A talk by 13-06-2014, - OWASP · 1. PHP 2. XSS 3. Testing Methodology 4. Per-Context XSS Attack...

Atalkby

13-06-2014,

http://en.wikipedia.org/wiki/Monkey_test

Aresearcherin uhr niversity ochum,AstudentofXSSwhoisworkingtowardshisPhDinXSSAnXSSer/AnXSSEnthusiast

Listedintopsites'halloffameAproudfatheroftwoSpeaker@HITBKUL2013,@DeepSec2013&OWASPSeminar@RSAEurope2013ATwitterlover

http://www.tubechop.com/watch/2670518

@soaj1664ashar

http://slides.com/mscasharjaved/cross-site-scripting-my-love

https://twitter.com/soaj1664ashar/status/466945529059221504

50$per-contextbypass(outputreflectsin5contexts)

http://demo.chm-software.com/7fc785c6bd26b49d7a7698a7518a73ed/

http://xssplaygroundforfunandlearn.netai.net/final.html

http://xssplayground.net23.net/final.html

1. PHP2. XSS3. TestingMethodology4. Per-ContextXSSAttackMethodology5. SummarizePHP'sfindings(includesbuilt-infunctions,

customizedXSSsolutionsandtopPHP-basedwebframeworks)

6. ResultsofAlexaSurveyofTop100sites7. Conclusion

http://w3techs.com/technologies/overview/programming_language/all

http://www.php.net/usage.php

http://w3techs.com/blog/entry/web_technologies_of_the_year_2013

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

https://www.brighttalk.com/webcast/288/97255

http://www.osvdb.org/osvdb/show_graph/1

http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-

%202013%20-%20RC1.pdf

http://www.incapsula.com/blog/world-largest-site-xss-ddos-zombies.html

isthetermcoinedhere:#tweetbleedhttps://twitter.com/pdp/status/476796934062370816

https://twitter.com/derGeruhn/status/476764918763749376

https://twitter.com/TweetDeck/status/476770732987252736

SimulateRealWebApplicationsTestingconductedinfivecommoncontexts(HTML,Script,Attribute,Style&URL)

===generaltermfilter_function

DoubleQuotesCase

SingleQuotesCase

SystematicinnatureEasytounderstandContext-SpecificAttackmethodologyis` `andonecanguaranteethatthereisanXSSornoXSSinaparticularinjectionpoint.Withthehelpofattackmethodology,onecanmakeasecureper-contextXSSsanitizerCanbeappliedtootherserver-sidelanguagese.g.,ASP,Rubyetc

Onlyforattendees...:)

";confirm(1);//

';confirm(1);//

http://www.dailymail.co.uk/home/search.html

http://de.eonline.com

Itsimplydoesnotwork.Encodingwillnothelpyouinbreakingthescriptcontextunlessdevelopersaredoing

somesortofexplicitdecoding.

http://issuu.com/mscasharjaved/docs/urlwriteup

http://jsfiddle.net/4eqK4/2/

http://xssplaygroundforfunandlearn.netai.net/series7.html

Onlyforattendees:)

http://www.ea.com/

http://www.drudgereportarchives.com/dsp/search.htm

http://www.biblegateway.com

``onmouseover=alert(1)

``===backtick

https://twitter.com/hasegawayosuke

Veryusefulinbreakingattributecontextifsiteisproperlyfilteringsingleanddoublequotes

MarioHeiderichhttps://twitter.com/0x6D6172696F

Anotherusefultoolbyhimishttp://html5sec.org/innerhtml/

andmustreadresearchpaperbyhimifyouareinterestedin

innerHTMLandmutationXSShttp://www.nds.rub.de/media/emma/veroeffentlichungen/2013/12/10/mXSS-

CCS13.pdf

http://xssplaygroundforfunandlearn.netai.net/innerHTMLtesting.html

http://view.officeapps.live.com/op/view.aspx?src=%20http%3a%2f%2fvideo.ch9.ms%2fsessions%2fbuild%2f2014%2f2-

559.pptx

seedemohttp://jsfiddle.net/9t8UM/2/

Onlyforattendees:)

http://www.scribd.com/doc/226925089/Stylish-XSS-in-Magento-When-Style-helps-you

Onlyforattendees:)

http://www.scribd.com/doc/211362856/Stored-XSS-in-Twitter-Translation

AquicksearchonGitHubreveals...

http://xssplayground.net23.net/clean6.html

AquicksearchonGitHubreveals...(falsepositivesarealsotherebutstillgiveyouanideaofpopularity)

AquicksearchonGitHubshows...

