XSS (Cross Site Scripting)
#ABOUT ME
• Shubham Gupta (@hackerspider1)
• IT – Security Analyst at Broctagon Solutions.
• Bug Bounty Hunter.
• Capture The Flag (CTF) player.
• Acknowledged by more than 200 organizations.
TODAY'S TALK
• Introduction
• Impact
• Types of XSS
• How XSS works
• Demo
• XSS prevention
• Q&A
INTRODUCTION TO XSS
• XSS is a code injection attack that allows malicious code to be injected into a website
• Currently one of the most common attacks
• Almost every website requires JavaScript to be enabled
• Caused by insufficient input validation
• Payloads may be JavaScript, VBScript, ActiveX, HTML, or Flash
IMPACT
• Stealing other users' cookies
• Stealing their private information
• Performing actions on behalf of other users
• Redirecting to other websites
• Showing ads in hidden iframes and pop-ups
TYPES OF XSS
• Non-persistent XSS
• Persistent XSS
• DOM-based XSS
NON-PERSISTENT XSS
• Non-persistent XSS, also called reflected XSS
• The payload arrives in HTTP query parameters or an HTML form submission
• Occurs when the server uses that request data in its response without properly sanitizing it
PERSISTENT XSS
• Persistent XSS, also called stored XSS
• Occurs when attacker-supplied data is saved on the server side and later shown to other users
• Classic example: message board
DOM BASED XSS
• DOM (Document Object Model)
• A cross-site scripting vulnerability that appears in the DOM instead of in the HTML sent by the server
• The payload cannot be found in the server's response
• Observed only at runtime or by investigating the DOM of the page

Example (vulnerable: everything after "name=" in the URL is written into the page as HTML):
var pos = document.URL.indexOf("name=") + 5;
document.write(document.URL.substring(pos, document.URL.length));
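As an added example (not from the slides), the following JavaScript shows why the payload read by the snippet above never reaches the server, and how to read the parameter without a raw-HTML sink. The URLs, the function names and the use of Node instead of a browser DOM are assumptions made for the example.

```javascript
// Added example, not from the slides: why a DOM-based XSS payload never
// shows up in the server response, and a safer way to read the parameter.
// Each function returns the value the browser-side code would work with,
// so the example runs under Node without a real DOM.

// Mirrors the slide's vulnerable code: take everything after "name=" in
// the full URL (with the slide's lack of a check for a missing parameter).
// The slide then hands this string to document.write as raw HTML.
function extractNameVulnerable(url) {
  const pos = url.indexOf("name=") + 5;
  return url.substring(pos, url.length);
}

// What the server actually receives. The fragment (after "#") is never
// sent in the HTTP request, so a payload placed there is absent from the
// server's logs and from the response body the server sends back.
function serverVisiblePart(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Safer variant: parse the query properly and return plain text. The
// caller must put it in the page with textContent (or HTML-encode it),
// never through document.write or innerHTML.
function extractNameSafe(url) {
  return new URL(url).searchParams.get("name") || "";
}

// Constructed sample URLs: the slide's payload placed in the fragment,
// and an ordinary request with the parameter in the query string.
const FRAGMENT_URL =
  'https://app.example/profile?lang=en#name=<script>alert("hacked")</script>';
const QUERY_URL = "https://app.example/profile?name=Shubham%20Gupta";

console.log("client-side code reads:", extractNameVulnerable(FRAGMENT_URL));
console.log("server receives       :", serverVisiblePart(FRAGMENT_URL));
console.log("safe read, query URL  :", extractNameSafe(QUERY_URL));
```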
HOW XSS WORKS?
• The web server receives data from the web client (POST, GET, cookies etc.) with the request
• A malicious user can include client-side code snippets (JavaScript) in that data

Example:
Shubham<script>alert("hacked")</script>
[Diagram: the hacker's browser sends an HTTP request carrying XSS JavaScript to the server; the server returns an HTTP response containing the XSS JavaScript; the browser renders the XSS output]
DEMO
REFLECTED XSS
STORED XSS
DOM BASED XSS
PREVENTIONS
• MORE THAN 70% OF WEB SECURITY ISSUES ARE CAUSED BY XSS
• NEVER TRUST USER/CLIENT INPUT!
• CLIENT-SIDE CHECKS/CONTROLS HAVE TO BE REPEATED ON THE SERVER TOO.
• IMPROPER INPUT VALIDATION
• IMPROPER OUTPUT VALIDATION
• VALIDATE INPUT
  • LETTERS IN A NUMBER FIELD?
  • 10 DIGITS FOR A 4-DIGIT YEAR FIELD?
  • OFTEN ONLY ALPHANUMERIC CHARACTERS ARE NEEDED
  • BE CAREFUL WITH < > " ' AND =
  • WHITELIST (E.G. /[a-zA-Z0-9]{0,20}/)
  • REJECT, DON'T TRY TO SANITIZE
• VALIDATE OUTPUT
  • ENCODE HTML OUTPUT
    • IF THE DATA CAME FROM USER INPUT, A DATABASE, OR A FILE
    • Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));
    • NOT 100% EFFECTIVE BUT PREVENTS MOST VULNERABILITIES
  • ENCODE URL OUTPUT
    • IF RETURNING URL STRINGS
    • Response.Write(HttpUtility.UrlEncode(urlString));
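The validation and encoding rules from the two slides above, as an added JavaScript example (not the deck's ASP.NET code). The field name, the hand-written encoder and the reuse of the earlier slide's payload as sample input are assumptions for illustration; a real application should call its framework's encoder, as the slide's HttpUtility calls do.

```javascript
// Added example, not from the slides: whitelist validation that rejects,
// plus context-specific output encoding, applied to the deck's payload.

// The slide's pattern /[a-zA-Z0-9]{0,20}/ as written, unanchored. It
// "accepts" the payload because it only needs to match somewhere inside.
function slidePatternAccepts(input) {
  return /[a-zA-Z0-9]{0,20}/.test(input);
}

// Anchored whitelist (assumption: a name field, 1-20 alphanumerics).
// Invalid input is rejected outright, not cleaned up.
const NAME_RE = /^[a-zA-Z0-9]{1,20}$/;

function validateName(input) {
  if (typeof input !== "string" || !NAME_RE.test(input)) {
    throw new Error("rejected: name must be 1-20 alphanumeric characters");
  }
  return input;
}

// Encode for an HTML element body: the characters the slide warns about
// (< > " ' =) plus &, so the encoded text cannot itself be decoded twice.
// This covers element content only; an href or inline script needs a
// different encoding, which is why the slide says "not 100% effective".
function htmlEncode(s) {
  return String(s).replace(/[&<>"'=]/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#39;", "=": "&#61;",
  })[c]);
}

// Encode a value going into a URL query string (the UrlEncode case).
function urlEncode(s) {
  return encodeURIComponent(s);
}

// What the slide's Response.Write(HtmlEncode(...)) line would emit when
// greeting the user by the submitted name.
function greetingHtml(name) {
  return "<p>Hello, " + htmlEncode(name) + "</p>";
}

// Constructed sample input: the payload from the "How XSS works" slide.
const PAYLOAD = 'Shubham<script>alert("hacked")</script>';

console.log("unanchored pattern accepts payload:", slidePatternAccepts(PAYLOAD));
console.log(greetingHtml(PAYLOAD));
console.log("?name=" + urlEncode(PAYLOAD));
```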
THANKS
Q&A?


Editor's Notes

  1. These holes show up when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the request. Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection.
  2. It occurs when the data provided by the attacker is saved by the server and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is online message boards where users are allowed to post HTML-formatted messages for other users to read.
  3. DOM-based XSS simply means a cross-site scripting vulnerability that appears in the DOM (Document Object Model) instead of in the HTML. In reflected and stored cross-site scripting attacks you can see the vulnerability payload in the response page, but in DOM-based cross-site scripting the HTML source code and the response are exactly the same with or without the attack, i.e. the payload cannot be found in the response. It can only be observed at runtime or by investigating the DOM of the page. Example: var pos = document.URL.indexOf("name=") + 5; document.write(document.URL.substring(pos, document.URL.length));