SlideShare une entreprise Scribd logo

Cross-site Scripting

Andrew Kerr
Andrew Kerr

The document discusses an upcoming Capture the Flag (CTF) competition called CSAW from September 18-20. If the University of Florida Student InfoSec Team (UFSIT) qualifies, they will be able to send a team of undergraduates to the national competition. It also recaps their performance at a previous CTF called MMA where they left on Friday night in the top 15%. The rest of the document is a presentation about cross-site scripting (XSS) attacks given by Andrew Kerr, who is a fifth year software engineering student and secretary of UFSIT. It covers what XSS is, the different types (reflected, stored, DOM-based), examples of vulnerable code, how to

Ingénierie
1  sur  100
Télécharger pour lire hors ligne
UF Student InfoSec Team September 8, 2015 #ufsit on Freenode XSS | Andrew Kerr 1
Announcements XSS | Andrew Kerr 2
Upcoming CTF: CSAW XSS | Andrew Kerr 3
CSAW CTF (Qualifiers) • September 18 @ 6pm - September 20 @ 6pm XSS | Andrew Kerr 4
CSAW CTF (Qualifiers) • September 18 @ 6pm - September 20 @ 6pm • If we qualify, we get to send a team of undergrads to national CTF XSS | Andrew Kerr 5
MMA CTF Recap XSS | Andrew Kerr 6
MMA CTF Recap • Lots of people there on Friday! • Left Friday night in top 15% XSS | Andrew Kerr 7
We want your writeups! XSS | Andrew Kerr 8
Cross-site Scripting (Also known as XSS) Andrew Kerr | Sept 8, 2015 me@andrewjkerr.com XSS | Andrew Kerr 9
whoami XSS | Andrew Kerr 10
whoami • Fifth year Software Engineering @ UF XSS | Andrew Kerr 11
whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs XSS | Andrew Kerr 12
whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs • Full stack web developer XSS | Andrew Kerr 13
whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs • Full stack web developer • Former security intern at Tumblr XSS | Andrew Kerr 14
whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs • Full stack web developer • Former security intern at Tumblr • Former intern at BlockScore XSS | Andrew Kerr 15
Cross-site Scripting (Also known as XSS) XSS | Andrew Kerr 16
XSS Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. — OWASP XSS | Andrew Kerr 17
Ok... what does that mean? XSS | Andrew Kerr 18
XSS | Andrew Kerr 19
XSS | Andrew Kerr 20
XSS | Andrew Kerr 21
Why does this work? XSS | Andrew Kerr 22
Why does this work? • Browser is tricked into thinking the code is part of the site XSS | Andrew Kerr 23
Why does this work? • Browser is tricked into thinking the code is part of the site • Backend server does not sanitize input correctly XSS | Andrew Kerr 24
Why does this work? • Browser is tricked into thinking the code is part of the site • Backend server does not sanitize input correctly • Poor client-side JavaScript executes given parameters XSS | Andrew Kerr 25
Why do it? XSS | Andrew Kerr 26
Why do it? • Steal session cookies XSS | Andrew Kerr 27
Why do it? • Steal session cookies • Steal logins by defacing XSS | Andrew Kerr 28
Why do it? • Steal session cookies • Steal logins by defacing • Exploit the browser/plugins XSS | Andrew Kerr 29
Why do it? • Steal session cookies • Steal logins by defacing • Exploit the browser/plugins • For the lulz XSS | Andrew Kerr 30
XSS | Andrew Kerr 31
Remember this? • ❤ emoji broke XSS sanitization on TweetDeck XSS | Andrew Kerr 32
Remember this? • ❤ emoji broke XSS sanitization on TweetDeck • Auto-magically retweeted itself 70,000+ times XSS | Andrew Kerr 33
Remember this? • ❤ emoji broke XSS sanitization on TweetDeck • Auto-magically retweeted itself 70,000+ times • Good thing it wasn't malicious! XSS | Andrew Kerr 34
Ok, but it's Twitter... why does it matter? XSS | Andrew Kerr 35
XSS | Andrew Kerr 36
XSS Payloads XSS | Andrew Kerr 37
XSS Payloads • A TON of possible XSS payloads XSS | Andrew Kerr 38
XSS Payloads • A TON of possible XSS payloads • <script>alert(1)</script> • <img src="x" onerror="alert(1)" /> • <a href="javascript: alert(1)">Click me!</a> • and more! XSS | Andrew Kerr 39
Types of XSS XSS | Andrew Kerr 40
Types of XSS 1. Reflected XSS | Andrew Kerr 41
Types of XSS 1. Reflected 2. Stored XSS | Andrew Kerr 42
Types of XSS 1. Reflected 2. Stored 3. DOM-based XSS | Andrew Kerr 43
Reflected XSS XSS | Andrew Kerr 44
Reflected XSS • Ability to inject code and have the server return it back, unsanitized • Not stored on the server/in a database! XSS | Andrew Kerr 45
Reflected XSS • Ability to inject code and have the server return it back, unsanitized • Not stored on the server/in a database! • Normally hidden in the URL • Don't click on random links! XSS | Andrew Kerr 46
Reflected XSS • Ability to inject code and have the server return it back, unsanitized • Not stored on the server/in a database! • Normally hidden in the URL • Don't click on random links! • Example: search forms showing input on results page after submission XSS | Andrew Kerr 47
Reflected XSS Vulnerable Code Example // www.site.com/search.php?q=search+query $search_query = $_GET['q']; echo '<h1>Search results for: ' . $search_query . '</h1>; XSS | Andrew Kerr 48
www.site.com/search.php? q=<script>alert(1)</script> XSS | Andrew Kerr 49
XSS | Andrew Kerr 50
Reflected XSS Vulnerable Code Example // www.site.com/search.php?q=search+query $search_query = $_GET['q']; echo '<h1>Search results for: ' . $search_query . '</h1>; Q: What's wrong with this code? XSS | Andrew Kerr 51
Reflected XSS Vulnerable Code Example // www.site.com/search.php?q=search+query $search_query = $_GET['q']; echo '<h1>Search results for: ' . $search_query . '</h1>; Q: What's wrong with this code? A: UNSANITIZED USER INPUT XSS | Andrew Kerr 52
Stored XSS XSS | Andrew Kerr 53
Stored XSS • Ability to inject code and have the server store it and return it without sanitizing it in either case XSS | Andrew Kerr 54
Stored XSS • Ability to inject code and have the server store it and return it without sanitizing it in either case • HOLY CRAP THIS IS HORRIBLE • Only way for end user to protect themselves is to disable JS XSS | Andrew Kerr 55
Stored XSS • Ability to inject code and have the server store it and return it without sanitizing it in either case • HOLY CRAP THIS IS HORRIBLE • Only way for end user to protect themselves is to disable JS • Example: form post storing XSS XSS | Andrew Kerr 56
XSS | Andrew Kerr 57
Samy MySpace worm XSS | Andrew Kerr 58
Samy MySpace worm • Posted 'but most of all, samy is my hero' to victims XSS | Andrew Kerr 59
Samy MySpace worm • Posted 'but most of all, samy is my hero' to victims • Fastest spreading virus of all time • 1+ million runs in ~20hrs XSS | Andrew Kerr 60
Stored XSS Vulnerable Code Example // Storing posts $post = $_POST['post']; $query = $mysql_conn->prepare("INSERT INTO posts VALUES ('" . $post . "')"); $query->execute(); // Fetching and outputting posts $query = $mysql_conn->prepare("SELECT * FROM posts"); $query->execute(); $query->bind_result($post); while($query->fetch()) { echo '<p>' . $post . '</p>'; } XSS | Andrew Kerr 61
Stored XSS Vulnerable Code Example // Storing posts $post = $_POST['post']; $query = $mysql_conn->prepare("INSERT INTO posts VALUES ('" . $post . "')"); $query->execute(); // Fetching and outputting posts $query = $mysql_conn->prepare("SELECT * FROM posts"); $query->execute(); $query->bind_result($post); while($query->fetch()) { echo '<p>' . $post . '</p>'; } Q: What's the issue? XSS | Andrew Kerr 62
Stored XSS Vulnerable Code Example // Storing posts $post = $_POST['post']; $query = $mysql_conn->prepare("INSERT INTO posts VALUES ('" . $post . "')"); $query->execute(); // Fetching and outputting posts $query = $mysql_conn->prepare("SELECT * FROM posts"); $query->execute(); $query->bind_result($post); while($query->fetch()) { echo '<p>' . $post . '</p>'; } Q: What's the issue? A: UNSANITIZED USER INPUT XSS | Andrew Kerr 63
DOM-based XSS XSS | Andrew Kerr 64
DOM-based XSS • Similar to Reflected, but is not rendered from the server. XSS | Andrew Kerr 65
DOM-based XSS • Similar to Reflected, but is not rendered from the server. • Normally due to bad JavaScript code XSS | Andrew Kerr 66
