cross site scripting (xss) david wharton intrusion detection & prevention regions financial corp
TRANSCRIPT
Cross Site Scripting (XSS)
David Wharton
Intrusion Detection & Prevention
Regions Financial Corp.

Overview
Introduction
What is XSS?
Is XSS Important?
Exploiting XSS
Preventing XSS
BeEF Demo
Conclusion
Questions

Introduction

What is XSS?
XSS is a vulnerability that allows an attacker to run arbitrary JavaScript in the context of the vulnerable website.
XSS bypasses same-origin policy protection
  "The policy permits scripts running on pages originating from the same site to access each other's methods and properties with no specific restrictions, but prevents access to most methods and properties across pages on different sites."
  "The term 'origin' is defined using the domain name, application layer protocol, and (in most browsers) TCP port"
  http://en.wikipedia.org/wiki/Same_origin_policy
Requires some sort of social engineering to exploit.

Types of XSS
Reflected XSS
Stored XSS (a.k.a. "Persistent XSS")
DOM Based XSS

Reflected XSS

Reflected XSS Example
Exploit URL:
http://www.nikebiz.com/search/?q=<script>alert('XSS')</script>&x=0&y=0
HTML returned to victim:
<div id="pageTitleTxt"> <h2><span class="highlight">Search Results</span><br /> Search: "<script>alert('XSS')</script>"</h2>

Reflected XSS Example

Stored XSS
JavaScript supplied by the attacker is stored by the website (e.g. in a database)
Doesn't require the victim to supply the JavaScript somehow, just visit the exploited web page
More dangerous than Reflected XSS
Has resulted in many XSS worms on high profile sites like MySpace and Twitter (discussed later)

DOM Based XSS
Occurs in the content processing stages performed by the client
<select><script>
document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>");
</script></select>
http://www.some.site/page.html?default=ASP.NET
/page.html?default=<script>alert(document.cookie)</script>
Source: http://en.wikipedia.org/wiki/Cross-site_scripting
Source: http://www.owasp.org/index.php/DOM_Based_XSS
Is XSS Dangerous?
Yes
OWASP Top 2
Defeats Same Origin Policy
Just think, any JavaScript you want will be run in the victim's browser in the context of the vulnerable web page
Hmmm, what can you do with JavaScript?

What can you do with JavaScript?
Pop-up alerts and prompts
Access/Modify DOM
Access cookies/session tokens
"Circumvent" same-origin policy
Virtually deface web page
Detect installed programs
Detect browser history
Capture keystrokes (and other trojan functionality)
Port scan the local network

What can you do with JavaScript? (cont)
Induce user actions
Redirect to a different web site
Determine if they are logged on to a particular site
Capture clipboard content
Detect if the browser is being run in a virtual machine
Rewrite the status bar
Exploit browser vulnerabilities
Launch executable files (in some cases)

Example: Form Injection

Example: Virtual Defacement

Example: Pop-Up Alert

Example: Cookie Stealing

Example: XSS Worms
Samy Worm
Affected MySpace
Leveraged Stored XSS vulnerability so that for every visitor to Samy's MySpace page, the following would silently happen:
  The visitor would be added as Samy's friend
  The visitor would get an update to their page that infected it with the same JavaScript and left a message saying, "but most of all, Samy is my hero".
Worm spread exponentially
Over 1 million friend requests in less than 20 hours

Cause of Injection Vulnerabilities: Improper Handling of User-Supplied Data
>= 80% of web security issues caused by this!
NEVER Trust User/Client Input!
Client-side checks/controls have to be invoked on the server too.
Improper Input Validation
Improper Output Validation
More details in next section

Preventing Injection Vulnerabilities In Your Apps
Validate Input
  Letters in a number field?
  10 digits for 4 digit year field?
  Often only need alphanumeric
  Careful with < > " ' and =
  Whitelist (e.g. /[a-zA-Z0-9]{0,20}/)
  Reject, don't try and sanitize
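The "whitelist, then reject" step above, applied to the default parameter from the DOM Based XSS slide, as an added JavaScript example (not code from the slides). It also shows that the slide's pattern, written without ^ and $ anchors, accepts any input; the queryParam helper, the fallback value and admitting '.' for values like ASP.NET are assumptions made for this example.

```javascript
// The pattern as written on the slide. It is unanchored and allows zero
// characters, so it matches an empty substring of ANY input and rejects nothing.
const UNANCHORED = /[a-zA-Z0-9]{0,20}/;

// Anchored with ^ and $ and requiring at least one character, it only
// accepts an input that is alphanumeric from end to end.
const ANCHORED = /^[a-zA-Z0-9]{1,20}$/;

// Pattern for the "default" parameter: the slide's sample value is ASP.NET,
// so '.' is admitted alongside letters and digits (assumption for this example).
const DEFAULT_PATTERN = /^[a-zA-Z0-9.]{1,20}$/;

// Read a query parameter with the URL parser instead of indexOf/substring
// on the raw href. The page URL is passed in so this runs outside a browser
// (in the page it would be document.location.href).
function queryParam(href, name) {
  return new URL(href).searchParams.get(name);
}

// Whitelist check: true only when the whole value matches the pattern.
function isAllowed(value, pattern) {
  return value !== null && pattern.test(value);
}

// Reject, don't sanitize: return the validated value or a fixed fallback
// that is safe to write into the <OPTION> element.
function selectedDefault(href) {
  const value = queryParam(href, 'default');
  return isAllowed(value, DEFAULT_PATTERN) ? value : 'unknown';
}

// Constructed sample URLs; the hostile one carries the slide's own payload.
const BENIGN_URL = 'http://www.some.site/page.html?default=ASP.NET';
const HOSTILE_URL =
  'http://www.some.site/page.html?default=<script>alert(document.cookie)</script>';

console.log(selectedDefault(BENIGN_URL));   // ASP.NET
console.log(selectedDefault(HOSTILE_URL));  // unknown
```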
Preventing XSS In Your Applications
Validate Output
Encode HTML Output
  If data came from user input, a database, or a file
  Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));
  Not 100% effective but prevents most vulnerabilities
Encode URL Output
  If returning URL strings
  Response.Write(HttpUtility.UrlEncode(urlString));
How To: Prevent Cross-Site Scripting in ASP.NET
http://msdn.microsoft.com/en-us/library/ms998274.aspx

XSS Prevention Cheat Sheet:
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

RULE #0 - Never Insert Untrusted Data Except in Allowed Locations (see rules 1-5)
<script>...NEVER PUT UNTRUSTED DATA HERE...</script>   directly in a script
<!--...NEVER PUT UNTRUSTED DATA HERE...-->   inside an HTML comment
<div ...NEVER PUT UNTRUSTED DATA HERE...=test />   in an attribute name
<...NEVER PUT UNTRUSTED DATA HERE... href="/test" />   in a tag name

RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
<body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</body>
<div>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</div>
any other normal HTML elements

RULE #1 (continued)
Escape these characters:
  & --> &amp;
  < --> &lt;
  > --> &gt;
  " --> &quot;
  ' --> &#x27;   (&apos; is not recommended)
  / --> &#x2F;
forward slash is included as it helps end an HTML entity
Remember HttpUtility.HtmlEncode()

RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
<div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>content</div>   inside UNquoted attribute
<div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div>   inside single quoted attribute
<div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">content</div>   inside double quoted attribute
Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the &#xHH; format or named entity if available. Examples: &#x22; &#x27;

RULE #3 - JavaScript Escape Before Inserting Untrusted Data into HTML JavaScript Data Values
The only safe place to put untrusted data into these event handlers is as a quoted "data value."
<script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script>   inside a quoted string
<script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script>   one side of a quoted expression
<div onmouseover="x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'"></div>   inside quoted event handler
Except for alphanumeric characters, escape all characters less than 256 with the \xHH format. Example: \x22 not \"

RULE #3 (continued)
But be careful!
<script> window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED HERE...'); </script>

RULE #4 - CSS Escape Before Inserting Untrusted Data into HTML Style Property Values
<style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style>   property value
<span style=property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...;>text</span>   property value
Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the \HH escaping format. Example: \22 not \"

RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
<a href="http://www.somesite.com?test=...URL ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a>
Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the %HH escaping format. Example: %22
Remember HttpUtility.UrlEncode()
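Rules 1 to 5 as one small set of context-specific encoders, written for this page in JavaScript (added example, not the slides' or OWASP's code); the sample strings are constructed. The CSS encoder pads the \HH form to six digits and the JavaScript encoder adds a \u{...} case for code points above 255; both go beyond what the slides state.

```javascript
// Rule #1: HTML element content. Only these six characters need entities.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                        '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
function htmlEscape(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}

// Shared helper: lowercase hex, at least two digits, for a code point.
const hh = (cp) => cp.toString(16).padStart(2, '0');

// Rule #2: HTML attribute value. Every non-alphanumeric character -> &#xHH;
// (code points above 255 simply get more hex digits).
function attrEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => `&#x${hh(c.codePointAt(0))};`);
}

// Rule #3: quoted JavaScript string value. \xHH below 256, \u{...} above
// (the slides state only the \xHH case). The rule #3 caveat still holds:
// a value handed as a string to setInterval(), setTimeout() or eval() is
// code, and no escaping makes that safe.
function jsEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    return cp < 256 ? `\\x${hh(cp)}` : `\\u{${cp.toString(16)}}`;
  });
}

// Rule #4: CSS property value. The slides' \HH form, padded here to six hex
// digits so that a hex digit following in the data is not absorbed into it.
function cssEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => `\\${c.codePointAt(0).toString(16).padStart(6, '0')}`);
}

// Rule #5: URL parameter value. %HH over the UTF-8 bytes of the value; unlike
// encodeURIComponent() this also escapes ! ' ( ) * and ~.
const isAlnumByte = (b) =>
  (b >= 0x30 && b <= 0x39) || (b >= 0x41 && b <= 0x5a) || (b >= 0x61 && b <= 0x7a);
function urlEscape(s) {
  return Array.from(new TextEncoder().encode(String(s)),
    (b) => (isAlnumByte(b) ? String.fromCharCode(b) : `%${hh(b).toUpperCase()}`)).join('');
}

// Constructed samples: the slides' reflected-XSS payload and a value that
// would close a double-quoted attribute unless attribute-escaped.
const PAYLOAD = "<script>alert('XSS')</script>";
const ATTR_BREAK = '" onmouseover="alert(1)';
```

Picking the encoder by where the value lands is the whole point: htmlEscape() leaves the quote and space in ATTR_BREAK untouched, so it is not sufficient inside an attribute.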
Reduce Impact of XSS Vulnerabilities
If Cookies Are Used:
  Scope as strict as possible
  Set 'secure' flag
  Set 'HttpOnly' flag
On the client, consider disabling JavaScript (if possible) or use something like the NoScript Firefox extension.

Further Resources
XSS Prevention Cheat Sheet
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
XSS Attacker Cheat Sheet
http://ha.ckers.org/xss.html
OWASP Enterprise Security APIs
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
OWASP XSS Page
http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

Demo: BeEF
Browser Exploitation Framework
Written by Wade Alcorn
http://www.bindshell.net/tools/beef/
Architecture:

Conclusion
XSS vulnerabilities are bad.
Avoid introducing XSS vulnerabilities in your code. Please. They will only cause delays in getting your apps into production.
Give me your email, I have a link you *really* need to see.

Questions?
Contact info:
David Wharton
[email protected]
205.261.5219