
Here is the presentation of Khoi (Portal team) and VHa (CPT team) from eXo Platform SEA.

Page 1: Xss.e xopresentation from eXo SEA

www.exoplatform.com

Copyright 2011 eXo Platform

XSS and eXo Products

Portal & TQA teams, Oct 2011

Page 2

Agenda

» Introduction to XSS

» XSS sample cases

» Preventing XSS Attacks

» XSS in eXo products

Page 3

Introduction to XSS

Page 4

What is XSS?

» XSS stands for Cross Site Scripting

» Allows execution of arbitrary script in the victim's browser

» Often involves tricking the end user

» Over 70% of websites may be vulnerable

Page 5

How Does XSS Work?

» Scenario 1:

• You get an email with a URL that looks like

http://example.com?username=%3C%53%43%52%49%50%54%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C%2F%53%43%52%49%50%54%3E

• Click on it and the web page displays the username; the parameter decodes to <SCRIPT>alert("XSS");</SCRIPT> and is reflected as HTML, so the script runs in your browser

Page 6

How Does XSS Work?

» Scenario 2:

• There is a comment form on a web page. You paste the following string into the form

This is my comment <SCRIPT>alert("XSS");</SCRIPT>

• Every user who visits the page will get the alert

Page 7

XSS Sample Cases

Page 8

XSS Cases

Sample video (embedded in the original slide)

Page 9

XSS types

» Non-persistent (reflected)

• The most common type of XSS injection

• Requires server-side interpretation of the query

• A third party is required (the victim must be lured to the crafted URL)

» Persistent (stored)

• The most dangerous type of XSS injection

• Requires server-side interpretation of the query and storage of the data

• A third party may not be required

» DOM-Based

• The newest type of XSS injection

• Requires client-side interpretation

• Usually non-persistent

Page 10

The Impact of XSS

» Redirection

» Clickjacking

» URL Spoofing

» Session Hijacking

» Cookie Stuffing

» Ad Hijacking

» History stealing

» Key & Mouse logging

Page 11

The Impact of XSS

» Redirection

» Redirects the victim, e.g. document.location = "http://xxxsite.com"

» Create fake traffic

» Popular

» Clickjacking

» Describes one website that poses as another

» Used in phishing, gives high credibility

» Extremely popular

Page 12

The Impact of XSS

» Session Hijacking

» Also known as 'Cookie Stealing'

» Usually uses document.cookie

» Lets the attacker gain control over another user's logged-in session

» Needs a cookie grabber

» Cookie Stuffing

» Also known as 'Cookie Dropping'

» Used in black hat online marketing

» Generates illegitimate affiliate sales by hijacking cookies

» Uses popups, frames and iframes, images, JS, CSS or Flash to accomplish cookie dropping

Page 13

The Impact of XSS

» Key & Mouse logging

» Logs all keystrokes or mouse moves and sends them to a remote host

» document.onkeypress / document.onmousemove event

Page 14

The Impact of XSS

» And many, many more dangerous things come from XSS issues...

Page 15

Preventing XSS attacks

Page 16

Preventing XSS attacks

» Filtering

» Never trust user input and always filter metacharacters

» This method is less effective on the input side because content can enter the DB via methods other than HTTP.

Filtering should be done as part of the data output process, just before it is rendered

» Encoding

» It is recommended because it does not require the developer to decide which characters may legitimately be entered and must be passed through

» May have a performance impact on some web servers

» Rely on org.exoplatform.commons.utils.HTMLEntityEncoder#encodeHTML(String) or

» org.exoplatform.commons.utils.HTMLEntityEncoder#encodeHTMLAttribute(String)
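The following is an added, runnable illustration of the two scenarios from the "How Does XSS Work?" slides and of the output-encoding advice on this slide; it is not code from eXo's HTMLEntityEncoder. The two encoder functions are assumed stand-ins for encodeHTML and encodeHTMLAttribute, and the inputs are the payloads shown on the slides.

```python
from urllib.parse import parse_qs, urlsplit
import html

# Constructed inputs copied from the two scenarios on the slides.
REFLECTED_URL = ("http://example.com?username=%3C%53%43%52%49%50%54%3E%61%6C%65%72%74"
                 "%28%22%58%53%53%22%29%3B%3C%2F%53%43%52%49%50%54%3E")
STORED_COMMENT = 'This is my comment <SCRIPT>alert("XSS");</SCRIPT>'

def encode_html(s: str) -> str:
    """Element-content encoding (assumed stand-in for encodeHTML): & < > " ' become entities."""
    return html.escape(s, quote=True)

def encode_html_attribute(s: str) -> str:
    """Attribute-value encoding (assumed stand-in for encodeHTMLAttribute): every
    character except letters and digits becomes &#xNN;, so the value cannot
    terminate or split an attribute even when the attribute is unquoted."""
    return "".join(c if c.isalnum() else f"&#x{ord(c):x};" for c in s)

def username_from_url(url: str) -> str:
    """What the server sees after percent-decoding the query string."""
    return parse_qs(urlsplit(url).query).get("username", [""])[0]

def render_unsafe(name: str) -> str:
    """Reflects the parameter straight into the page (the vulnerable pattern)."""
    return f"<p>Hello {name}</p>"

def render_safe(name: str) -> str:
    """Encodes at output time, just before rendering, as the slide recommends."""
    return f"<p>Hello {encode_html(name)}</p>"

def render_unquoted_attr(value: str, encoder) -> str:
    """Unquoted attribute: shows why element-content encoding is not enough here."""
    return f"<input value={encoder(value)}>"

def has_live_script(page: str) -> bool:
    """Crude check: does a real <script> start tag survive in the output?"""
    return "<script" in page.lower()

if __name__ == "__main__":
    name = username_from_url(REFLECTED_URL)        # the decoded scenario-1 payload
    print(render_unsafe(name), has_live_script(render_unsafe(name)))
    print(render_safe(name), has_live_script(render_safe(name)))
    print(render_safe(STORED_COMMENT))              # scenario 2, encoded at output
    # Element-content encoding leaves space and '=' alone, so an unquoted
    # attribute still gets split; attribute encoding does not.
    print(render_unquoted_attr("x title=injected", encode_html))
    print(render_unquoted_attr("x title=injected", encode_html_attribute))
```

The last two lines show the context point behind the two separate encoder methods: the same value needs different encoding depending on whether it lands in element content or in an attribute.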

Page 17

Preventing XSS attacks

» Secure cookies using the HttpOnly attribute

» Associate sessions with IP addresses

» Install an application firewall

» Educate users

Page 18

XSS in eXo Products

Examples of how to detect XSS vulnerabilities

Page 19

Use case of Reflected XSS

Package: WCM 2.2.0

Attack steps:

See the defect description at this link

https://jira.exoplatform.org/browse/ECMS-1773

Browsers: Internet Explorer 7, Firefox 3

Consequence: session hijacking & more

Page 20

Use case of Stored XSS

Package: Social 1.2.0

Attack steps:

See the defect description at this link

https://jira.exoplatform.org/browse/SOC-1532

Browsers: Internet Explorer 7, Firefox 3

Consequence: session hijacking & more

Page 21

Use case of DOM-based XSS

Package: ECMS 2.3.x

Attack steps:

See the defect description at this link

https://jira.exoplatform.org/browse/ECMS-2791

Browsers: Internet Explorer 7, Firefox 3

Consequence: session hijacking & more

Page 22

XSS exploit based on a logic vulnerability

Package: PLF 3.5.0

Attack steps:

See the defect descriptions at these links

https://jira.exoplatform.org/browse/ECMS-2723

https://jira.exoplatform.org/browse/ECMS-2736

Browsers: Internet Explorer 7, Firefox 3

Consequence: session hijacking & more

Question for listeners:

What is the best solution for this situation?

Page 23

References for the audience

1. Secure coding guidelines

http://www.oracle.com/technetwork/java/seccodeguide-139067.html#6-1

2. eXo Wiki security links

EXO-RedHat Collaboration Study

https://wiki-int.exoplatform.org/display/rhcollab/XSS

TQA Security Test

https://wiki-int.exoplatform.org/display/TQA/SECURITY

Deployment & Configuration rules (ITOP)

https://wiki-int.exoplatform.org/display/ITOP/eXo+Applications+and+security

Page 24

DISCUSSION