
A2: Cross Site Scripting



Presentation Transcript


  1. Introduction to the OWASP Top 10 A2: Cross Site Scripting

  2. Cross Site Scripting (XSS)
  • Comes in several flavors:
    • Stored
    • Reflective
    • DOM-Based

  3. Stored XSS
  • Malicious code is posted to a site (blog, guestbook, etc.) which will be displayed back to other site visitors
  • Code is executed by the browser whenever someone views the page with the stored XSS code

  4. Reflective XSS
  • Malicious code is embedded into a URL
  • Following the URL sends the code to the server, which displays (reflects) the code back to the browser
  • The browser trusts the code because it comes from a “trusted” source
  • Normally this requires a web form using the GET method, but there is a workaround

  5. DOM-Based XSS
  • Modification of a Document Object Model object within the client’s browser
  • Server may never handle the malicious code
  • Malicious code is embedded in a DOM parameter modification
  • Ex: http://www.some.site/page.html#language=<script>alert(document.cookie)</script>
  • Payload is executed by the client when document.location.href.indexOf("language=") is processed

  6. XSS Risks
  • Display an alert box – pretty benign
  • Redirect the user to another server
  • Pass session and other cookies to another server
  • Hijack the user’s session

  7. XSS Defenses
  • Never use untrusted data within <script> tags, <!-- comments -->, <div attribute_name=val />, or <tag_name href="/url" />
  • Escape all untrusted content to be used in an HTML context
  • “Whitelist” input validation
    • Only allow input from a predefined set
  • Your framework may do some or all of this for you
  • Libraries are available as well
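The following is an added example, not code from the slides or from OWASP, that applies the defenses on slide 7 to the `#language=` fragment pattern from slide 5 (the same escaping step is what a server would apply before reflecting a parameter as in slide 4). Every function name (`escapeHtml`, `getFragmentParam`, `selectLanguage`, `renderLanguageBanner`) and the language whitelist are the example's own assumptions; the URLs are constructed, the second one being the payload quoted on slide 5.

```javascript
// Added example (not from the original slides): defending the DOM-based
// "#language=" pattern from slide 5 with two controls from slide 7,
// whitelist validation and HTML-context escaping. All names here are
// the example's own assumptions, not a library or project API.

// Languages the page can actually display (constructed whitelist).
const ALLOWED_LANGUAGES = new Set(["en", "de", "fr", "es"]);

// Escape untrusted text for use inside an HTML element body.
// These are the characters the OWASP prevention cheat sheet (slide 8)
// lists for the HTML body context.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Pull one "name=value" pair out of a URL fragment such as "#language=en".
// This is the lookup slide 5 describes with indexOf("language="), done with
// URLSearchParams so "&" separators and percent-encoding are handled.
// The returned value is still untrusted.
function getFragmentParam(href, name) {
  const hashIndex = href.indexOf("#");
  if (hashIndex === -1) return null;
  const params = new URLSearchParams(href.slice(hashIndex + 1));
  return params.get(name); // null when the parameter is absent
}

// Whitelist validation: accept only values from the predefined set,
// otherwise fall back to a safe default.
function selectLanguage(raw) {
  return raw !== null && ALLOWED_LANGUAGES.has(raw) ? raw : "en";
}

// Build the HTML for a language banner. The chosen language is whitelisted,
// and the raw value is escaped before it is echoed back, so neither path lets
// markup from the URL reach the page as code.
function renderLanguageBanner(href) {
  const raw = getFragmentParam(href, "language");
  const lang = selectLanguage(raw);
  let html = `<p>Language: ${lang}</p>`;
  if (raw !== null && raw !== lang) {
    html += `<p>Unknown language "${escapeHtml(raw)}", using ${lang}.</p>`;
  }
  return html;
}

// Usage with constructed URLs; the second is the payload from slide 5.
if (typeof require !== "undefined" && require.main === module) {
  console.log(renderLanguageBanner("http://www.some.site/page.html#language=de"));
  console.log(renderLanguageBanner(
    "http://www.some.site/page.html#language=<script>alert(document.cookie)</script>"
  ));
}
```

In a browser, the string `renderLanguageBanner` returns can be assigned to `innerHTML` only because every untrusted piece in it has been escaped; the other safe route is to skip HTML construction entirely and assign the raw value with `textContent`, which the browser never parses as markup. Note that `escapeHtml` is correct for the HTML body context only; slide 7's list of places never to put untrusted data (script blocks, comments, attribute names, tag names) has no escaping rule at all.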

  8. References
  • OWASP XSS Wiki Page
    • http://www.owasp.org/index.php/Top_10_2010-A2
  • DOM XSS
    • http://www.webappsec.org/projects/articles/071105.shtml
  • Anatomy of a XSS Attack
    • http://www.infosecwriters.com/hhworld/hh8/csstut.htm
  • XSS Prevention
    • http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
