
Very special thanks to Michael Fienen (@fienen) for telling me about prezi.com and to Josh Nichols (@MrBlank) for the presentation design

63%

Be paranoid, be very paranoid

Trust no one

Layers, layers, layers

OAPA has a web forum that is susceptible to XSS injection.

Sean posts a thread to the forum that contains an injection.

Jane views this thread and the injection is able to run within the context of the page (bypassing the Same Origin Policy) and can send back her information to Sean.

Everyone who views the thread is affected - no social engineering is needed.

EXAMPLE OF PERSISTENT

EXAMPLES OF XSS

Reflective demo

Persistent demo

Applicants have to register at OAPA, and save sensitive data with their account.

OAPA is susceptible to a reflective XSS injection.

Sean sends Jane a spoofed email that contains a URL to OAPA (social engineering).

Embedded in the URL is the payload script.

If Jane visits the URL while already logged into OAPA, the script is able to run within the context of OAPA (bypassing the Same Origin Policy) and can send her data (session ID, etc.) back to Sean.

EXAMPLE OF REFLECTIVE

Jane visits a compromised site

Malicious JavaScript on the page launches an HTML file on Jane’s computer that also contains malicious JavaScript

That JavaScript can now run with the same privileges that Jane’s user account has on that computer

EXAMPLE OF LOCAL-BASED

THREE TYPES OF XSS

Non-Persistent/Reflective - most common; relies on social engineering

Persistent/Stored - web forums, social media sites, etc.

Local - less likely, but still dangerous

#mnetXSS

SO WHAT CAN WE DO TO PROTECT OUR SITES???

http://news.ncsu.edu/releases/new-study-highlights-risk-of-fake-popup-warnings-for-internet-users/

PUT ON YOUR TIN FOIL HATS

A report from North Carolina State University showed that most internet users are unable to tell the difference between genuine and fake pop-up messages.

Despite being told some of the messages were fake, people hit the OK button 63% of the time.

http://go.unl.edu/u2z

or

http://is.gd/1RiNU

WHICH LINK WOULD YOU TRUST?

HOW DO WE PROTECT OUR APPS?

Input filtering

Input validation

Output encoding

Intrusion Detection System (IDS)

Tidy the output

PHPIDS (http://php-ids.org/)

HTML Purifier (http://htmlpurifier.org/)

AntiSamy (http://www.owasp.org/index.php/AntiSamy/)
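As an added illustration of the "input validation" and "output encoding" points above (this is example code written for this page, not code from the presentation or from any of the libraries listed), the Node.js snippet below renders a forum post the way the persistent XSS scenario on the earlier slides describes, once unsafely by raw string concatenation and once with every user-supplied value encoded for the context it lands in. The post shape, the field names and the sample values are all constructed for the example.

```javascript
// Added example, not part of the original presentation.
// Assumed post shape: { author, homepage, body }, all three supplied by the user.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Output encoding for HTML text and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation for a URL that will be placed in href/src. Encoding alone
// cannot make a "javascript:" URL safe in that position, so the scheme is
// checked with the WHATWG URL parser and anything other than http(s) is rejected.
function safeHttpUrl(value) {
  try {
    const u = new URL(String(value));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch {
    return null; // not parseable as an absolute URL
  }
}

// Vulnerable rendering: user data is concatenated straight into the markup,
// so a stored payload runs for every viewer of the thread.
function renderPostUnsafe(post) {
  return `<div class="post"><a href="${post.homepage}">${post.author}</a><p>${post.body}</p></div>`;
}

// Hardened rendering: validated URL, and every untrusted value HTML-encoded.
function renderPostSafe(post) {
  const href = safeHttpUrl(post.homepage);
  const authorHtml = escapeHtml(post.author);
  const link = href ? `<a href="${escapeHtml(href)}">${authorHtml}</a>` : authorHtml;
  return `<div class="post">${link}<p>${escapeHtml(post.body)}</p></div>`;
}

// Detection helper for a test suite: does the rendered HTML contain a live
// element of the given name (tag name followed by whitespace or '>')?
function containsTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>]`, 'i').test(html);
}

// Constructed sample post using the same payload shapes the slides show.
const samplePost = {
  author: 'Sean',
  homepage: 'javascript:commands',
  body: '<script src="attacker.site.js"></script> hello',
};

console.log('unsafe:', renderPostUnsafe(samplePost));
console.log('safe:  ', renderPostSafe(samplePost));
```

The important design point is that the two defences are not interchangeable: `escapeHtml` neutralises markup in text and attribute values, but a `javascript:` link is a perfectly valid attribute value after encoding, so URL fields need validation of the scheme before they are emitted at all.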

PEOPLE TRUST YOUR SITE

WHY IS YOUR SITE SO ATTRACTIVE TO ATTACKERS?

CROSS-SITE SCRIPTING (XSS) VULNERABILITIES

Presented by

Paul Gilzow

Web Communications

University of Missouri

@gilzow - twitter

gilzow@missouri.edu

WHAT IS XSS?

An injection attack, usually in the form of HTML code or client-side scripts, for example:

<img src="javascript:commands" />

<script src="attacker.site.js"></script>

Exploits the trust a user has for a site

Usually an indication of a much larger problem

SOFTWARE TOOLS

N-Stalker Security Scanner

www.nstalker.com/products/free/download-free-edition/

Acunetix Cross Site Scripting Scanner

www.acunetix.com/cross-site-scripting/scanner.htm

Tamper IE

http://www.bayden.com/TamperIE/

Fiddler2

http://www.fiddler2.com/fiddler2/

Microsoft Anti-Cross Site Scripting Library V1.5

http://www.microsoft.com/downloads/details.aspx?FamilyId=EFB9C819-53FF-4F82-BFAF-E11625130C25&displaylang=en

OWASP PHP Anti-XSS Library

http://www.owasp.org/index.php/Category:OWASP_PHP_AntiXSS_Library_Project

Hackerfox Addons

http://www.owasp.org/index.php/Ultimate_Hackerfox_Addons

PRACTICE

http://hackme.ntobjectives.com/

http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

HOW PREVALENT IS XSS?

2006

2006 Statistics (January 1 – December 31)

http://webappsec.org/projects/statistics/

Whatever your devious little mind can imagine ...

Phishing

CSRF

Spam

Platform independent

Can spread much faster than traditional viruses/malware

Defacement

Identity Theft

QUESTIONS/DISCUSSION

XSS is usually just the first step in a larger attack

THE DANGERS OF XSS

2007

Q1-Q2 2009

2007 Statistics (January 1 - December 31)

http://webappsec.org/projects/statistics/

The overall statistics include analysis results of 32,717 sites and 69,476 vulnerabilities.

233% increase in the number of malicious Web sites in the last six months; 671% increase in the last year.

77% of Web sites with malicious code are legitimate sites that have been compromised

61% of the top 100 sites either hosted malicious content or contained a masked redirect

95% of user-generated comments to blogs, chat rooms and message boards are spam or malicious

2008

Percentage of websites with an URGENT, CRITICAL or HIGH severity vulnerability

http://www.whitehatsec.com/home/assets/WPstats0808.pdf

http://www.websense.com/site/docs/whitepapers/en/WSL_Q1_Q2_2009_FNL.PDF