DOM-based XSS • Similar to Reflected, but is not rendered from the server. • Normally due to bad JavaScript code • Also crafted by a URL • Don't let users pass in JS via the URL! XSS | Andrew Kerr 67
DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); XSS | Andrew Kerr 68
DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); Q: And, what's the issue here? XSS | Andrew Kerr 69
DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); Q: And, what's the issue here? A: UNSANITIZED USER INPUT XSS | Andrew Kerr 70
DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); Q: How would we exploit this? XSS | Andrew Kerr 71
DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); Q: How would we exploit this? A: Craft a URL like: www.site.com/page.html?title=<img src='x' onerror='alert(1)' /> XSS | Andrew Kerr 72
Protecting Against XSS XSS | Andrew Kerr 73
Protecting Against XSS // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); XSS | Andrew Kerr 74
Protecting Against XSS // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); • jQuery provides a .html AND .text. XSS | Andrew Kerr 75
Protecting Against XSS // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); • jQuery provides a .html AND .text. • But, what's the difference? XSS | Andrew Kerr 76
Let's look at the documentation! XSS | Andrew Kerr 77
Let's look at the documentation! (Aka RTFM) XSS | Andrew Kerr 78
Protecting Against XSS Set the text contents of the matched elements. — .text() Set the HTML contents of each element in the set of matched elements. — .html() XSS | Andrew Kerr 79
Protecting Against XSS <html> <head> <title>Test Page</title> <script type="text/javascript" src="jquery.min.js"></script> <script type="text/javascript"> $(function(){ $("#div1").html('<a href="example.html">Link</a><b>hello</b>'); $("#div2").text('<a href="example.html">Link</a><b>hello</b>'); }); </script> </head> <body> <div id="div1"></div> <div id="div2"></div> </body> </html> XSS | Andrew Kerr 80
Protecting Against XSS 1. Know your framework/library/language! XSS | Andrew Kerr 81
Protecting Against XSS 1. Know your framework/library/language! 2. SANITIZE! XSS | Andrew Kerr 82
Protecting Against XSS 1. Know your framework/library/language! 2. SANITIZE! 3. Whitelist, not blacklist XSS | Andrew Kerr 83
Protecting Against XSS 1. Know your framework/library/language! 2. SANITIZE! 3. Whitelist, not blacklist 4. Headers XSS | Andrew Kerr 84
Protecting Against XSS • Or, ya know, read the NSA's recommendations. • https://www.nsa.gov/ia/files/ factsheets/ xssiadfactsheetfinal_web.pdf XSS | Andrew Kerr 85
But most importantly... XSS | Andrew Kerr 86
TEST YOUR APPLICATION XSS | Andrew Kerr 87
XSS | Andrew Kerr 88
Bypassing Filters • Wonderful cheatsheet by OWASP: https://www.owasp.org/ index.php/XSSFilterEvasionCheatSheet XSS | Andrew Kerr 89
Bypassing Filters • Wonderful cheatsheet by OWASP: https://www.owasp.org/ index.php/XSSFilterEvasionCheatSheet • Also, some guess work helps! XSS | Andrew Kerr 90
Bypassing Filters Vulnerable Code Example $input = $_POST['input']; $sanitized = str_replace('script', '', $input); XSS | Andrew Kerr 91
Bypassing Filters Vulnerable Code Example $input = $_POST['input']; $sanitized = str_replace('script', '', $input); Q: How could we get by this? XSS | Andrew Kerr 92
Bypassing Filters Vulnerable Code Example $input = $_POST['input']; $sanitized = str_replace('script', '', $input); Q: How could we get by this? A: Think about it :) XSS | Andrew Kerr 93
Resources XSS | Andrew Kerr 94
Resources • OWASP XSS | Andrew Kerr 95
Resources • OWASP • The Web Application Hackers Handbook XSS | Andrew Kerr 96
Resources • OWASP • The Web Application Hackers Handbook • Mutillidae Practice Application XSS | Andrew Kerr 97
Ok, cool, onto challenges! XSS | Andrew Kerr 98
104.236.76.214 Go here XSS | Andrew Kerr 99
Challenges • Server: 104.236.76.214 • Source: github.com/ufsit/xss-challenges • Try not to use this! • Cheatsheet: https://www.owasp.org/index.php/ XSSFilterEvasionCheatSheet XSS | Andrew Kerr 100

