Cross-Site Scripting Vulnerabilities
Adam Doupé
11/24/2014
Ethics
• Only hack into sites you own
– Or you have permission
• Popular sites may have a bug bounty program
– github
• You will get caught
Doupé - 11/24/14
Many Vulnerabilities
• Cross-Site Scripting (XSS)
• SQL Injection
• Cross-Site Request Forgery (XSRF)
• HTTP Parameter Pollution (HPP)
• Command Injection
• Parameter Manipulation
• File Exposure
• Directory Traversal
• Forced Browsing
• Logic Flaws
• Execution After Redirect (EAR)
HTTP Client Request
GET / HTTP/1.1
User-Agent: curl/7.37.1
Host: www.facebook.com
Accept: */*
HTTP Server Response
HTTP/1.1 200 OK
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Set-Cookie: datr=cohyVEAwQmq5jJh2cWZ9pZc9; expires=Wed, 23-Nov-2016 01:22:58 GMT; Max-Age=63072000; path=/; domain=.facebook.com; httponly
Set-Cookie: reg_ext_ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
<!DOCTYPE html>
<html lang="en" id="facebook" class="no_js">
<head>
<script>
...
</script>
<title id="pageTitle">Welcome to Facebook - Log In, Sign Up or Learn More</title>
JavaScript
• Makes the page dynamic
• Full control over page
– Layout
– Asynchronous requests
– Event handlers
• Code from the website running in your browser
Same Origin Policy
• Browser JavaScript Security Policy
• (protocol, host, port)
https://www.facebook.com/ → (https, www.facebook.com, 443)
http://www.cnn.com/ → (http, www.cnn.com, 80)
Same Origin Policy
• Cookies (document.cookie)
• DOM
• localStorage
• XMLHttpRequests
• img
Cross-Site Scripting (XSS)
• Malicious JavaScript running in the context of your web application
http://example.com/test.php?name=adam
<html>
<body>
<p>Hello <?= $name ?></p>
</body>
</html>
http://example.com/test.php?name=adam
<html>
<body>
<p>Hello adam</p>
</body>
</html>
http://example.com/test.php?name=<script>alert('xss')</script>
<html>
<body>
<p>Hello <?= $name ?></p>
</body>
</html>
http://example.com/test.php?name=<script>alert('xss')</script>
<html>
<body>
<p>Hello <script>alert('xss')</script></p>
</body>
</html>
Exploits – Phishing
• Malicious JavaScript can completely control the DOM
• Change current page to a login page where the login sends credentials to the attacker
Exploits – Session Theft
• HTTP is session-less
– No HTTP-native way to tie requests to the same user
• Web applications typically use cookies to create a session
– Session describes who the user is, if they've passed authentication
• JavaScript has access to cookies…
Exploits – Unauthorized Actions
• JavaScript can make requests to the web application
– Browser sends cookies
– Appears as if the user made the request (clicked the link or filled out the form)
• Malicious JavaScript can make requests to the web application on your behalf
Exploits – Worms
• Stored XSS vulnerability + Unauthorized Actions
– Self-propagating worm
• Social networks particularly susceptible
– "samy is my hero" (2005)
– Tweetdeck (2014)
XSS – Prevention
• Sanitize all user inputs using a known sanitization routine
• Which characters must be encoded depends on where the output lands in the HTML page
– < and > are necessary to escape in HTML body context
– Inside a JavaScript string, only the quote delimiter (') is needed to break out
The same $name reflected into three different output contexts:
<html>
<script> var test = "<?= $name ?>"; </script>
<div <?= $name ?>>
http://example.com/?adam=$name
Inputs that break out of each context:
– JavaScript string: ";alert('xss');//
– Tag attribute position: onload="javascript:alert(xss);"
– URL parameter: %27 (URL-encoded ')
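Prevention depends on the output context. The following is an added example, not code from the slides: the vulnerable test.php from earlier rendered beside a hardened version that encodes $name separately for the HTML body, a quoted attribute value, and a JavaScript string. The encode_for_* helper names are my own; the encoders underneath are PHP's htmlspecialchars and json_encode.

```php
<?php
// Added example: context-aware output encoding for the test.php page from the slides.
// The encode_for_* helpers are assumed names, not PHP built-ins.

// HTML body (text) context: < > & and both quote characters are encoded.
function encode_for_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Attribute value context: user data only ever goes inside a quoted value,
// never in the attribute-name position (<div <?= $name ?>> on the slide).
// Encoding the quotes means a value like  x" onload="alert(1)  stays one value.
function encode_for_attr(string $s): string {
    return '"' . htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
}

// JavaScript string context: json_encode emits a complete quoted JS literal; the
// JSON_HEX_* flags also encode < > & ' " so neither the string delimiter nor a
// </script> inside the value can terminate the surrounding code.
function encode_for_js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Vulnerable page from the slides: $name reflected with no encoding.
function render_vulnerable(string $name): string {
    return "<html><body><p>Hello $name</p></body></html>";
}

// Hardened page: the same $name reflected into three contexts, each encoded for it.
function render_safe(string $name): string {
    return "<html>\n"
         . "<script>var test = " . encode_for_js($name) . ";</script>\n"
         . "<body>\n"
         . "<div data-name=" . encode_for_attr($name) . ">Hello " . encode_for_html($name) . "</div>\n"
         . "</body>\n</html>";
}

// Constructed sample inputs, one per context discussed on the slides.
$inputs = [
    'adam',
    '<script>alert(\'xss\')</script>',   // HTML body context
    'x" onload="alert(1)',               // attribute value context
    '";alert(\'xss\');//',               // JavaScript string context
];
foreach ($inputs as $name) {
    echo "--- input: $name\n";
    echo render_vulnerable($name), "\n";
    echo render_safe($name), "\n";
}
```

Run it with `php test.php` and compare the two renderings for each input: the vulnerable output contains the raw tag, attribute or quote, while the hardened output keeps every input inside the text node, attribute value or string literal it was meant for.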
Tools
• Browser Developer Tools
• Wireshark
• Burp Proxy
• SQLMap
• OWASP Broken Web Apps Project
• Google Gruyere