SlideShare una empresa de Scribd logo

Cross-site Scripting

Andrew Kerr
Andrew Kerr

The document discusses an upcoming Capture the Flag (CTF) competition called CSAW from September 18-20. If the University of Florida Student InfoSec Team (UFSIT) qualifies, they will be able to send a team of undergraduates to the national competition. It also recaps their performance at a previous CTF called MMA where they left on Friday night in the top 15%. The rest of the document is a presentation about cross-site scripting (XSS) attacks given by Andrew Kerr, who is a fifth year software engineering student and secretary of UFSIT. It covers what XSS is, the different types (reflected, stored, DOM-based), examples of vulnerable code, how to

Ingeniería
1 de 100
Descargar para leer sin conexión
UF Student InfoSec Team September 8, 2015 #ufsit on Freenode XSS | Andrew Kerr 1
Announcements XSS | Andrew Kerr 2
Upcoming CTF: CSAW XSS | Andrew Kerr 3
CSAW CTF (Qualifiers) • September 18 @ 6pm - September 20 @ 6pm XSS | Andrew Kerr 4
CSAW CTF (Qualifiers) • September 18 @ 6pm - September 20 @ 6pm • If we qualify, we get to send a team of undergrads to national CTF XSS | Andrew Kerr 5
MMA CTF Recap XSS | Andrew Kerr 6
MMA CTF Recap • Lots of people there on Friday! • Left Friday night in top 15% XSS | Andrew Kerr 7
We want your writeups! XSS | Andrew Kerr 8
Cross-site Scripting (Also known as XSS) Andrew Kerr | Sept 8, 2015 me@andrewjkerr.com XSS | Andrew Kerr 9
whoami XSS | Andrew Kerr 10
whoami • Fifth year Software Engineering @ UF XSS | Andrew Kerr 11
whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs XSS | Andrew Kerr 12
whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs • Full stack web developer XSS | Andrew Kerr 13
whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs • Full stack web developer • Former security intern at Tumblr XSS | Andrew Kerr 14
whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs • Full stack web developer • Former security intern at Tumblr • Former intern at BlockScore XSS | Andrew Kerr 15
Cross-site Scripting (Also known as XSS) XSS | Andrew Kerr 16
XSS Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. — OWASP XSS | Andrew Kerr 17
Ok... what does that mean? XSS | Andrew Kerr 18
XSS | Andrew Kerr 19
XSS | Andrew Kerr 20
XSS | Andrew Kerr 21
Why does this work? XSS | Andrew Kerr 22
Why does this work? • Browser is tricked into thinking the code is part of the site XSS | Andrew Kerr 23
Why does this work? • Browser is tricked into thinking the code is part of the site • Backend server does not sanitize input correctly XSS | Andrew Kerr 24
Why does this work? • Browser is tricked into thinking the code is part of the site • Backend server does not sanitize input correctly • Poor client-side JavaScript executes given parameters XSS | Andrew Kerr 25
Why do it? XSS | Andrew Kerr 26
Why do it? • Steal session cookies XSS | Andrew Kerr 27
Why do it? • Steal session cookies • Steal logins by defacing XSS | Andrew Kerr 28
Why do it? • Steal session cookies • Steal logins by defacing • Exploit the browser/plugins XSS | Andrew Kerr 29
Why do it? • Steal session cookies • Steal logins by defacing • Exploit the browser/plugins • For the lulz XSS | Andrew Kerr 30
XSS | Andrew Kerr 31
Remember this? • ❤ emoji broke XSS sanitization on TweetDeck XSS | Andrew Kerr 32
Remember this? • ❤ emoji broke XSS sanitization on TweetDeck • Auto-magically retweeted itself 70,000+ times XSS | Andrew Kerr 33
Remember this? • ❤ emoji broke XSS sanitization on TweetDeck • Auto-magically retweeted itself 70,000+ times • Good thing it wasn't malicious! XSS | Andrew Kerr 34
Ok, but it's Twitter... why does it matter? XSS | Andrew Kerr 35
XSS | Andrew Kerr 36
XSS Payloads XSS | Andrew Kerr 37
XSS Payloads • A TON of possible XSS payloads XSS | Andrew Kerr 38
XSS Payloads • A TON of possible XSS payloads • <script>alert(1)</script> • <img src="x" onerror="alert(1)" /> • <a href="javascript: alert(1)">Click me!</a> • and more! XSS | Andrew Kerr 39
Types of XSS XSS | Andrew Kerr 40
