2. Vinesh Redkar
(Security Analyst)
At NII Consulting
Research
Found Stored XSS on PayPal, Rediffmail.
http://securityvin32.blogspot.com
vineshredkar89@gmail.com
3. Introduction
What is Cross-Site Scripting
Types of Cross-site Scripting
What is Blind XSS
Demo of Blind XSS
Impact of XSS
Mitigation Of XSS
4. Cross-Site Scripting attacks are a type of
injection problem, in which malicious scripts
are injected into web sites.
Types Of Cross-Site Scripting
Reflected XSS (Non-persistent)
Stored XSS(Persistent)
DOM XSS
6. Attacker sets the trap – update my profile
[Diagram: application with stored XSS; layers labelled Communication, Bus. Functions, Administration, Transactions, E-Commerce, Knowledge Mgmt, Accounts, Finance, Custom Code]
1. Attacker enters a malicious script into a web page that stores the data on the server.
2. Script runs inside the victim’s browser with full access to the DOM and cookies.
3. Script silently sends the attacker the victim’s session cookie.
8. • XSS attack’s first target is the Client
– Client trusts server (Does not expect attack)
– Browser executes malicious script
• But second target = Company running the Server
– Loss of public image (Blame)
– Loss of customer trust
– Loss of money
9. What is it?
Using it in penetration tests
Challenges
10. IT’S NOT LIKE BLIND SQLI WHERE YOU GET
IMMEDIATE FEEDBACK.
YOU DON’T EVEN KNOW WHETHER YOUR
PAYLOAD WILL EXECUTE (OR WHEN!)
YOU MUST THINK AHEAD ABOUT WHAT
YOU WANT TO ACCOMPLISH … AND YOU
HAVE TO BE LISTENING.
17. 1. Carefully choose the right payload for the
right situation.
2. Get lucky!
3. Patience
18. Where blind XSS payloads tend to execute:
log viewers
exception handlers
customer service apps (chats, tickets, forums, etc.)
anything moderated
For the demo we used a feedback page.
20. A malicious user can use XSS to steal credentials or silently redirect victims to malicious pages, which can aid further exploitation.
A cross site scripting attack can result in the
following:
1. Account hijacking
2. Malicious script execution
3. Information theft
4. Denial of Service
5. Browser Redirection
6. Manipulation of user settings
21. Input validation
Output Encoding:
< → &lt;   > → &gt;
( → &#40;  ) → &#41;
# → &#35;  & → &amp;
Do not use "blacklist" validation
Specify the output encoding
22. Clickjacking is an attack that tricks a web user into clicking a button, a
link or a picture, etc. that the web user didn’t intend to click, typically by
overlaying the web page with an iframe.
We’ve known about clickjacking, also called “UI redress attacks,” for
years now, as they were originally described in 2008 by Robert Hansen
and Jeremiah Grossman.
Clickjacking is when an attacker uses multiple transparent or opaque
layers to trick a user into clicking on a button or link on another page
when they were intending to click on the top-level page. Thus, the
attacker is “hijacking” clicks meant for their page and routing them to
another page, most likely owned by another application, domain,
or both.
Payload for iframe injection
<iframe src="Target WebSite">
Set opacity:0;
Use z-index:-1: an element with a greater stack order is always in front of an
element with a lower stack order.
25. Don’t allow the website to be loaded in an IFRAME by
sending the X-Frame-Options header.
Using X-Frame-Options
There are three possible values for X-Frame-Options:
1. DENY The page cannot be displayed in a frame, regardless
of the site attempting to do so.
2. SAMEORIGIN The page can only be displayed in a frame
on the same origin as the page itself.
3. ALLOW-FROM uri The page can only be displayed in a
frame on the specified origin.
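The two server-side mitigations from slides 21 and 25, output encoding with the slide's character table and the X-Frame-Options header, as an added example that is not part of the original deck. It assumes a feedback page like the one used in the demo; the comment strings and the `render_feedback_page` / `feedback_response` names are constructed for illustration.

```python
# Encoding table from slide 21 (plus both quote characters, which matter inside
# attribute values). str.translate is a single pass, so an '&' produced by one
# replacement is never re-encoded.
HTML_ENCODE = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    "(": "&#40;",
    ")": "&#41;",
    "#": "&#35;",
    '"': "&quot;",
    "'": "&#39;",
}
_TABLE = str.maketrans(HTML_ENCODE)


def encode_for_html(untrusted: str) -> str:
    """Entity-encode untrusted data at output time, before it lands in HTML."""
    return untrusted.translate(_TABLE)


def render_feedback_page(comments) -> str:
    """Build the feedback page. Stored comments are encoded when rendered,
    so a script saved through the form is shown as text, not executed."""
    items = "".join(f"<li>{encode_for_html(c)}</li>" for c in comments)
    return f"<html><body><h1>Feedback</h1><ul>{items}</ul></body></html>"


def feedback_response(comments):
    """Return (status, headers, body). X-Frame-Options: SAMEORIGIN tells the
    browser to refuse framing by other origins, defeating the iframe overlay."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Frame-Options": "SAMEORIGIN",
    }
    return 200, headers, render_feedback_page(comments)


# Constructed sample: one ordinary comment and one stored script, as a blind
# XSS payload left on a feedback page would look to the person viewing it.
SAMPLE_COMMENTS = [
    "Great service!",
    "<script>alert(document.cookie)</script>",
]

if __name__ == "__main__":
    status, headers, body = feedback_response(SAMPLE_COMMENTS)
    print(headers["X-Frame-Options"])
    print(body)
```

Note that ALLOW-FROM was never supported by every browser and is now obsolete; the CSP `frame-ancestors` directive is the current way to allow a specific origin.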