Recommandé

Defcon 22-graham-mc millan-tentler-masscaning-the-internet
Defcon 22-graham-mc millan-tentler-masscaning-the-internetDefcon 22-graham-mc millan-tentler-masscaning-the-internet
Defcon 22-graham-mc millan-tentler-masscaning-the-internetPriyanka Aash
 
ExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityAlexander Benoit
 
Custom Rules & Broken Tools (Password Cracking)
Custom Rules & Broken Tools (Password Cracking)Custom Rules & Broken Tools (Password Cracking)
Custom Rules & Broken Tools (Password Cracking)camsec
 
The Hidden Empires of Malware with TLS Certified Hypotheses and Machine Learning
The Hidden Empires of Malware with TLS Certified Hypotheses and Machine LearningThe Hidden Empires of Malware with TLS Certified Hypotheses and Machine Learning
The Hidden Empires of Malware with TLS Certified Hypotheses and Machine LearningRyan Kovar
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Yury Chemerkin
 
Hta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijackingHta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijackingКомсс Файквэе
 
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT - Multimediatreff
 
Writing Secure Code for WordPress
Writing Secure Code for WordPressWriting Secure Code for WordPress
Writing Secure Code for WordPressShawn Hooper
 

Recommandé

Defcon 22-graham-mc millan-tentler-masscaning-the-internet
Defcon 22-graham-mc millan-tentler-masscaning-the-internetDefcon 22-graham-mc millan-tentler-masscaning-the-internet
Defcon 22-graham-mc millan-tentler-masscaning-the-internetPriyanka Aash
 
ExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityAlexander Benoit
 
Custom Rules & Broken Tools (Password Cracking)
Custom Rules & Broken Tools (Password Cracking)Custom Rules & Broken Tools (Password Cracking)
Custom Rules & Broken Tools (Password Cracking)camsec
 
The Hidden Empires of Malware with TLS Certified Hypotheses and Machine Learning
The Hidden Empires of Malware with TLS Certified Hypotheses and Machine LearningThe Hidden Empires of Malware with TLS Certified Hypotheses and Machine Learning
The Hidden Empires of Malware with TLS Certified Hypotheses and Machine LearningRyan Kovar
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Yury Chemerkin
 
Hta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijackingHta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijackingКомсс Файквэе
 
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT - Multimediatreff
 
Writing Secure Code for WordPress
Writing Secure Code for WordPressWriting Secure Code for WordPress
Writing Secure Code for WordPressShawn Hooper
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & DefenseBlueinfy Solutions
 
VodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadVodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadvodQA
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10Sastry Tumuluri
 
Hackers vs developers
Hackers vs developersHackers vs developers
Hackers vs developersSoumyasanto Sen
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)OWASP Khartoum
 
security.pptx
security.pptxsecurity.pptx
security.pptxHusseinNassrullah
 
Anatomy of a WordPress Hack
Anatomy of a WordPress HackAnatomy of a WordPress Hack
Anatomy of a WordPress Hackjessepollak
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Michael Hendrickx
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror StoriesSimon Willison
 
Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"NodeUkraine
 
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Ömer Çıtak
 
RSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoRSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoAditya K Sood
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeAlexandre Morgaut
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git RepoCliff Smith
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilitiesn|u - The Open Security Community
 
Securing Your BBC Identity
Securing Your BBC IdentitySecuring Your BBC Identity
Securing Your BBC IdentityMarc Littlemore
 
Securing WordPress
Securing WordPressSecuring WordPress
Securing WordPressShawn Hooper
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application DefenseFrank Kim
 
JavaScript For People Who Don't Code
JavaScript For People Who Don't CodeJavaScript For People Who Don't Code
JavaScript For People Who Don't CodeChristopher Schmitt
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in RailsUri Nativ
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)simmis5
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 

Contenu connexe

Similaire à Cross-site Scripting

VodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadVodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadvodQA
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10Sastry Tumuluri
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)OWASP Khartoum
 
Anatomy of a WordPress Hack
Anatomy of a WordPress HackAnatomy of a WordPress Hack
Anatomy of a WordPress Hackjessepollak
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Michael Hendrickx
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror StoriesSimon Willison
 
Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"NodeUkraine
 
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Ömer Çıtak
 
RSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoRSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoAditya K Sood
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeAlexandre Morgaut
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git RepoCliff Smith
 
Securing Your BBC Identity
Securing Your BBC IdentitySecuring Your BBC Identity
Securing Your BBC IdentityMarc Littlemore
 
Securing WordPress
Securing WordPressSecuring WordPress
Securing WordPressShawn Hooper
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application DefenseFrank Kim
 
JavaScript For People Who Don't Code
JavaScript For People Who Don't CodeJavaScript For People Who Don't Code
JavaScript For People Who Don't CodeChristopher Schmitt
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in RailsUri Nativ
 

Similaire à Cross-site Scripting (20)

XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
VodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadVodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkad
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
Hackers vs developers
Hackers vs developersHackers vs developers
Hackers vs developers
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
 
security.pptx
security.pptxsecurity.pptx
security.pptx
 
Anatomy of a WordPress Hack
Anatomy of a WordPress HackAnatomy of a WordPress Hack
Anatomy of a WordPress Hack
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror Stories
 
Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"
 
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)
 
RSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoRSA Conference 2010 San Francisco
RSA Conference 2010 San Francisco
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git Repo
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilities
 
Securing Your BBC Identity
Securing Your BBC IdentitySecuring Your BBC Identity
Securing Your BBC Identity
 
Securing WordPress
Securing WordPressSecuring WordPress
Securing WordPress
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
 
JavaScript For People Who Don't Code
JavaScript For People Who Don't CodeJavaScript For People Who Don't Code
JavaScript For People Who Don't Code
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in Rails
 

Dernier

Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)simmis5
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduitsrknatarajan
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxupamatechverse
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdfKamal Acharya
 
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTINGMANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTINGSIVASHANKAR N
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Christo Ananth
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSSIVASHANKAR N
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...ranjana rawat
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college projectTonystark477637
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 

Dernier (20)

Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptx
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdf
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTINGMANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college project
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 

