Transcript of XSS-final
CROSS-SITE SCRIPTING (XSS)
University of Missouri
WHAT IS XSS?
An injection attack, usually in the form of
Exploits the trust a user has for a site
Usually an indication of a much larger problem
<script src="attacker.site.js"></script>
HOW PREVALENT IS XSS?
2006 Statistics (January 1 – December 31)
The overall statistics include analysis results of 32,717 sites and 69,476 vulnerabilities
2007 Statistics (January 1 - December 31)
233% increase in the number of malicious Web sites in the last six months; 671% increase in the last year.
77% of Web sites with malicious code are legitimate sites that have been compromised
61% of the top 100 sites either hosted malicious content or contained a masked redirect
95% of user-generated comments to blogs, chat rooms and message boards are spam or malicious
Very special thanks to Michael Fienen (@fienen) for telling me about prezi.com and to Josh Nichols (@MrBlank) for the presentation design
WHY IS YOUR SITE SO ATTRACTIVE TO ATTACKERS?
WHICH LINK WOULD YOU TRUST?
A report from North Carolina State University showed that most internet users are unable to tell the difference between genuine and fake pop-up messages.
Despite being told some of the messages were fake, people hit the OK button
of the time.
THREE TYPES OF XSS
Relies on Social Engineering
Web Forums, Social Media Sites, etc.
Less likely, but still dangerous
EXAMPLE OF REFLECTIVE
Applicants have to register at OAPA, and save sensitive data with their account.
OAPA is susceptible to a reflective XSS injection.
Sean sends Jane a spoofed email that contains a URL to OAPA (social engineering).
Embedded in the URL is the payload script.
If Jane visits the URL while already logged into OAPA, the script is able to run within the context of OAPA (bypassing the Same Origin Policy) and can send her data (session ID, etc.) back to Sean.
EXAMPLE OF PERSISTENT
OAPA has a web forum that is susceptible to XSS injection.
Sean posts a thread to the forum that contains an injection.
Jane views this thread and the injection is able to run within the context of the page (bypassing the Same Origin Policy) and can send back her information to Sean.
Everyone who views the thread is affected - no need for social engineering.
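Both scenarios above, worked as an added example (this is not code from the presentation or from OAPA): a toy Python renderer for the reflective search page and for the persistent forum thread, each in a vulnerable and a fixed form. OAPA, Sean and Jane are the presentation's names; the page shapes, function names and the harmless probe payload standing in for the exfiltration script are constructed for this illustration. The fix is the same in both cases: encode untrusted data for the context it is emitted into, at output time.

```python
import html
from urllib.parse import quote

# Constructed stand-in for the payload the slides describe: a harmless probe
# in place of a script that would ship Jane's session data back to Sean.
PAYLOAD = "<script>alert(1)</script>"


def contains_active_script(markup: str) -> bool:
    """True if the markup still carries a live <script> tag or inline handler."""
    lowered = markup.lower()
    return "<script" in lowered or "onerror=" in lowered


def esc(value: str) -> str:
    """HTML entity encoding for body and quoted-attribute contexts."""
    return html.escape(value, quote=True)


# --- Reflective case: the search term arrives in the URL and is echoed back ---

def render_search_vulnerable(query: str) -> str:
    """Echoes the query string into the page unchanged (reflected XSS)."""
    return f"<h1>Results for {query}</h1>"


def render_search_safe(query: str) -> str:
    """Same page, but the untrusted value is entity-encoded before insertion."""
    return f"<h1>Results for {esc(query)}</h1>"


# --- Persistent case: the payload is stored once and served to every viewer ---

FORUM: list = []  # toy in-memory forum standing in for OAPA's web forum


def post_thread(author: str, body: str) -> None:
    """Store the raw input; encoding is applied at output time, per context."""
    FORUM.append({"author": author, "body": body})


def render_forum_vulnerable() -> str:
    return "\n".join(f"<p><b>{t['author']}</b>: {t['body']}</p>" for t in FORUM)


def render_forum_safe() -> str:
    return "\n".join(
        f"<p><b>{esc(t['author'])}</b>: {esc(t['body'])}</p>" for t in FORUM
    )


def profile_link_safe(username: str) -> str:
    """One value, two contexts: percent-encoding inside the href query string,
    entity encoding for the visible link text. Each context gets its own encoder."""
    in_url = quote(username, safe="")
    in_body = esc(username)
    return f'<a href="/profile?u={in_url}">{in_body}</a>'


if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))   # probe survives: it will execute
    print(render_search_safe(PAYLOAD))         # probe is rendered as text
    post_thread("Sean", PAYLOAD)
    print(render_forum_vulnerable())
    print(render_forum_safe())
```

Note that the forum stores Sean's post verbatim in both versions; what changes is the rendering. Encoding on input would have to guess every context the value will later be shown in, whereas encoding on output knows the context exactly.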
EXAMPLE OF LOCAL-BASED
Jane visits a compromised site
EXAMPLES OF XSS
SO WHAT CAN WE DO TO PROTECT OUR SITES???
PUT ON YOUR TIN FOIL HATS
Be paranoid, be very paranoid
Trust no one
Layers, layers, layers
HOW DO WE PROTECT OUR APPS?
Intrusion Detection System (IDS)
Tidy the output
HTML Purifier (http://htmlpurifier.org/)
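The IDS layer mentioned above, as an added example that is not part of the presentation: a small Python scanner that walks web-server access log lines, URL-decodes each request path (repeatedly, so double-encoded probes are not missed) and flags the script-injection indicators it finds. The log lines, IP addresses and paths are constructed sample data; the indicator list is deliberately short and a production ruleset would be broader.

```python
import re
from urllib.parse import unquote_plus

# Constructed access log lines in common log format (sample data, not from the slides).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 -0600] "GET /search?q=scholarship+deadline HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:40 -0600] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540
203.0.113.9 - - [10/Oct/2023:13:55:41 -0600] "GET /profile?name=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 601
203.0.113.7 - - [10/Oct/2023:13:56:02 -0600] "GET /forum/thread/42 HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of script injection in a decoded request URL. The event-handler
# pattern names specific handlers on purpose: a bare "on[a-z]+=" would also
# match ordinary parameters such as "one=1".
XSS_INDICATORS = [
    ("script_tag", re.compile(r"<\s*script", re.I)),
    ("event_handler", re.compile(r"\bon(?:error|load|click|mouseover|focus|blur)\s*=", re.I)),
    ("js_uri", re.compile(r"javascript\s*:", re.I)),
]


def decode_url(path: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing, bounded to avoid looping forever."""
    prev, cur = None, path
    for _ in range(max_rounds):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur


def scan_log(text: str) -> list:
    """Return one finding per log line that carries at least one indicator."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        decoded = decode_url(match["path"])
        hits = [name for name, rx in XSS_INDICATORS if rx.search(decoded)]
        if hits:
            findings.append({
                "ip": match["ip"],
                "timestamp": match["ts"],
                "path": match["path"],
                "indicators": hits,
            })
    return findings


def findings_by_ip(findings: list) -> dict:
    """Group findings by source address to spot a client probing many parameters."""
    grouped: dict = {}
    for f in findings:
        grouped.setdefault(f["ip"], []).append(f)
    return grouped


if __name__ == "__main__":
    for ip, hits in findings_by_ip(scan_log(SAMPLE_LOG)).items():
        print(ip, [h["indicators"] for h in hits])
```

A scanner like this is an early-warning layer, not a fix: a probe that is flagged here is also one the application should already have rendered harmless by encoding its output. It belongs alongside the output tidying, not in place of it.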
PEOPLE TRUST YOUR SITE
[Chart] Percentage of websites with an URGENT, CRITICAL or HIGH severity vulnerability
@gilzow - twitter
N-Stalker Security Scanner
Acunetix Cross Site Scripting Scanner
Microsoft Anti-Cross Site Scripting Library V1.5
OWASP PHP Anti-XSS Library
THE DANGERS OF XSS
Can spread much faster than traditional viruses/malware
Whatever your devious little mind can imagine ...
XSS is usually just the first step in a larger attack