XSS - an application security vulnerability

Post on 14-Apr-2017

XSS (Cross-Site Scripting) - An application security vulnerability from Developers point of view

Soumyasanto Sen, #sitMUC

@soumyasanto

Definition

Wikipedia says "XSS enables attackers to inject client-side script into web pages viewed by other users".

OWASP (the free and open software security community) says "Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites."

"An XSS attack occurs when a script from an untrusted source is executed in rendering a page."

What is XSS?

A client-side vulnerability, but it can also be a server-side one. Based on injection through JavaScript, VBScript, Flash, HTML, JSON, ActiveX etc.

Caused by insufficient validation and sanitization of input.

Attacker's paradise:
• Stealing credentials and private information
• Executing commands (CSRF), running malicious scripts
• Redirection to a malicious site
• Port scanning, phishing, keylogging etc.

Why XSS?

• According to the latest WhiteHat Security report, 47% of web applications have an XSS vulnerability.
• According to Google Vulnerability Reward Program statistics, XSS is the most reported issue.
• According to the Open Sourced Vulnerability Database, XSS is at #1.
• The Trustwave Global Security Report says XSS is again the highest.

Example: Based on Testing

No Monkey Testing

Example: Based on Testing (Definitions)

Injection points: the places through which an attacker can enter or inject scripts
• Insert/Edit Text
• Insert/Edit Image
• Insert/Edit URL
• Set Attributes
• Insert/Upload File
• Insert/Upload Video

What is context? A context is the environment where user-supplied input, or input from other application(s), eventually ends up or starts living.

"Context Is King for All Areas of IT Security"

Example: Based on Testing (Contexts)

http://search.health.com/results.html?Ntt=xxxxxxxxxx

• Single Quotes Case
• Double Quotes Case

https://www.froala.com/wysiwyg-editor

Example: Based on Testing (Summary of Contexts)

Example: Based on Testing (Attack Methodology)

ATTACK METHODOLOGY
• Systematic in nature
• Easy to understand
• Context-specific
• The attack methodology is `complete`: one can guarantee that there is an XSS or no XSS in a particular injection point.
• With the help of the attack methodology, one can build a secure per-context XSS sanitizer.
• Can be applied to other server-side languages

SCRIPT CONTEXT ATTACK METHODOLOGY

Demo: http://jsfiddle.net/4eqK4/5/

STYLE CONTEXT ATTACK METHODOLOGY

URL CONTEXT ATTACK METHODOLOGY

Benign markup and its injected counterpart:

<a href="url">link text</a>
<a href=javascript:alert(1)>link text</a>

<img src="pic_mountain.jpg">
<img src=javascript:while(1){}>

Encoding will not help in breaking the script context unless developers are doing some sort of explicit decoding.
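The contexts above (HTML body, attribute, script, URL) each need a different output encoding, and the slide's point about the script context is that HTML entity encoding is simply not interpreted there. The following is an added example, not code from the talk: one constructed untrusted value is embedded in four contexts with the encoder that fits each. The function names, the `/search?Ntt=` template and the sample payload are this example's own assumptions.

```python
import html
import json
from urllib.parse import quote

# Constructed sample (not from the talk): one untrusted value that would
# break out of every context below if it were copied into the page verbatim.
UNTRUSTED = '"><script>alert(1)</script><a href=\'javascript:alert(1)\'>'


def encode_html_body(value: str) -> str:
    """Element content: &, <, >, " and ' become entities, so the browser
    only ever sees text here, never a new tag."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Quoted attribute value. The caller must wrap the result in double
    quotes: an unquoted attribute ends at the first space, and no amount
    of entity encoding fixes that."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """JavaScript string literal inside <script>. The browser does not
    decode HTML entities in a script block, so HTML encoding is the wrong
    tool here; the value needs JavaScript escaping. json.dumps produces a
    double-quoted literal with backslash and double quote escaped, and
    <, > and & are then hex-escaped so the literal can never contain a
    closing </script> tag."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def encode_url_param(value: str) -> str:
    """Query-string value: percent-encode everything except the unreserved
    characters, so quotes, angle brackets and colons cannot reach the HTML
    parser or form a scheme if the URL is later reflected into a page."""
    return quote(value, safe="")


def render(value: str) -> dict:
    """Embed the same untrusted value in the four contexts the slides
    distinguish, each with its own encoder, and return the markup."""
    return {
        "body": f"<div>{encode_html_body(value)}</div>",
        "attr": f'<input value="{encode_html_attr(value)}">',
        "script": f"<script>var q = {encode_js_string(value)};</script>",
        "url": f"/search?Ntt={encode_url_param(value)}",
    }


if __name__ == "__main__":
    for context, markup in render(UNTRUSTED).items():
        print(f"{context:7s} {markup}")
```

Running it shows the same payload surviving only as inert text in each context; in particular the script context contains exactly one `<script>` and one `</script>`, the wrapping pair, because the injected tags were turned into `\u003c`/`\u003e` escapes that the JavaScript parser sees as ordinary string characters.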

Example: Based on Testing (Customized XSS Solutions)

Two arrays of black-listed keywords (other names: filterXSS and noXSS)

Bypass: <img src=x id=confirm(1) onerror=eval(id)

The goal of this function is to stop JavaScript execution via style.

Bypass: width:expression&#x28;alert&#x28;1&#x29;&#x29;

Another popular customized XSS protection solution

Example: Based on Testing (Summary of Bypasses)

Example: Based on Testing (Real Solutions)

Protection against JavaScript execution via `url`, e.g. an img's src and/or an anchor's href attribute: implementation of `urlContextCleaner()`.
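The two customized solutions above fail because they black-list keywords (`alert`) or patterns in `style` and are defeated by an `onerror` handler with an indirect call and by entity-encoded parentheses. The example below, added here and not the speaker's code, takes the opposite approach the "Real Solutions" slide points at: an allow-list sanitizer that keeps only known tags and attributes, drops `style` and every `on*` handler by construction, and passes `href`/`src` through a URL-context cleaner that decodes entities and normalises whitespace before checking the scheme. `url_context_cleaner()`, the allow-list contents and the use of Python's `html.parser` are this example's own assumptions about how the `urlContextCleaner()` idea could be realised.

```python
import html
import re
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit

# Allow-list (assumed for this example): tag -> permitted attributes.
ALLOWED_TAGS = {
    "a": {"href", "title"}, "img": {"src", "alt"},
    "b": set(), "i": set(), "p": set(), "br": set(),
}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"img", "br"}
# Browsers drop tab/newline anywhere in a URL and leading/trailing control
# characters before parsing it, so the cleaner normalises the same way
# before it looks at the scheme.
_URL_NOISE = re.compile(r"[\t\n\r]")
_STRIP = "".join(chr(c) for c in range(0x21))


def url_context_cleaner(url: str) -> Optional[str]:
    """Return a URL that is safe to place in href/src, or None to drop the
    attribute. Entities are decoded first so that an encoded scheme such as
    &#x6a;avascript: is judged as javascript:."""
    candidate = _URL_NOISE.sub("", html.unescape(url)).strip(_STRIP)
    parts = urlsplit(candidate)
    if parts.scheme == "":
        # Relative URL: fine unless a colon still precedes the first slash,
        # which a browser might read as a scheme the parser here did not.
        return None if re.match(r"^[^/?#]*:", candidate) else candidate
    return candidate if parts.scheme.lower() in ALLOWED_SCHEMES else None


class AllowListSanitizer(HTMLParser):
    """Rebuilds a fragment from allowed tags and attributes only. Unknown
    tags are dropped (their text is kept as text); script and style blocks
    are dropped together with their content; attribute values and text are
    re-encoded for their context on output."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self._skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if tag not in ALLOWED_TAGS or self._skip_depth:
            return
        rendered = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # style, id, on* and friends never get this far
            if name in ("href", "src"):
                value = url_context_cleaner(value)
                if value is None:
                    continue
            rendered.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self._skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str) -> str:
    """Sanitize an untrusted HTML fragment for the HTML body context."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # The slide's two bypasses (closing '>' added) and the URL-context pairs.
    for sample in ('<img src=x id=confirm(1) onerror=eval(id)>',
                   '<p style="width:expression&#x28;alert&#x28;1&#x29;&#x29;">hi</p>',
                   '<a href=javascript:alert(1)>link text</a>',
                   '<img src=javascript:while(1){}>'):
        print(f"{sample!r:70s} -> {sanitize(sample)!r}")
```

The black-list filters on the slides had to anticipate every spelling of `alert` or `expression`; here neither `onerror` nor `style` is a permitted attribute, so the bypass strings are not matched but simply never copied to the output, and a `javascript:` scheme is rejected after decoding regardless of case, entities or embedded tabs.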

Example: Based on Testing (Solutions - Make it Simple)

WYSIWYG: What You See Is What You Get

Typical WYSIWYG input points:
• Forum Post
• Private Messaging
• Wiki Post
• Support Ticket
• Signature Creation
• Comments

Example: Based on Real (Bypassing)

ABAP Case Study: ABAP Case

Demo: Based on Games (Bypassing)

https://xss-game.appspot.com/
http://xssplaygroundforfunandlearn.netai.net/series1.html
https://html5sec.org/innerhtml/ (Mario Heiderich's Utility)

Tools & Testing

Preventions
• XSS (Cross Site Scripting) Prevention Cheat Sheet from OWASP (HTML5 Security Cheat Sheet)
• Validation of XSS input: use white-listing, escaping and sanitization methods (use sanitizers)
• "Do not trust anything ever, especially when it comes to user input"
• Understanding common browser behaviors that lead to XSS
• Learning the best practices for your technology

Latest News

• Salesforce plugs silly website XSS hole, hopes nobody spotted it (Mid August)
• Critical PayPal XSS vulnerability left accounts open to attack (Late August)
• eBay Fixes XSS Flaw in Subdomain (Early September)
• Netflix Sleepy Puppy Awakens XSS Vulnerabilities in Secondary Applications (Early September)
• Attackers exploit vulnerabilities in two WordPress plugins (Early May)
• 0-day XSS vulnerability on SAP website put customers' data at risk of theft by hackers (Early May)
• SAP HANA Databases Vulnerable to XSS and SQL Injections (Late June)

Overall: Almost ALL websites have serious security vulnerabilities, study shows

Challenges

• Lack of enough penetration testing (92% of the respondents perform penetration testing: 21% perform it annually, 26% perform it quarterly and 8% never perform penetration testing.)
• Taking responsibility from the developers
• Unawareness of the XSS vulnerability
• Not taking it seriously

Conclusion

XSS is unavoidable, at least nowadays! Now it's your job to raise the bar for the attacker.

"XSS is Everywhere" (Short and Simple)

Use prevention, go for solutions in the form of layers, keep updated and do regular penetration testing.

Learning

Dr. Ashar Javed: http://slides.com/mscasharjaved/

Thank You
Soumyasanto Sen
@soumyasanto