Types of XSS 1. Reflected XSS | Andrew Kerr 41
Types of XSS 1. Reflected 2. Stored XSS | Andrew Kerr 42
Types of XSS 1. Reflected 2. Stored 3. DOM-based XSS | Andrew Kerr 43
Reflected XSS XSS | Andrew Kerr 44
Reflected XSS • Ability to inject code and have the server return it back, unsanitized • Not stored on the server/in a database! XSS | Andrew Kerr 45
Reflected XSS • Ability to inject code and have the server return it back, unsanitized • Not stored on the server/in a database! • Normally hidden in the URL • Don't click on random links! XSS | Andrew Kerr 46
Reflected XSS • Ability to inject code and have the server return it back, unsanitized • Not stored on the server/in a database! • Normally hidden in the URL • Don't click on random links! • Example: search forms showing input on results page after submission XSS | Andrew Kerr 47
Reflected XSS Vulnerable Code Example // www.site.com/search.php?q=search+query $search_query = $_GET['q']; echo '<h1>Search results for: ' . $search_query . '</h1>; XSS | Andrew Kerr 48
www.site.com/search.php? q=<script>alert(1)</script> XSS | Andrew Kerr 49
XSS | Andrew Kerr 50
Reflected XSS Vulnerable Code Example // www.site.com/search.php?q=search+query $search_query = $_GET['q']; echo '<h1>Search results for: ' . $search_query . '</h1>; Q: What's wrong with this code? XSS | Andrew Kerr 51
Reflected XSS Vulnerable Code Example // www.site.com/search.php?q=search+query $search_query = $_GET['q']; echo '<h1>Search results for: ' . $search_query . '</h1>; Q: What's wrong with this code? A: UNSANITIZED USER INPUT XSS | Andrew Kerr 52
Stored XSS XSS | Andrew Kerr 53
Stored XSS • Ability to inject code and have the server store it and return it without sanitizing it in either case XSS | Andrew Kerr 54
Stored XSS • Ability to inject code and have the server store it and return it without sanitizing it in either case • HOLY CRAP THIS IS HORRIBLE • Only way for end user to protect themselves is to disable JS XSS | Andrew Kerr 55
Stored XSS • Ability to inject code and have the server store it and return it without sanitizing it in either case • HOLY CRAP THIS IS HORRIBLE • Only way for end user to protect themselves is to disable JS • Example: form post storing XSS XSS | Andrew Kerr 56
XSS | Andrew Kerr 57
Samy MySpace worm XSS | Andrew Kerr 58
Samy MySpace worm • Posted 'but most of all, samy is my hero' to victims XSS | Andrew Kerr 59
Samy MySpace worm • Posted 'but most of all, samy is my hero' to victims • Fastest spreading virus of all time • 1+ million runs in ~20hrs XSS | Andrew Kerr 60
Stored XSS Vulnerable Code Example // Storing posts $post = $_POST['post']; $query = $mysql_conn->prepare("INSERT INTO posts VALUES ('" . $post . "')"); $query->execute(); // Fetching and outputting posts $query = $mysql_conn->prepare("SELECT * FROM posts"); $query->execute(); $query->bind_result($post); while($query->fetch()) { echo '<p>' . $post . '</p>'; } XSS | Andrew Kerr 61
Stored XSS Vulnerable Code Example // Storing posts $post = $_POST['post']; $query = $mysql_conn->prepare("INSERT INTO posts VALUES ('" . $post . "')"); $query->execute(); // Fetching and outputting posts $query = $mysql_conn->prepare("SELECT * FROM posts"); $query->execute(); $query->bind_result($post); while($query->fetch()) { echo '<p>' . $post . '</p>'; } Q: What's the issue? XSS | Andrew Kerr 62
Stored XSS Vulnerable Code Example // Storing posts $post = $_POST['post']; $query = $mysql_conn->prepare("INSERT INTO posts VALUES ('" . $post . "')"); $query->execute(); // Fetching and outputting posts $query = $mysql_conn->prepare("SELECT * FROM posts"); $query->execute(); $query->bind_result($post); while($query->fetch()) { echo '<p>' . $post . '</p>'; } Q: What's the issue? A: UNSANITIZED USER INPUT XSS | Andrew Kerr 63
DOM-based XSS XSS | Andrew Kerr 64
DOM-based XSS • Similar to Reflected, but is not rendered from the server. XSS | Andrew Kerr 65
DOM-based XSS • Similar to Reflected, but is not rendered from the server. • Normally due to bad JavaScript code XSS | Andrew Kerr 66
