The document discusses an upcoming Capture the Flag (CTF) competition called CSAW from September 18-20. If the University of Florida Student InfoSec Team (UFSIT) qualifies, they will be able to send a team of undergraduates to the national competition. It also recaps their performance at a previous CTF called MMA where they left on Friday night in the top 15%. The rest of the document is a presentation about cross-site scripting (XSS) attacks given by Andrew Kerr, who is a fifth year software engineering student and secretary of UFSIT. It covers what XSS is, the different types (reflected, stored, DOM-based), examples of vulnerable code, how to
5. CSAW CTF (Qualifiers)
• September 18 @ 6pm - September 20 @ 6pm
• If we qualify, we get to send a team of undergrads to
national CTF
XSS | Andrew Kerr 5
12. whoami
• Fifth year Software Engineering @ UF
• Secretary of UFSIT for > 2yrs
XSS | Andrew Kerr 12
13. whoami
• Fifth year Software Engineering @ UF
• Secretary of UFSIT for > 2yrs
• Full stack web developer
XSS | Andrew Kerr 13
14. whoami
• Fifth year Software Engineering @
UF
• Secretary of UFSIT for > 2yrs
• Full stack web developer
• Former security intern at Tumblr
XSS | Andrew Kerr 14
15. whoami
• Fifth year Software Engineering @
UF
• Secretary of UFSIT for > 2yrs
• Full stack web developer
• Former security intern at Tumblr
• Former intern at BlockScore
XSS | Andrew Kerr 15
17. XSS
Cross-Site Scripting (XSS) attacks are a type of injection, in which
malicious scripts are injected into otherwise benign and trusted
web sites. XSS attacks occur when an attacker uses a web
application to send malicious code, generally in the form of a
browser side script, to a different end user.
— OWASP
XSS | Andrew Kerr 17
23. Why does this work?
• Browser is tricked into thinking the code is part of the site
XSS | Andrew Kerr 23
24. Why does this work?
• Browser is tricked into thinking the code is part of the site
• Backend server does not sanitize input correctly
XSS | Andrew Kerr 24
25. Why does this work?
• Browser is tricked into thinking the code is part of the site
• Backend server does not sanitize input correctly
• Poor client-side JavaScript executes given parameters
XSS | Andrew Kerr 25
38. XSS Payloads
• A TON of possible XSS payloads
XSS | Andrew Kerr 38
39. XSS Payloads
• A TON of possible XSS payloads
• <script>alert(1)</script>
• <img src="x" onerror="alert(1)" />
• <a href="javascript: alert(1)">Click me!</a>
• and more!
XSS | Andrew Kerr 39
45. Reflected XSS
• Ability to inject code and have the server return it back,
unsanitized
• Not stored on the server/in a database!
XSS | Andrew Kerr 45
46. Reflected XSS
• Ability to inject code and have the server return it back,
unsanitized
• Not stored on the server/in a database!
• Normally hidden in the URL
• Don't click on random links!
XSS | Andrew Kerr 46
47. Reflected XSS
• Ability to inject code and have the server return it back,
unsanitized
• Not stored on the server/in a database!
• Normally hidden in the URL
• Don't click on random links!
• Example: search forms showing input on results page after
submission
XSS | Andrew Kerr 47
54. Stored XSS
• Ability to inject code and have the server store it and return
it without sanitizing it in either case
XSS | Andrew Kerr 54
55. Stored XSS
• Ability to inject code and have the server store it and return
it without sanitizing it in either case
• HOLY CRAP THIS IS HORRIBLE
• Only way for end user to protect themselves is to disable
JS
XSS | Andrew Kerr 55
56. Stored XSS
• Ability to inject code and have the server store it and return
it without sanitizing it in either case
• HOLY CRAP THIS IS HORRIBLE
• Only way for end user to protect themselves is to disable
JS
• Example: form post storing XSS
XSS | Andrew Kerr 56
59. Samy MySpace worm
• Posted 'but most of all, samy is my hero' to victims
XSS | Andrew Kerr 59
60. Samy MySpace worm
• Posted 'but most of all, samy is my hero' to victims
• Fastest spreading virus of all time
• 1+ million runs in ~20hrs
XSS | Andrew Kerr 60
65. DOM-based XSS
• Similar to Reflected, but is not rendered from the server.
