Here is the presentation by Khoi (Portal team) and VHa (CPT team) from eXo Platform SEA.
www.exoplatform.com
Copyright 2011 eXo Platform
XSS and eXo Products
Portal & TQA teams, Oct 2011
Agenda
» Introduction to XSS
» XSS sample cases
» Preventing XSS Attacks
» XSS in eXo products
Introduction to XSS
What is XSS?
» XSS stands for Cross-Site Scripting
» Allows an attacker to run arbitrary script in the victim's browser, in the security context of the vulnerable site
» Often involves tricking the end user (e.g. into following a crafted link)
» Over 70% of websites may be vulnerable
How Does XSS Work?
» Scenario 1:
• You get an email with a URL that looks like
http://example.com?username=%3C%53%43%52%49%50%54%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C%2F%53%43%52%49%50%54%3E
• Click on it, and the page reflects the username parameter into its HTML. Percent-decoded, the parameter is <SCRIPT>alert("XSS");</SCRIPT>, so the browser runs the script and shows the alert
How Does XSS Work?
» Scenario 2:
• There is a comment form on a web page. You paste this string into the form:
This is my comment <SCRIPT>alert("XSS");</SCRIPT>
• The comment is stored, and every user who visits the page gets the alert
XSS Sample Cases
XSS Cases
Sample video
XSS types
» Non-persistent (reflected)
• The most common type of XSS injection
• The payload arrives in the request (query string, form field) and is echoed back by server-side code in the same response
• Requires a third party: the victim must be lured into following a crafted link or submitting a crafted form
» Persistent (stored)
• The most dangerous type of XSS injection
• The server stores the payload (comment, profile field, document) and renders it to everyone who later views that content
• No third party may be needed: the victim only has to visit the page
» DOM-based
• The newest type of XSS injection
• The payload is interpreted client-side by the page's own JavaScript (e.g. location.hash or document.URL written into innerHTML); the server may never see it
• Usually non-persistent
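The three types above, traced end to end in an added example (this is not code from the slides or from eXo Platform; it is a Node.js simulation written for this page). The phishing URL and the payload are the ones from the "How does XSS work?" slides; the page markup, the comment store and the hash-reading page script are constructed for the example.

```javascript
// Added example: the three XSS types simulated in Node.js so the data flow
// can be traced without a server or browser. Only the URL/payload come from
// the slides; markup and storage below are constructed for this example.

// Scenario 1: the percent-encoded link from the slide. The browser decodes
// the query string before the server sees it, so the encoding only hides
// the payload from the person reading the email.
const PHISHING_URL =
  "http://example.com?username=%3C%53%43%52%49%50%54%3E%61%6C%65%72%74%28" +
  "%22%58%53%53%22%29%3B%3C%2F%53%43%52%49%50%54%3E";

function usernameFromUrl(url) {
  return new URL(url).searchParams.get("username");
}

// Reflected: a server-side template that concatenates the request parameter
// straight into the response body. Nothing is stored; the victim has to be
// lured into following the link (the "third party" on the slide).
function renderProfileReflected(username) {
  return `<html><body><p>Welcome, ${username}</p></body></html>`;
}

// Stored: the comment form from scenario 2. The payload is written once,
// then rendered to every visitor of the page, so no lure is needed.
const commentStore = []; // stands in for the database

function postComment(text) {
  commentStore.push(text);
}

function renderComments() {
  return "<ul>" + commentStore.map((c) => `<li>${c}</li>`).join("") + "</ul>";
}

// DOM-based: the server returns a fixed page; the page's own script reads
// location.hash and writes it into the DOM. The fragment is never sent to
// the server, so server-side filtering cannot see it. In a browser the
// result of this function would be assigned like
//   document.getElementById("greet").innerHTML = greetingFromHash(location.hash);
function greetingFromHash(hash) {
  return "Hello, " + decodeURIComponent(hash.replace(/^#/, ""));
}

// Detection helper: does the rendered markup contain an unencoded script tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Runs all three flows with the slide's payload and reports where it lands.
function demo() {
  const payload = usernameFromUrl(PHISHING_URL);
  postComment("This is my comment " + payload);
  const results = {
    payload,
    reflected: containsRawScriptTag(renderProfileReflected(payload)),
    stored: containsRawScriptTag(renderComments()),
    domBased: containsRawScriptTag(greetingFromHash("#" + encodeURIComponent(payload))),
  };
  console.log(results);
  return results;
}

demo();
```

All three flags come back `true` for the slide's payload: the same string reaches the browser unencoded whether it travels through the query string, the comment store or the URL fragment, which is why the fix on the later slides is applied at the point of output rather than at the point of entry.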
The Impact of XSS
» Redirection
» Clickjacking
» URL Spoofing
» Session Hijacking
» Cookie Stuffing
» Ad Hijacking
» History stealing
» Key & Mouse logging
The Impact of XSS
» Redirection
» Redirect your victim, e.g. document.location = "http://xxxsite.com"
» Create fake traffic
» Popular
» Clickjacking / URL Spoofing
» Clickjacking overlays a transparent frame of the trusted site so the victim's clicks land on hidden controls
» URL spoofing: one website poses as another; used in phishing, gives high credibility
» Extremely popular
The Impact of XSS
» Session Hijacking
» Also known as 'cookie stealing'
» Usually reads document.cookie (not possible for cookies flagged HttpOnly)
» Lets the attacker take over another user's logged-in session
» Needs a cookie grabber: an attacker-controlled endpoint that receives the exfiltrated cookie value
» Cookie Stuffing
» Also known as 'cookie dropping'
» Used in black-hat online marketing
» Generates illegitimate affiliate sales by planting or overwriting affiliate cookies
» Uses popups, frames and iframes, images, JS, CSS or Flash to accomplish the cookie drop
The Impact of XSS
» Key & Mouse logging
» Log all keystrokes or mouse moves and send them to a remote server
» document.onkeypress / document.onmousemove event handlers
The Impact of XSS
» And many more attacks follow from a single XSS issue...
Preventing XSS attacks
Preventing XSS attacks
» Filtering
» Never trust user input and always filter metacharacters
» Filtering is less effective on the input side because content can reach the database by means other than HTTP, and a blacklist of tags is easy to bypass (nested or differently-cased tags).
Filtering should be done as part of the data output process, just before the value is rendered
» Encoding
» Recommended because it does not require the developer to decide which characters may legitimately be entered and passed through: every value is encoded for the context it is written into
» May have a performance impact on some web servers
» Rely on org.exoplatform.commons.utils.HTMLEntityEncoder#encodeHTML(String) for element content, or
» org.exoplatform.commons.utils.HTMLEntityEncoder#encodeHTMLAttribute(String) for attribute values
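The filtering-versus-encoding point above, worked through as an added example. This is not eXo's HTMLEntityEncoder and not code from the slides: the two encoders below are stand-ins written for this page, playing the roles the slide assigns to encodeHTML(String) and encodeHTMLAttribute(String). The attribute encoder follows the OWASP rule of entity-encoding every non-alphanumeric character; whether eXo's method behaves exactly that way is assumed, not taken from the page. The payloads are the slide's `<SCRIPT>alert("XSS");</SCRIPT>` plus two constructed ones that show why a blacklist filter and the wrong encoding context both fail.

```javascript
// Added example (not eXo code): output encoding for two HTML contexts, and
// why an input-side blacklist is the weaker choice. Encoding happens at
// render time, on the way out, so it does not matter how the value got into
// the store (HTTP form, import job, another application, ...).

// Element-content context: the characters that change the HTML text parser's
// state are enough here.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

function encodeHTML(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Attribute-value context: stricter. Every non-alphanumeric character becomes
// a numeric entity, so a value cannot close the surrounding quote or, in an
// unquoted attribute, start a new one such as onmouseover=. (OWASP rule;
// assumed here as the behaviour of the slide's encodeHTMLAttribute.)
function encodeHTMLAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (ch) => {
    const cp = ch.codePointAt(0);
    return "&#x" + cp.toString(16).toUpperCase() + ";";
  });
}

// The reflected template from the "How does XSS work?" slide, fixed at the
// point of output.
function renderProfileSafe(username) {
  return `<p>Welcome, ${encodeHTML(username)}</p>`;
}

// Attribute context: the value must be quoted AND attribute-encoded.
// Constructed markup for the example.
function renderSearchBoxSafe(query) {
  return `<input type="text" name="q" value="${encodeHTMLAttribute(query)}">`;
}

// The input-side "filter metacharacters" approach, done as a naive blacklist.
// Stripping "<script" once leaves a nested payload intact, and the attribute
// breakout payload contains no tag at all, so it is never touched.
function naiveFilter(s) {
  return String(s).replace(/<script/gi, "");
}

const PAYLOAD = '<SCRIPT>alert("XSS");</SCRIPT>';          // from the slide
const ATTR_PAYLOAD = '" onmouseover="alert(1)';            // constructed
const FILTER_BYPASS = "<scr<scriptipt>alert(1)</script>";  // constructed

function demo() {
  const results = {
    encodedText: encodeHTML(PAYLOAD),
    encodedAttribute: encodeHTMLAttribute(ATTR_PAYLOAD),
    safeProfileHasScript: /<script/i.test(renderProfileSafe(PAYLOAD)),
    safeInput: renderSearchBoxSafe(ATTR_PAYLOAD),
    filterOutput: naiveFilter(FILTER_BYPASS),
  };
  console.log(results);
  return results;
}

demo();
```

`filterOutput` comes back as `<script>alert(1)</script>`: the blacklist removed the inner `<script` and assembled a working tag out of the remainder. The two encoders, by contrast, do not need to know what the attacker sent; they only need to know which context the value is written into, which is the decision the slide says the developer should not have to make per character.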
Preventing XSS attacks
» Secure cookies using the HttpOnly attribute (the injected script can still act on the victim's behalf, but it can no longer read the session cookie via document.cookie)
» Associate sessions with IP addresses (limited value: the injected script already runs from the victim's own address, and NAT or mobile users change addresses)
» Install a web application firewall (defence in depth, not a substitute for output encoding)
» Educate users
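A check for the HttpOnly item above, as an added example that is not part of the slides or of eXo Platform: given the Set-Cookie headers of a login response, report session cookies that a script could still read through document.cookie, and show the hardened header. The cookie names treated as session cookies and the sample headers are constructed for the example (JSESSIONID is the servlet container default; "rememberme" is assumed).

```javascript
// Added example (not eXo code): audit Set-Cookie headers for the HttpOnly
// and Secure flags, and produce the hardened header. Headers and cookie
// names below are constructed for the example.

const SESSION_COOKIE_NAMES = ["JSESSIONID", "rememberme"]; // assumed names

// Parse one Set-Cookie header into its name and the flags we care about.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((p) => p.trim());
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const flags = new Set(attrs.map((a) => a.split("=")[0].toLowerCase()));
  return { name, httpOnly: flags.has("httponly"), secure: flags.has("secure") };
}

// One finding per missing flag, for session cookies only. HttpOnly stops
// document.cookie from reading the value; Secure stops it leaking over plain
// HTTP. Neither flag stops the XSS itself, which still runs in the victim's page.
function auditSetCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!SESSION_COOKIE_NAMES.includes(c.name)) continue;
    if (!c.httpOnly) findings.push(`${c.name}: missing HttpOnly (readable via document.cookie)`);
    if (!c.secure) findings.push(`${c.name}: missing Secure (sent over plain HTTP)`);
  }
  return findings;
}

// Append whichever flags are missing, leaving the rest of the header intact.
function hardenSetCookie(header) {
  const c = parseSetCookie(header);
  let out = header.trim();
  if (!c.httpOnly) out += "; HttpOnly";
  if (!c.secure) out += "; Secure";
  return out;
}

// Constructed sample: a login response setting three cookies.
const SAMPLE_HEADERS = [
  "JSESSIONID=3F2A9C; Path=/portal",
  "rememberme=abc123; Path=/; HttpOnly; Secure",
  "lang=en; Path=/",
];

console.log(auditSetCookies(SAMPLE_HEADERS));
console.log(SAMPLE_HEADERS.map(hardenSetCookie));
```

On the sample the audit reports only JSESSIONID, twice: the remember-me cookie already carries both flags and the language cookie is not a session cookie, so an XSS payload reading document.cookie gets the session identifier and nothing else of value.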
XSS in eXo Products
Examples of how to detect XSS vulnerabilities
Use case of Reflected XSS
Package: WCM 2.2.0
Attack steps:
See defect description in this link
https://jira.exoplatform.org/browse/ECMS-1773
Browsers: Internet Explorer 7, Firefox 3
Consequence: session hijacking & more
Use case of Stored XSS
Package: Social 1.2.0
Attack steps:
See defect description in this link
https://jira.exoplatform.org/browse/SOC-1532
Browsers: Internet Explorer 7, Firefox 3
Consequence: session hijacking & more
Use case of DOM-based XSS
Package: ECMS 2.3.x
Attack steps:
See defect description in this link
https://jira.exoplatform.org/browse/ECMS-2791
Browsers: Internet Explorer 7, Firefox 3
Consequence: session hijacking & more
XSS exploit based on a logic vulnerability
Package: PLF 3.5.0
Attack steps:
See defect description in this link
https://jira.exoplatform.org/browse/ECMS-2723
https://jira.exoplatform.org/browse/ECMS-2736
Browsers: Internet Explorer 7, Firefox 3
Consequence: session hijacking & more
Question for listeners:
what is the best solution for this situation?
References for the audience
1. Secure coding guidelines for Java
http://www.oracle.com/technetwork/java/seccodeguide-139067.html#6-1
2. eXo wiki security links
eXo-RedHat collaboration study
https://wiki-int.exoplatform.org/display/rhcollab/XSS
TQA security test
https://wiki-int.exoplatform.org/display/TQA/SECURITY
Deployment & configuration rules (ITOP)
https://wiki-int.exoplatform.org/display/ITOP/eXo+Applications+and+security
DISCUSSION