Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.
XSS (Cross-Site Scripting) - An
application security vulnerability from
Developers point of view
Soumyasanto Sen, #sitMUC
...
Wikipedia says
"XSS enables attackers to inject client-side script into web pages viewed by other users".
OWASP(the free a...
#sitMUC
What is XSS?
 Client side vulnerability but can Server side one.
 Based on injection through
JavaScript, VBScrip...
#sitMUC
What is XSS?
#sitMUC
 According to latest White-hat Security report, 47% of web applications have XSS vulnerability
Why XSS?
#sitMUC
 According to Google Vulnerability Reward Program's Statistics, XSS is the most
reported issue
Why XSS?
#sitMUC
 According to "Open Sourced Vulnerability Database" XSS is at #1
Why XSS?
#sitMUC
 TrustWave Global Security Report says XSS is again the highest
Why XSS?
#sitMUC
 No Monkey Testing
Example: Based on Testing
Injection Points: Through which the Attacker can enter or injects scripts
 Insert /Edit Text
 Insert/Edit Image
 Insert...
#sitMUC
http://www.ea.com/search?q=“XYZ
Example: Based on Testing
(Contexts)
#sitMUC
http://www.ea.com/search?q=“JUNK
Example: Based on Testing
(Contexts)
#sitMUC
http://search.health.com/results.html?Ntt=xxxxxxxxxx
Single Quotes Case
Double Quotes Case
Example: Based on Testi...
#sitMUC
https://www.froala.com/wysiwyg-editor
Example: Based on Testing
(Contexts)
#sitMUC
Example: Based on Testing
(Contexts)
#sitMUC
Example: Based on Testing
(Summary of Contexts)
#sitMUC
ATTACK METHODOLOGY
• Systematic in nature
• Easy to understand
• Context-Specific
• Attack methodology is `complet...
#sitMUC
SCRIPT CONTEXT
ATTACK METHODOLOGY
Example: Based on Testing
(Attack Methodology)
Demo
http://jsfiddle.net/4eqK4/5/
#sitMUC
ATTRIBUTE CONTEXT
ATTACK METHODOLOGY
Example: Based on Testing
(Attack Methodology)
Demo
http://www.drudgereportar...
#sitMUC
STYLE CONTEXT
ATTACK METHODOLOGY
Example: Based on Testing
(Attack Methodology)
#sitMUC
URL CONTEXT
ATTACK METHODOLOGY
Example: Based on Testing
(Attack Methodology)
#sitMUC
 <a href="url">link text</a>
 <a href=javascript:alert(1)>link text</a>

 <img src="pic_mountain.jpg">
 <img ...
#sitMUC
Encoding will not help
in breaking the script
context unless
developers are doing
some sort of explicit
decoding.
...
#sitMUC
Two arrays of black-listed keywords
Other names filterXSS and noXSS
Example: Based on Testing
(Customized XSS Solu...
#sitMUC
Two arrays of black-listed keywords
Example: Based on Testing
(Customized XSS Solutions)
Bypass: <img src=x id=con...
#sitMUC
The goal of this function is to stop
JavaScript execution via style.
Example: Based on Testing
(Customized XSS Sol...
#sitMUC
Example: Based on Testing
(Customized XSS Solutions)
Another popular customized XSS protection solution
#sitMUC
Example: Based on Testing
(Summary of Bypasses)
#sitMUC
Example: Based on Testing
(Real Solutions)
#sitMUC
Example: Based on Testing
(Real Solutions)
Protection against JavaScript execution via `url` e.g., img'ssrc and/or...
#sitMUC
Example: Based on Testing
(Solutions -Make it Simple)
WYSIWYG
What You See Is What You Get
· Forum Post
· Private ...
#sitMUC
Example: Based on Testing
(Solutions -Make it Simple)
WYSIWYG
What You See Is What You Get
#sitMUC
Example : Based on Real
(Bypassing)
 ABAP Case Study:
#sitMUC
Demo: Based on Games
(Bypassing)
https://xss-game.appspot.com/
http://xssplaygroundforfunandlearn.netai.net/series...
#sitMUC
Tools & Testing
 XSS (Cross Site Scripting) Prevention Cheat Sheet from OWASP
 (HTML5 Security Clean Sheet)
 Validation on XSS Input. U...
#sitMUC
Latest News
Salesforce plugs silly website XSS hole, hopes nobody spotted it (Mid August)
Critical PayPal XSS vuln...
#sitMUC
Latest News
0-day XSS vulnerability on SAP website put customers’ data at risk of theft by
hackers (Early May)
SAP...
 Lack enough Pen. Test
( 92% of the respondents perform penetration testing. 21% perform it annually, 26%
perform it quar...
XSS is unavoidable at least nowadays !
Now its your job to raise the bar for attacker.
“XSS is Everywhere”
(Short and Simp...
#sitMUC
Learning
Thank You
Soumyasanto Sen
@soumyasantoDr. Ashar Javed : http://slides.com/mscasharjaved/
Nächste SlideShare
Wird geladen in …5
×

