
CROSS-SITE SCRIPTING AND XSS


adolfo

Presentation Transcript


  1. CROSS-SITE SCRIPTING AND XSS

  2. OVERVIEW • INTRODUCTION • XSS VULNERABILITIES • OTHER VULNERABILITIES • AVOIDING XSS VULNERABILITIES • CONCLUSION • REFERENCES

  3. CROSS-SITE SCRIPTING (XSS) • Cross-site scripting or XSS is defined as a computer security vulnerability found in web applications. • XSS allows for code injection by malicious web users into Internet pages viewed by other users. • In an XSS attack, the attacker gains the ability to see private user IDs, passwords, credit card information and other personal identification.

  4. XSS VULNERABILITIES • Cross-Site Scripting stems from the notion that a malicious web site has the ability to load another web site into another frame or window. • This is accomplished by JavaScript which is used to read or write data on the other web site. • There are three types of XSS vulnerabilities: • Non-Persistent • Persistent • DOM-Based

  5. NON-PERSISTENT • These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. • When unvalidated user-supplied data has been included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page. • An example could be when an attacker convinces a user to follow a malicious URL that injects code into the results page, thus giving the attacker full access to that page's content.

  6. PERSISTENT • The Persistent or Type 2 XSS vulnerability allows the most powerful kinds of attacks. • This form of vulnerability exists when data provided to a web application by a user is first stored on the server (database, filesystem, other location). • Eventually, this will be displayed to users in a web page without being encoded using HTML entities.

  7. DOM-BASED • A piece of JavaScript accesses a URL request parameter and uses this information to write some HTML to its own page. • If this information is not encoded using HTML entities, an XSS hole will likely be present. • This written data will be re-interpreted by browsers as HTML and could include additional client-side script.

  8. OTHER VULNERABILITIES • Cross-zone scripting • HTTP header injection • HTTP response splitting • Cross-site request forgery (CSRF/XSRF)

  9. AVOIDING XSS VULNERABILITIES • Eliminating scripts • Cookie security • Input validation • Escaping and filtering

  10. ELIMINATING SCRIPTS • In order to reduce the risk of the malicious script being identified, hackers encode it with a different encoding method, such as HEX. • Some web applications are written to function without the need for client-side scripts. • In this way, potentially malicious client-side scripts could be inserted unescaped on a page, and users would not be susceptible to XSS attacks.

  11. COOKIE SECURITY • Many web applications rely on session cookies for authentication between individual HTTP requests. • Because client-side scripts have access to cookies, XSS exploits are able to steal these cookies and hinder business functions. • Web applications tie session cookies to the IP address of the user who originally logged in; only that IP address is permitted to use the particular cookie.
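
The IP-binding check from slide 11, as an added example that is not part of the original presentation. The class name `SessionStore`, the cookie name `sid`, and the `HttpOnly`/`Secure`/`SameSite` attributes are assumptions made for illustration; the addresses are constructed documentation-range values.

```javascript
// Web Crypto is a global in browsers and current Node; older Node exposes it via node:crypto.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// 256-bit random session identifier, hex encoded.
function newToken() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(32));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

class SessionStore {
  constructor() {
    this.sessions = new Map(); // token -> { user, ip }
  }

  // After a successful login: record the IP address that logged in.
  create(user, clientIp) {
    const token = newToken();
    this.sessions.set(token, { user, ip: clientIp });
    // HttpOnly (an addition, not on the slide) keeps the cookie out of reach of
    // client-side scripts; Secure limits it to HTTPS. "sid" is an assumed name.
    return { token, setCookie: `sid=${token}; Path=/; HttpOnly; Secure; SameSite=Lax` };
  }

  // On every request: honour the cookie only from the IP address that logged in.
  // Limits: users behind one NAT or proxy share an address, and mobile clients
  // change address, so this check narrows cookie theft rather than ending it.
  validate(token, clientIp) {
    const session = this.sessions.get(token);
    if (!session) return { ok: false, reason: 'unknown-session' };
    if (session.ip !== clientIp) return { ok: false, reason: 'ip-mismatch' };
    return { ok: true, user: session.user };
  }
}

// Constructed walk-through: same token presented from the login IP and from another IP.
function demo() {
  const store = new SessionStore();
  const { token } = store.create('alice', '203.0.113.10');
  return [store.validate(token, '203.0.113.10'), store.validate(token, '198.51.100.7')];
}
```

Logging the `ip-mismatch` results gives the operations team a signal that a session cookie is being replayed from somewhere other than where it was issued.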

  12. INPUT VALIDATION • Input Validation is a common theme in application development. • It helps defend against other injection attacks such as SQL injection. • It is effective for most types of input, yet when an application by design must be able to accept special HTML characters, HTML entity encoding is the desired choice.

  13. ESCAPING AND FILTERING • One way to eliminate XSS vulnerabilities is to encode locally or at the server all user-supplied HTML special characters. • Transform these characters into character entities, in order to prevent them from being interpreted as HTML. • Due to the flexibility and complexity of HTML, other standards, and the continuous addition of new features, it is impossible to determine if all possible injections are terminated.
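
The encoding step from slide 13, applied to the URL-parameter case described on slides 5 and 7, as an added example that is not part of the original presentation. It goes one step beyond the slides by adding a scheme allowlist for links, since entity encoding alone does not cover every output context; the function names and the `app.example` host are assumptions.

```javascript
// HTML special characters and their entity forms (element body and quoted attributes).
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Entity encoding does not neutralise a script-bearing URL scheme, so links get
// a separate allowlist check. Relative URLs resolve against a placeholder base.
function safeHref(value) {
  try {
    const url = new URL(String(value), 'https://app.example/');
    return ['http:', 'https:'].includes(url.protocol) ? url.href : '#';
  } catch {
    return '#';
  }
}

// Vulnerable: the "q" request parameter is concatenated into markup unencoded.
function renderResultsUnsafe(pageUrl) {
  const q = new URL(pageUrl).searchParams.get('q') ?? '';
  return `<p>Results for ${q}</p>`;
}

// Hardened: the same page with the parameter entity-encoded before output.
function renderResultsSafe(pageUrl) {
  const q = new URL(pageUrl).searchParams.get('q') ?? '';
  return `<p>Results for ${escapeHtml(q)}</p>`;
}

// Hardened link: scheme allowlist first, then attribute encoding.
function renderLink(href, label) {
  return `<a href="${escapeHtml(safeHref(href))}">${escapeHtml(label)}</a>`;
}

// Constructed sample URL carrying markup in the query string.
const SAMPLE = 'https://app.example/search?q=' +
  encodeURIComponent('<script>alert(1)</script>');
```

In a browser, assigning the value through `textContent` instead of building an HTML string avoids the encoding step for element bodies altogether.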

  14. AVOIDING XSS VULNERABILITIES • Do not follow links from sites that navigate to security-sensitive pages referencing personal or business information. • Always practice obtaining a list of attacks that have occurred on particular sites or message boards.

  15. AVOIDING XSS VULNERABILITIES • Users can disable scripting when not required in order to reduce the risk of an XSS-style attack. • Do not trust links given on other sites such as e-mail or message boards. • Always access any site with sensitive information through its address and not third party sites.

  16. CONCLUSION • Always practice using testing tools during the design phase to eliminate XSS holes in the application. • Remedies such as input validation and HTML escaping are essential, yet they must be applied at all application points accepting data. • There is a misconception sometimes applied to XSS holes in general which leads to a disagreement in the security community as to the importance of cross-site scripting vulnerabilities.

  17. CONCLUSION • In order to alleviate this nuisance, one must recognize the areas sensitive to an XSS-style intrusion. • When developing web pages, webmasters should convert all non-alphanumeric characters to HTML character entities prior to displaying user input in search engines and forums. • Problems range from identity theft to major financial and security issues for consumers and businesses.

  18. REFERENCES • http://www.acunetix.com • http://en.wikipedia.org/wiki/Cross-site_scripting • http://www.google.com • http://www.ibm.com
