This presentation covers how to test for cross-site scripting (XSS) vulnerabilities, how to prevent them, best practices, and a small lab (an introduction to WebGoat).
6. Is XSS Dangerous?
A big yes (it sits at number 2 in the OWASP Top 10). Any JavaScript the attacker
chooses will run in the victim's browser, in the context (origin) of the vulnerable
web page, with whatever the page itself is allowed to do.
So: what can you do with JavaScript?
7. What can you do with JavaScript?
1. Pop-up alerts and prompts (the classic proof of concept, not the real impact)
2. Access/modify the DOM
3. Access cookies/session tokens (unless the cookie is flagged HttpOnly)
4. "Circumvent" the same-origin policy: the script already runs as the vulnerable origin, so it can read and send requests as that site
5. Virtually deface the web page
6. Detect installed programs
7. Detect browser history
8. Capture keystrokes (and other trojan functionality)
9. Port scan the local network
10. Induce user actions (perform requests as the logged-in user), and so on
10. Stored XSS
JavaScript supplied by the attacker is stored by the website (e.g. in a
database) and served to every user who views the affected page.
Doesn't require the victim to supply the JavaScript somehow (no crafted link
needed); the victim just visits the exploited web page.
More dangerous than reflected XSS.
Has resulted in many XSS worms on high-profile sites like MySpace and
Twitter.
11. DOM Based XSS
DOM based XSS (or as it is called in some texts, "type-0 XSS") is an XSS
attack wherein the attack payload is executed as a result of modifying the
DOM "environment" in the victim's browser used by the original client side
script, so that the client side code runs in an "unexpected" manner.
Typically the page's own JavaScript reads untrusted data from a source such as
location.hash or document.URL and writes it into a sink such as innerHTML,
document.write or eval. Because this happens entirely in the browser, the
payload may never reach the server, so server-side filters and logs will not
see it.
https://www.owasp.org/index.php/DOM_Based_XSS
14. Limitations
Automated scanners often fail to test a substantial fraction of a web
application's logic, especially when that logic is invoked from pages that can
only be reached after filling out complex forms that check the correctness of
the provided values.
15. Testing guide
Black box testing
1. Detect input vectors: every place where user-controlled data enters the
application (query parameters, form fields, URL path, headers, cookies).
2. Analyze each input vector to detect potential vulnerabilities, submitting
probe strings and checking how (and where) they are reflected. The XSS Filter
Evasion Cheat Sheet is the payload reference:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
3. For each test input attempted in the previous phase, analyze the result and
determine whether it represents a vulnerability with a realistic impact on the
web application's security (which characters survived, and in which markup
context they landed).
Gray box testing
Gray box testing is similar to black box testing, but with partial knowledge of
the application (e.g. source code or architecture), which helps reach the logic
a black box scanner misses.
https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OWASP-DV-001)
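The following is an added example, not part of the original slides, showing steps 2 and 3 of the black box procedure above as code. Step 1 (finding input vectors) has to be done against the live application; this analyser takes one response body, finds the probe, reports which special characters survived and in which markup context the reflection landed, and rates whether that combination has realistic impact. The canary string, the probe format and the sample responses are constructed for the demonstration, not captured from any real site.

```javascript
// Added example (not from the slides): reflected-XSS probe analyser for
// steps 2 and 3 of the black box testing guide. Responses are constructed.

// The canary brackets the special characters so we can locate exactly what
// the application echoed, even when the page contains other markup nearby.
const CANARY = "zx9q";
const SPECIALS = ["<", ">", '"', "'"];
const PROBE = CANARY + SPECIALS.join("") + CANARY; // zx9q<>"'zx9q

const reEsc = (ch) => ch.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Decide where the reflection landed from the markup that precedes it.
function contextOf(before) {
  if (before.lastIndexOf("<script") > before.lastIndexOf("</script")) {
    return { kind: "script", quote: null };
  }
  const lastOpen = before.lastIndexOf("<");
  if (lastOpen > before.lastIndexOf(">")) {
    const tag = before.slice(lastOpen);
    const quoted = /=\s*(["'])[^"']*$/.exec(tag);
    if (quoted) return { kind: "attribute", quote: quoted[1] };
    if (/=\s*[^\s"'=]*$/.test(tag)) return { kind: "attribute", quote: null };
    return { kind: "tag", quote: null }; // landed where an attribute name goes
  }
  return { kind: "html", quote: null };
}

// Steps 2 and 3 for one response body.
function analyzeReflection(body) {
  const start = body.indexOf(CANARY);
  if (start === -1) {
    return { reflected: false, truncated: false, context: null, survived: {}, exploitable: false };
  }
  const from = start + CANARY.length;
  const end = body.indexOf(CANARY, from);
  // No trailing canary means the app truncated or rewrote our input; look at a short window.
  const between = end === -1 ? body.slice(from, from + 16) : body.slice(from, end);
  const context = contextOf(body.slice(0, start));

  const survived = {};
  for (const ch of SPECIALS) {
    // Inside a script block a backslash-escaped quote does not end the string.
    const re = context.kind === "script"
      ? new RegExp("(?<!\\\\)" + reEsc(ch))
      : new RegExp(reEsc(ch));
    survived[ch] = re.test(between);
  }

  // Heuristic impact rating; true means "worth a manual exploit attempt".
  let exploitable = false;
  switch (context.kind) {
    case "html":      exploitable = survived["<"] && survived[">"]; break;                   // inject a tag
    case "attribute": exploitable = context.quote ? survived[context.quote] : true; break;  // break out of the value; an unquoted value ends at a space
    case "tag":       exploitable = true; break;                                              // add an event-handler attribute
    case "script":    exploitable = survived["'"] || survived['"'] || survived["<"]; break;  // end the string, or </script>
  }
  return { reflected: true, truncated: end === -1, context, survived, exploitable };
}

// Constructed responses, one per outcome a tester typically meets.
const SAMPLE_RESPONSES = {
  encodedBody:    `<p>Results for zx9q&lt;&gt;&quot;&#39;zx9q</p>`,
  rawBody:        `<p>Results for zx9q<>"'zx9q</p>`,
  quotedAttrSafe: `<input name="q" value="zx9q&lt;&gt;&quot;'zx9q">`,
  quotedAttrBad:  `<input name="q" value="zx9q&lt;&gt;"'zx9q">`,
  unquotedAttr:   `<input name=q value=zx9q<>"'zx9q>`,
  scriptEscaped:  `<script>var q = "zx9q\\u003c\\u003e\\"\\'zx9q";</script>`,
  scriptRaw:      `<script>var q = 'zx9q<>"'zx9q';</script>`,
  absent:         `<p>No results</p>`,
};

function runSamples() {
  const results = {};
  for (const [name, body] of Object.entries(SAMPLE_RESPONSES)) {
    results[name] = analyzeReflection(body);
  }
  return results;
}

for (const [name, r] of Object.entries(runSamples())) {
  const where = r.reflected
    ? r.context.kind + (r.context.quote ? ` (${r.context.quote}-quoted)` : "")
    : "not reflected";
  console.log(`${name.padEnd(15)} ${where.padEnd(22)} exploitable: ${r.exploitable}`);
}
```

Note the quotedAttrSafe case: the single quote survives but the attribute is double-quoted, so it is not a break-out on its own. That is exactly the step 3 judgement (realistic impact, not just "a character got through"), and it is why the rating is tied to the context rather than to the raw count of surviving characters.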
17. Developer Guide
Validate input, encode output
Encode HTML output
If data came from user input, a database, or a file:
Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));
Not 100% effective but prevents most vulnerabilities. HtmlEncode is the right
encoder for HTML text and for quoted attribute values only; it does not protect
unquoted attributes, JavaScript string literals, CSS, or an attacker-supplied
URL in href/src (a javascript: scheme passes through unchanged). Those contexts
need their own encoder or an allowlist.
Encode URL output
If returning URL strings (placing a value into a query-string parameter):
Response.Write(HttpUtility.UrlEncode(urlString));
How To: Prevent Cross-Site Scripting in ASP.NET
http://msdn.microsoft.com/en-us/library/ms998274.aspx
XSS Prevention Cheat Sheet:
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
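The following is an added example, not taken from the slides or from the MSDN article they cite: the "encode output for the context it lands in" rule written as a small client-side template, which is also the situation in which DOM based XSS (slide 11) arises. It places the same untrusted values into four contexts three ways: raw, with HtmlEncode applied everywhere as if it were a universal fix, and with the correct treatment per context. The encoders, the renderer names and the payload strings are constructed for this demonstration.

```javascript
// Added example (not from the slides or the MSDN article): context-aware
// output encoding, vulnerable vs. hardened. Payloads are constructed.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Correct for HTML text nodes and for *quoted* attribute values only.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// For data inside a JS string literal: \uXXXX-escape everything that is not
// alphanumeric, so neither a quote nor "</script>" can terminate anything.
function jsStringEncode(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// An attacker-chosen URL for href cannot be fixed by encoding alone:
// "javascript:alert(1)" contains nothing any encoder would touch, so the
// scheme has to be allowlisted first (then the result is still HTML-encoded
// for the attribute it goes into).
function safeHref(url) {
  try {
    const proto = new URL(String(url), "https://example.invalid/").protocol;
    return proto === "http:" || proto === "https:" ? String(url) : "#";
  } catch {
    return "#";
  }
}

// Untrusted data dropped straight into four contexts (vulnerable).
function renderVulnerable(name, site) {
  return [
    `<h1>Hi ${name}</h1>`,
    `<input name="n" value=${name}>`,
    `<a href="${site}">home page</a>`,
    `<script>var visitor = '${name}';</script>`,
  ].join("\n");
}

// HtmlEncode everywhere. It saves the <h1>, but the unquoted attribute still
// accepts new attributes (spaces are not encoded) and the javascript: URL
// passes through untouched.
function renderHtmlEncodeOnly(name, site) {
  return [
    `<h1>Hi ${htmlEncode(name)}</h1>`,
    `<input name="n" value=${htmlEncode(name)}>`,
    `<a href="${htmlEncode(site)}">home page</a>`,
    `<script>var visitor = '${htmlEncode(name)}';</script>`,
  ].join("\n");
}

// Hardened: quote the attribute, allowlist the URL scheme before encoding,
// and use the JS-string encoder inside the script block.
function renderHardened(name, site) {
  return [
    `<h1>Hi ${htmlEncode(name)}</h1>`,
    `<input name="n" value="${htmlEncode(name)}">`,
    `<a href="${htmlEncode(safeHref(site))}">home page</a>`,
    `<script>var visitor = '${jsStringEncode(name)}';</script>`,
  ].join("\n");
}

// Constructed payloads, one per context they target.
const ATTR_PAYLOAD = "x onfocus=alert(1) autofocus";
const JS_PAYLOAD = "'; alert(2); //";
const HREF_PAYLOAD = "javascript:alert(3)";

console.log("--- vulnerable ---\n" + renderVulnerable(JS_PAYLOAD, HREF_PAYLOAD));
console.log("--- HtmlEncode only ---\n" + renderHtmlEncodeOnly(ATTR_PAYLOAD, HREF_PAYLOAD));
console.log("--- hardened ---\n" + renderHardened(ATTR_PAYLOAD, HREF_PAYLOAD));
```

The middle renderer is the "not 100% effective" case from the slide made concrete: the same HtmlEncode call that is correct in the heading is useless for the unquoted value attribute and for the link. Note also that the hardened version does not try to detect attacks; it only makes every character inert for the place it is written to, which is what an output encoder is for.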
19. Conclusion
XSS vulnerabilities are bad.
Don't be satisfied with a black box scanner; attackers aren't.
Avoid introducing XSS vulnerabilities in your code.
Be careful before clicking on a link: reflected XSS is delivered through
phishing.