Cross-site Scripting

  • 1. UF Student InfoSec Team September 8, 2015 #ufsit on Freenode XSS | Andrew Kerr 1
  • 3. Upcoming CTF: CSAW XSS | Andrew Kerr 3
  • 4. CSAW CTF (Qualifiers) • September 18 @ 6pm - September 20 @ 6pm XSS | Andrew Kerr 4
  • 5. CSAW CTF (Qualifiers) • September 18 @ 6pm - September 20 @ 6pm • If we qualify, we get to send a team of undergrads to national CTF XSS | Andrew Kerr 5
  • 6. MMA CTF Recap XSS | Andrew Kerr 6
  • 7. MMA CTF Recap • Lots of people there on Friday! • Left Friday night in top 15% XSS | Andrew Kerr 7
  • 8. We want your writeups! XSS | Andrew Kerr 8
  • 9. Cross-site Scripting (Also known as XSS) Andrew Kerr | Sept 8, 2015 me@andrewjkerr.com XSS | Andrew Kerr 9
  • 11. whoami • Fifth year Software Engineering @ UF XSS | Andrew Kerr 11
  • 12. whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs XSS | Andrew Kerr 12
  • 13. whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs • Full stack web developer XSS | Andrew Kerr 13
  • 14. whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs • Full stack web developer • Former security intern at Tumblr XSS | Andrew Kerr 14
  • 15. whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs • Full stack web developer • Former security intern at Tumblr • Former intern at BlockScore XSS | Andrew Kerr 15
  • 16. Cross-site Scripting (Also known as XSS) XSS | Andrew Kerr 16
  • 17. XSS Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. — OWASP XSS | Andrew Kerr 17
  • 18. Ok... what does that mean? XSS | Andrew Kerr 18
  • 19. XSS | Andrew Kerr 19
  • 20. XSS | Andrew Kerr 20
  • 21. XSS | Andrew Kerr 21
  • 22. Why does this work? XSS | Andrew Kerr 22
  • 23. Why does this work? • Browser is tricked into thinking the code is part of the site XSS | Andrew Kerr 23
  • 24. Why does this work? • Browser is tricked into thinking the code is part of the site • Backend server does not sanitize input correctly XSS | Andrew Kerr 24
  • 25. Why does this work? • Browser is tricked into thinking the code is part of the site • Backend server does not sanitize input correctly • Poor client-side JavaScript executes given parameters XSS | Andrew Kerr 25
  • 26. Why do it? XSS | Andrew Kerr 26
  • 27. Why do it? • Steal session cookies XSS | Andrew Kerr 27
  • 28. Why do it? • Steal session cookies • Steal logins by defacing XSS | Andrew Kerr 28
  • 29. Why do it? • Steal session cookies • Steal logins by defacing • Exploit the browser/plugins XSS | Andrew Kerr 29
  • 30. Why do it? • Steal session cookies • Steal logins by defacing • Exploit the browser/plugins • For the lulz XSS | Andrew Kerr 30
  • 31. XSS | Andrew Kerr 31
  • 32. Remember this? • ❤ emoji broke XSS sanitization on TweetDeck XSS | Andrew Kerr 32
  • 33. Remember this? • ❤ emoji broke XSS sanitization on TweetDeck • Auto-magically retweeted itself 70,000+ times XSS | Andrew Kerr 33
  • 34. Remember this? • ❤ emoji broke XSS sanitization on TweetDeck • Auto-magically retweeted itself 70,000+ times • Good thing it wasn't malicious! XSS | Andrew Kerr 34
  • 35. Ok, but it's Twitter... why does it matter? XSS | Andrew Kerr 35
  • 36. XSS | Andrew Kerr 36
  • 37. XSS Payloads XSS | Andrew Kerr 37
  • 38. XSS Payloads • A TON of possible XSS payloads XSS | Andrew Kerr 38
  • 39. XSS Payloads • A TON of possible XSS payloads • <script>alert(1)</script> • <img src="x" onerror="alert(1)" /> • <a href="javascript: alert(1)">Click me!</a> • and more! XSS | Andrew Kerr 39
  • 40. Types of XSS XSS | Andrew Kerr 40
  • 41. Types of XSS 1. Reflected XSS | Andrew Kerr 41
  • 42. Types of XSS 1. Reflected 2. Stored XSS | Andrew Kerr 42
  • 43. Types of XSS 1. Reflected 2. Stored 3. DOM-based XSS | Andrew Kerr 43
  • 44. Reflected XSS XSS | Andrew Kerr 44
  • 45. Reflected XSS • Ability to inject code and have the server return it back, unsanitized • Not stored on the server/in a database! XSS | Andrew Kerr 45