XSS- an application security vulnerability

808 Aufrufe

Veröffentlicht am

One of the most typical web application security vulnerabilities Cross-Site Scripting (XSS). What does it mean to Developer?
How they are important? What should we keep in mind? How could we prevent this to some extend as Developer? How Attackers proceed? Many mores..

Veröffentlicht in: Technologie
  • Als Erste(r) kommentieren

  • Gehören Sie zu den Ersten, denen das gefällt!

XSS- an application security vulnerability

  1. 1. XSS (Cross-Site Scripting) - An application security vulnerability from Developers point of view Soumyasanto Sen, #sitMUC @soumyasanto
  2. 2. Wikipedia says "XSS enables attackers to inject client-side script into web pages viewed by other users". OWASP(the free and open software security community) says "Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites." "An XSS attack occurs when a script from an untrusted source is executed in rendering a page" #sitMUC Definition
  3. 3. #sitMUC What is XSS?  Client side vulnerability but can Server side one.  Based on injection through JavaScript, VBScript, Flash, HTML, JSON, ActiveX etc.  Due to insufficient validation and sanitization.  Attacker’s Paradise  Stealing Credentials, Private Info.  Execute commands (CSRF), malicious scripts  Redirection to malicious site  Port Scanning, Phishing, Keylogging etc.
  4. 4. #sitMUC What is XSS?
  5. 5. #sitMUC  According to latest White-hat Security report, 47% of web applications have XSS vulnerability Why XSS?
  6. 6. #sitMUC  According to Google Vulnerability Reward Program's Statistics, XSS is the most reported issue Why XSS?
  7. 7. #sitMUC  According to "Open Sourced Vulnerability Database" XSS is at #1 Why XSS?
  8. 8. #sitMUC  TrustWave Global Security Report says XSS is again the highest Why XSS?
  9. 9. #sitMUC  No Monkey Testing Example: Based on Testing
  10. 10. Injection Points: Through which the Attacker can enter or injects scripts  Insert /Edit Text  Insert/Edit Image  Insert/Edit URL  Set Attributes  Insert/Upload File  Insert/Upload Video What is Context? Context is an environment where user-supplied input or input from other application(s) eventually ends-up or starts living. “Context Is King for All Areas of IT Security” #sitMUC Example: Based on Testing (Definitions)
  11. 11. #sitMUC http://www.ea.com/search?q=“XYZ Example: Based on Testing (Contexts)
  12. 12. #sitMUC http://www.ea.com/search?q=“JUNK Example: Based on Testing (Contexts)
  13. 13. #sitMUC http://search.health.com/results.html?Ntt=xxxxxxxxxx Single Quotes Case Double Quotes Case Example: Based on Testing (Contexts)
  14. 14. #sitMUC https://www.froala.com/wysiwyg-editor Example: Based on Testing (Contexts)
  15. 15. #sitMUC Example: Based on Testing (Contexts)
  16. 16. #sitMUC Example: Based on Testing (Summary of Contexts)
  17. 17. #sitMUC ATTACK METHODOLOGY • Systematic in nature • Easy to understand • Context-Specific • Attack methodology is `complete` and one can guarantee that there is an XSS or no XSS in a particular injection point. • With the help of attack methodology, one can make a secure per-context XSS sanitizer • Can be applied to other server-side languages Example: Based on Testing (Attack Methodology)
  18. 18. #sitMUC SCRIPT CONTEXT ATTACK METHODOLOGY Example: Based on Testing (Attack Methodology) Demo http://jsfiddle.net/4eqK4/5/
  19. 19. #sitMUC ATTRIBUTE CONTEXT ATTACK METHODOLOGY Example: Based on Testing (Attack Methodology) Demo http://www.drudgereportarc hives.com/dsp/search.htm http://jsfiddle.net/9t8UM/3/
  20. 20. #sitMUC STYLE CONTEXT ATTACK METHODOLOGY Example: Based on Testing (Attack Methodology)