XSS | Andrew Kerr 65
66. DOM-based XSS
• Similar to Reflected, but is not rendered from the server.
• Normally due to bad JavaScript code
XSS | Andrew Kerr 66
67. DOM-based XSS
• Similar to Reflected, but is not rendered from the server.
• Normally due to bad JavaScript code
• Also crafted by a URL
• Don't let users pass in JS via the URL!
XSS | Andrew Kerr 67
68. DOM-based XSS Vulnerable Code Example
// Pretend parse_get_params is imeplemented :)
var title = parse_get_params('title');
$('.page-header').html("<h1>" + title + "</h1>");
XSS | Andrew Kerr 68
69. DOM-based XSS Vulnerable Code Example
// Pretend parse_get_params is imeplemented :)
var title = parse_get_params('title');
$('.page-header').html("<h1>" + title + "</h1>");
Q: And, what's the issue here?
XSS | Andrew Kerr 69
70. DOM-based XSS Vulnerable Code Example
// Pretend parse_get_params is imeplemented :)
var title = parse_get_params('title');
$('.page-header').html("<h1>" + title + "</h1>");
Q: And, what's the issue here?
A: UNSANITIZED USER INPUT
XSS | Andrew Kerr 70
71. DOM-based XSS Vulnerable Code Example
// Pretend parse_get_params is imeplemented :)
var title = parse_get_params('title');
$('.page-header').html("<h1>" + title + "</h1>");
Q: How would we exploit this?
XSS | Andrew Kerr 71
72. DOM-based XSS Vulnerable Code Example
// Pretend parse_get_params is imeplemented :)
var title = parse_get_params('title');
$('.page-header').html("<h1>" + title + "</h1>");
Q: How would we exploit this?
A: Craft a URL like:
www.site.com/page.html?title=<img src='x'
onerror='alert(1)' />
XSS | Andrew Kerr 72
74. Protecting Against XSS
// Pretend parse_get_params is imeplemented :)
var title = parse_get_params('title');
$('.page-header').html("<h1>" + title + "</h1>");
XSS | Andrew Kerr 74
75. Protecting Against XSS
// Pretend parse_get_params is imeplemented :)
var title = parse_get_params('title');
$('.page-header').html("<h1>" + title + "</h1>");
• jQuery provides a .html AND .text.
XSS | Andrew Kerr 75
76. Protecting Against XSS
// Pretend parse_get_params is imeplemented :)
var title = parse_get_params('title');
$('.page-header').html("<h1>" + title + "</h1>");
• jQuery provides a .html AND .text.
• But, what's the difference?
XSS | Andrew Kerr 76
77. Let's look at the documentation!
XSS | Andrew Kerr 77
78. Let's look at the documentation!
(Aka RTFM)
XSS | Andrew Kerr 78
79. Protecting Against XSS
Set the text contents of the matched elements.
— .text()
Set the HTML contents of each element in the set of matched
elements.
— .html()
XSS | Andrew Kerr 79
89. Bypassing Filters
• Wonderful cheatsheet by OWASP: https://www.owasp.org/
index.php/XSSFilterEvasionCheatSheet
XSS | Andrew Kerr 89
90. Bypassing Filters
• Wonderful cheatsheet by OWASP: https://www.owasp.org/
index.php/XSSFilterEvasionCheatSheet
• Also, some guess work helps!
XSS | Andrew Kerr 90
91. Bypassing Filters Vulnerable Code
Example
$input = $_POST['input'];
$sanitized = str_replace('script', '', $input);
XSS | Andrew Kerr 91
92. Bypassing Filters Vulnerable Code
Example
$input = $_POST['input'];
$sanitized = str_replace('script', '', $input);
Q: How could we get by this?
XSS | Andrew Kerr 92
93. Bypassing Filters Vulnerable Code
Example
$input = $_POST['input'];
$sanitized = str_replace('script', '', $input);
Q: How could we get by this?
A: Think about it :)
XSS | Andrew Kerr 93