XSS talk, attack and defense
Transcript of XSS talk, attack and defense
Hacking and Information Security Group
Organised with TechNext
Mr. Sandip Chaudhari
• 13+ years experience in the Software and Information Security Industry
• 6+ years worked as a Professional Software Security Analyst and Secure Code Auditor
• 100+ in-house vulnerabilities discovered and reported
• Presented Security Research Papers at various security conferences around the globe, including New York, USA; Luxembourg, Luxembourg; Tokyo, Japan; Bangalore, India
• Undertook multiple responsibilities in various roles like – Security Analyst, Application Developer, Project Manager, Software Application Architect, Information Security Researcher, CTO
• Proud to have worked along with, and be part of, a group that included – Dino Dai Zovi, Shane Macaulay, Adam Green, Jonathan Leonard and Jeremy Jethro
Organizer and Mentor
We Are…The Speakers…
Sudarshan Pawar
Certified Security Expert (C.S.E.)
Certified Information Security Specialist (C.I.S.S.)
Security Xplained (TechNext Speaker)
Pursuing B.E. (Computer) & a Security Professional
Prakashchandra Suthar
Cisco Certified Network Associate
Red Hat Linux Certified
Security Xplained (TechNext Speaker)
Computer Engg
Security Researcher
WHY are we in this room on a weekend rather than enjoying a hot beverage on a rainy day?
Today’s Agenda
1. XSS: What does it mean?
2. Birth
3. Stats
4. Working
5. The Havoc it Created
6. Reason of attack
7. Causes
8. Types of XSS
9. Vulnerabilities in web programming
10. Solutions
11. Prevention Mechanisms
Blah blah….
CAPTURE THE FLAG
D.I.Y. (Do it yourself and experience the dark side of the Force...!!!)
Session 1 Session 2
BIRTH OF XSS
• Netscape introduced JavaScript in 1995. Soon after, hackers realized that when someone surfed their website they could force-load any other website (webmail, banks, auction sites) in a frame and use JavaScript to cross the boundary between the two sites, hence the name “cross site scripting.”
• The XSS explosion came in 2005 when the Samy worm took down MySpace.
STATS
STATS: XSS ATTACKS
FEW AFFECTED ORGANISATIONS…
Myspace
Myspace Samy attack
PayPal
Annauniversity
Avast.
XSS Attack Scenario
www.sometrustedwebsite.com
Asia America Europe
BEFORE ATTACK…
www.sometrustedwebsite.com
Asia America Europe
AFTER ATTACK(Injects script)
Injected Script can be:
• Malicious page
• Explicit Images
• Bots (to make zombies)
• Redirecting links
• Fake Login Pages
• Etc. etc.
(NOTE: Names of continents are JUST used as an example representing users accessing a trusted website)
How much financial loss does it cause?
How much will it cost if your online bank account is attacked?
(Big Hint: Please be bold, take the lead, stand-up and share how much money you got in your bank right now)
CAN U TAKE THIS TYPE OF CHANCE….??
CAUSES
• An XSS vulnerability is mainly caused by the failure of a site to sanitize user input before returning it to the client’s web browser
REASON OF ATTACK
• Change Settings
• Cookie theft
• False Advertising
• Steal Form Tokens to make XSRF Easier
• And more, you have to be creative to exploit XSS
There are Three Types of XSS
• Persistent (Stored) XSS: Attack is stored on the website server
• Non-Persistent (Reflected) XSS: user has to go through a special link to be exposed
• DOM-based XSS: problem exists within the client-side script
XSS Types
UNSANITIZED CODE: STORED XSS
<?php
if (isset($_POST['btnSign'])) {
    $message = trim($_POST['mtxMessage']);
    $name    = trim($_POST['txtName']);

    // "Sanitize" message input: only SQL escaping, no HTML encoding,
    // so any markup in the comment is stored verbatim and echoed later
    $message = stripslashes($message);
    $message = mysql_real_escape_string($message);

    // "Sanitize" name input: likewise only SQL escaping
    $name = mysql_real_escape_string($name);

    $query  = "INSERT INTO guestbook (comment,name) VALUES ('$message','$name');";
    $result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>');
}
?>
UNSANITIZED CODE: REFLECTED XSS
<?php
if (!array_key_exists("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == '') // checks for empty text...
{
    $isempty = true;
}
else // else generates HTML page from user input, echoed without encoding
{
    echo '<pre>';
    echo 'Hello ' . $_GET['name'];
    echo '</pre>';
}
?>
DOM-Based XSS
var html = [
    '<form class="config">',
    '<fieldset>',
    '<label for="appSuite">enter url:</label>',
    // options.appendUrl is spliced straight into the value="" attribute
    '<input type="text" name="appSuite" id="appSuite" value="', options.appendUrl || '', '"/>',
    '</fieldset>',
    '</form>'
].join(' '),
dlg = $(html).appendTo($body);
Solutions Fast Track
Filtering
1. Filtering can deliver unexpected results if you aren’t careful to monitor the output.
2. Using a loop can reduce the risks associated with filtering out content.
3. Filtering alone can introduce new risks by creating new types of attacks. Therefore, it is critical to understand the order in which filters are applied and how they interact with one another.
Input Encoding
1. Input encoding can create a single choke point for all encoding.
2. Things like SQL injection and command injection can also be checked prior to storing information in a database.
3. Input encoding cannot stop persistent XSS once stored.
Output Encoding
1. Output encoding is more granular and can take context into account.
2. Developers must perform output encoding potentially many times, for each location the information is outputted.
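The three filtering points above are easier to see on concrete input. The following JavaScript is an added example, not code from the talk: `stripScriptOnce`, `stripScriptLoop`, `containsScriptTag`, `decodeEntities` and `applyFilters` are my own names, and the two test strings are constructed for the demonstration.

```javascript
// Added example (not the talk's code): what the three filtering points look
// like on concrete input. All names and sample strings are my own constructions.

// One pass of a deny-list filter: remove <script ...> and </script> tags.
function stripScriptOnce(input) {
  return input.replace(/<\/?script[^>]*>/gi, "");
}

// Same filter applied until the output stops changing (point 2), with a bound
// so that a pathological input cannot keep the loop running.
function stripScriptLoop(input, maxRounds = 10) {
  let current = input;
  for (let i = 0; i < maxRounds; i++) {
    const next = stripScriptOnce(current);
    if (next === current) return current;
    current = next;
  }
  throw new Error("filter did not converge within " + maxRounds + " rounds");
}

// Monitoring the output (point 1): is a script tag still present after filtering?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// A later decoding step, standing in for any transformation that runs after the
// filter (URL decoding, entity decoding, a templating layer).
function decodeEntities(s) {
  return s.replace(/&lt;/gi, "<").replace(/&gt;/gi, ">").replace(/&amp;/gi, "&");
}

// Filter order (point 3): strip-then-decode lets entity-encoded input through,
// because the strip never sees a tag; decode-then-strip does not.
function stripThenDecode(s) { return decodeEntities(stripScriptOnce(s)); }
function decodeThenStrip(s) { return stripScriptOnce(decodeEntities(s)); }

// The whole chain run to a fixpoint, so a bad ordering is at least caught on
// the next round instead of shipping as output.
function applyFilters(input, filters, maxRounds = 10) {
  let current = input;
  for (let i = 0; i < maxRounds; i++) {
    const next = filters.reduce((acc, f) => f(acc), current);
    if (next === current) return current;
    current = next;
  }
  throw new Error("filter chain did not converge within " + maxRounds + " rounds");
}

// Constructed inputs: a tag that re-forms after one round of stripping, and the
// same tag written as HTML entities. alert(1) stands in for any script body.
const NESTED  = "<scr<script>ipt>alert(1)</scr</script>ipt>";
const ENCODED = "&lt;script&gt;alert(1)&lt;/script&gt;";

console.log(stripScriptOnce(NESTED));   // a single pass leaves a live tag behind
console.log(stripScriptLoop(NESTED));   // the loop converges on plain text
console.log(stripThenDecode(ENCODED));  // wrong order re-creates the tag
console.log(decodeThenStrip(ENCODED));  // right order removes it
```

The loop and the ordering rule reduce the risk but do not remove it: a deny-list only removes what it names, which is why the Input Encoding and Output Encoding points that follow favour encoding at the point of output over stripping.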
Web Browser’s Security
1. Beware of long or overly complex URLs. Often these are the most likely to contain vulnerabilities.
2. Do not click on unknown URLs in e-mail if at all possible.
3. Choose a secure browser and customize your security settings to reduce the risk of exploitation.
CODE SOLUTION: Stored XSS
<?php
if (isset($_POST['btnSign'])) {
    $message = trim($_POST['mtxMessage']);
    $name    = trim($_POST['txtName']);

    // Sanitize message input: SQL escaping for the query, HTML encoding for later output
    $message = stripslashes($message);
    $message = mysql_real_escape_string($message);
    $message = htmlspecialchars($message);

    // Sanitize name input: same two steps
    $name = stripslashes($name);
    $name = mysql_real_escape_string($name);
    $name = htmlspecialchars($name);

    $query  = "INSERT INTO guestbook (comment,name) VALUES ('$message','$name');";
    $result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>');
}
?>
SOLUTION: Reflected XSS
<?php
if (!array_key_exists("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == '')
{
    $isempty = true;
}
else
{
    echo '<pre>';
    // HTML-encode the user-supplied value at the point of output
    echo 'Hello ' . htmlspecialchars($_GET['name']);
    echo '</pre>';
}
?>
DOM-Based
var html = [
    '<form class="config">',
    '<fieldset>',
    '<label for="appSuite">enter url:</label>',
    // no user-controlled value is built into the markup string any more
    '<input type="text" name="appSuite" id="appSuite"/>',
    '</fieldset>',
    '</form>'
].join(' '),
dlg = $(html).appendTo($('body')),
appSuite = dlg.find('#appSuite');
// the value is set through the DOM property, so it is never parsed as HTML
appSuite.val(options.appSuiteUrl || '');
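The stored and reflected fixes (htmlspecialchars at output time) and the DOM-based fix above all come down to encoding for the context the data lands in, or avoiding markup construction altogether. The following JavaScript is an added example, not code from the slides, DVWA or jQuery: `htmlEncode`, `helloSafe`, `renderGuestbook`, `configFormSafe`, `quoteCount` and the sample rows and payloads are my own constructions, and `htmlEncode` mirrors PHP's htmlspecialchars() with ENT_QUOTES.

```javascript
// Added example (not the talk's code): output encoding for the HTML text context
// (stored and reflected fixes) and for the attribute context (DOM-based form).
// All function names and sample data below are my own constructions.

// Equivalent of PHP htmlspecialchars() with ENT_QUOTES: '&' first, then the
// four characters that can change meaning in HTML text or quoted attributes.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Reflected case: the "Hello <name>" page, before and after the fix.
function helloUnsafe(name) { return "<pre>Hello " + name + "</pre>"; }
function helloSafe(name)   { return "<pre>Hello " + htmlEncode(name) + "</pre>"; }

// Stored case: rows as read back from the guestbook table. SQL escaping on the
// way in does not touch '<' or '>', so the markup is stored verbatim and the
// encoding has to happen where the row is rendered.
const identity = (s) => s;            // the "before" behaviour: no encoding
function renderGuestbook(rows, encode = htmlEncode) {
  return rows
    .map((r) => "<div><b>" + encode(r.name) + "</b>: " + encode(r.comment) + "</div>")
    .join("\n");
}

// DOM-based case: the vulnerable slide splices options.appendUrl into a value=""
// attribute. The fixed slide avoids markup altogether with .val(); when a value
// really must be embedded in a markup string, attribute-context encoding is needed.
function configFormUnsafe(appendUrl) {
  return '<input type="text" name="appSuite" id="appSuite" value="' + (appendUrl || "") + '"/>';
}
function configFormSafe(appendUrl) {
  return '<input type="text" name="appSuite" id="appSuite" value="' + htmlEncode(appendUrl || "") + '"/>';
}

// Reviewer's check on rendered output: count attribute delimiters. A value
// that was encoded can never add to the count; an unencoded one can.
function quoteCount(html) {
  return (html.match(/"/g) || []).length;
}

// Constructed test inputs (a harmless alert() stands in for any script).
const TEXT_PAYLOAD = "<script>alert(1)</script>";
const ATTR_PAYLOAD = 'x"><script>alert(1)</script>';
const ROWS = [
  { name: "alice", comment: "nice talk" },
  { name: "mallory", comment: TEXT_PAYLOAD },
];

console.log(helloSafe(TEXT_PAYLOAD));
console.log(renderGuestbook(ROWS));
console.log(configFormSafe(ATTR_PAYLOAD));
```

Two caveats a practitioner will want: PHP's htmlspecialchars() did not encode single quotes by default before PHP 8.1, so a value placed inside a single-quoted attribute needs ENT_QUOTES; and, as the DOM-based fix shows, setting `.val()` or `textContent` through the DOM avoids the HTML parser entirely and is preferable to building markup strings whenever the code has that option.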
Rebels?
Tinkering?
Go beyond programming
Attack attacker’s attack
Attitude! Matters. But beware of the Dark Side
About You…
Any Doubts….
FAQs
1. Is there a safe browser?
2. Are you safe if you turn off JavaScript?
3. How can I stop myself from becoming a victim of a JavaScript worm?
4. It’s hopeless. I can’t trust a single Web application. Why did you do this to me?
5. I think I am infected. What can I do?
6. Does my anti-virus software protect me from XSS attacks?
7. Can an XSS worm propagate on my system?
8. XSS attacks can compromise my online account but not my network. Is that true?
9. What is the best technique to evade XSS filters?
10. Are persistent XSS vulnerabilities more severe than non-persistent ones?
11. How many URLs can be tested in the various history stealing hacks?
12. I run XYZ program that creates an HTML report. How can I determine if it is vulnerable?
13. Is the browser-hijacking feature in XSS-proxy persistent?
XSS Lab
• Now is your chance to try some hands on!
• Experience the thrill of hacking
• You’ve got to hack a blogger web application using XSS
• For the site URL, refer to the whiteboard
XSS Lab - Goal
• The goal of the lab is to steal the session cookie of the logged-in user (demo) on the blogger application
• Use that cookie locally and login as the demo user
• Demo user has an un-published secret post, saved as draft, that has some secret content
• All posts – published and drafts – are accessible after logging in, using the menu link Manage Posts
• Call us as soon as you are able to access the secret post!
XSS Lab – Code Review: Vulnerability & Fix
Questions?
• Whatever you want to ask, many others already have that same question on their mind. Be bold and lead
• OK, if you don’t want to speak and would rather keep quiet, keep thinking about it and take those questions home, make sure you email them to us and sleep well at night!
What should be our topic for the next meet?
I hate to ask but, how can we make this better?