Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014

Cross-Site Scripting Vulnerabilities

Adam Doupé

11/24/2014

Doupé - 11/24/14

Ethics

• Only hack into sites you own
  – Or you have permission

• Popular sites may have bug bounty program
  – Facebook
  – GitHub
  – Google

• You will get caught

Tech

• HTTP

• HTML

• CSS

• JavaScript

• SQL

• Server-Side Code (Python/PHP/Ruby)

Many Vulnerabilities

• Cross-Site Scripting (XSS)

• SQL Injection

• Cross-Site Request Forgery (XSRF)

• HTTP Parameter Pollution (HPP)

• Command Injection

• Parameter Manipulation

• File Exposure

• Directory Traversal

• Forced Browsing

• Logic Flaws

• Execution After Redirect (EAR)

Web Applications

[Diagram: JavaScript (browser) → HTTP → Web Applications → SQL]

HTTP Client Request

GET / HTTP/1.1

User-Agent: curl/7.37.1

Host: www.facebook.com

Accept: */*

HTTP Server Response

HTTP/1.1 200 OK

Expires: Sat, 01 Jan 2000 00:00:00 GMT

Set-Cookie: datr=cohyVEAwQmq5jJh2cWZ9pZc9; expires=Wed, 23-Nov-2016 01:22:58 GMT; Max-Age=63072000; path=/; domain=.facebook.com; httponly

Set-Cookie: reg_ext_ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.facebook.com

Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com

Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com

Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html lang="en" id="facebook" class="no_js">
<head>
<script>... </script>
<title id="pageTitle">Welcome to Facebook - Log In, Sign Up or Learn More</title>

JavaScript

• Makes the page dynamic

• Full control over page
  – Layout
  – Asynchronous requests
  – Event handlers

• Code from the website running on your browser

Same Origin Policy

• Browser JavaScript Security Policy

• (protocol, host, port)

https://www.facebook.com/ → (https, www.facebook.com, 443)

http://www.cnn.com/ → (http, www.cnn.com, 80)
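As an added example, not from the slides, a small JavaScript routine that builds the (protocol, host, port) tuple the way the slide does, filling in the default port, and compares two URLs on it; the names originTuple and sameOrigin are chosen here.

```javascript
// Added example (not from the slides): build the (protocol, host, port)
// tuple the Same Origin Policy compares, filling in the default port the
// way the slide does, and compare two URLs on it.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originTuple(urlString) {
  const u = new URL(urlString);            // WHATWG URL drops a default port; restore it
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { protocol: u.protocol.slice(0, -1), host: u.hostname, port };
}

// All three components must match; path, query and fragment play no part.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// The slide's two URLs, plus constructed near-misses: a script loaded from
// one of these origins cannot read the other's cookies, DOM or XHR responses.
console.log(originTuple("https://www.facebook.com/"));   // { protocol: 'https', host: 'www.facebook.com', port: '443' }
console.log(originTuple("http://www.cnn.com/"));         // { protocol: 'http', host: 'www.cnn.com', port: '80' }
console.log(sameOrigin("https://www.facebook.com/", "https://www.facebook.com:443/login.php?x=1")); // true
console.log(sameOrigin("https://www.facebook.com/", "http://www.facebook.com/"));  // false: scheme differs
console.log(sameOrigin("https://www.facebook.com/", "https://m.facebook.com/"));   // false: host differs
console.log(sameOrigin("http://www.cnn.com/", "http://www.cnn.com:8080/"));        // false: port differs
```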

Same Origin Policy

• Cookies (document.cookie)

• DOM

• localStorage

• XMLHttpRequests

• img

Cross-Site Scripting (XSS)

• Malicious JavaScript running in the context of your web application

XSS – Example

<html><body><p>Hello <?= $name ?></p>

</body></html>

http://example.com/test.php?name=adam

<html> <body> <p>Hello <?= $name ?></p> </body></html>

http://example.com/test.php?name=adam

<html> <body> <p>Hello adam</p> </body></html>

http://example.com/test.php?name=<script>alert('xss')</script>

<html> <body> <p>Hello <?= $name ?></p> </body></html>

<html> <body> <p>Hello <script>alert('xss')</script></p> </body></html>

http://example.com/test.php?name=<script>alert('xss')</script>

Reflected XSS

[Diagram: the payload in http://example.com/test.php?name= is sent over HTTP to the web application and comes back in the response as JavaScript]

Stored XSS

[Diagram: the payload in http://example.com/test.php?title= is stored via SQL and later served over HTTP as JavaScript]

Exploits – Phishing

• Malicious JavaScript can completely control the DOM

• Change current page to login page where the login sends credentials to the attacker

Exploits – Session Theft

• HTTP is session-less
  – No HTTP-native way to tie requests to the same user

• Web applications typically use cookies to create a session
  – Session describes who the user is, if they've passed authentication

• JavaScript has access to cookies…

Exploits – Session Theft

[Diagram: JavaScript reads the cookie and sends it over HTTP]
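The httponly flag on the datr cookie in the response slide is the mitigation for this exploit: the browser withholds such a cookie from document.cookie. As an added example, not from the slides, a JavaScript audit that parses Set-Cookie headers from a constructed response head modelled on that slide and reports cookies missing HttpOnly, Secure or SameSite; the function and sample names are chosen here.

```javascript
// Added example (not from the slides): audit Set-Cookie headers for the
// attributes that limit what script injected via XSS can do with them.
// HttpOnly keeps a cookie out of document.cookie; Secure keeps it off plain
// HTTP; SameSite limits cross-site sending. Input is a raw response head.
function parseSetCookie(headerValue) {
  const [pair, ...attrs] = headerValue.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), httpOnly: false, secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = (v || "").trim();
  }
  return cookie;
}

// Walk the response head and report every cookie lacking a protective attribute.
function auditResponse(rawHead) {
  const findings = [];
  for (const line of rawHead.split(/\r?\n/)) {
    if (!/^set-cookie:/i.test(line)) continue;
    const c = parseSetCookie(line.slice(line.indexOf(":") + 1));
    const missing = [];
    if (!c.httpOnly) missing.push("HttpOnly");
    if (!c.secure) missing.push("Secure");
    if (!c.sameSite) missing.push("SameSite");
    if (missing.length) findings.push({ name: c.name, missing });
  }
  return findings;
}

// Constructed sample modelled on the response slide: datr is flagged
// httponly, reg_fb_ref carries no protective attribute at all.
const SAMPLE_HEAD = [
  "HTTP/1.1 200 OK",
  "Set-Cookie: datr=EXAMPLEVALUE; expires=Wed, 23-Nov-2016 01:22:58 GMT; Max-Age=63072000; path=/; domain=.facebook.com; httponly",
  "Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com",
  "Content-Type: text/html; charset=utf-8",
].join("\r\n");

console.log(auditResponse(SAMPLE_HEAD));
```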

Exploits – Unauthorized Actions

• JavaScript can make requests to the web application
  – Browser sends cookies
  – Appears as if the user made the request (clicked the link or filled out the form)

• Malicious JavaScript can make requests to the web application on your behalf

[Diagram: JavaScript making requests to the web application on the user's behalf]

Exploits – Worms

• Stored XSS vulnerability + Unauthorized Actions
  – Self-propagating worm

• Social networks particularly susceptible
  – "samy is my hero" (2005)
  – Tweetdeck (2014)

XSS – Prevention

• Sanitize all user input using a known sanitization routine

• Depends on where the output is in the HTML page
  – < and > necessary in HTML
  – Only need ' in JavaScript

<html><script> var test = "<?= $name ?>";</script>

<div <?= $name ?>>

http://example.com/?adam=$name

Encodings shown: < → &lt;   ' → %27

Payloads shown: onload="javascript:alert(xss);"   ""alert('xss');//"
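As an added example, not from the slides, JavaScript encoders for the output contexts on this slide, applied to a payload built from the earlier alert('xss') examples; the function names are chosen here. The JS-string encoder escapes every non-alphanumeric character rather than only the quote, since a raw </script> inside the string would also end the block, and the unquoted <div <?= $name ?>> position is rendered as a quoted attribute value because no encoder makes an attribute-name position safe.

```javascript
// Added example (not from the slides): one untrusted value, one encoder per
// output context shown on the slide. Written out so the rules are visible;
// in production use the template engine's own context-aware escaping.

// HTML body and quoted attribute value: the five characters that can close
// an element or an attribute.
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string literal: entities are NOT decoded inside <script>, so
// HTML encoding does nothing here. Escape everything outside [A-Za-z0-9 ]
// as \uXXXX, which covers the quote, backslash, newline and "</script>".
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).toUpperCase().padStart(4, "0"));
}

// URL query parameter: percent-encoding, so ' becomes %27 as on the slide.
// encodeURIComponent leaves ' ( ) ! * alone, so those are encoded by hand.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s)).replace(/[!'()*]/g, (c) =>
    "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// The slide's templates, each rendered with the encoder for its context.
// The slide's <div <?= $name ?>> puts the value where an attribute *name*
// goes; no encoder makes that safe, so it is rendered as a quoted value.
function renderTemplates(name) {
  return {
    body:   `<p>Hello ${encodeForHtml(name)}</p>`,
    attr:   `<div title="${encodeForHtml(name)}"></div>`,
    script: `<script> var test = "${encodeForJsString(name)}";</script>`,
    url:    `http://example.com/?adam=${encodeForUrlParam(name)}`,
  };
}

// Constructed input combining the payloads from the earlier slides.
const PAYLOAD = `"; alert('xss');//</script><script>alert('xss')</script>`;
console.log(renderTemplates(PAYLOAD));
```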

Tools

• Browser Developer Tools

• Wireshark

• Burp Proxy

• SQLMap

• OWASP Broken Web Apps Project

• Google Gruyere

Questions?

http://adamdoupe.com/
