Developing Secure Web Application - Cross-Site Scripting (XSS)
  1. Developing Secure Web Application: Cross-Site Scripting (XSS). Cezar Coca, Endava, 10th of November 2012
  2. Agenda
     • Why?
     • Formal description
     • Same Origin Policy
     • How to perform an XSS attack
     • Demo
     • Prevention of XSS attacks
  3. OWASP Top Ten (2010 Edition): http://www.owasp.org/index.php/Top_10
  4. At first sight
  5. Second sight
  6. XSS formal description
     Types – at least two primary flavors
     • Non-persistent (or reflected)
     • Persistent (or stored)
     Typical impact
     • Steal user’s session (hijack session)
     • Rewrite web page
     • Redirect user to phishing or malware site
     • Most severe: install XSS proxy
  7. Same Origin Policy – Security Domain
  8. Same Origin Policy – DOM
  9. Same Origin Policy – DOM
  10. Same Origin Policy – DOM
  11–13. Reflected XSS Illustrated (the diagram is built up over three slides)
     1. The attacker sends the victim a misleading email with a link containing malicious JavaScript.
     2. When the victim clicks on the link, the HTTP request is initiated from the victim’s browser and sent to the vulnerable web application.
     3. The malicious JavaScript is then reflected back to the victim’s browser, where it is executed in the context of the victim user’s session.
  14. DEMO – deployment diagram
  15. LET’S HACK
  16. Second sight
  17. Prevention of XSS Attack – part 1
     • Input Validation
       • Canonicalize data first
         • Prevent encoded attacks
       • Black list testing is no solution
         • Black lists are never complete!
       • White list testing is better
         • Only what you expect will pass
         • Regular expressions
     • HTML Encoding
       • HTML encoding of all input when put into output pages
  18. Prevention of XSS Attack – Multiple contexts
     Browsers have multiple contexts that must be considered, each with its own encoding rules:
     • HTML Body Context
     • HTML Attributes Context
     • <STYLE> Context
     • <SCRIPT> Context
     • URL Context
  19. Prevention of XSS Attack – Session Hijacking
     • Session hijacking
       • “HttpOnly” Cookies
       • “secure” Cookies. Cookies are only sent over SSL
       • Disable TRACE
     • References:
       • http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
       • http://ha.ckers.org/xss.html
       • http://www.owasp.org/index.php/ESAPI
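One way to implement the white-list validation of slide 17 and the per-context output encoding of slide 18, as an added example that is not part of the original deck (the function names and the constructed sample input are assumptions of this example):

```javascript
// Added example, not from the slides: the encoder has to match the browser
// context the untrusted value lands in; one encoder for every context is not enough.

// HTML body and HTML attribute context: entity-encode the characters that can
// break out of text or out of a quoted attribute (attributes must also be quoted).
function encodeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[c]);
}

// <SCRIPT> string context: \xHH / \uHHHH-escape everything but alphanumerics,
// so a value can neither close the quote nor contain a literal "</script>".
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256 ? '\\x' + code.toString(16).padStart(2, '0')
                      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL parameter context: percent-encode the value; the href attribute around it
// still gets HTML encoding afterwards (encode inner context first, outer last).
function encodeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// White-list check for a value that is supposed to be a whole URL: only http(s)
// URLs pass, so a "javascript:" scheme never reaches an href.
function isSafeHttpUrl(s) {
  return /^https?:\/\/[^\s"'<>]+$/i.test(String(s));
}

// Constructed untrusted input, of the kind a reflected "search" parameter carries.
const untrusted = '"><script>alert(1)</script>';

// Renders the same untrusted value into four different contexts of one page.
function renderSearchPage(term) {
  return [
    `<p>Results for: ${encodeHtml(term)}</p>`,
    `<input value="${encodeHtml(term)}">`,
    `<a href="/search?q=${encodeHtml(encodeUrlParam(term))}">again</a>`,
    `<script>var term = '${encodeJsString(term)}';</script>`,
  ].join('\n');
}

console.log(renderSearchPage(untrusted));
```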