Cross-Site Scripting (XSS)
Module (to be combined)
Education Project
Cross-Site Scripting (XSS)
• Occurs any time raw data from an attacker is sent to an innocent user
• The raw data may be:
  • Stored in a database
  • Reflected from web input (form field, hidden field, URL, etc.)
  • Sent directly into a rich JavaScript client
• Virtually every web application has this problem
• Try this in your browser: javascript:alert(document.cookie)
Allows an attacker to embed malicious code:
• JavaScript (AJAX!), VBScript, ActiveX, HTML, or Flash
• Threats: phishing, hijacking, changing of user settings, cookie theft/poisoning, false advertising, execution of code on the client, ...
XSS Types
• Reflected: link in another website / e-mail link
• Stored: e.g. bulletin board, forum
• DOM-based
Cross-Site Scripting Illustrated
[Diagram: an application with a stored XSS vulnerability, drawn as Custom Code on top of business functions (Finance, Transactions, Accounts, Administration, Communication, Knowledge Mgmt, E-Commerce)]
1. Attacker sets the trap ("update my profile"): the attacker enters a malicious script into a web page that stores the data on the server
2. Victim views the page and sees the attacker's profile; the script runs inside the victim's browser with full access to the DOM and cookies
3. The script silently sends the victim's session cookie to the attacker
Protection
• Input validation
• Output encoding:
  • < → &lt;
  • > → &gt;
  • ( → &#40;
  • ) → &#41;
  • # → &#35;
  • & → &amp;
• Do not use "blacklist" validation
• Specify the output encoding
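As an added example (not part of the slides), the following JavaScript applies the output-encoding table above to the stored-XSS "update my profile" scenario from the diagram: the same profile text is rendered once unencoded and once encoded, and a check shows only the unencoded version still carries an active script tag. The function and sample names are the example's own; the quote characters are added beyond the slide's table because they matter when data lands inside an HTML attribute.

```javascript
// Output-encoding map from the Protection slide, plus the two quote
// characters (assumption: data may also be placed inside an attribute value).
const HTML_ENCODE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '(': '&#40;',
  ')': '&#41;',
  '#': '&#35;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode untrusted data for an HTML body context. A single replace pass
// means '&' in the input is encoded exactly once (no double encoding).
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>()#"']/g, (ch) => HTML_ENCODE_MAP[ch]);
}

// Vulnerable rendering from the diagram: the stored profile text is written
// into the page as-is, so a stored script runs in every viewer's browser.
function renderProfileUnsafe(profileText) {
  return `<div class="profile">${profileText}</div>`;
}

// Hardened rendering: the stored text is encoded at output time, so the
// browser shows the characters instead of executing them.
function renderProfileSafe(profileText) {
  return `<div class="profile">${encodeForHtml(profileText)}</div>`;
}

// Constructed sample input, of the kind the diagram calls "a malicious script"
// (the same alert(document.cookie) the slides use as a browser test).
const SAMPLE_PROFILE = '<script>alert(document.cookie)</script>';

// Detection helper: does rendered HTML still contain an active <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe executes script:', containsScriptTag(renderProfileUnsafe(SAMPLE_PROFILE)));
console.log('safe executes script:  ', containsScriptTag(renderProfileSafe(SAMPLE_PROFILE)));
```

Pairing the encoding with an explicit output encoding (the slide's last bullet), for example `<meta charset="utf-8">` in the page head, stops a browser from guessing a charset in which the encoded bytes could be reinterpreted.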
Cross-Site Scripting (XSS): References
• OWASP, Cross site scripting, http://www.owasp.org/index.php/Cross_Site_Scripting
• OWASP, Testing for XSS, http://www.owasp.org/index.php/Testing_for_Cross_site_scripting
• OWASP Stinger Project (a Java EE validation filter), http://www.owasp.org/index.php/Category:OWASP_Stinger_Project
• OWASP PHP Filter Project, http://www.owasp.org/index.php/OWASP_PHP_Filters
• OWASP Encoding Project, http://www.owasp.org/index.php/Category:OWASP_Encoding_Project
• RSnake, XSS Cheat Sheet, http://ha.ckers.org/xss.html
• Klein, A., DOM Based Cross Site Scripting, http://www.webappsec.org/projects/articles/071105.shtml
• .NET Anti-XSS Library, http://www.microsoft.com/downloads/details.aspx?FamilyID=efb9c819-53ff-4f82-bfaf-e11625130c25&DisplayLang=en