Developing Secure Web ApplicationCross-Site Scripting (XSS)Cezar CocaEndava

10th of November 2012

Agenda

• Why?

• Formal description

• Same Origin Policy

• How to perform an XSS attack

• Demo

• Prevention of XSS attacks

OWASP Top Ten (2010 Edition)

http://www.owasp.org/index.php/Top_10

At first sight

=

Second sight

XSS formal description

Types – at least two primary flavors • Non-persistent (or reflected)

• Persistent (or stored)

Typical impact

• Steal user’s session (hijack session)

• Rewrite web page

• Redirect user to phishing or malware site

• Most Severe: Install XSS proxy

Same Origin Policy – Security Domain

Same Origin Policy - DOM

Same Origin Policy - DOM

Same Origin Policy - DOM

Reflected XSS Illustrated

Attacker send the victim a misleading email with a link containing malicious JavaScript

1

Reflected XSS Illustrated

Attacker send the victim a misleading email with a link containing malicious JavaScript

1

2

When the victim clicks on the link, the HTTP request is initiated from the victim's browser and sent to the vulnerable Web application.

Reflected XSS Illustrated

Attacker send the victim a misleading email with a link containing malicious JavaScript

1

2

When the victim clicks on the link, the HTTP request is initiated from the victim's browser and sent to the vulnerable Web application.

3

The malicious JavaScript is then reflected back to the victim's browser, where it is executed in the context of the victim user's session

DEMO – deployment diagram

LET’S HACK

Second sight

Prevention of XSS Attack – part 1

• Input Validation

• Canonicalize data first

• Prevent encoded attacks

• Black list testing is no solution

• Black lists are never complete!

• White list testing is better

• Only what you expect will pass

• Regular expressions

• HTML Encoding

• HTML encoding of all input when put into output pages

Prevention of XSS Attack – Multiple contexts

Browser have multiple contexts that must be considered!

HTML Body

HTML Attributes

<STYLE> Context

<SCRIPT> Context

URL Context

Prevention of XSS Attack – Session Hijacking

• Session hijacking

• “HttpOnly" Cookies

• "secure" Cookies. Cookies are only sent over SSL

• Disable TRACE

• References:

• http://www.owasp.org/index.php/XSS_(Cross Site Scripting) Prevention Che

at Sheet

• http://ha.ckers.org/xss.html

• http://www.owasp.org/index.php/ESAPI

Diamond Sponsors

Platinum Sponsors Gold Sponsors

Training Partners Media Partners Other Partners