathan Leonard and Jeremy Jethro
Organizer and Mentor

3. We Are…The Speakers…
Sudarshan Pawar
Certified Security Expert(C.S.E.)
Certified Information Security Specialist (C.I.S.S.)
Security Xplained (TechNext Speaker)
Pursuing B.E.(Computer)
& a Security Professional
Prakashchandra Suthar
Cisco Certified Network Associate
Red Hat Linux Certified
Security Xplained (TechNext Speaker)
Computer Engg
Security Researcher

4. WHY are we in this room on weekend rather than
enjoying hot beverage on a rainy day?

5. Today’s Agenda
1. XSS: What does it mean?
2. Birth
3. Stats
4. Working
5. The Havoc it Created
6. Reason of attack
7. Causes
8. Types of XSS
9. Vulnerabilities in web programming
10. Solutions
11. Prevention Mechanisms
Blah blah….
CAPTURE THE FLAG
D.I.Y. (Do it yourself and
experience the dark side of the
Force...!!!)
Session 1 Session 2

6. BIRTH OF XSS
• Netscape introduced JavaScript in 1995. Soon
after, hackers realize that when someone surfs
their website they can force load any website
(webmail, banks, auction sites) in a frame and
use JavaScript to cross boundaries between the
two sites hence the name “cross site scripting.”
• The XSS explosion came in 2005 when the Samy
worm took down MySpace.

7. STATS

8. STATS: XSS ATTACKS

9. FEW AFFECTED ORGANISATIONS…
Myspace

10. Myspace Samy attack

11. PayPal

12. Annauniversity

13. Avast.

14. XSS Attack Scenario

15. www.sometrustedwebsite.com
Asia America Europe
BEFORE ATTACK…

16. www.sometrustedwebsite.com
Asia America Europe
AFTER ATTACK
(Injects script)
Injected Script can be:
• Malicious page
•Explicit Images
•Bots(to make zombies)
•Redirecting links
•Fake Login Pages
•Etc. etc.
(NOTE: Names of Continents is JUST used as an example representing users accessing a
trusted website)

17. How much financial loss it costs?
How much it will cost if your online bank
account is attacked ?
(Big Hint: Please be bold, take the lead,
stand-up and share how much money you
got in your bank right now)

18. CAN U TAKE THIS TYPE OF CHANCE….??

19. CAUSES
•A XSS vulnerability is majorly caused by
the failure of a site to sanitize user input
before returning it to the client’s web-
browser

20. REASON OF ATTACK
• Change Settings
• Cookie theft
• False Advertising
• Steal Form Tokens to make XSRF Easier
• And more, you have to be creative to exploit XSS

21. There are Three Types of XSS
• Persistent (Stored) XSS : Attack is stored on the
website server
• Non Persistent (reflected) XSS: user has to go through
a special link to be exposed
• DOM-based XSS: problem exists within the client-
side script
XSS Types

22. UNSANITIZED CODE: STORED XSS
<?php
?>
if(isset($_POST['btnSign']))
{
$message = trim($_POST['mtxMessage']);
$name = trim($_POST['txtName']);
// Sanitize message input
$message = stripslashes($message);
$message = mysql_real_escape_string($message);
// Sanitize name input
$name = mysql_real_escape_string($name);
$query = "INSERT INTO guestbook (comment,name) VALUES ('$messa
ge','$name');";
$result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>' );
}

23. UNSANITIZED CODE: REFLECTED XSS
<?php
{
Else // else generates HTML page on user input
{
echo '<pre>';
echo 'Hello ' . $_GET['name'];
echo '</pre>';
}
?>
$isempty = true;
}
if(!
array_key_exists ("name", $_GET) || $_GET['name'] == NULL || $_GET
['name'] == '') //checks for empty text...

24. DOM-Based XSS
Var html=
[ ‘<form class = “config”>’, ‘<fieldset>’ ,
‘<label for=“appSuite”>enter url:</label>’,
‘<input type=“text” name=“appSuite”
id=“appSuite”
value=“ ‘ ,options.appendUrl || ”,’ “/>’
‘</fieldset>’, </form>].join(‘ ’),
dlg=$((html)appendTo($body));

25. Solutions Fast Track
Filtering
1.Filtering can deliver unexpected results if you
aren’t careful to monitor the output.
2.Using a loop can reduce the risks associated with
filtering out content.
3.Filtering alone can introduce new risks by
creating new types of attacks. Therefore, it is
critical to understand the order in which filters are
applied and how they interact with one another.

