Xss talk, attack and defense

Hacking and Information Security Group Organised with TechNext

description

XSS? Sure, we have all heard about it. XSS stands for Cross Site Scripting, but XSS sounds a lot cooler, huh? Has your account or website been hacked? Or have you heard about such a compromised account or site from someone? Have you ever been tricked by a website? Have you ever noticed your everyday trusted site behaving abnormally, throwing weird content at you? Nowadays these are very common incidents. Recently: the Pentagon XSS hack, the Facebook XSS hack. How do hackers do it all? Why the hell do they do it? Would you like to check it out live and do some hands-on? And focus on how to secure against this nasty vulnerability. Come join us to see HOW IT HAPPENS and MAKE IT HAPPEN YOURSELF.

Transcript of Xss talk, attack and defense

Page 1: Xss talk, attack and defense

Hacking and Information Security Group

Organised with TechNext

Page 2: Xss talk, attack and defense

Mr. Sandip Chaudhari

• 13+ years experience in the Software and Information Security Industry
• 6+ years worked as a Professional Software Security Analyst and Secure Code Auditor
• 100+ in-house vulnerabilities discovered and reported
• Presented Security Research Papers at various security conferences around the globe, including New York, USA; Luxembourg, Luxembourg; Tokyo, Japan; Bangalore, India
• Undertook multiple responsibilities in various roles: Security Analyst, Application Developer, Project Manager, Software Application Architect, Information Security Researcher, CTO
• Proud to have worked along with, and been part of a group that included, Dino Dai Zovi, Shane Macaulay, Adam Green, Jonathan Leonard and Jeremy Jethro

Organizer and Mentor

Page 3: Xss talk, attack and defense

We Are…The Speakers…

Sudarshan Pawar

Certified Security Expert (C.S.E.)
Certified Information Security Specialist (C.I.S.S.)
Security Xplained (TechNext Speaker)
Pursuing B.E. (Computer) & a Security Professional

Prakashchandra Suthar

Cisco Certified Network Associate
Red Hat Linux Certified
Security Xplained (TechNext Speaker)
Computer Engg

Security Researcher

Page 4: Xss talk, attack and defense

WHY are we in this room on a weekend rather than enjoying a hot beverage on a rainy day?

Page 5: Xss talk, attack and defense

Today’s Agenda

1. XSS: What does it mean?
2. Birth
3. Stats
4. Working
5. The Havoc it Created
6. Reason of attack
7. Causes
8. Types of XSS
9. Vulnerabilities in web programming
10. Solutions
11. Prevention Mechanisms

Blah blah….

CAPTURE THE FLAG
D.I.Y. (Do it yourself and experience the dark side of the Force...!!!)

Session 1 Session 2

Page 6: Xss talk, attack and defense

BIRTH OF XSS

• Netscape introduced JavaScript in 1995. Soon after, hackers realized that when someone surfed their website they could force-load any other website (webmail, banks, auction sites) in a frame and use JavaScript to cross the boundary between the two sites, hence the name “cross site scripting.”

• The XSS explosion came in 2005 when the Samy worm took down MySpace.

Page 7: Xss talk, attack and defense

STATS

Page 8: Xss talk, attack and defense

STATS: XSS ATTACKS

Page 9: Xss talk, attack and defense

FEW AFFECTED ORGANISATIONS…

Myspace

Page 10: Xss talk, attack and defense

Myspace Samy attack

Page 11: Xss talk, attack and defense

PayPal

Page 12: Xss talk, attack and defense

Annauniversity

Page 13: Xss talk, attack and defense

Avast.

Page 14: Xss talk, attack and defense

XSS Attack Scenario

Page 15: Xss talk, attack and defense

www.sometrustedwebsite.com

Asia America Europe

BEFORE ATTACK…

Page 16: Xss talk, attack and defense

www.sometrustedwebsite.com

Asia America Europe

AFTER ATTACK (Injects script)

Injected Script can be:
• Malicious page
• Explicit Images
• Bots (to make zombies)
• Redirecting links
• Fake Login Pages
• Etc. etc.

(NOTE: The names of continents are JUST used as an example representing users accessing a trusted website)

Page 17: Xss talk, attack and defense

How much financial loss does it cause?

How much will it cost if your online bank account is attacked?

(Big Hint: Please be bold, take the lead, stand up and share how much money you have in your bank right now)

Page 18: Xss talk, attack and defense

CAN U TAKE THIS TYPE OF CHANCE….??

Page 19: Xss talk, attack and defense

CAUSES

• An XSS vulnerability is mainly caused by the failure of a site to sanitize user input before returning it to the client’s web browser

Page 20: Xss talk, attack and defense

REASON OF ATTACK

• Change Settings
• Cookie theft
• False Advertising
• Steal Form Tokens to make XSRF Easier
• And more, you have to be creative to exploit XSS

Page 21: Xss talk, attack and defense

XSS Types

There are Three Types of XSS
• Persistent (Stored) XSS: the attack is stored on the website server
• Non-Persistent (Reflected) XSS: the user has to go through a special link to be exposed
• DOM-based XSS: the problem exists within the client-side script

Page 22: Xss talk, attack and defense

UNSANITIZED CODE: STORED XSS

<?php
if(isset($_POST['btnSign'])) {
    $message = trim($_POST['mtxMessage']);
    $name    = trim($_POST['txtName']);

    // "Sanitize" message input: this only escapes SQL metacharacters, HTML tags survive
    $message = stripslashes($message);
    $message = mysql_real_escape_string($message);

    // "Sanitize" name input: same, SQL-only escaping
    $name = mysql_real_escape_string($name);

    // the stored comment is later echoed into the page unencoded: stored XSS
    $query = "INSERT INTO guestbook (comment,name) VALUES ('$message','$name');";
    $result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>');
}
?>

Page 23: Xss talk, attack and defense

UNSANITIZED CODE: REFLECTED XSS

<?php
if(!array_key_exists("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == '') // checks for empty text...
{
    $isempty = true;
}
else // else generates HTML page on user input
{
    echo '<pre>';
    echo 'Hello ' . $_GET['name'];   // raw query parameter echoed into the page: reflected XSS
    echo '</pre>';
}
?>

Page 24: Xss talk, attack and defense

DOM-Based XSS

var html = [
    '<form class="config">',
    '<fieldset>',
    '<label for="appSuite">enter url:</label>',
    // the URL taken from options is concatenated straight into the attribute's markup
    '<input type="text" name="appSuite" id="appSuite" value="', options.appendUrl || '', '"/>',
    '</fieldset>',
    '</form>'
].join(''),
dlg = $(html).appendTo($body);   // jQuery parses the whole string as HTML: DOM-based XSS

Page 25: Xss talk, attack and defense

Solutions Fast Track

Filtering

1. Filtering can deliver unexpected results if you aren’t careful to monitor the output.

2. Using a loop can reduce the risks associated with filtering out content.

3. Filtering alone can introduce new risks by creating new types of attacks. Therefore, it is critical to understand the order in which filters are applied and how they interact with one another.

Page 26: Xss talk, attack and defense

Input Encoding
1. Input encoding can create a single choke point for all encoding.
2. Things like SQL injection and command injection can also be checked prior to storing information in a database.
3. Input encoding cannot stop persistent XSS once stored.

Output Encoding
1. Output encoding is more granular and can take context into account.
2. Developers must perform output encoding potentially many times, for each location the information is outputted.
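An added example, not code from the slides, showing why the guestbook’s SQL escaping left stored XSS open and what the htmlspecialchars() step in the fix adds. It is written in JavaScript so it runs stand-alone; escapeForSql() and escapeForHtml() are approximations of PHP’s mysql_real_escape_string() and htmlspecialchars(), and the render functions are assumed stand-ins for the slide’s guestbook output and the appSuite form.

```javascript
// Added example (not from the slides): escaping for the SQL context does not protect
// the HTML context. The deck's guestbook ran mysql_real_escape_string() before the
// INSERT; that keeps the query intact, but the database stores the original text, so
// any markup in it is echoed back untouched (stored XSS). The fix adds
// htmlspecialchars() so the text is encoded for the page it lands on.

// Approximation of mysql_real_escape_string(): backslash-escape SQL string delimiters.
function escapeForSql(s) {
  const map = { '\0': '\\0', '\n': '\\n', '\r': '\\r', '\\': '\\\\',
                "'": "\\'", '"': '\\"', '\x1a': '\\Z' };
  return s.replace(/[\0\n\r\\'"\x1a]/g, (c) => map[c]);
}

// Equivalent of htmlspecialchars($s, ENT_QUOTES): safe in text nodes and quoted attributes.
function escapeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// What the "UNSANITIZED" guestbook slide effectively does when it renders a comment.
function renderCommentUnsafe(storedComment) {
  return '<div class="comment">' + storedComment + '</div>';
}

// What the CODE SOLUTION slide achieves: output is encoded for the HTML text context.
function renderCommentSafe(storedComment) {
  return '<div class="comment">' + escapeForHtml(storedComment) + '</div>';
}

// The DOM-based appSuite form puts a URL inside a double-quoted attribute; the same
// encoder (quotes included) stops the value from closing the attribute early.
function renderUrlInputSafe(url) {
  return '<input type="text" name="appSuite" id="appSuite" value="' + escapeForHtml(url) + '"/>';
}

// Constructed sample input: harmless once SQL-escaped, but it is still HTML markup.
const sample = '<b>hi</b> "O\'Brien"';
console.log(escapeForSql(sample));          // quotes escaped, <b> untouched
console.log(renderCommentUnsafe(sample));   // tag reaches the browser as markup
console.log(renderCommentSafe(sample));     // tag reaches the browser as text
```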

Page 27: Xss talk, attack and defense

Web Browser’s Security

1. Beware of long or overly complex URLs. Often these are the most likely to contain vulnerabilities.
2. Do not click on unknown URLs in e-mail if at all possible.
3. Choose a secure browser and customize your security settings to reduce the risk of exploitation.

Page 28: Xss talk, attack and defense

CODE SOLUTION: Stored XSS

<?php
if(isset($_POST['btnSign'])) {
    $message = trim($_POST['mtxMessage']);
    $name    = trim($_POST['txtName']);

    // Sanitize message input: SQL escaping for the query, HTML encoding for the page
    $message = stripslashes($message);
    $message = mysql_real_escape_string($message);
    $message = htmlspecialchars($message);

    // Sanitize name input
    $name = stripslashes($name);
    $name = mysql_real_escape_string($name);
    $name = htmlspecialchars($name);

    $query = "INSERT INTO guestbook (comment,name) VALUES ('$message','$name');";
    $result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>');
}
?>

Page 29: Xss talk, attack and defense

SOLUTION: Reflected XSS

<?php
if(!array_key_exists("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == '')
{
    $isempty = true;
}
else
{
    echo '<pre>';
    echo 'Hello ' . htmlspecialchars($_GET['name']);   // output-encoded before it is echoed
    echo '</pre>';
}
?>

Page 30: Xss talk, attack and defense

DOM-Based

var html = [
    '<form class="config">',
    '<fieldset>',
    '<label for="appSuite">enter url:</label>',
    '<input type="text" name="appSuite" id="appSuite" value=""/>',   // no data in the markup
    '</fieldset>',
    '</form>'
].join(''),
dlg = $(html).appendTo($('body'));

// set the value through the DOM property instead of string concatenation:
// the URL is treated as data and never parsed as HTML
$('#appSuite').val(options.appSuiteUrl || '');

Page 31: Xss talk, attack and defense

Rebels?

Tinkering?

Go beyond programming

Attack attacker’s attack

Attitude! Matters. But beware of the Dark Side

About You…

Page 32: Xss talk, attack and defense

Any Doubts….

Page 33: Xss talk, attack and defense

FAQ’s

1.Is there a safe browser?

2. Are you safe if you turn off JavaScript?

3. How can I stop myself from becoming a victim of a JavaScript worm?

4.It’s hopeless. I can’t trust a single Web application. Why did you do this to me?

5. I think I am infected. What can I do?

Page 34: Xss talk, attack and defense

6. Does my anti-virus software protect me from XSS attacks?

7. Can XSS worm propagate on my system?

8. XSS attacks can compromise my online account but not my network. Is that true?

9. What is the best technique to evade XSS filters?

10. Are persistent XSS vulnerabilities more severe than non-persistent ones?

Page 35: Xss talk, attack and defense

11. How many URLs can be tested in the various history-stealing hacks?

12. I run XYZ program that creates an HTML report. How can I determine if it is vulnerable?

13. Is the browser-hijacking feature in XSS-proxy persistent?

Page 36: Xss talk, attack and defense

XSS Lab

• Now is your chance to try some hands on!

• Experience the thrill of hacking

• You’ve got to hack a blogger web application using XSS

• For the site URL, refer to the white-board

Page 37: Xss talk, attack and defense

XSS Lab - Goal

• Goal of the lab is to steal the session cookie of the logged in user (demo) on the blogger application

• Use that cookie locally and login as the demo user

• Demo user has an un-published secret post, saved as draft, that has some secret content

• All posts, published and drafts, are accessible after logging in, using the menu link Manage Posts

• Call us as soon as you are able to access the secret post!

Page 38: Xss talk, attack and defense

XSS Lab – Code Review: Vulnerability & Fix

Page 39: Xss talk, attack and defense

Questions?

• Whatever you want to ask, many others already have the same question on their mind. Be bold and lead

• OK, if you don’t want to speak and would rather keep quiet, keep thinking about it and take those questions home, make sure you email them to us and sleep well at night!

Page 40: Xss talk, attack and defense

What should be our topic for the next meet?

I hate to ask but, how can we make this better?