DOM-based XSS • Similar to Reflected, but is not rendered from the server. • Normally due to bad JavaScript code • Also crafted by a URL • Don't let users pass in JS via the URL! XSS | Andrew Kerr 67
DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); XSS | Andrew Kerr 68
DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); Q: And, what's the issue here? XSS | Andrew Kerr 69
DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); Q: And, what's the issue here? A: UNSANITIZED USER INPUT XSS | Andrew Kerr 70
DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); Q: How would we exploit this? XSS | Andrew Kerr 71
DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); Q: How would we exploit this? A: Craft a URL like: www.site.com/page.html?title=<img src='x' onerror='alert(1)' /> XSS | Andrew Kerr 72
Protecting Against XSS XSS | Andrew Kerr 73
Protecting Against XSS // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); XSS | Andrew Kerr 74
Protecting Against XSS // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); • jQuery provides a .html AND .text. XSS | Andrew Kerr 75
Protecting Against XSS // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); • jQuery provides a .html AND .text. • But, what's the difference? XSS | Andrew Kerr 76
Let's look at the documentation! XSS | Andrew Kerr 77
Let's look at the documentation! (Aka RTFM) XSS | Andrew Kerr 78
Protecting Against XSS Set the text contents of the matched elements. — .text() Set the HTML contents of each element in the set of matched elements. — .html() XSS | Andrew Kerr 79
Protecting Against XSS <html> <head> <title>Test Page</title> <script type="text/javascript" src="jquery.min.js"></script> <script type="text/javascript"> $(function(){ $("#div1").html('<a href="example.html">Link</a><b>hello</b>'); $("#div2").text('<a href="example.html">Link</a><b>hello</b>'); }); </script> </head> <body> <div id="div1"></div> <div id="div2"></div> </body> </html> XSS | Andrew Kerr 80
Protecting Against XSS 1. Know your framework/library/language! XSS | Andrew Kerr 81
Protecting Against XSS 1. Know your framework/library/language! 2. SANITIZE! XSS | Andrew Kerr 82
Protecting Against XSS 1. Know your framework/library/language! 2. SANITIZE! 3. Whitelist, not blacklist XSS | Andrew Kerr 83
Protecting Against XSS 1. Know your framework/library/language! 2. SANITIZE! 3. Whitelist, not blacklist 4. Headers XSS | Andrew Kerr 84
Protecting Against XSS • Or, ya know, read the NSA's recommendations. • https://www.nsa.gov/ia/files/ factsheets/ xssiadfactsheetfinal_web.pdf XSS | Andrew Kerr 85
But most importantly... XSS | Andrew Kerr 86
TEST YOUR APPLICATION XSS | Andrew Kerr 87
XSS | Andrew Kerr 88
Bypassing Filters • Wonderful cheatsheet by OWASP: https://www.owasp.org/ index.php/XSSFilterEvasionCheatSheet XSS | Andrew Kerr 89
Bypassing Filters • Wonderful cheatsheet by OWASP: https://www.owasp.org/ index.php/XSSFilterEvasionCheatSheet • Also, some guess work helps! XSS | Andrew Kerr 90
Bypassing Filters Vulnerable Code Example $input = $_POST['input']; $sanitized = str_replace('script', '', $input); XSS | Andrew Kerr 91
Bypassing Filters Vulnerable Code Example $input = $_POST['input']; $sanitized = str_replace('script', '', $input); Q: How could we get by this? XSS | Andrew Kerr 92
Bypassing Filters Vulnerable Code Example $input = $_POST['input']; $sanitized = str_replace('script', '', $input); Q: How could we get by this? A: Think about it :) XSS | Andrew Kerr 93
Resources XSS | Andrew Kerr 94
Resources • OWASP XSS | Andrew Kerr 95
Resources • OWASP • The Web Application Hackers Handbook XSS | Andrew Kerr 96
Resources • OWASP • The Web Application Hackers Handbook • Mutillidae Practice Application XSS | Andrew Kerr 97
Ok, cool, onto challenges! XSS | Andrew Kerr 98
104.236.76.214 Go here XSS | Andrew Kerr 99
Challenges • Server: 104.236.76.214 • Source: github.com/ufsit/xss-challenges • Try not to use this! • Cheatsheet: https://www.owasp.org/index.php/ XSSFilterEvasionCheatSheet XSS | Andrew Kerr 100