Onlyforattendees:)

Developersarealsocallingitwithnameslike and

AquicksearchonGitHubreveals

http://xssplayground.net23.net/clean.html

Twoarraysofblack-listedkeywords:)

http://xssplayground.net23.net/clean.html

Alleventhandlersthatarenotpartofblack-listedarraywillbypassthisprotectione.g.,

AverypopularbutsorrytosayBADXSSprotection...

AquicksearchonGitHubreveals...

ThegoalofthisfunctionistostopJavaScriptexecutionviastyle.

AnotherpopularcustomizedXSSprotectionsolution.

ApopularXSLT-poweredopensourcecontentmanagementsystemisusing function.

AFullyBakedPHPFrameworkhttp://ellislab.com/codeigniter

https://github.com/EllisLab/CodeIgniter/issues/2667

(SnapshotfromthelatestCodeIgniterversionavailableatGitHub)

https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Security.php#L438

(oldtest-bed)http://xssplayground.net23.net/clean11.html(newtest-

bed)http://xssplayground.net23.net/clean100.html

SanitizeNaughtyHTMLelements

OldlistofnaughtyelementsbeforeIstartedbypassing...

<math><a/xlink:href=javascript&colon;confirm(1)>click</a>

(oldtest-bed)http://xssplayground.net23.net/clean11.html

(newtest-bed)

https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Security.php#L592

RemovesInvisiblecharacterse.g.,%00i.e.,NULL

https://twitter.com/kinugawamasato

https://zdresearch.com/zdresearch-xss1-challenge-writeup/

http://websec.ca/kb/sql_injection#MySQL_Fuzzing_Obfuscation

demo:http://jsfiddle.net/GTxVt/5/

HxDhttp://mh-nexus.de/en/hxd/

https://github.com/EllisLab/CodeIgniter/issues/2667

Onlyforattendees:)

Isurveyedtop10sitesfromthefollowing10categories...

http://www.scribd.com/doc/210121412/XSS-is-not-going-anywhere

OurlargescalesurveyofPHP-basedsanitisationroutinesshowsSADstateofwebsecurityasfarasXSSisconcerned.Theproposedattackandtestingmethodologyisgeneralandmaybeappliedtootherserver-sidelanguages.Whatifweautomatethiscontext-specificattackmethodologyandunleashautomationtoolonalargescalesurveyofdeepweb...:)

@padraicb

@enygma

@metromoxie

A talk by 13-06-2014, - OWASP · 1. PHP 2. XSS 3. Testing Methodology 4. Per-Context XSS Attack...

Documents

Transcript of A talk by 13-06-2014, - OWASP · 1. PHP 2. XSS 3. Testing Methodology 4. Per-Context XSS Attack...

Identifying XSS Vulnerabilities

XSS Theory

XSS Attacks

XSS Vulnerabilities

Xss Security Days

CSP - the panacea for XSS - owasp.org another security blogger . XSS. 4 XSS ... Over 12 million email messages daily ... CSP Based IDS Magic XSS XSS XSS Test & Fix . 29

PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •

Grails vs XSS: Defending Grails against XSS attacks

XSS Documentation

DOM-based XSS

Universal XSS via IE8s XSS Filters - Black Hat Briefings · Universal XSS via IE8s XSS Filters the sordid tale of a wayward hash sign slides:

PHP's Filter Module

Xss for fun_and_profit_scg09

XSS Defense

Complete xss walkthrough

Cross-site Scripting (XSS) Attack - uCozramzi.ucoz.com/NetworkSecurity/XSS-Security_Presentation.pdf · 2016-12-05 · WHAT IS “CROSS-SITE SCRIPTING (XSS)”? The end user’s browser

Combinatorial XSS Attack Grammars - SBA Research · Combinatorial XSS Attack Grammars XSS Vectors for ... SBA Research April 10, 2015 SBA Research, Vienna. Outline Introduction XSS

Stylish XSS

Ess xss homepage_framework_ecc_50_erp_2004

Srikar Nadipally. Outline Finding and Exploiting XSS Vulnerabilities Standard Reflected XSS Stored XSS DOM based XSS Prevention of XSS attack Reflect.