Appsec XSS Case Study
Mohamed Ridha CHEBBI, CISSP
1.
Application Security
Security Verified
Chapter 04: Cross-Site Scripting
Mohamed Ridha Chebbi, CISSP, Ridha.chebbi@icodesecurity.com
© 2012 iCode information security. All rights reserved.
2.
Introduction
• Cross-site scripting (or XSS) is the Godfather of attacks against other users.
• It is by some measure the most prevalent web application vulnerability found in the wild.
• There are many situations in which XSS does represent a critical security weakness within an application. It can often be combined with other vulnerabilities to devastating effect.
• In some situations, an XSS attack can be turned into a virus or a self-propagating worm.
3.
Reflected XSS Vulnerabilities
• A very common example of XSS occurs when an application employs a dynamic page to display error messages to users. Typically, the page takes a parameter containing the text of the message and simply renders this text back to the user within its response.
• This type of mechanism is convenient for developers, because it allows them to invoke a customized error page from anywhere in the application, without needing to hard-code individual messages within the error page itself.
Example of a dynamic URL:
    https://adb-app.com/error.php?message=Sorry%2c+an+error+occurred
Crafted URL:
    https://adb-app.com/error.php?message=<script>alert('xss');</script>
4.
Reflected XSS Vulnerabilities
• This type of simple XSS bug accounts for approximately 75% of the XSS vulnerabilities that exist in real-world web applications.
• It is often referred to as reflected XSS because exploiting the vulnerability involves crafting a request containing embedded JavaScript which is reflected back to any user who makes the request.
5.
Reflected XSS Vulnerabilities
6.
Stored XSS Vulnerabilities
• A different category of XSS vulnerability is often referred to as stored cross-site scripting. This version arises when data submitted by one user is stored within the application (typically in a back-end database) and then displayed to other users without being filtered or sanitized appropriately.
7.
Storing XSS in Uploaded Files
• If you can upload an HTML or text file containing JavaScript, and a victim views the file, then your payload will normally be executed. The following shows the raw response of an application that is vulnerable to stored XSS in this way:
    HTTP/1.1 200 OK
    Date: Sat, 5 May 2011 11:52:25 GMT
    Server: Apache
    Content-Length: 39
    Content-Type: image/jpeg

    <script>alert(document.cookie)</script>
Note: even though the Content-Type header specifies that the message body contains an image, Internet Explorer overrides this and handles the content as HTML, because this is what it in fact contains.
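As an added example (not from the slides), the following JavaScript shows a server-side check that would have refused to serve the response above: it compares the declared Content-Type with the file's leading bytes, looks for markup the way a sniffing browser would, and sends X-Content-Type-Options: nosniff so the browser does not guess. Function names and the sample bodies are assumptions made here.

```javascript
// Added example, not part of the slides: a server-side check for the upload
// case on slide 7, where a file declared as image/jpeg actually holds HTML.
// Function names and the sample bodies are constructed for this illustration.

// Leading byte signatures ("magic bytes") for the image types the upload
// endpoint is willing to serve. Any other declared type is rejected outright.
const MAGIC_BYTES = {
  "image/jpeg": [[0xff, 0xd8, 0xff]],
  "image/png": [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  "image/gif": [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61], [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]],
};

// True when the first bytes of the body match one signature of the declared type.
function matchesDeclaredType(contentType, bytes) {
  const type = contentType.split(";")[0].trim().toLowerCase();
  const signatures = MAGIC_BYTES[type];
  if (!signatures) return false;
  return signatures.some(
    (sig) => bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b)
  );
}

// Second, independent check modelled on what a sniffing browser does: look for
// markup in the first 512 bytes. This also catches a valid image header with
// HTML appended after it, which the signature check alone would let through.
function looksLikeMarkup(bytes) {
  const head = String.fromCharCode(...bytes.subarray(0, 512)).toLowerCase();
  return /<\s*(!doctype|html|script|body|iframe|svg|object|embed)/.test(head);
}

// Decide how an upload is served. Every response carries
// X-Content-Type-Options: nosniff so that a browser honours Content-Type
// instead of guessing from the body, even for a file that slipped past the checks.
function serveUpload(contentType, bytes) {
  if (!matchesDeclaredType(contentType, bytes) || looksLikeMarkup(bytes)) {
    return {
      status: 400,
      headers: { "Content-Type": "text/plain; charset=utf-8", "X-Content-Type-Options": "nosniff" },
      body: "rejected: body does not match declared content type",
    };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": contentType,
      "Content-Length": String(bytes.length),
      "X-Content-Type-Options": "nosniff",
    },
    body: bytes,
  };
}

// Constructed samples. The first is the exact 39-byte body from slide 7;
// the second is a minimal JPEG header (SOI marker plus the start of a JFIF APP0 segment).
const SCRIPT_BODY = new TextEncoder().encode("<script>alert(document.cookie)</script>");
const JPEG_BODY = new Uint8Array([
  0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00, 0x01, 0x01, 0x00,
]);

console.log(serveUpload("image/jpeg", SCRIPT_BODY).status); // 400
console.log(serveUpload("image/jpeg", JPEG_BODY).status);   // 200
```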
8.
DOM-Based XSS Vulnerabilities
Here is an example of the process by which the attacker's JavaScript gets executed:
■ A user requests a crafted URL containing the attacker's JavaScript.
■ The server's response does not contain the attacker's script in any form.
■ When the user's browser processes this response, the script is executed.
How can this series of events occur? The answer is that client-side JavaScript can access the browser's document object model (DOM), and so can determine the URL used to load the current page. A script issued by the application may extract data from the URL, perform some processing on this data, and then use it to dynamically update the contents of the page. When an application does this, it may be vulnerable to DOM-based XSS.
9.
DOM-Based XSS Vulnerabilities
For example, suppose that the error page returned by the application contains the following:
    <script>
    var a = document.URL;
    a = unescape(a);
    // everything after "message=" is written into the page unchanged
    document.write(a.substring(a.indexOf("message=") + 8, a.length));
    </script>
This script parses the URL to extract the value of the message parameter and simply writes this value into the HTML source code of the page.
Note: if an attacker crafts a URL containing JavaScript, then this code will be dynamically written into the page and executed.
10.
Real-World XSS Attacks
AJAX: Ajax (or Asynchronous JavaScript and XML) is a technology used by some applications to create an enhanced interactive experience for users. Ajax is implemented using the XMLHttpRequest object. The following is a simple example of using Ajax within Internet Explorer to issue an asynchronous request and process its response:
    <script>
    var request = new ActiveXObject("Microsoft.XMLHTTP");
    // third argument false: the call blocks until the response arrives
    request.open("GET", "https://wahh-app.com/foo", false);
    request.send();
    alert(request.responseText);
    </script>
Ajax could be used to trivially violate the browser's same-origin policy by enabling applications to retrieve and process data from a different domain.
11.
Payloads for XSS Attacks
• Virtual Defacement
• Injecting Trojan Functionality
• Inducing User Actions
• Hijacking a victim's session
12.
Payloads for XSS Attacks
• Exploiting Any Trust Relationships
There are several trust relationships that can sometimes be exploited in an XSS attack:
■ If the application employs forms with autocomplete enabled, JavaScript issued by the application can capture any previously entered data that the user's browser has stored in the autocomplete cache.
■ Some web applications recommend or require that users add their domain name to the "Trusted Sites" zone of their browser. This is almost always undesirable. For example, injecting the following code will cause the Windows calculator program to launch on the user's computer:
    <script>
    var o = new ActiveXObject('WScript.shell');
    o.Run('calc.exe');
    </script>
■ etc.
13.
Escalating the Client-Side Attack
• Log Keystrokes
    <script>
    document.onkeypress = function () {
        window.status += String.fromCharCode(window.event.keyCode);
    }
    </script>
• Capture Clipboard Contents
    <script>
    alert(window.clipboardData.getData('Text'));
    </script>
• Steal History and Search Queries
JavaScript can be used to perform a brute-force exercise to discover third-party sites recently visited by the user (using the getComputedStyle API).
• Enumerate Currently Used Applications
JavaScript can be used to determine whether the user is presently logged in to third-party web applications. The trick is to attempt to dynamically load and execute the protected page as a piece of JavaScript:
    window.onerror = fingerprint;
    <script src="https://other-app.com/MyDetails.aspx"></script>
14.
Escalating the Client-Side Attack
• Port Scan the Local Network
JavaScript can be used to perform a port scan of hosts on the user's local network.
• Attack Other Network Hosts
The following code checks for a specific image associated with a popular range of DSL routers:
    <img src="http://192.168.1.1/hm_icon.gif" onerror="notNetgear()">
15.
Preventing Reflected and Stored XSS
■ Validate input.
■ Validate output.
■ Eliminate dangerous insertion points.
16.
Validate Input
The application should perform context-dependent validation of input data, in as strict a manner as possible. Potential features to validate include the following:
■ That the data is not too long.
■ That the data only contains a certain permitted set of characters.
■ That the data matches a particular regular expression.
Different validation rules should be applied as restrictively as possible to names, email addresses, account numbers, and so on, according to the type of data that the application is expecting to receive in each field.
17.
Validate Output
Output data should be HTML-encoded to sanitize potentially malicious characters. HTML-encoding involves replacing literal characters with their corresponding HTML entities. This ensures that browsers will handle potentially malicious characters in a safe way, treating them as part of the content of the HTML document and not part of its structure. The HTML-encodings of the primary problematic characters are as follows:
    "  &quot;
    '  &apos;
    &  &amp;
    <  &lt;
    >  &gt;
In addition to these common encodings, in fact any character can be HTML-encoded using its numeric ASCII character code, as follows:
    %  &#37;
    *  &#42;
18.
HTML Encoding Example
On the Java platform, there is no equivalent built-in API available; however, it is simple to construct your own equivalent method using just the numeric form of encoding. For example:
    public static String HTMLEncode(String s) {
        StringBuffer out = new StringBuffer();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            // Numerically encode anything outside 7-bit ASCII and the five
            // structural characters listed on the previous slide
            if (c > 0x7f || c == '"' || c == '\'' || c == '&' || c == '<' || c == '>')
                out.append("&#" + (int) c + ";");
            else
                out.append(c);
        }
        return out.toString();
    }
19.
Eliminate Dangerous Insertion Points
Inserting user-controllable data directly into existing JavaScript should be avoided wherever possible. When applications attempt to do this safely, it is frequently possible to bypass their defensive filters.
A second location where user input should not be inserted is any other context in which JavaScript commands may appear directly. For example:
    <img src="userdata">
    <img src="foo.gif" onload="userdata">
In this case an attacker can proceed directly to injecting JavaScript commands within the quoted string. For example:
    <img src="javascript:alert(document.cookie)">
    <img src="foo.gif" onload="alert('xss')">
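An added example, not from the slides: a URL check for the <img src="userdata"> insertion point above, written in JavaScript, showing why HTML-encoding alone is not enough in that context and why it is still needed after validation. The function names and sample values are assumptions made for the illustration.

```javascript
// Added example, not part of the slides: a check for the <img src="userdata">
// insertion point on slide 19. HTML-encoding alone does not help there, because
// javascript:alert(document.cookie) contains no character that encoding touches,
// so the value must be validated as a URL before it is placed in the attribute.
// Function names and the sample values are constructed for this illustration.

// Accept relative paths and absolute http(s) URLs; reject every other scheme.
function isSafeUrlAttribute(value) {
  // Browsers drop ASCII control characters and whitespace while parsing a
  // scheme and compare it case-insensitively, so "java\tscript:" and
  // "JaVaScRiPt:" must be normalised before the check, not after.
  const cleaned = value.replace(/[\x00-\x20]/g, "").toLowerCase();
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  if (scheme) return scheme[1] === "http" || scheme[1] === "https";
  // Policy choice: scheme-relative "//host/x" is an absolute URL in disguise.
  return !cleaned.startsWith("//");
}

// Attribute-value encoding: replaces the characters that can end the quoted
// value or start an entity, numerically as on slide 18.
function encodeAttribute(value) {
  return value.replace(/[&"'<>]/g, (c) => "&#" + c.charCodeAt(0) + ";");
}

// Builds the tag only when the value passes the URL check, and always encodes
// it. Encoding matters even after validation: an entity-encoded scheme such as
// "&#106;avascript:" passes the scheme check (it does not start with a letter),
// but once its "&" is encoded the browser sees the literal text as a relative
// path rather than decoding it into a javascript: URL.
function imgTag(userdata) {
  if (!isSafeUrlAttribute(userdata)) {
    return '<img src="placeholder.gif" alt="invalid image URL">';
  }
  return '<img src="' + encodeAttribute(userdata) + '">';
}

// The onload="userdata" case from the same slide has no safe encoding at all:
// whatever is placed there is executed as JavaScript, so it is not handled here.

const SAMPLES = [
  "foo.gif",
  "https://adb-app.com/images/logo.png",
  "javascript:alert(document.cookie)",
  "JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  'foo.gif" onload="alert(1)',
];
for (const s of SAMPLES) console.log(JSON.stringify(s), "->", imgTag(s));
```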
20.
Preventing DOM-Based XSS
• Validate Input
• Validate Output
21.
Validate Input
In many situations, applications can perform rigorous validation on the data being processed. Indeed, this is one area where client-side validation can be more effective than server-side validation. For example, validating that the data about to be inserted into the document only contains alphanumeric characters and whitespace could look like this:
    <script>
    var a = document.URL;
    a = a.substring(a.indexOf("message=") + 8, a.length);
    a = unescape(a);
    // allow only letters, digits, "+" and whitespace
    var regex = /^([A-Za-z0-9+\s])*$/;
    if (regex.test(a)) document.write(a);
    </script>
22.
Validate Output
As with reflected XSS flaws, applications can perform HTML-encoding of user-controllable DOM data before this is inserted into the document. This will enable all kinds of potentially dangerous characters and expressions to be displayed within the page in a safe way. HTML encoding can be implemented in client-side JavaScript with a function like the following:
    function sanitize(str) {
        var d = document.createElement('div');
        d.appendChild(document.createTextNode(str));
        // the browser serializes the text node, encoding <, > and & but not
        // quotes, so the result is safe as element content, not inside an attribute value
        return d.innerHTML;
    }
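As an added example that is not part of the slides, the following JavaScript puts slide 9's vulnerable DOM pattern next to the allow-list check from slide 21 and a JavaScript port of slide 18's numeric encoder, all as pure string functions so the behaviour can be checked without a browser. The function names and sample URLs are assumptions made here.

```javascript
// Added example, not part of the slides: the DOM-based XSS pattern from
// slide 9 next to the defenses from slides 17, 18, 21 and 22, written as
// pure functions so the behaviour can be checked without a browser.
// Function names and the sample URLs are constructed for this illustration.

// Mirrors the parsing on slides 9 and 21: take everything after "message="
// and decode it. decodeURIComponent stands in for the legacy unescape();
// "+" is turned into a space as form encoding intends.
function extractMessageParam(url) {
  const idx = url.indexOf("message=");
  if (idx === -1) return "";
  const raw = url.substring(idx + 8).replace(/\+/g, " ");
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return ""; // malformed percent-encoding: treat as no message
  }
}

// Vulnerable (slide 9): the decoded value goes straight into the markup that
// document.write() would emit.
function renderVulnerable(url) {
  return "<p>" + extractMessageParam(url) + "</p>";
}

// Slide 21's allow-list: letters, digits, "+" and whitespace only.
const MESSAGE_ALLOWLIST = /^([A-Za-z0-9+\s])*$/;
function isAllowedMessage(value) {
  return MESSAGE_ALLOWLIST.test(value);
}

// Slide 18's numeric HTML encoding ported to JavaScript: every non-ASCII
// character and every character that carries HTML structure becomes &#NNN;.
// Unlike slide 22's text-node trick this also encodes both quote characters,
// so the result is safe inside a quoted attribute value as well as in element content.
function htmlEncode(s) {
  let out = "";
  for (const ch of s) {
    const code = ch.codePointAt(0);
    if (code > 0x7f || ch === '"' || ch === "'" || ch === "&" || ch === "<" || ch === ">") {
      out += "&#" + code + ";";
    } else {
      out += ch;
    }
  }
  return out;
}

// Hardened: validate against the allow-list and encode whatever is rendered.
// Both layers are kept: encoding still protects if the allow-list is later
// loosened, and the allow-list stops odd input before it reaches the page.
function renderHardened(url) {
  const value = extractMessageParam(url);
  if (!isAllowedMessage(value)) {
    return "<p>Sorry, an error occurred</p>"; // generic text; attacker input is never rendered
  }
  return "<p>" + htmlEncode(value) + "</p>";
}

// Constructed URLs modelled on slide 3.
const BENIGN_URL = "https://adb-app.com/error.php?message=Sorry+an+error+occurred";
const CRAFTED_URL = "https://adb-app.com/error.php?message=%3Cscript%3Ealert(%27xss%27)%3C%2Fscript%3E";

console.log(renderVulnerable(CRAFTED_URL)); // <p><script>alert('xss')</script></p>
console.log(renderHardened(CRAFTED_URL));   // <p>Sorry, an error occurred</p>
```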
23.
Thanks
Mohamed Ridha Chebbi, CISSP