Recomendados

Defcon 22-graham-mc millan-tentler-masscaning-the-internet
Defcon 22-graham-mc millan-tentler-masscaning-the-internetDefcon 22-graham-mc millan-tentler-masscaning-the-internet
Defcon 22-graham-mc millan-tentler-masscaning-the-internet
Priyanka Aash
 
ExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint Security
Alexander Benoit
 
Custom Rules & Broken Tools (Password Cracking)
Custom Rules & Broken Tools (Password Cracking)Custom Rules & Broken Tools (Password Cracking)
Custom Rules & Broken Tools (Password Cracking)
camsec
 
The Hidden Empires of Malware with TLS Certified Hypotheses and Machine Learning
The Hidden Empires of Malware with TLS Certified Hypotheses and Machine LearningThe Hidden Empires of Malware with TLS Certified Hypotheses and Machine Learning
The Hidden Empires of Malware with TLS Certified Hypotheses and Machine Learning
Ryan Kovar
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
Yury Chemerkin
 
Hta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijackingHta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijacking
Комсс Файквэе
 
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT - Multimediatreff
 
Writing Secure Code for WordPress
Writing Secure Code for WordPressWriting Secure Code for WordPress
Writing Secure Code for WordPress
Shawn Hooper
 

Recomendados

Defcon 22-graham-mc millan-tentler-masscaning-the-internet
Defcon 22-graham-mc millan-tentler-masscaning-the-internetDefcon 22-graham-mc millan-tentler-masscaning-the-internet
Defcon 22-graham-mc millan-tentler-masscaning-the-internet
Priyanka Aash
 
ExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint Security
Alexander Benoit
 
Custom Rules & Broken Tools (Password Cracking)
Custom Rules & Broken Tools (Password Cracking)Custom Rules & Broken Tools (Password Cracking)
Custom Rules & Broken Tools (Password Cracking)
camsec
 
The Hidden Empires of Malware with TLS Certified Hypotheses and Machine Learning
The Hidden Empires of Malware with TLS Certified Hypotheses and Machine LearningThe Hidden Empires of Malware with TLS Certified Hypotheses and Machine Learning
The Hidden Empires of Malware with TLS Certified Hypotheses and Machine Learning
Ryan Kovar
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
Yury Chemerkin
 
Hta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijackingHta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijacking
Комсс Файквэе
 
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT - Multimediatreff
 
Writing Secure Code for WordPress
Writing Secure Code for WordPressWriting Secure Code for WordPress
Writing Secure Code for WordPress
Shawn Hooper
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
Blueinfy Solutions
 
VodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadVodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkad
vodQA
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
Sastry Tumuluri
 
Hackers vs developers
Hackers vs developersHackers vs developers
Hackers vs developers
Soumyasanto Sen
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
OWASP Khartoum
 
security.pptx
security.pptxsecurity.pptx
security.pptx
HusseinNassrullah
 
Anatomy of a WordPress Hack
Anatomy of a WordPress HackAnatomy of a WordPress Hack
Anatomy of a WordPress Hack
jessepollak
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
Michael Hendrickx
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror Stories
Simon Willison
 
Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"
NodeUkraine
 
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Ömer Çıtak
 
RSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoRSA Conference 2010 San Francisco
RSA Conference 2010 San Francisco
Aditya K Sood
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Alexandre Morgaut
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git Repo
Cliff Smith
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilities
n|u - The Open Security Community
 
