XSS-final

by Paul Gilzow, 16 June 2010


Transcript of XSS-final

#mnetXSS
CROSS-SITE SCRIPTING (XSS) VULNERABILITIES
Presented by Paul Gilzow, Web Communications, University of Missouri
WHAT IS XSS?
An injection attack, usually in the form of HTML code or client-side scripts.
Exploits the trust a user has for a site.
Usually an indication of a much larger problem.

<img src="javascript:commands" />
<script src="attacker.site.js" />
HOW PREVALENT IS XSS?

2006 Statistics (January 1 - December 31)
http://webappsec.org/projects/statistics/
The overall statistics include analysis results of 32,717 sites and 69,476 vulnerabilities.

2007 Statistics (January 1 - December 31)
http://webappsec.org/projects/statistics/

Q1-Q2 2009
233% increase in the number of malicious Web sites in the last six months; 671% increase in the last year.
77% of Web sites with malicious code are legitimate sites that have been compromised.
61% of the top 100 sites either hosted malicious content or contained a masked redirect.
95% of user-generated comments to blogs, chat rooms and message boards are spam or malicious.
Very special thanks to Michael Fienen (@fienen) for telling me about prezi.com and to Josh Nichols (@MrBlank) for the presentation design
WHY IS YOUR SITE SO ATTRACTIVE TO ATTACKERS?
WHICH LINK WOULD YOU TRUST?
http://go.unl.edu/u2z
or
http://is.gd/1RiNU

A report from North Carolina State University showed that most internet users are unable to tell the difference between genuine and fake pop-up messages.

Despite being told some of the messages were fake, people hit the OK button

of the time.
THREE TYPES OF XSS
Non-Persistent/Reflective: most common; relies on social engineering.
Persistent/Stored: web forums, social media sites, etc.
Local: less likely, but still dangerous.
EXAMPLE OF REFLECTIVE
Applicants have to register at OAPA, and save sensitive data with their account.

OAPA is susceptible to a reflective XSS injection.

Sean sends Jane a spoofed email that contains a URL to OAPA (social engineering).

Embedded in the URL is the payload script.

If Jane visits the URL while already logged into OAPA, the script is able to run within the context of OAPA (bypassing the Same Origin Policy) and can send her data (session ID, etc.) back to Sean.
EXAMPLE OF PERSISTENT
OAPA has a web forum that is susceptible to XSS injection.

Sean posts a thread to the forum that contains an injection.

Jane views this thread and the injection is able to run within the context of the page (bypassing the Same Origin Policy) and can send back her information to Sean.

Everyone who views the thread is affected - no need for social engineering.
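The reflective and persistent cases above come down to the same defect: text the user controls is placed into the page without output encoding. What follows is an added example in JavaScript (Node.js), not code from the presentation; the search and forum renderers standing in for OAPA, the page templates and the sample data are assumptions made for illustration. It also shows the input validation and output encoding layers from the protection slide, including the URL-attribute case behind the talk's `<img src="javascript:...">` snippet, where entity encoding alone is not enough.

```javascript
// Added example, not code from the presentation: output encoding and URL
// validation as the defence against the reflective and persistent XSS
// cases. Page templates and all sample data below are assumptions.

// Characters that change meaning inside HTML text and quoted attributes.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: run on every untrusted value at the moment it is placed
// into HTML text or a quoted attribute. A payload such as
// <script src="attacker.site.js"></script> becomes visible text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Attributes interpreted as URLs (href, src) also need a scheme allowlist:
// javascript: and data: URLs execute even when entity-encoded and quoted.
// Control characters are removed first because browsers ignore them when
// parsing the scheme, so "java\tscript:" would otherwise slip past.
function safeUrl(value) {
  const cleaned = String(value).replace(/[\u0000-\u001f\u007f]/g, '').trim();
  const allowed = /^(https?:\/\/|\/(?!\/))/i; // absolute http(s) or a rooted path, not //host
  return allowed.test(cleaned) ? escapeHtml(cleaned) : '#';
}

// Input validation is a separate layer: accept only what a field should
// ever contain. It shrinks the attack surface but does not replace encoding.
function isValidAuthor(name) {
  return /^[A-Za-z0-9_]{3,20}$/.test(String(name));
}

// Reflective case: the search term from the URL is echoed into the page.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;             // payload is executed
}
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`; // payload is displayed as text
}

// Persistent case: posts saved earlier are shown to every visitor, so the
// encoding is applied when stored data is rendered, not only on submission.
function renderForumSafe(posts) {
  return posts.map((p) =>
    `<div class="post"><b>${escapeHtml(p.author)}</b> ` +
    `<a href="${safeUrl(p.homepage)}">homepage</a>` +
    `<p>${escapeHtml(p.body)}</p></div>`).join('\n');
}

// Constructed sample data standing in for a crafted link and a forum post.
const SAMPLE_PAYLOAD = '<script src="attacker.site.js"></script>';
const SAMPLE_POSTS = [
  { author: 'sean', homepage: 'javascript:alert(1)', body: SAMPLE_PAYLOAD },
  { author: 'jane', homepage: 'https://example.edu/~jane', body: 'Hello <b>everyone</b>' },
];

// Self-check: the hardened renderers must never emit the raw payload.
function demo() {
  const out = {
    vulnerable: renderSearchVulnerable(SAMPLE_PAYLOAD),
    safe: renderSearchSafe(SAMPLE_PAYLOAD),
    forum: renderForumSafe(SAMPLE_POSTS),
  };
  out.vulnerableHasScript = out.vulnerable.includes('<script');
  out.safeHasScript = out.safe.includes('<script') || out.forum.includes('<script');
  return out;
}

console.log(demo());
```

Encoding at render time rather than at submission time matters for the persistent case: posts that were stored before the fix are covered too, and the same stored value can be encoded differently for each context it lands in (HTML text, attribute, URL).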
EXAMPLE OF LOCAL-BASED
Jane visits a compromised site

Malicious JavaScript on the page launches an HTML file on Jane’s computer that also contains malicious JavaScript

That JavaScript can now run with the same privileges that Jane’s user account has on that computer
EXAMPLES OF XSS
Reflective demo
Persistent demo
SO WHAT CAN WE DO TO PROTECT OUR SITES???
PUT ON YOUR TIN FOIL HATS
Be paranoid, be very paranoid

Trust no one

Layers, layers, layers
HOW DO WE PROTECT OUR APPS?
Input filtering
Input validation
Output encoding
Intrusion Detection System (IDS): PHPIDS (http://php-ids.org/)
Tidy the output: HTML Purifier (http://htmlpurifier.org/), AntiSamy (http://www.owasp.org/index.php/AntiSamy/)
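The IDS layer in the list above (the role PHPIDS fills for PHP applications) does not stop an injection by itself; it flags requests that look like attempts so they can be reviewed, while output encoding is what prevents execution. The following is an added example, not code from the presentation or from PHPIDS: a small pattern-based detector in JavaScript run over constructed Common Log Format lines. The signature list, the log lines, and the hosts and paths in them are assumptions made for illustration.

```javascript
// Added example, not from the presentation or PHPIDS: a minimal
// pattern-based detector of the kind an IDS layer runs over request data,
// applied here to constructed web-server log lines.

// Undo the encodings commonly used to hide a payload in a query string
// before matching: '+' as space and percent-encoding, applied twice so a
// double-encoded value (%253C -> %3C -> <) is seen in its final form.
// A malformed sequence ends decoding and the text so far is matched.
function normalise(text) {
  let out = String(text).replace(/\+/g, ' ');
  for (let i = 0; i < 2; i++) {
    try { out = decodeURIComponent(out); } catch (e) { break; }
  }
  return out;
}

// Signatures are deliberately coarse and the handler list deliberately
// short: the aim is an alert for review, not a complete filter.
const SIGNATURES = [
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'event-handler', re: /\bon(load|error|click|mouseover|focus|blur)\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
  { name: 'css-expression', re: /expression\s*\(/i },
];

// Common Log Format request line: client, timestamp, request target, status.
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP\/[\d.]+" (\d{3})/;

// Returns null for lines that are not request lines, otherwise the parsed
// fields plus the names of every signature that matched the decoded target.
function scanLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  const [, client, when, target, status] = m;
  const decoded = normalise(target);
  const hits = SIGNATURES.filter((s) => s.re.test(decoded)).map((s) => s.name);
  return { client, when, target, status, hits };
}

// Keep only the lines that triggered at least one signature.
function scanLog(lines) {
  return lines.map(scanLogLine).filter((r) => r && r.hits.length > 0);
}

// Constructed sample log lines; addresses, paths and times are made up.
const SAMPLE_LOG = [
  '10.0.0.5 - - [16/Jun/2010:10:00:01 -0500] "GET /search?q=admissions HTTP/1.1" 200 5123',
  '10.0.0.9 - - [16/Jun/2010:10:00:07 -0500] "GET /search?q=%3Cscript%20src%3D%22attacker.site.js%22%3E HTTP/1.1" 200 5300',
  '10.0.0.9 - - [16/Jun/2010:10:00:09 -0500] "GET /profile?site=%256Aavascript%253Aalert(1) HTTP/1.1" 200 800',
  '10.0.0.7 - - [16/Jun/2010:10:00:12 -0500] "GET /forum/thread?id=42&only=1 HTTP/1.1" 200 9100',
];

for (const alert of scanLog(SAMPLE_LOG)) {
  console.log(`${alert.when} ${alert.client} ${alert.hits.join(',')} ${alert.target}`);
}
```

Two of the four sample lines are flagged: the percent-encoded script tag and the double-encoded javascript: URL, which only the second decoding pass exposes. The fourth line shows why the event-handler signature names specific handlers rather than matching any `on...=`: an innocent parameter like `only=1` would otherwise be reported, and a detector that cries wolf is switched off.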
QUESTIONS/DISCUSSION
CSRF
PEOPLE TRUST YOUR SITE
2008: 63% - percentage of websites with an URGENT, CRITICAL or HIGH severity vulnerability
http://www.websense.com/site/docs/whitepapers/en/WSL_Q1_Q2_2009_FNL.PDF
http://news.ncsu.edu/releases/new-study-highlights-risk-of-fake-popup-warnings-for-internet-users/
@gilzow - twitter
gilzow@missouri.edu
SOFTWARE TOOLS

N-Stalker Security Scanner
www.nstalker.com/products/free/download-free-edition/

Acunetix Cross Site Scripting Scanner
www.acunetix.com/cross-site-scripting/scanner.htm

Tamper IE
http://www.bayden.com/TamperIE/

Fiddler2
http://www.fiddler2.com/fiddler2/

Microsoft Anti-Cross Site Scripting Library V1.5
http://www.microsoft.com/downloads/details.aspx?FamilyId=EFB9C819-53FF-4F82-BFAF-E11625130C25&displaylang=en

OWASP PHP Anti-XSS Library
http://www.owasp.org/index.php/Category:OWASP_PHP_AntiXSS_Library_Project

Hackerfox Addons
http://www.owasp.org/index.php/Ultimate_Hackerfox_Addons

PRACTICE
http://hackme.ntobjectives.com/
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

http://www.whitehatsec.com/home/assets/WPstats0808.pdf
THE DANGERS OF XSS
Platform independent
Can spread much faster than traditional viruses/malware
Whatever your devious little mind can imagine ...
Identity Theft
Spam
Phishing
Defacement
XSS is usually just the first step in a larger attack