  • 46. Reflected XSS • Ability to inject code and have the server return it back, unsanitized • Not stored on the server/in a database! • Normally hidden in the URL • Don't click on random links! XSS | Andrew Kerr 46
  • 47. Reflected XSS • Ability to inject code and have the server return it back, unsanitized • Not stored on the server/in a database! • Normally hidden in the URL • Don't click on random links! • Example: search forms showing input on results page after submission XSS | Andrew Kerr 47
  • 48. Reflected XSS Vulnerable Code Example // www.site.com/search.php?q=search+query $search_query = $_GET['q']; echo '<h1>Search results for: ' . $search_query . '</h1>; XSS | Andrew Kerr 48
  • 50. XSS | Andrew Kerr 50
  • 51. Reflected XSS Vulnerable Code Example // www.site.com/search.php?q=search+query $search_query = $_GET['q']; echo '<h1>Search results for: ' . $search_query . '</h1>; Q: What's wrong with this code? XSS | Andrew Kerr 51
  • 52. Reflected XSS Vulnerable Code Example // www.site.com/search.php?q=search+query $search_query = $_GET['q']; echo '<h1>Search results for: ' . $search_query . '</h1>; Q: What's wrong with this code? A: UNSANITIZED USER INPUT XSS | Andrew Kerr 52
  • 53. Stored XSS XSS | Andrew Kerr 53
  • 54. Stored XSS • Ability to inject code and have the server store it and return it without sanitizing it in either case XSS | Andrew Kerr 54
  • 55. Stored XSS • Ability to inject code and have the server store it and return it without sanitizing it in either case • HOLY CRAP THIS IS HORRIBLE • Only way for end user to protect themselves is to disable JS XSS | Andrew Kerr 55
  • 56. Stored XSS • Ability to inject code and have the server store it and return it without sanitizing it in either case • HOLY CRAP THIS IS HORRIBLE • Only way for end user to protect themselves is to disable JS • Example: form post storing XSS XSS | Andrew Kerr 56
  • 57. XSS | Andrew Kerr 57
  • 58. Samy MySpace worm XSS | Andrew Kerr 58
  • 59. Samy MySpace worm • Posted 'but most of all, samy is my hero' to victims XSS | Andrew Kerr 59
  • 60. Samy MySpace worm • Posted 'but most of all, samy is my hero' to victims • Fastest spreading virus of all time • 1+ million runs in ~20hrs XSS | Andrew Kerr 60
  • 61. Stored XSS Vulnerable Code Example // Storing posts $post = $_POST['post']; $query = $mysql_conn->prepare("INSERT INTO posts VALUES ('" . $post . "')"); $query->execute(); // Fetching and outputting posts $query = $mysql_conn->prepare("SELECT * FROM posts"); $query->execute(); $query->bind_result($post); while($query->fetch()) { echo '<p>' . $post . '</p>'; } XSS | Andrew Kerr 61
  • 62. Stored XSS Vulnerable Code Example // Storing posts $post = $_POST['post']; $query = $mysql_conn->prepare("INSERT INTO posts VALUES ('" . $post . "')"); $query->execute(); // Fetching and outputting posts $query = $mysql_conn->prepare("SELECT * FROM posts"); $query->execute(); $query->bind_result($post); while($query->fetch()) { echo '<p>' . $post . '</p>'; } Q: What's the issue? XSS | Andrew Kerr 62
  • 63. Stored XSS Vulnerable Code Example // Storing posts $post = $_POST['post']; $query = $mysql_conn->prepare("INSERT INTO posts VALUES ('" . $post . "')"); $query->execute(); // Fetching and outputting posts $query = $mysql_conn->prepare("SELECT * FROM posts"); $query->execute(); $query->bind_result($post); while($query->fetch()) { echo '<p>' . $post . '</p>'; } Q: What's the issue? A: UNSANITIZED USER INPUT XSS | Andrew Kerr 63
  • 64. DOM-based XSS XSS | Andrew Kerr 64
  • 65. DOM-based XSS • Similar to Reflected, but is not rendered from the server. XSS | Andrew Kerr 65
  • 66. DOM-based XSS • Similar to Reflected, but is not rendered from the server. • Normally due to bad JavaScript code XSS | Andrew Kerr 66
  • 67. DOM-based XSS • Similar to Reflected, but is not rendered from the server. • Normally due to bad JavaScript code • Also crafted by a URL • Don't let users pass in JS via the URL! XSS | Andrew Kerr 67