Securing Your BBC Identity
Securing Your BBC IdentitySecuring Your BBC Identity
Securing Your BBC Identity
Marc Littlemore
 
Securing WordPress
Securing WordPressSecuring WordPress
Securing WordPress
Shawn Hooper
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
Frank Kim
 
JavaScript For People Who Don't Code
JavaScript For People Who Don't CodeJavaScript For People Who Don't Code
JavaScript For People Who Don't Code
Christopher Schmitt
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in Rails
Uri Nativ
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.ppt
DineshKumar4165
 
DC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationDC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equation
BhangaleSonal
 

Más contenido relacionado

Similar a Cross-site Scripting

Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
OWASP Khartoum
 
RSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoRSA Conference 2010 San Francisco
RSA Conference 2010 San Francisco
Aditya K Sood
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Alexandre Morgaut
 
JavaScript For People Who Don't Code
JavaScript For People Who Don't CodeJavaScript For People Who Don't Code
JavaScript For People Who Don't Code
Christopher Schmitt
 

Similar a Cross-site Scripting (20)

XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
VodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadVodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkad
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
Hackers vs developers
Hackers vs developersHackers vs developers
Hackers vs developers
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
 
security.pptx
security.pptxsecurity.pptx
security.pptx
 
Anatomy of a WordPress Hack
Anatomy of a WordPress HackAnatomy of a WordPress Hack
Anatomy of a WordPress Hack
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror Stories
 
Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"
 
Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)Web Uygulama Güvenliği (Akademik Bilişim 2016)
Web Uygulama Güvenliği (Akademik Bilişim 2016)
 
RSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoRSA Conference 2010 San Francisco
RSA Conference 2010 San Francisco
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git Repo
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilities
 
Securing Your BBC Identity
Securing Your BBC IdentitySecuring Your BBC Identity
Securing Your BBC Identity
 
Securing WordPress
Securing WordPressSecuring WordPress
Securing WordPress
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
 
JavaScript For People Who Don't Code
JavaScript For People Who Don't CodeJavaScript For People Who Don't Code
JavaScript For People Who Don't Code
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in Rails
 

Último

Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
roncy bisnoi
 
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak HamilCara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Kandungan 087776558899
 
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 
Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power Play
Epec Engineered Technologies
 
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
SUHANI PANDEY
 
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 

Último (20)

Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.ppt
 
DC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationDC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equation
 
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
 
Unit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfUnit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdf
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
 
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak HamilCara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
 
Design For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startDesign For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the start
 
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
 
A Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityA Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna Municipality
 
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.
 
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced LoadsFEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
 
Unit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdfUnit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdf
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 
Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power Play
 
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptxCOST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
 