26. Input Encoding
1. Input encoding can create a single choke point for
all encoding.
2.Things like SQL injection and command injection
can also be checked prior to storing information in a
database.
3. Input encoding cannot stop persistent XSS once
stored.
Output Encoding
1. Output encoding is more granular and can take
context into account.
2. Developers must perform output encoding
potentially many times for each location the
information is outputted.

27. Web Browser’s Security
1. Beware of long or overly complex URLs. Often
these are the most likely to contain vulnerabilities.
2. Do not click on unknown URLs in e-mail if at all
possible.
3. Choose a secure browser and customize your
security settings to reduce the risk of exploitation.

28. CODE SOLUTION: Stored xss
<?php
if(isset($_POST['btnSign']))
{
$message = trim($_POST['mtxMessage']);
$name = trim($_POST['txtName']);
// Sanitize message input
$message = stripslashes($message);
$message = mysql_real_escape_string($message);
$message = htmlspecialchars($message);
// Sanitize name input
$name = stripslashes($name);
$name = mysql_real_escape_string($name);
$name = htmlspecialchars($name);
$query = "INSERT INTO guestbook (comment,name) VALUES ('$message','$name');";
$result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>' );
}

29. SOLUTION:Reflected XSS
<?php
if(!array_key_exists ("name", $_GET) || $_GET['name'] == NULL ||
$_GET['name'] == '')
{
$isempty = true;
}
Else
{
echo '<pre>';
echo 'Hello ' . htmlspecialchars($_GET['name']);
echo '</pre>';
}
?>

30. DOM-Based
Var html=
‘<form class = “config”>’, ‘<fieldset>’ ,
‘<label for=“appSuite”>enter url:</label>’,
‘<input type=“text” name=“appSuite” id=“appSuite”
value=“ ‘ ,options.appendUrl || ”,’ “/>’
‘</fieldset>’, </form>.join(‘ ’),
dlg=$(html)appendTo($(‘body’));
appSuite.val(options.appSuiteUrl || ‘ ‘);

31. Rebels?
Tinkering?
Go beyond programming
Attack attacker’s attack
Attitude! Matters. But beware of the Dark Side
About You…

32. Any Doubts….

33. FAQ’s
1.Is there a safe browser?
2. Are you safe if you turn off JavaScript?
3. How can I stop myself from becoming
a victim of a JavaScript worm?
4.It’s hopeless. I can’t trust a single Web application.
Why did you do this to me?
5. I think I am infected. What can I do?

34. 6. Does my anti-virus software protect me from XSS
attacks?
7. Can XSS worm propagate on my system?
8. XSS attacks can compromise my online account but
not my network.Is that true?
9. What is the best technique to evade XSS filters?
10. Are persistent XSS vulnerabilities more severe
than non-persistent ones?

35. 11. How many URL’s can be tested in the various
history stealing hacks?
12. I run XYZ program that creates an HTML report.
How can I determine if it is vulnerable?
13. Is the browser-hijacking feature in XSS-proxy persistent?

36. XSS Lab
• Now is your chance to try some
hands on!
• Experience the thrill of hacking
• You’ve got to hack a blogger web
application using XSS
• For site URL refer the white-board

37. XSS Lab - Goal
• Goal of the lab is to steal the session
cookie of the logged in user (demo)
on the blogger application
• Use that cookie locally and login as
the demo user
• Demo user has an un-published
secret post, saved as draft, that has
some secret content
• All posts – published and drafts are
accessible after logging in, using
menu link – Manage Posts
• Call us as soon as you are able to
access the secret post!

38. XSS Lab – Code Review:
Vulnerability & Fix

39. Questions?
• What you want to ask, many already have that same
question on their mind. Be bold and lead
• OK, if you don’t want to speak and keep shut and keep
thinking about it in your mind and take those questions
home, make sure you email those to us and sleep well at
night!

40. What should be our topic for the next meet?
I hate to ask but, how can we make this better?