Post on 02-Jan-2016
Finding and Exploiting XSS Vulnerabilities
Srikar Nadipally

Outline
- Standard proof of concept
- Reflected XSS
- Stored XSS
- DOM-based XSS
- Prevention of XSS attacks (reflected, stored, DOM-based)
Standard proof of concept
Use the standard proof-of-concept string:

    <script>alert(document.cookie)</script>

Submit the above request to each page and monitor the response. Identify any case where the attack string appears unmodified in the response.

Detecting reflected XSS
A systematic approach to finding reflected XSS:
1. Find all the entry points for user input.
2. Submit a benign alphabetical string at each entry point.
3. Identify all the locations where the string is reflected in the application's response.
4. For each reflection, identify the syntactic context in which the string appears.
5. Submit modified data tailored to the reflection's syntactic context, attempting to introduce arbitrary script into the response.
6. If the reflected data is blocked, try to understand and circumvent the application's defensive filter.
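The following is an added example, not part of the original slides: it automates step 4 of the methodology above by reporting the syntactic context (attribute value, HTML text, JavaScript code or JavaScript string) of every reflection of the benign canary string in a response body. The response body is constructed for illustration.

```javascript
// Added example (not from the original slides): classify where a benign
// canary string lands in an HTTP response, so the tester knows which
// encoding or validation the application should have applied there.
// The response body below is constructed for illustration.
const SAMPLE_RESPONSE = [
  '<html><body>',
  '<input type="text" name="q" value="myxsstest">',
  '<p>You searched for: myxsstest</p>',
  '<script>var a = \'myxsstest\'; var b = 123;</script>',
  '</body></html>',
].join('\n');

// Returns one entry per reflection: its byte offset and a context label.
function findReflections(body, canary) {
  const results = [];
  let idx = body.indexOf(canary);
  while (idx !== -1) {
    const before = body.slice(0, idx);
    results.push({ offset: idx, context: classifyContext(before) });
    idx = body.indexOf(canary, idx + canary.length);
  }
  return results;
}

// Decide the context from the markup that precedes the reflection.
function classifyContext(before) {
  // Inside a <script> block when more script tags were opened than closed.
  const opens = (before.match(/<script\b/gi) || []).length;
  const closes = (before.match(/<\/script>/gi) || []).length;
  if (opens > closes) {
    // An odd number of quotes since the last <script> means a JS string.
    const scriptPart = before.slice(before.toLowerCase().lastIndexOf('<script'));
    const quotes = (scriptPart.match(/['"]/g) || []).length;
    return quotes % 2 === 1 ? 'js-string' : 'js-code';
  }
  // A '<' opened after the last '>' means we are still inside a tag.
  if (before.lastIndexOf('<') > before.lastIndexOf('>')) {
    return 'attribute-value';
  }
  return 'html-text';
}
```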
Example 1: Tag attribute value
The returned page copies the string into a tag attribute value.
Ways to craft the XSS exploit:

    "><script>alert(1)</script>
    " onfocus=alert(1)
Example 2: JavaScript string
If the returned page code is:

    var a = 'myxsstest'; var b = 123;

Ways to craft the XSS exploit:

    '; alert(1); var foo='
Techniques to test for stored XSS

Testing for XSS in web mail applications
- Send all kinds of unusual HTML content within emails to test for bypasses in input filters.
- Restricting yourself to a standard email client will not give you enough control over the raw message content, and the client may itself sanitize or clean up malformed syntax.
- Using the UNIX sendmail command, a raw email can be created in a text editor and sent:

    sendmail -t email@example.com < email.txt

Example raw email file:

    MIME-Version: 1.0
    From: firstname.lastname@example.org
    Content-Type: text/html; charset=us-ascii
    Content-Transfer-Encoding: 7bit
    Subject: XSS test
Techniques to detect stored XSS

Testing for XSS in uploaded files
- A source of stored XSS vulnerabilities arises where an application allows users to upload files that can be downloaded and viewed by other users.
- Hybrid file attacks use hybrid files that are valid in two different formats. Example: GIFAR (GIF + JAR).
- The uploaded-file attack using GIFAR files can be prevented in current versions of the Java browser plug-in by validating whether JAR files being loaded actually contain hybrid content.
Preventing XSS attacks
Because of their different root causes, different defense mechanisms need to be applied to reflected and stored XSS on the one hand and to DOM-based XSS on the other.

Reflected and stored XSS
Identify every instance within the application where user-controllable data is copied into responses. This includes data copied from the immediate request and also any stored data that originated from any user at any prior time, including via out-of-band channels.
After identification, follow a threefold approach to prevent any actual vulnerabilities from arising:
- Validate input
- Validate output (encode the output)
- Eliminate dangerous insertion points

Validate input: the application should perform context-dependent validation of data whenever it receives user-supplied data that may be copied into one of its responses at any future point. Potential checks: the data is not too long, contains only a permitted character set, and matches a particular regular expression. Different validation rules should be applied to names, email addresses, account numbers, etc.
Validate output
Data should be HTML-encoded to sanitize potentially malicious characters. HTML encoding involves replacing literal characters with their corresponding HTML entities. HTML encodings of the primary problematic characters are as follows:

    "   &quot;
    '   &apos;
    &   &amp;
    <   &lt;
    >   &gt;

Eliminate dangerous insertion points
Inserting user-controllable data directly into existing script code should be avoided wherever possible. This applies to code within script tags and also to code within event handlers.

Allowing limited HTML
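As an added example (not code from the original slides), the encoder below applies exactly the five entities listed above and shows a search-result template with and without output encoding at its two insertion points; the template and sample input are constructed for illustration.

```javascript
// Added example (not from the original slides): HTML-encode user-controllable
// data before copying it into a response, using the five entities from the
// table above, and render the data into attribute and text contexts.
const HTML_ENTITIES = {
  '"': '&quot;',
  "'": '&apos;',
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
};

// Replace every problematic character with its entity. Encoding '&' as well
// stops an attacker from smuggling in pre-encoded entities.
function htmlEncode(value) {
  return String(value).replace(/["'&<>]/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable version: copies the search term straight into the page, so a
// quote or angle bracket in the term breaks out of the attribute or text.
function renderSearchUnsafe(term) {
  return `<input name="q" value="${term}"><p>You searched for: ${term}</p>`;
}

// Hardened version: every insertion point goes through htmlEncode, so the
// browser treats the whole term as data in both contexts.
function renderSearchSafe(term) {
  const safe = htmlEncode(term);
  return `<input name="q" value="${safe}"><p>You searched for: ${safe}</p>`;
}

// Constructed sample input containing each problematic character.
const SAMPLE_TERM = 'Tom & "Jerry" <b>\'s</b>';
```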
Preventing DOM-based XSS
The application should avoid using client-side scripts to process DOM data and insert it into the page. DOM-based XSS flaws can be prevented through two types of defense:
- Validate input
- Validate output

Validate input: the attack can be prevented by validating that the data about to be inserted into the document contains only alphanumeric characters and white space.
    // Take the message parameter from the URL and write it into the page
    // only if it consists solely of [A-Za-z0-9+] and white space.
    var a = document.URL;
    a = a.substring(a.indexOf("message=") + 8, a.length);
    a = unescape(a);
    var regex = /^([A-Za-z0-9+\s])*$/;
    if (regex.test(a)) document.write(a);
This request results in the following being added to the messages page: daf foo

CSRF
The attacker creates an innocuous-looking website that causes the user's browser to submit a request directly to the vulnerable application, performing some unintended action that is beneficial to the attacker. CSRF attacks are one-way only.

Consider an application in which administrators can create new user accounts using requests like the following:

    POST /auth/390/NewUserStep2.ashx HTTP/1.1
    Host: mdsec.net
    Cookie: SessionId=8299BE6B260193DA076383A2385B07B9
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 83

    realname=daf&username=daf&userrole=admin&password=letmein1&confirmpassword=letmein1

This request has three key features that make it vulnerable to CSRF attacks:
1. The request performs a privileged action. In the example shown, the request creates a new user with administrative privileges.
2. The application relies solely on HTTP cookies for tracking sessions. No session-related tokens are transmitted elsewhere within the request.
3. The attacker can determine all the parameters required to perform the action. Aside from the session token in the cookie, no unpredictable values need to be included in the request.

The attacker can construct a web page that makes a cross-domain request to the vulnerable application containing