  • 68. DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); XSS | Andrew Kerr 68
  • 69. DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); Q: And, what's the issue here? XSS | Andrew Kerr 69
  • 70. DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); Q: And, what's the issue here? A: UNSANITIZED USER INPUT XSS | Andrew Kerr 70
  • 71. DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); Q: How would we exploit this? XSS | Andrew Kerr 71
  • 72. DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); Q: How would we exploit this? A: Craft a URL like: www.site.com/page.html?title=<img src='x' onerror='alert(1)' /> XSS | Andrew Kerr 72
  • 73. Protecting Against XSS XSS | Andrew Kerr 73
  • 74. Protecting Against XSS // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); XSS | Andrew Kerr 74
  • 75. Protecting Against XSS // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); • jQuery provides a .html AND .text. XSS | Andrew Kerr 75
  • 76. Protecting Against XSS // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); • jQuery provides a .html AND .text. • But, what's the difference? XSS | Andrew Kerr 76
  • 77. Let's look at the documentation! XSS | Andrew Kerr 77
  • 78. Let's look at the documentation! (Aka RTFM) XSS | Andrew Kerr 78
  • 79. Protecting Against XSS Set the text contents of the matched elements. — .text() Set the HTML contents of each element in the set of matched elements. — .html() XSS | Andrew Kerr 79
  • 80. Protecting Against XSS <html> <head> <title>Test Page</title> <script type="text/javascript" src="jquery.min.js"></script> <script type="text/javascript"> $(function(){ $("#div1").html('<a href="example.html">Link</a><b>hello</b>'); $("#div2").text('<a href="example.html">Link</a><b>hello</b>'); }); </script> </head> <body> <div id="div1"></div> <div id="div2"></div> </body> </html> XSS | Andrew Kerr 80
  • 81. Protecting Against XSS 1. Know your framework/library/language! XSS | Andrew Kerr 81
  • 82. Protecting Against XSS 1. Know your framework/library/language! 2. SANITIZE! XSS | Andrew Kerr 82
  • 83. Protecting Against XSS 1. Know your framework/library/language! 2. SANITIZE! 3. Whitelist, not blacklist XSS | Andrew Kerr 83
  • 84. Protecting Against XSS 1. Know your framework/library/language! 2. SANITIZE! 3. Whitelist, not blacklist 4. Headers XSS | Andrew Kerr 84
  • 85. Protecting Against XSS • Or, ya know, read the NSA's recommendations. • https://www.nsa.gov/ia/files/ factsheets/ xssiadfactsheetfinal_web.pdf XSS | Andrew Kerr 85
  • 86. But most importantly... XSS | Andrew Kerr 86
  • 87. TEST YOUR APPLICATION XSS | Andrew Kerr 87
  • 88. XSS | Andrew Kerr 88
  • 89. Bypassing Filters • Wonderful cheatsheet by OWASP: https://www.owasp.org/ index.php/XSSFilterEvasionCheatSheet XSS | Andrew Kerr 89
  • 90. Bypassing Filters • Wonderful cheatsheet by OWASP: https://www.owasp.org/ index.php/XSSFilterEvasionCheatSheet • Also, some guess work helps! XSS | Andrew Kerr 90
  • 91. Bypassing Filters Vulnerable Code Example $input = $_POST['input']; $sanitized = str_replace('script', '', $input); XSS | Andrew Kerr 91
  • 92. Bypassing Filters Vulnerable Code Example $input = $_POST['input']; $sanitized = str_replace('script', '', $input); Q: How could we get by this? XSS | Andrew Kerr 92
  • 93. Bypassing Filters Vulnerable Code Example $input = $_POST['input']; $sanitized = str_replace('script', '', $input); Q: How could we get by this? A: Think about it :) XSS | Andrew Kerr 93
  • 95. Resources • OWASP XSS | Andrew Kerr 95
  • 96. Resources • OWASP • The Web Application Hackers Handbook XSS | Andrew Kerr 96
  • 97. Resources • OWASP • The Web Application Hackers Handbook • Mutillidae Practice Application XSS | Andrew Kerr 97
  • 98. Ok, cool, onto challenges! XSS | Andrew Kerr 98
  • 100. Challenges • Server: 104.236.76.214 • Source: github.com/ufsit/xss-challenges • Try not to use this! • Cheatsheet: https://www.owasp.org/index.php/ XSSFilterEvasionCheatSheet XSS | Andrew Kerr 100