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
 
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 

Cross-site Scripting

  • 1. UF Student InfoSec Team September 8, 2015 #ufsit on Freenode XSS | Andrew Kerr 1
  • 3. Upcoming CTF: CSAW XSS | Andrew Kerr 3
  • 4. CSAW CTF (Qualifiers) • September 18 @ 6pm - September 20 @ 6pm XSS | Andrew Kerr 4
  • 5. CSAW CTF (Qualifiers) • September 18 @ 6pm - September 20 @ 6pm • If we qualify, we get to send a team of undergrads to national CTF XSS | Andrew Kerr 5
  • 6. MMA CTF Recap XSS | Andrew Kerr 6
  • 7. MMA CTF Recap • Lots of people there on Friday! • Left Friday night in top 15% XSS | Andrew Kerr 7
  • 8. We want your writeups! XSS | Andrew Kerr 8
  • 9. Cross-site Scripting (Also known as XSS) Andrew Kerr | Sept 8, 2015 me@andrewjkerr.com XSS | Andrew Kerr 9
  • 11. whoami • Fifth year Software Engineering @ UF XSS | Andrew Kerr 11
  • 12. whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs XSS | Andrew Kerr 12
  • 13. whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs • Full stack web developer XSS | Andrew Kerr 13
  • 14. whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs • Full stack web developer • Former security intern at Tumblr XSS | Andrew Kerr 14
  • 15. whoami • Fifth year Software Engineering @ UF • Secretary of UFSIT for > 2yrs • Full stack web developer • Former security intern at Tumblr • Former intern at BlockScore XSS | Andrew Kerr 15
  • 16. Cross-site Scripting (Also known as XSS) XSS | Andrew Kerr 16
  • 17. XSS Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. — OWASP XSS | Andrew Kerr 17
  • 18. Ok... what does that mean? XSS | Andrew Kerr 18
  • 19. XSS | Andrew Kerr 19
  • 20. XSS | Andrew Kerr 20
  • 21. XSS | Andrew Kerr 21
  • 22. Why does this work? XSS | Andrew Kerr 22
  • 23. Why does this work? • Browser is tricked into thinking the code is part of the site XSS | Andrew Kerr 23
  • 24. Why does this work? • Browser is tricked into thinking the code is part of the site • Backend server does not sanitize input correctly XSS | Andrew Kerr 24
  • 25. Why does this work? • Browser is tricked into thinking the code is part of the site • Backend server does not sanitize input correctly • Poor client-side JavaScript executes given parameters XSS | Andrew Kerr 25
  • 26. Why do it? XSS | Andrew Kerr 26
  • 27. Why do it? • Steal session cookies XSS | Andrew Kerr 27
  • 28. Why do it? • Steal session cookies • Steal logins by defacing XSS | Andrew Kerr 28
  • 29. Why do it? • Steal session cookies • Steal logins by defacing • Exploit the browser/plugins XSS | Andrew Kerr 29
  • 30. Why do it? • Steal session cookies • Steal logins by defacing • Exploit the browser/plugins • For the lulz XSS | Andrew Kerr 30
  • 31. XSS | Andrew Kerr 31
  • 32. Remember this? • ❤ emoji broke XSS sanitization on TweetDeck XSS | Andrew Kerr 32
  • 33. Remember this? • ❤ emoji broke XSS sanitization on TweetDeck • Auto-magically retweeted itself 70,000+ times XSS | Andrew Kerr 33
  • 34. Remember this? • ❤ emoji broke XSS sanitization on TweetDeck • Auto-magically retweeted itself 70,000+ times • Good thing it wasn't malicious! XSS | Andrew Kerr 34
  • 35. Ok, but it's Twitter... why does it matter? XSS | Andrew Kerr 35
  • 36. XSS | Andrew Kerr 36
  • 37. XSS Payloads XSS | Andrew Kerr 37
  • 38. XSS Payloads • A TON of possible XSS payloads XSS | Andrew Kerr 38
  • 39. XSS Payloads • A TON of possible XSS payloads • <script>alert(1)</script> • <img src="x" onerror="alert(1)" /> • <a href="javascript: alert(1)">Click me!</a> • and more! XSS | Andrew Kerr 39
  • 40. Types of XSS XSS | Andrew Kerr 40
  • 41. Types of XSS 1. Reflected XSS | Andrew Kerr 41
  • 42. Types of XSS 1. Reflected 2. Stored XSS | Andrew Kerr 42
  • 43. Types of XSS 1. Reflected 2. Stored 3. DOM-based XSS | Andrew Kerr 43
  • 44. Reflected XSS XSS | Andrew Kerr 44
  • 45. Reflected XSS • Ability to inject code and have the server return it back, unsanitized • Not stored on the server/in a database! XSS | Andrew Kerr 45
