xss talk, attack and defense
DESCRIPTION
XSS? Sure, we have all heard about it. XSS stands for Cross Site Scripting, but "XSS" sounds a lot cooler, huh? Has your account or website ever been hacked? Or have you heard about such a compromised account or site from someone? Have you ever been tricked by a website? Have you ever noticed your everyday trusted site behaving abnormally, throwing weird content at you? Nowadays these are very common incidents. Recently: the Pentagon XSS hack and the Facebook XSS hack. How do hackers do it? Why on earth do they do it? Would you like to check it out live and do some hands-on? And then focus on how to secure against this nasty vulnerability. Come join us to see HOW IT HAPPENS and MAKE IT HAPPEN YOURSELF.
TRANSCRIPT
![Page 1: Xss talk, attack and defense](https://reader033.vdocuments.site/reader033/viewer/2022061223/54c329654a795953608b4578/html5/thumbnails/1.jpg)
Hacking and Information Security Group
Organised with TechNext
Mr. Sandip Chaudhari
• 13+ years experience in the Software and Information Security Industry
• 6+ years worked as a Professional Software Security Analyst and Secure Code Auditor
• 100+ in-house vulnerabilities discovered and reported
• Presented Security Research Paper at various security conferences around the globe including New York, USA; Luxembourg, Luxembourg; Tokyo, Japan; Bangalore, India
• Undertook multiple responsibilities in various roles like Security Analyst, Application Developer, Project Manager, Software Application Architect, Information Security Researcher, CTO
• Proud to have worked along with, and been part of a group that included, Dino Dai Zovi, Shane Macaulay, Adam Green, Jonathan Leonard and Jeremy Jethro
Organizer and Mentor
We Are…The Speakers…
Sudarshan Pawar
Certified Security Expert (C.S.E.)
Certified Information Security Specialist (C.I.S.S.)
Security Xplained (TechNext Speaker)
Pursuing B.E. (Computer) & a Security Professional
Prakashchandra Suthar
Cisco Certified Network Associate
Red Hat Linux Certified
Security Xplained (TechNext Speaker)
Computer Engg
Security Researcher
WHY are we in this room on a weekend rather than enjoying a hot beverage on a rainy day?
Today’s Agenda
1. XSS: What does it mean?
2. Birth
3. Stats
4. Working
5. The Havoc it Created
6. Reason of attack
7. Causes
8. Types of XSS
9. Vulnerabilities in web programming
10. Solutions
11. Prevention Mechanisms
Blah blah….
CAPTURE THE FLAG
D.I.Y. (Do it yourself and experience the dark side of the Force...!!!)
Session 1 Session 2
BIRTH OF XSS
• Netscape introduced JavaScript in 1995. Soon after, hackers realized that when someone surfed their website they could force-load any other website (webmail, banks, auction sites) in a frame and use JavaScript to cross the boundary between the two sites, hence the name "cross site scripting."
• The XSS explosion came in 2005 when the Samy worm took down MySpace.
STATS
STATS: XSS ATTACKS
FEW AFFECTED ORGANISATIONS… Myspace
Myspace Samy attack
PayPal
Anna University
Avast.
XSS Attack Scenario
www.sometrustedwebsite.com
Asia America Europe
BEFORE ATTACK…
www.sometrustedwebsite.com
Asia America Europe
AFTER ATTACK (Injects script)
Injected script can be:
• Malicious page
• Explicit images
• Bots (to make zombies)
• Redirecting links
• Fake login pages
• Etc. etc.
(NOTE: Names of continents are just used as an example, representing users accessing a trusted website)
How much financial loss does it cause?
How much will it cost if your online bank account is attacked?
(Big Hint: Please be bold, take the lead, stand-up and share how much money you got in your bank right now)
CAN U TAKE THIS TYPE OF CHANCE….??
CAUSES
• An XSS vulnerability is mainly caused by a site failing to sanitize user input before echoing it back into the page returned to the client's web browser
REASON OF ATTACK
• Change settings
• Cookie theft
• False advertising
• Steal form tokens to make XSRF easier
• And more; you have to be creative to exploit XSS
XSS Types
There are three types of XSS:
• Persistent (stored) XSS: the attack is stored on the website server
• Non-persistent (reflected) XSS: the user has to go through a special link to be exposed
• DOM-based XSS: the problem exists within the client-side script
UNSANITIZED CODE: STORED XSS

```php
<?php
if (isset($_POST['btnSign'])) {
    $message = trim($_POST['mtxMessage']);
    $name    = trim($_POST['txtName']);

    // "Sanitize" message input: this only escapes quotes and backslashes for
    // the SQL query. It leaves < > and other HTML metacharacters untouched,
    // so whatever is stored here is echoed back into the guestbook page as live markup.
    $message = stripslashes($message);
    $message = mysql_real_escape_string($message);

    // Sanitize name input (again SQL context only)
    $name = mysql_real_escape_string($name);

    // (mysql_* functions were removed in PHP 7; kept here as on the slide)
    $query  = "INSERT INTO guestbook (comment,name) VALUES ('$message','$name');";
    $result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>');
}
?>
```
UNSANITIZED CODE: REFLECTED XSS

```php
<?php
if (!array_key_exists("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == '') // checks for empty text...
{
    $isempty = true;
}
else // else generates HTML page on user input
{
    echo '<pre>';
    echo 'Hello ' . $_GET['name']; // the raw query-string value is written straight into the page
    echo '</pre>';
}
?>
```
DOM-Based XSS

```javascript
var html = [
    '<form class="config">',
    '<fieldset>',
    '<label for="appSuite">enter url:</label>',
    // options.appendUrl is concatenated straight into the value attribute:
    // a double quote inside it closes the attribute and the rest is parsed as markup
    '<input type="text" name="appSuite" id="appSuite" value="', options.appendUrl || '', '"/>',
    '</fieldset>',
    '</form>'
].join(' '),
dlg = $(html).appendTo($body);
```
Solutions Fast Track
Filtering
1. Filtering can deliver unexpected results if you aren't careful to monitor the output.
2. Using a loop can reduce the risks associated with filtering out content.
3. Filtering alone can introduce new risks by creating new types of attacks. Therefore, it is critical to understand the order in which filters are applied and how they interact with one another.
Input Encoding
1. Input encoding can create a single choke point for all encoding.
2. Things like SQL injection and command injection can also be checked prior to storing information in a database.
3. Input encoding cannot stop persistent XSS once stored.
Output Encoding
1. Output encoding is more granular and can take context into account.
2. Developers must perform output encoding potentially many times, once for each location where the information is output.
Web Browser’s Security
1. Beware of long or overly complex URLs. Often these are the most likely to contain vulnerabilities.
2. Do not click on unknown URLs in e-mail if at all possible.
3. Choose a secure browser and customize your security settings to reduce the risk of exploitation.
CODE SOLUTION: Stored XSS

```php
<?php
if (isset($_POST['btnSign'])) {
    $message = trim($_POST['mtxMessage']);
    $name    = trim($_POST['txtName']);

    // Sanitize message input: SQL escaping for the query, then htmlspecialchars()
    // so that < > " ' & cannot form markup when the comment is echoed back
    $message = stripslashes($message);
    $message = mysql_real_escape_string($message);
    $message = htmlspecialchars($message);

    // Sanitize name input
    $name = stripslashes($name);
    $name = mysql_real_escape_string($name);
    $name = htmlspecialchars($name);

    $query  = "INSERT INTO guestbook (comment,name) VALUES ('$message','$name');";
    $result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>');
}
?>
```
SOLUTION: Reflected XSS

```php
<?php
if (!array_key_exists("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == '')
{
    $isempty = true;
}
else
{
    echo '<pre>';
    // htmlspecialchars() encodes the value for the HTML text context before it reaches the browser
    echo 'Hello ' . htmlspecialchars($_GET['name']);
    echo '</pre>';
}
?>
```
DOM-Based

```javascript
var html = [
    '<form class="config">',
    '<fieldset>',
    '<label for="appSuite">enter url:</label>',
    // no value="..." built from the untrusted string: it never goes through the HTML parser
    '<input type="text" name="appSuite" id="appSuite" />',
    '</fieldset>',
    '</form>'
].join(' '),
dlg = $(html).appendTo($('body')),
appSuite = dlg.find('#appSuite');   // lookup added here; the slide uses appSuite without defining it
// .val() sets the element's value property directly, so the string is treated as data, not markup
appSuite.val(options.appSuiteUrl || '');
```
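The following is an added example and not code from the slides. It puts the Input/Output Encoding slide and the DOM-based fix side by side in plain JavaScript: an `encodeForHtml()` equivalent of PHP's `htmlspecialchars()`, a stand-in `sqlEscape()` that imitates what `mysql_real_escape_string()` does (and does not do), and string versions of the slides' greeting page, guestbook row and config form. The function names, the `options.appendUrl` field and the probe strings are chosen here for the demo.

```javascript
// Added example, not from the slides. Shows why SQL escaping at input time
// does not make data safe for HTML, and what output encoding does instead.

// HTML output encoding for text and attribute-value context, the JavaScript
// equivalent of PHP htmlspecialchars($s, ENT_QUOTES). '&' goes first so that
// the entities produced by the other replacements are not re-encoded.
function encodeForHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Imitation (not the real function) of mysql_real_escape_string(): it
// backslash-escapes quotes, backslashes and a few control characters so the
// SQL query stays intact. Angle brackets pass through untouched, so a comment
// "sanitized" this way is still live HTML when the guestbook prints it.
function sqlEscape(s) {
  const special = { '\0': '\\0', '\n': '\\n', '\r': '\\r', '\x1a': '\\Z' };
  return String(s).replace(/[\0\n\r\\'"\x1a]/g, (c) => special[c] || '\\' + c);
}

// Count '<' characters: a quick way to see whether rendered markup carries
// more tags than its template.
function countTags(html) {
  return (html.match(/</g) || []).length;
}

// Reflected case from the slides: "Hello <name>" inside <pre>.
function renderGreetingUnsafe(name) {
  return '<pre>Hello ' + name + '</pre>';
}
function renderGreetingSafe(name) {
  return '<pre>Hello ' + encodeForHtml(name) + '</pre>';
}

// Stored case: whatever was escaped for SQL at insert time, encode for HTML
// at the moment it is written into the page (output encoding).
function renderGuestbookRow(comment, name) {
  return '<tr><td>' + encodeForHtml(name) + '</td><td>' + encodeForHtml(comment) + '</td></tr>';
}

// DOM-based case from the slides as a string template. Splicing
// options.appendUrl straight into value="..." lets a double quote close the
// attribute; everything after it is parsed as markup. Attribute encoding
// keeps the whole string inside the quotes.
function buildConfigForm(options, encode) {
  const url = options.appendUrl || '';
  return [
    '<form class="config">',
    '<fieldset>',
    '<label for="appSuite">enter url:</label>',
    '<input type="text" name="appSuite" id="appSuite" value="' + (encode ? encodeForHtml(url) : url) + '"/>',
    '</fieldset>',
    '</form>'
  ].join(' ');
}
const buildConfigFormUnsafe = (options) => buildConfigForm(options, false);
const buildConfigFormSafe = (options) => buildConfigForm(options, true);

// Constructed demo inputs: a script tag for the text context and an
// attribute-breaking string for the value="..." context.
const SCRIPT_PROBE = '<script>probe()</script>';
const ATTR_PROBE = 'x"><b>y</b>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('sqlEscape keeps the tag  :', sqlEscape(SCRIPT_PROBE));
  console.log('encodeForHtml neutralises:', encodeForHtml(SCRIPT_PROBE));
  console.log('unsafe greeting tags     :', countTags(renderGreetingUnsafe(SCRIPT_PROBE)));
  console.log('safe greeting tags       :', countTags(renderGreetingSafe(SCRIPT_PROBE)));
  console.log('unsafe form              :', buildConfigFormUnsafe({ appendUrl: ATTR_PROBE }));
  console.log('safe form                :', buildConfigFormSafe({ appendUrl: ATTR_PROBE }));
}
```

Run it with `node` and compare the tag counts: the unsafe greeting and form gain tags the template never had, the encoded versions keep exactly the template's tags. In a browser the slide's `.val()` fix is preferable to encoding the attribute by hand, because setting the DOM `value` property never hands the string to the HTML parser at all; the string-level encoder is the fallback for code that must assemble markup as text.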
Rebels?
Tinkering?
Go beyond programming
Attack attacker’s attack
Attitude! Matters. But beware of the Dark Side
About You…
Any Doubts….
FAQs
1. Is there a safe browser?
2. Are you safe if you turn off JavaScript?
3. How can I stop myself from becoming a victim of a JavaScript worm?
4. It's hopeless. I can't trust a single Web application. Why did you do this to me?
5. I think I am infected. What can I do?
6. Does my anti-virus software protect me from XSS attacks?
7. Can an XSS worm propagate on my system?
8. XSS attacks can compromise my online account but not my network. Is that true?
9. What is the best technique to evade XSS filters?
10. Are persistent XSS vulnerabilities more severe than non-persistent ones?
11. How many URLs can be tested in the various history stealing hacks?
12. I run XYZ program that creates an HTML report. How can I determine if it is vulnerable?
13. Is the browser-hijacking feature in XSS-proxy persistent?
XSS Lab
• Now is your chance to try some hands on!
• Experience the thrill of hacking
• You’ve got to hack a blogger web application using XSS
• For site URL refer the white-board
XSS Lab - Goal
• The goal of the lab is to steal the session cookie of the logged-in user (demo) on the blogger application
• Use that cookie locally and log in as the demo user
• The demo user has an unpublished secret post, saved as a draft, that has some secret content
• All posts, published and drafts, are accessible after logging in, using the menu link Manage Posts
• Call us as soon as you are able to access the secret post!
XSS Lab – Code Review: Vulnerability & Fix
Questions?
• Whatever you want to ask, many others already have the same question on their minds. Be bold and lead
• OK, if you don't want to speak and would rather keep quiet, keep thinking about it and take those questions home, then make sure you email them to us and sleep well at night!
What should be our topic for the next meet?
I hate to ask but, how can we make this better?