Developing Secure Web Application - Cross-Site Scripting (XSS)
Cezar Coca, Endava
Uploaded by codecampiasi
10th of November 2012
Agenda
• Why?
• Formal description
• Same Origin Policy
• How to perform an XSS attack
• Demo
• Prevention of XSS attacks
OWASP Top Ten (2010 Edition)
http://www.owasp.org/index.php/Top_10
At first sight
Second sight
XSS formal description
Types – at least two primary flavors
• Non-persistent (or reflected)
• Persistent (or stored)
Typical impact
• Steal user’s session (hijack session)
• Rewrite web page
• Redirect user to phishing or malware site
• Most Severe: Install XSS proxy
Same Origin Policy – Security Domain
Same Origin Policy – DOM
Reflected XSS Illustrated
1. The attacker sends the victim a misleading email with a link containing malicious JavaScript.
2. When the victim clicks on the link, the HTTP request is initiated from the victim's browser and sent to the vulnerable Web application.
3. The malicious JavaScript is then reflected back to the victim's browser, where it is executed in the context of the victim user's session.
DEMO – deployment diagram
LET’S HACK
Second sight
Prevention of XSS Attack – part 1
• Input Validation
  • Canonicalize data first
    • Prevent encoded attacks
  • Black list testing is no solution
    • Black lists are never complete!
  • White list testing is better
    • Only what you expect will pass
    • Regular expressions
• HTML Encoding
  • HTML encoding of all input when put into output pages
Prevention of XSS Attack – Multiple contexts
Browsers have multiple contexts that must be considered!
• HTML Body
• HTML Attributes
• <STYLE> Context
• <SCRIPT> Context
• URL Context
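As an added example that is not part of the slides, the Node.js functions below implement one encoder per output context listed above; the function names, the refusal of untrusted data in the <STYLE> context, and the sample value are assumptions of this example:

```javascript
// Added example: context-specific output encoding for untrusted data.
// A single "HTML encode" pass is only correct for the HTML body; the
// attribute, <script> and URL contexts each need their own rule.

// HTML body: escape the characters that can open markup or entities.
function encodeHtmlBody(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// HTML attribute (the attribute must also be quoted): encode everything
// except alphanumerics as a numeric entity.
function encodeHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => `&#x${c.charCodeAt(0).toString(16)};`);
}

// <script> context, value placed inside a quoted JS string literal:
// \xHH / \uHHHH escaping neutralises quotes, backslashes, "</script>"
// and line terminators, so the literal cannot be closed early.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? `\\x${code.toString(16).padStart(2, '0')}`
      : `\\u${code.toString(16).padStart(4, '0')}`;
  });
}

// URL context: a query parameter is percent-encoded; a whole user-supplied
// URL is allowed only with an http(s) scheme, anything else is replaced.
function encodeUrlParam(s) {
  return encodeURIComponent(String(s));
}
function safeHref(url) {
  const u = String(url).trim();
  return /^https?:/i.test(u) ? u : 'about:blank';
}

// <STYLE> context: this example refuses untrusted data there entirely.
function encodeCss() {
  throw new Error('untrusted data is not placed in a <style> context');
}

// Render one fragment that uses the same untrusted value in four contexts.
function render(untrusted) {
  return `<p>${encodeHtmlBody(untrusted)}</p>\n` +
    `<div title="${encodeHtmlAttribute(untrusted)}"></div>\n` +
    `<script>var q = '${encodeJsString(untrusted)}';</script>\n` +
    `<a href="/search?q=${encodeUrlParam(untrusted)}">search</a>`;
}
```

Running `render('<')` shows the same single character encoded four different ways, which is the point of the "multiple contexts" slide.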
Prevention of XSS Attack – Session Hijacking
• Session hijacking
  • "HttpOnly" cookies
  • "secure" cookies: cookies are only sent over SSL
  • Disable TRACE
• References:
  • http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  • http://ha.ckers.org/xss.html
  • http://www.owasp.org/index.php/ESAPI