  21. 21. #sitMUC URL CONTEXT ATTACK METHODOLOGY Example: Based on Testing (Attack Methodology)
  22. 22. #sitMUC  <a href="url">link text</a>  <a href=javascript:alert(1)>link text</a>   <img src="pic_mountain.jpg">  <img src=javascript:while(1){}> Example: Based on Testing (Attack Methodology)
  23. 23. #sitMUC Encoding will not help in breaking the script context unless developers are doing some sort of explicit decoding. Example: Based on Testing (Attack Methodology)
  24. 24. #sitMUC Two arrays of black-listed keywords Other names filterXSS and noXSS Example: Based on Testing (Customized XSS Solutions)
  25. 25. #sitMUC Two arrays of black-listed keywords Example: Based on Testing (Customized XSS Solutions) Bypass: <img src=x id=confirm(1) onerror=eval(id)
  26. 26. #sitMUC The goal of this function is to stop JavaScript execution via style. Example: Based on Testing (Customized XSS Solutions) Bypass: width:expression(al ert(1))
  27. 27. #sitMUC Example: Based on Testing (Customized XSS Solutions) Another popular customized XSS protection solution
  28. 28. #sitMUC Example: Based on Testing (Summary of Bypasses)
  29. 29. #sitMUC Example: Based on Testing (Real Solutions)
  30. 30. #sitMUC Example: Based on Testing (Real Solutions) Protection against JavaScript execution via `url` e.g., img'ssrc and/or anchor's href attribute Implementation of `urlContextCleaner()`
  31. 31. #sitMUC Example: Based on Testing (Solutions -Make it Simple) WYSIWYG What You See Is What You Get · Forum Post · Private Messaging · Wiki Post · Support Ticket · Signature Creation · Comments
  32. 32. #sitMUC Example: Based on Testing (Solutions -Make it Simple) WYSIWYG What You See Is What You Get
  33. 33. #sitMUC Example : Based on Real (Bypassing)  ABAP Case Study:
  34. 34. #sitMUC Demo: Based on Games (Bypassing) https://xss-game.appspot.com/ http://xssplaygroundforfunandlearn.netai.net/series1.html https://html5sec.org/innerhtml/ (Mario Heiderich's Utility)
  35. 35. #sitMUC Tools & Testing
  36. 36.  XSS (Cross Site Scripting) Prevention Cheat Sheet from OWASP  (HTML5 Security Clean Sheet)  Validation on XSS Input. Use White-Listing, Escaping and sanitization method. (Use Sanitizers) “Do not trust anything ever, specially when it comes to user input”  Understanding common browser behaviors that lead to XSS  Learning the best practices for your technology #sitMUC Preventions
  37. 37. #sitMUC Latest News Salesforce plugs silly website XSS hole, hopes nobody spotted it (Mid August) Critical PayPal XSS vulnerability left accounts open to attack (Late August) eBay Fixes XSS Flaw in Subdomain (Early September) Netflix Sleepy Puppy Awakens XSS Vulnerabilities in Secondary Applications (Early September) Attackers exploit vulnerabilities in two WordPress plugins (Early May)
  38. 38. #sitMUC Latest News 0-day XSS vulnerability on SAP website put customers’ data at risk of theft by hackers (Early May) SAP HANA Databases Vulnerable to XSS and SQL Injections (Late June) Overall: Almost ALL websites have serious security vulnerabilities, study shows
  39. 39.  Lack enough Pen. Test ( 92% of the respondents perform penetration testing. 21% perform it annually, 26% perform it quarterly and 8% never perform penetration testing.)  Taking responsibility from the Developers  Unawareness of XSS vulnerability  Not taking seriously #sitMUC Challenges
  40. 40. XSS is unavoidable at least nowadays ! Now its your job to raise the bar for attacker. “XSS is Everywhere” (Short and Simple) Use Prevention, Go for Solutions in the forms of layers, Keep Updated & Do regular Penetration Testing #sitMUC Conclusion
  41. 41. #sitMUC Learning
  42. 42. Thank You Soumyasanto Sen @soumyasantoDr. Ashar Javed : http://slides.com/mscasharjaved/

×