
Cross Site Scripting (XSS)



Presentation Transcript


  1. Cross Site Scripting (XSS) Module (to be combined) Education Project

  2. Cross-Site Scripting (XSS)
  • Occurs any time raw data from an attacker is sent to an innocent user
  • The raw data may be:
    • Stored in a database
    • Reflected from web input (form field, hidden field, URL, etc.)
    • Sent directly into a rich JavaScript client
  • Virtually every web application has this problem
  • Try this in your browser: javascript:alert(document.cookie)

  3. Allows an attacker to embed malicious code:
  • JavaScript (AJAX!), VBScript, ActiveX, HTML, or Flash
  • Threats: phishing, hijacking, changing of user settings, cookie theft/poisoning, false advertising, execution of code on the client, ...

  4. XSS Types
  • Reflected: link in another website / e-mail link
  • Stored: e.g. bulletin board, forum
  • DOM-based

  5. Cross-Site Scripting Illustrated (diagram of an application with a stored XSS vulnerability; the application layers shown are Finance, Transactions, Accounts, Administration, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions and Custom Code)
  • Step 1: Attacker sets the trap ("update my profile"): the attacker enters a malicious script into a web page that stores the data on the server
  • Step 2: Victim views the page and sees the attacker's profile; the script runs inside the victim's browser with full access to the DOM and cookies
  • Step 3: The script silently sends the victim's session cookie to the attacker

  6. Example

  7. Protection
  • Input validation
  • Output encoding:
    • < → &lt;
    • > → &gt;
    • ( → &#40;
    • ) → &#41;
    • # → &#35;
    • & → &#38;
  • Do not use "blacklist" validation
  • Specify the output encoding
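As an added example (not part of the slide deck), the following JavaScript applies the two controls from slide 7 to the profile scenario of slide 5: an allow-list check on input and an HTML output encoder built from the entity table above, shown next to the unencoded rendering so the difference is visible. All function and variable names are my own, and the sample input is constructed.

```javascript
// Added example, not from the slide deck: input validation plus HTML output
// encoding, contrasted with raw reflection of attacker-controlled data.

// Entity table from slide 7, extended with the two quote characters so that
// the encoder is also safe inside quoted HTML attribute values.
const HTML_ENTITY_MAP = {
  "&": "&#38;",
  "<": "&lt;",
  ">": "&gt;",
  "(": "&#40;",
  ")": "&#41;",
  "#": "&#35;",
  '"': "&#34;",
  "'": "&#39;",
};

// Encode every listed character in a single pass. Doing it in one pass
// matters: encoding "&" first and then "<" separately would turn the
// "&lt;" produced by the second step into "&#38;lt;".
function encodeForHtml(input) {
  return String(input).replace(/[&<>()#"']/g, (ch) => HTML_ENTITY_MAP[ch]);
}

// Allow-list ("whitelist") validation for a field that is supposed to hold a
// username: letters, digits, underscore, dot and dash, 1 to 32 characters.
// This is the opposite of the "blacklist" approach the slide warns against.
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,32}$/;
function isValidUsername(value) {
  return USERNAME_RE.test(String(value));
}

// Vulnerable pattern (slide 5, step 1): stored data is reflected as-is.
function renderProfileUnsafe(displayName) {
  return `<h1>Profile of ${displayName}</h1>`;
}

// Hardened pattern: the same page with output encoding applied.
function renderProfileSafe(displayName) {
  return `<h1>Profile of ${encodeForHtml(displayName)}</h1>`;
}

// "Specify the output encoding" (slide 7): declare the charset explicitly so
// the browser does not have to guess it.
const RESPONSE_HEADERS = { "Content-Type": "text/html; charset=utf-8" };

// Constructed sample input mirroring the deck's cookie-theft scenario.
const SAMPLE_INPUT = "<script>alert(document.cookie)</script>";

// Stand-alone demonstration.
console.log("validated:", isValidUsername(SAMPLE_INPUT), isValidUsername("alice_01"));
console.log("unsafe:   ", renderProfileUnsafe(SAMPLE_INPUT));
console.log("safe:     ", renderProfileSafe(SAMPLE_INPUT));
console.log("headers:  ", RESPONSE_HEADERS);
```

The entity table on the slide is for data placed in an HTML body or quoted attribute. Data inserted into a JavaScript string, a URL parameter or a CSS value needs the encoder for that context instead; reusing the HTML encoder there is a common source of remaining XSS.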

  8. Cross-Site Scripting (XSS): References
  • OWASP – Cross site scripting, http://www.owasp.org/index.php/Cross_Site_Scripting
  • OWASP – Testing for XSS, http://www.owasp.org/index.php/Testing_for_Cross_site_scripting
  • OWASP Stinger Project (a Java EE validation filter), http://www.owasp.org/index.php/Category:OWASP_Stinger_Project
  • OWASP PHP Filter Project, http://www.owasp.org/index.php/OWASP_PHP_Filters
  • OWASP Encoding Project, http://www.owasp.org/index.php/Category:OWASP_Encoding_Project
  • RSnake, XSS Cheat Sheet, http://ha.ckers.org/xss.html
  • Klein, A., DOM Based Cross Site Scripting, http://www.webappsec.org/projects/articles/071105.shtml
  • .NET Anti-XSS Library, http://www.microsoft.com/downloads/details.aspx?FamilyID=efb9c819-53ff-4f82-bfaf-e11625130c25&DisplayLang=en