  • 46. Reflected XSS • Ability to inject code and have the server return it back, unsanitized • Not stored on the server/in a database! • Normally hidden in the URL • Don't click on random links! XSS | Andrew Kerr 46
  • 47. Reflected XSS • Ability to inject code and have the server return it back, unsanitized • Not stored on the server/in a database! • Normally hidden in the URL • Don't click on random links! • Example: search forms showing input on results page after submission XSS | Andrew Kerr 47
  • 48. Reflected XSS Vulnerable Code Example // www.site.com/search.php?q=search+query $search_query = $_GET['q']; echo '<h1>Search results for: ' . $search_query . '</h1>; XSS | Andrew Kerr 48
  • 50. XSS | Andrew Kerr 50
  • 51. Reflected XSS Vulnerable Code Example // www.site.com/search.php?q=search+query $search_query = $_GET['q']; echo '<h1>Search results for: ' . $search_query . '</h1>; Q: What's wrong with this code? XSS | Andrew Kerr 51
  • 52. Reflected XSS Vulnerable Code Example // www.site.com/search.php?q=search+query $search_query = $_GET['q']; echo '<h1>Search results for: ' . $search_query . '</h1>; Q: What's wrong with this code? A: UNSANITIZED USER INPUT XSS | Andrew Kerr 52
  • 53. Stored XSS XSS | Andrew Kerr 53
  • 54. Stored XSS • Ability to inject code and have the server store it and return it without sanitizing it in either case XSS | Andrew Kerr 54
  • 55. Stored XSS • Ability to inject code and have the server store it and return it without sanitizing it in either case • HOLY CRAP THIS IS HORRIBLE • Only way for end user to protect themselves is to disable JS XSS | Andrew Kerr 55
  • 56. Stored XSS • Ability to inject code and have the server store it and return it without sanitizing it in either case • HOLY CRAP THIS IS HORRIBLE • Only way for end user to protect themselves is to disable JS • Example: form post storing XSS XSS | Andrew Kerr 56
  • 57. XSS | Andrew Kerr 57
  • 58. Samy MySpace worm XSS | Andrew Kerr 58
  • 59. Samy MySpace worm • Posted 'but most of all, samy is my hero' to victims XSS | Andrew Kerr 59
  • 60. Samy MySpace worm • Posted 'but most of all, samy is my hero' to victims • Fastest spreading virus of all time • 1+ million runs in ~20hrs XSS | Andrew Kerr 60
  • 61. Stored XSS Vulnerable Code Example // Storing posts $post = $_POST['post']; $query = $mysql_conn->prepare("INSERT INTO posts VALUES ('" . $post . "')"); $query->execute(); // Fetching and outputting posts $query = $mysql_conn->prepare("SELECT * FROM posts"); $query->execute(); $query->bind_result($post); while($query->fetch()) { echo '<p>' . $post . '</p>'; } XSS | Andrew Kerr 61
  • 62. Stored XSS Vulnerable Code Example // Storing posts $post = $_POST['post']; $query = $mysql_conn->prepare("INSERT INTO posts VALUES ('" . $post . "')"); $query->execute(); // Fetching and outputting posts $query = $mysql_conn->prepare("SELECT * FROM posts"); $query->execute(); $query->bind_result($post); while($query->fetch()) { echo '<p>' . $post . '</p>'; } Q: What's the issue? XSS | Andrew Kerr 62
  • 63. Stored XSS Vulnerable Code Example // Storing posts $post = $_POST['post']; $query = $mysql_conn->prepare("INSERT INTO posts VALUES ('" . $post . "')"); $query->execute(); // Fetching and outputting posts $query = $mysql_conn->prepare("SELECT * FROM posts"); $query->execute(); $query->bind_result($post); while($query->fetch()) { echo '<p>' . $post . '</p>'; } Q: What's the issue? A: UNSANITIZED USER INPUT XSS | Andrew Kerr 63
  • 64. DOM-based XSS XSS | Andrew Kerr 64
  • 65. DOM-based XSS • Similar to Reflected, but is not rendered from the server. XSS | Andrew Kerr 65
  • 66. DOM-based XSS • Similar to Reflected, but is not rendered from the server. • Normally due to bad JavaScript code XSS | Andrew Kerr 66
  • 67. DOM-based XSS • Similar to Reflected, but is not rendered from the server. • Normally due to bad JavaScript code • Also crafted by a URL • Don't let users pass in JS via the URL! XSS | Andrew Kerr 67
  • 68. DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); XSS | Andrew Kerr 68
