CROSS SITE Scripting

HOW VULNERABLE IS MY WEB APPLICATION FROM A DEVELOPER’S ANGLE…

Dilan Warnakulasooriya, Information Security Engineer, 99X Technology
Asanka Fernandopulle, Senior Software Engineer, 99X Technology
What is it?

- Script is injected into the page
  - The script can come from the URL, a database, a cookie or a form
- Types:
  - Reflected
  - Persistent
  - DOM based
- What can it do?
  - Create or access any DOM element
  - Hijack clicks, cookies, credentials
  - Limited JavaScript port scanning
  - Send information to remote sites (think credentials)
  - And many more…

January 1, 2013                    99X Technology(c)            2
How is it exploited?

- The attacker injects script into the user’s experience
- Can happen from server-side code (beware ASP.NET code)
- Can happen from client-side code (beware JavaScript/jQuery code)

Exploiting Demos

- Reflected
- Persistent
- Older-style IE6 content-type sniffing
- DOM based + JSON + jQuery
- Data URI – link hijack
- Dangling markup

How do you prevent it?

- Not using reflected/persisted data _anywhere_ in JavaScript is the easiest way to prevent it
  - HTML-encode output – specify the AntiXss library as the encoder
  - Avoid user input in any attribute, or restrict it with a regex to a-z only
  - Consider stripping out anything that is not a-z, 0-9
- Json.Encode() or Encoder.JavaScriptEncode() all data supplied to JavaScript
  - Still vulnerable if this text is later read back from an element and used incorrectly
- More complex scenarios require serious investigation into code sections
  - Audit anywhere DOM elements are created/altered for user-supplied input
- Some past vulnerabilities were hard to control (Flash, PDF, etc.)

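As an added example (not code from the slides or from the AntiXss library), the two encoders the slide calls for, written in plain JavaScript so they can be run and compared: one for HTML body context, one for JavaScript string context, plus the extra escaping a JSON object needs when it is inlined into a <script> block. Function names and the sample comment are this example's own.

```javascript
// Added example, not code from the slides or from the AntiXss library.
// Two encoders for two output contexts, plus a page renderer that uses
// the right one in each place. Function names are this example's own.

// HTML body / attribute context: entity-encode the characters that can
// change markup structure.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context. Like the AntiXss JavaScriptEncode
// approach, anything outside [A-Za-z0-9 ] becomes a \xHH or \uHHHH
// escape, so the value can never close the quote, the statement, or the
// surrounding <script> element.
function javaScriptEncode(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// JSON inlined into a <script> block. JSON.stringify leaves < > & alone,
// so a string value containing "</script>" would end the block early.
// Escape those (and U+2028/U+2029, which are line terminators in older
// engines) as \uHHHH, which is still valid JSON.
function jsonEncodeForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Constructed untrusted comment: it closes a script block and a tag, and
// carries both quote characters.
const UNTRUSTED_COMMENT = 'Nice post</script><b>"bold" & \'quoted\'</b>';

// The anti-pattern: raw concatenation into every context.
function renderUnsafe(comment) {
  return [
    '<div class="comment">' + comment + '</div>',
    '<script>',
    '  var comment = "' + comment + '";',
    '  var model = ' + JSON.stringify({ comment }) + ';',
    '</script>',
  ].join('\n');
}

// The hardened form: each sink gets the encoder for its own context.
function renderSafe(comment) {
  return [
    '<div class="comment">' + htmlEncode(comment) + '</div>',
    '<script>',
    '  var comment = "' + javaScriptEncode(comment) + '";',
    '  var model = ' + jsonEncodeForScript({ comment }) + ';',
    '</script>',
  ].join('\n');
}

// A cheap structural check a unit test can run over rendered output: the
// page must contain exactly one closing </script> tag (the real one).
function countScriptCloses(html) {
  return (html.match(/<\/script>/gi) || []).length;
}

// The script-safe JSON is still plain JSON: it parses back to the input.
function jsonRoundTrips(value) {
  return JSON.parse(jsonEncodeForScript(value));
}
```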
How do you prevent it? (cont’d)

- Do not store data encoded; store it sanitized
- Encoding before storing can lead to double encoding:
    <  ->  &lt;  ->  &amp;lt;  ->  &amp;amp;lt;
- AntiXss Sanitizer’s GetSafeHtml() / GetSafeHtmlFragment()
- Specify the page encoding in web.config
- Content Security Policy
  - Firefox: OK
  - Chrome/Safari (WebKit): OK
  - IE 10: partially implemented, as expected
- Don’t expect blacklists to work (i.e. searching for <script>)
  - They have been bypassed in many ways
  - Replacing “script” with “” can end up making <script>!
- Consider rejecting the data: scheme in all stored URIs
- Only allow local URL redirects that start with “/uri”

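An added example (not from the slides) that runs three of the points above as code: the double-encoding chain that encode-before-store produces, a one-pass blacklist that splices its forbidden token back together, and a local-redirect check that also rejects the protocol-relative "//host" form, which starts with "/" but leaves the site. Function names are this example's own.

```javascript
// Added example, not code from the slides. Models the storage pipeline,
// the blacklist and the redirect/URI checks discussed on this slide.
// Function names are this example's own.

function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Trace the chain from the slide: "<" -> "&lt;" -> "&amp;lt;" -> ...
// Each extra round re-encodes the "&" of the previous entity.
function encodeChain(value, rounds) {
  const chain = [value];
  for (let i = 0; i < rounds; i++) chain.push(htmlEncode(chain[chain.length - 1]));
  return chain;
}

// Store-then-render pipeline. With encodeBeforeStore=true the value is
// encoded on the way into the "database" and again by the view on the way
// out, which is how "<" ends up on screen as the literal text "&lt;".
function storeAndRender(input, { encodeBeforeStore }) {
  const stored = encodeBeforeStore ? htmlEncode(input) : input; // persisted row
  return htmlEncode(stored);                                    // view output
}

// Naive blacklist: delete the token "script". Removing it once from the
// middle of a string can splice the characters on either side into a new
// copy of the token, so "<scrscriptipt>" becomes "<script>".
function stripScriptOnce(s) {
  return s.replace(/script/gi, '');
}

// Iterating until nothing changes closes that particular hole, but it is
// still a blacklist: other tags, event-handler attributes and encoded
// forms pass through untouched, which is why the slide says not to rely
// on it and to encode on output instead.
function stripScriptUntilStable(s) {
  let previous;
  do { previous = s; s = s.replace(/script/gi, ''); } while (s !== previous);
  return s;
}

// "Only allow local redirects that start with '/'": a bare startsWith('/')
// is not enough, because "//other.example/" and "/\other.example" are
// treated by browsers as protocol-relative URLs to another host.
function isLocalRedirect(target) {
  if (typeof target !== 'string' || !target.startsWith('/')) return false;
  if (target.startsWith('//') || target.startsWith('/\\')) return false;
  return !/[\r\n]/.test(target); // no header-splitting characters either
}

// Reject the data: scheme (and anything else non-http) in stored URIs,
// tolerating the leading whitespace and case variations a lenient parser
// would accept.
function isAllowedStoredUri(uri) {
  const scheme = /^\s*([a-z][a-z0-9+.-]*):/i.exec(uri);
  if (!scheme) return true;                     // relative URI
  return ['http', 'https'].includes(scheme[1].toLowerCase());
}
```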
How do you prevent it? (Last but not least)

- Audit every location where data is assigned, output and used, since a lot of data can be affected by the user
  - Ensure it is not used in JavaScript, or is highly sanitized
  - ASP.NET TextBox HTML-encodes its output, Label does not
    ○ KNOW YOUR CONTROL’S BEHAVIOUR!!! EVERY ONE!
  - Test by injecting script and special characters (e.g. <) into the app; use Fiddler if you must, to change incoming data
- Be concerned with any place where DOM elements are created/modified
  - Use functions such as setAttribute and var y = document.createElement("div"); rather than document.writeln, $(x).html(), element.innerHTML, eval
- Deprecate IE6 (and all older browsers)
  - Use Request.Browser, ie6update.com, etc.
- Don’t turn off EnableRequestValidation or ValidateRequest!
  - MVC apps use [AllowHtml]; Web Forms is more difficult (until 4.5!!)

Know your encoding options

Encoding option                                         Code/Config
------------------------------------------------------  ----------------------------------------------------------------------
Web Forms / Web Forms view engine                       <%= Server.HtmlEncode(data) %>
Web Forms v4.0+                                         <%: data %>
MVC3+ Razor view engine                                 @data
Data binding in Web Forms v4 and below                  <%# Server.HtmlEncode(Eval("property")) %>
Data binding v4.5                                       <%#: Item.Property %>
Better: ASP.NET 3.5 and below, use the AntiXss          Microsoft.Security.Application.Encoder.HtmlEncode(data)
library directly
ASP.NET 4 (Web Forms & MVC)                             <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" />
ASP.NET 4.5 (AntiXss included in this version)          <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, …" />
JSON (MVC)                                              Json.Encode(Model)
JavaScript encoding using AntiXss                       Encoder.JavaScriptEncode(Model.comment)

Tools

- Development tools
  - Microsoft’s AntiXss tools
  - FxCop rules
- Testing tools
  - Dominator
  - jsFiddle.net
  - DOMSnitch – Chrome plugin
  - Fiddler
    ○ Remember you can set breakpoints and change incoming data
  - Scanners (SAINTexploit)
- Keep on top of current XSS types of attacks
  - OWASP is a great resource
  - @wascwhild
  - http://web.nvd.nist.gov/view/vuln/search-results?query=xss&search_type=all&cves=on

