Cross Site Scripting: Detection and Prevention
~Aman Kumar
What is cross-site scripting?
• Cross-Site Scripting (referred to as XSS) is a type of web application attack where malicious client-side script is injected into the application output and subsequently executed by the user’s browser.
• It can be used to take over a user’s browser in a variety of ways.
Why should I care about cross-site scripting?
• There was a time not too long ago when XSS was considered a low-risk type of security issue, because, compared to a server-side exploit, its impact seemed relatively low.
• As other issues like PHP remote file inclusions have become harder to exploit, XSS attacks have increased in prominence and sophistication.
Who’s affected by cross-site scripting?
Everyone. No, really – almost every site you can think of has had XSS problems at one time or another (and probably still does).
Don’t believe me?
• Universal XSS in Internet Explorer (2015) [1]
• Tweetdeck (2014) [2]
• PayPal (2013) – BONUS: discovered by a 17-year-old kid [3]
• Google Finance (2013) [4]
• 25 “Verisign-secured” online stores (2012) [5]
• McAfee (2011) [6]
• Visa (2010) [7]
Some sites you might recognize
Image: http://www.xssed.com/files/image/News/paypalevsslxss.PNG
Image: http://3.bp.blogspot.com/-IpLMWEVPnRc/UmYV_19hnNI/AAAAAAAADfc/caJdmBEsyaE/s1600/1.png
Image: https://isc.sans.edu/diaryimages/youtube.png
www.rackspace.com
Boooooring…
The classic proof-of-concept for XSS is a little alert box with some arbitrary text in it, or a picture of something silly. This doesn’t seem nearly dangerous enough to warrant concern.
What else you got?
Basic Client-side Attacks
• Steal cookies
• Play a sound
• Get user-agent string
• See enabled plugins (e.g. Chrome PDF viewer, Java, etc.)
More Advanced Client-Side Attacks
• Man-in-the-browser
• Forge user requests
• Get form values / HTML contents
• Fake notifications (Chrome plugin bar, LastPass login, etc.)
• Tabnabbing
So what should I do to prevent XSS?
• Never trust the user
• Never trust the user
• Never trust the user
• Never trust the user
• Never trust the user
• Never trust the user
• Never trust the user
• Never trust the user
So what should I do to prevent XSS? (No, really)
• Almost all client-side script injection comes down to the following characters:
< > ( ) { } [ ] " ' ; /
• There are various ways to take care of these characters, but it is too context-dependent to give a one-size-fits-all answer.
• The shortest answer is, make sure you’re only getting characters you expect when a user enters any kind of information - make sure you never display a user-entered string without properly encoding it.
Examples of XSS in code
Here’s some sample vulnerable JavaScript. Hmm, there’s the problem…

    <html>
    <script>
    var lol = function () {
      var a = document.getElementById('a').value;
      document.write(a); // Too easy: user input is written straight into the page as HTML
    }
    </script>
    <input type="text" name="a" id="a">
    <input type="submit" onclick="lol();">
    </html>
Examples of XSS in code
Now for something a little more interesting. Remember, we also have to think about the third-party libraries you’re using.
Some innocent-looking jQuery code:

    $(location.hash) // Wait, that’s it?

But you’re not only securing the code you write, but all the code you used…

    $(location.hash) // WHERE’S THE VULNERABLE PART?!

Well, if we’re using jQuery 1.6.1 and we visit the page

    http://app/#<img src=/ onerror=alert(1)>

…this will pop up one of those alert boxes [8].
Tips for filtering XSS
Here are some examples of how to filter HTML characters in a few simple scenarios in PHP (there should be similar functions in any language; check the links at the end of the PPT):

    $int = intval($_GET['a']);       // This will never return anything other than an integer
    $str = htmlentities($_GET['b']); // This will encode any character for which there is
                                     // an HTML entity equivalent (e.g. &gt; &lt; &quot;)
                                     // This is NOT always enough! [9]
Getting around prevention measures
Pop quiz! What’s wrong with this PHP code:

    echo('<a href="' . htmlentities($_GET['var']) . '">link</a>');

What if we set $_GET['var'] to javascript:alert(/xss/);
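As an added example (not from the original slides, and not the author’s code), here is the context-aware handling the last few slides point at, in JavaScript: entity encoding for HTML context, a scheme allowlist for the href context where htmlentities() alone fails, and an id-only check for the $(location.hash) selector sink. The function names and the example.com URLs are my own assumptions.

```javascript
// Added example for this deck (not the author's code): context-aware output
// handling for the three sinks the slides discuss. Pure functions, so it runs
// under Node without a DOM; browser wiring is noted in comments.

var HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML text / quoted-attribute context: the JavaScript counterpart of PHP's
// htmlentities() for the characters that matter here. In the browser, prefer
// el.textContent = a over document.write(a) so no HTML is parsed at all.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) { return HTML_ESCAPES[c]; });
}

// href / src context (the pop-quiz slide): entity encoding alone is not enough,
// because javascript:alert(/xss/) contains none of the encoded characters.
// Parse the value as an absolute URL and accept only the schemes the page
// expects; the URL parser lower-cases the scheme and strips tabs/newlines, so
// the check runs on the canonical form rather than on the raw string.
function safeHref(userUrl, allowedSchemes) {
  allowedSchemes = allowedSchemes || ['http:', 'https:'];
  var u;
  try {
    u = new URL(String(userUrl).trim()); // relative or unparseable values throw and are refused
  } catch (e) {
    return null;
  }
  if (allowedSchemes.indexOf(u.protocol) === -1) return null;
  return escapeHtml(u.href); // still encode for the attribute it lands in
}

// jQuery selector context ($(location.hash) slides): jQuery may treat the hash
// as HTML rather than a selector. Accept only a plain element id and nothing
// else; document.getElementById(id) would be the better sink in the first place.
function idSelectorFromHash(hash) {
  var m = /^#([A-Za-z][A-Za-z0-9_-]*)$/.exec(String(hash));
  return m ? '#' + m[1] : null;
}

// Builds the <a> from the pop-quiz slide with both contexts handled; returns
// null instead of emitting a link whose URL failed the scheme check.
function renderLink(userText, userUrl) {
  var href = safeHref(userUrl);
  if (href === null) return null;
  return '<a href="' + href + '">' + escapeHtml(userText) + '</a>';
}
```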
Resources
• OWASP Links
– Guide to Cross-site Scripting - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
– XSS Prevention Cheat Sheet - https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
– DOM based XSS Prevention Cheat Sheet - https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
References
• [1] http://seclists.org/fulldisclosure/2015/Feb/0
• [2] http://techcrunch.com/2014/06/11/tweetdeck-fixes-xss-vulnerability/
• [3] http://threatpost.com/paypal-site-vulnerable-to-xss-attack
• [4] http://miki.it/blog/2013/7/30/xss-in-google-finance/
• [5] http://nakedsecurity.sophos.com/2012/02/28/verisign-xss-holes/
• [6] http://www.scmagazine.com/mcafee-working-to-fix-xss-information-disclosure-flaws/article/199505/
• [7] http://news.softpedia.com/news/XSS-Weakness-Found-on-Visa-USA-Website-157115.shtml
• [8] http://ma.la/jquery_xss/
• [9] http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references
Thank You