  • 69. DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); Q: And, what's the issue here? XSS | Andrew Kerr 69
  • 70. DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); Q: And, what's the issue here? A: UNSANITIZED USER INPUT XSS | Andrew Kerr 70
  • 71. DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); Q: How would we exploit this? XSS | Andrew Kerr 71
  • 72. DOM-based XSS Vulnerable Code Example // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); Q: How would we exploit this? A: Craft a URL like: www.site.com/page.html?title=<img src='x' onerror='alert(1)' /> XSS | Andrew Kerr 72
  • 73. Protecting Against XSS XSS | Andrew Kerr 73
  • 74. Protecting Against XSS // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); XSS | Andrew Kerr 74
  • 75. Protecting Against XSS // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); • jQuery provides a .html AND .text. XSS | Andrew Kerr 75
  • 76. Protecting Against XSS // Pretend parse_get_params is imeplemented :) var title = parse_get_params('title'); $('.page-header').html("<h1>" + title + "</h1>"); • jQuery provides a .html AND .text. • But, what's the difference? XSS | Andrew Kerr 76
  • 77. Let's look at the documentation! XSS | Andrew Kerr 77
  • 78. Let's look at the documentation! (Aka RTFM) XSS | Andrew Kerr 78
  • 79. Protecting Against XSS Set the text contents of the matched elements. — .text() Set the HTML contents of each element in the set of matched elements. — .html() XSS | Andrew Kerr 79
  • 80. Protecting Against XSS <html> <head> <title>Test Page</title> <script type="text/javascript" src="jquery.min.js"></script> <script type="text/javascript"> $(function(){ $("#div1").html('<a href="example.html">Link</a><b>hello</b>'); $("#div2").text('<a href="example.html">Link</a><b>hello</b>'); }); </script> </head> <body> <div id="div1"></div> <div id="div2"></div> </body> </html> XSS | Andrew Kerr 80
  • 81. Protecting Against XSS 1. Know your framework/library/language! XSS | Andrew Kerr 81
  • 82. Protecting Against XSS 1. Know your framework/library/language! 2. SANITIZE! XSS | Andrew Kerr 82
  • 83. Protecting Against XSS 1. Know your framework/library/language! 2. SANITIZE! 3. Whitelist, not blacklist XSS | Andrew Kerr 83
  • 84. Protecting Against XSS 1. Know your framework/library/language! 2. SANITIZE! 3. Whitelist, not blacklist 4. Headers XSS | Andrew Kerr 84
  • 85. Protecting Against XSS • Or, ya know, read the NSA's recommendations. • https://www.nsa.gov/ia/files/ factsheets/ xssiadfactsheetfinal_web.pdf XSS | Andrew Kerr 85
  • 86. But most importantly... XSS | Andrew Kerr 86
  • 87. TEST YOUR APPLICATION XSS | Andrew Kerr 87
  • 88. XSS | Andrew Kerr 88
  • 89. Bypassing Filters • Wonderful cheatsheet by OWASP: https://www.owasp.org/ index.php/XSSFilterEvasionCheatSheet XSS | Andrew Kerr 89
  • 90. Bypassing Filters • Wonderful cheatsheet by OWASP: https://www.owasp.org/ index.php/XSSFilterEvasionCheatSheet • Also, some guess work helps! XSS | Andrew Kerr 90
  • 91. Bypassing Filters Vulnerable Code Example $input = $_POST['input']; $sanitized = str_replace('script', '', $input); XSS | Andrew Kerr 91
  • 92. Bypassing Filters Vulnerable Code Example $input = $_POST['input']; $sanitized = str_replace('script', '', $input); Q: How could we get by this? XSS | Andrew Kerr 92
  • 93. Bypassing Filters Vulnerable Code Example $input = $_POST['input']; $sanitized = str_replace('script', '', $input); Q: How could we get by this? A: Think about it :) XSS | Andrew Kerr 93
  • 95. Resources • OWASP XSS | Andrew Kerr 95
  • 96. Resources • OWASP • The Web Application Hackers Handbook XSS | Andrew Kerr 96
  • 97. Resources • OWASP • The Web Application Hackers Handbook • Mutillidae Practice Application XSS | Andrew Kerr 97
  • 98. Ok, cool, onto challenges! XSS | Andrew Kerr 98
  • 100. Challenges • Server: 104.236.76.214 • Source: github.com/ufsit/xss-challenges • Try not to use this! • Cheatsheet: https://www.owasp.org/index.php/ XSSFilterEvasionCheatSheet XSS | Andrew Kerr 100