A2: CROSS SITE SCRIPTING
Introduction to the OWASP Top 10
Cross Site Scripting (XSS) comes in several flavors:
Stored
Reflective
DOM-Based
Stored XSS
Malicious code is posted to a site (blog, guestbook, etc.) that displays it back to other site visitors
Code is executed by the browser whenever someone views the page with the stored XSS code
Reflective XSS
Malicious code is embedded into a URL
Following the URL sends the code to the server, which displays (reflects) the code back to the browser
The browser trusts the code because it comes from a “trusted” source
Normally this requires a web form that uses the GET method, but there is a workaround
DOM-Based XSS
Modification to a Document Object Model object within the client’s browser
The server may never handle the malicious code
Malicious code is embedded in a DOM parameter modification
Ex: http://www.some.site/page.html#language=<script>alert(document.cookie)</script>
Payload is executed by the client when document.location.href.indexOf("language=") is processed
XSS Risks
Display an alert box – pretty benign
Redirect the user to another server
Pass session and other cookies to another server
Hijack the user’s session
XSS Defenses
Never use untrusted data within <script> tags, <!-- comments -->, <div attribute_names=val />, or <tag_names href="/url" />
Escape all untrusted content to be used in HTML context
“Whitelist” input validation: only allow input from a predefined set
Your Framework may do some or all of this for you
Libraries are available as well
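Added example, not from the original slides: the DOM-based pattern from the language= example above, written as a vulnerable function beside a hardened one that applies the two defenses listed (whitelist validation and HTML escaping). Pure functions are used so it runs in Node; in a browser, href would be document.location.href and the returned string is what would be assigned to innerHTML. The allowed language codes and the banner markup are assumptions for illustration.

```javascript
// Vulnerable: mirrors the slide's indexOf("language=") pattern. Whatever follows
// "language=" in the URL fragment is copied straight into markup with no
// validation or escaping. The fragment never reaches the server, so server-side
// filtering cannot help here; the browser alone turns the fragment into live HTML.
function languageBannerUnsafe(href) {
  const pos = href.indexOf("language=");
  if (pos === -1) return "";
  const lang = decodeURIComponent(href.substring(pos + "language=".length));
  return '<div class="banner">Language: ' + lang + "</div>"; // would go to innerHTML
}

// Defense 1 from the slide: whitelist input validation. Only values from a
// predefined set are accepted; anything else falls back to a safe default.
// (The set of codes is an assumption for this example.)
const ALLOWED_LANGUAGES = new Set(["en", "de", "fr", "es"]);

function pickLanguage(raw) {
  return ALLOWED_LANGUAGES.has(raw) ? raw : "en";
}

// Defense 2 from the slide: escape untrusted content for an HTML text context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened: parse the fragment with URLSearchParams instead of substring hacks,
// whitelist the value, and escape it anyway so the output is correct in HTML
// context even if the whitelist is later relaxed.
function languageBannerSafe(href) {
  const hashPos = href.indexOf("#");
  const fragment = hashPos === -1 ? "" : href.substring(hashPos + 1);
  const raw = new URLSearchParams(fragment).get("language") || "";
  const lang = pickLanguage(raw);
  return '<div class="banner">Language: ' + escapeHtml(lang) + "</div>";
}

// Constructed sample inputs: a benign URL and the slide's example payload URL.
const BENIGN_URL = "http://www.some.site/page.html#language=de";
const PAYLOAD_URL =
  "http://www.some.site/page.html#language=<script>alert(document.cookie)</script>";
```

Compare the two outputs for PAYLOAD_URL: the unsafe version embeds the script tag verbatim, the safe version renders the default language only.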
References
OWASP XSS Wiki Page: http://www.owasp.org/index.php/Top_10_2010-A2
DOM XSS: http://www.webappsec.org/projects/articles/071105.shtml
Anatomy of a XSS Attack: http://www.infosecwriters.com/hhworld/hh8/csstut.htm
XSS Prevention: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet