Cross-Site Scripting (XSS)
Download as pptx, pdf3 likes5,317 views
Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject client-side scripts into web pages viewed by other users. There are three main types of XSS attacks: reflected XSS, stored XSS, and DOM-based XSS. XSS has been one of the top vulnerabilities on the OWASP Top Ten list for many years. While XSS attacks can compromise user sessions and steal sensitive data, developers can prevent XSS through proper input sanitization and output encoding. As web applications continue to grow in use, jobs in web application security and penetration testing are also expected to increase significantly in the coming years.
More Related Content
What's hot (20)
Viewers also liked (15)
Similar to Cross-Site Scripting (XSS) (20)
Recently uploaded (20)
Cross-Site Scripting (XSS)
- 1. Cross-Site Scripting (XSS) Joni Hall and Daniel Tumser
- 2. Overview
- 3. Table of Contents ● Introduction ● Related Works ● Technical Aspects ● Types of XSS o Reflected XSS o Stored XSS o DOM-Based XSS o Prevention ● Careers and Jobs ● Social Impact ● Ethical Impact ● Future Expectations ● Conclusion ● References
- 4. Introduction ● Cross-Site Scripting (XSS) occurs when an attacker uses a web application to gather data from a user ● Attackers inject JavaScript into an application to fool a user to get data from them ● Every month roughly 10-25 XSS holes are found in commercial products and advisories are published explaining the threat.
- 5. Related Works ● 1995 - Netscape releases JavaScript ● 1999 - David Ross (Microsoft) publishes “Script Injection” paper ● 2000 - Microsoft works with CERT ● 2005 - Samy Kamkar attacks MySpace ● 2006 - Cross-Site Scripting Malware popular o port scanners, keyloggers, etc ● 2007 - XSS #1 on the Open Web Application Security Project (OWASP) Top Ten list ● 2010 - XSS #2 on OWASP Top Ten list ● 2013 - XSS #3 on OWASP Top Ten list
- 6. Technical Aspects ● Leverages JavaScript to attack the user o JS is a client-side processed scripting language ● General aim of the attack is Session Hijacking or Credentials Stealing o ex. Steal user cookie & use web app as them ● Can compromise the entire application through users
- 7. Reflected XSS ● Most common form of XSS vulnerability (roughly 75% of cases) ● Vulnerability o Improper filtering/sanitization of HTTP parameters or user input that are processed by server-side scripts and reflected in the HTML the client receives ● Exploit o Crafted input by malicious user is added to a URL and sent to target user o http://www.something.com/thing.cgi?param= ● Problem o Relies on target user having active session to hijack
- 8. Stored XSS ● Attack stored in application servers ● Vulnerability o Improper user input sanitization in forms and user-created content instead of HTTP request params ● Exploit o Malicious script is injected into the page content viewed by other users ex. MySpace content (by Samy), Ebay sale listing (by Shubham Upadhyay) '"--> ● Why it’s more dangerous o Other users will already have an active session with the application in order for malicious code to be processed on their browser
- 10. DOM-Based XSS ● All client-side processing, no server processing ● Vulnerability o Improper JS data handling. ● Exploit o Leverages Document Object Model, pulling data with AJAX, and client-side processing ● Example o Next slide from Open Web Application Security Project (OWASP)
- 11. DOM-Based XSS Example ● Expected URL in HTTP request, parameter decides default language to display o http://www.some.site/page.html?default=French ● Malicious URL o http://www.some.site/page.html?default= ● Script in HTTP response from server o document.write(""); o All processing references made to the Location object in the Document object for the web page in the browser (document.location) o Specifically to the value sent as the “default=” parameter
- 12. DOM-Based XSS Example Cont. ● Browser processes the script received by the server which ● injects the malicious URL parameter script into the DOM when rendering the page, which ● executes the malicious script
- 13. Preventing XSS
● Recursive sanitization
o When processing a client HTTP request or user supplied data it must be sanitized
o Why recursive?
Wrapping commonly sanitized characters or sub-strings
ex.
- 14. Careers and Jobs Job Growth Projection (2012-2022) ● Jobs in 2012 / 2022 o 141,400 / 169,900 ● 10-year Growth o +20% / +28,500 Web Developer Pay (2012) ● Median wage (Web Devs.) o $62,500 ● vs Median wage (all occupations) o x1.8 Web Developer
- 15. Careers and Jobs Skills ● HTML ● JavaScript ● PHP ● C# ● jQuery ● CSS Web Developer ● Java ● SQL ● Ruby on Rails ● .NET ● ASP.NET ● MySQL
- 16. Careers and Jobs Skills ● Web Security and Encryption ● Network Security management Penetration Tester ● Security Testing and Auditing ● Computer Security
- 17. Careers and Jobs Minimum Qualifications ● Bachelor's degree and 3 years of professional work experience (or a master's degree) Additional Qualifications ● Experience in o developing web applications in Java, Ruby or JavaScript o OWASP or NIST 800-64 o application security assessment tools o IT Security user groups or security certification (CISSP, CEH, OSCP, etc.) (MathWorks job listing) Web Application Security Engineer
- 18. Careers and Jobs Firefox Platform Engineer Minimum Qualifications ● Experience o writing code. College degree is not necessary or sufficient. o Expertise in any of C++, JavaScript, or Python. o Experience debugging or profiling. Desired Skills ● C++; JavaScript; x86, x86_64, or ARM ● Experience with cryptographic signing and verification. ● Experience with security threat models. ● and more Platform/Browser Engineer & Security Engineer Platform Security Engineer Minimum Qualifications ● BS in Computer Science (or equivalent) plus 3-5 years industry experience ● Strong knowledge of C++ and JavaScript ● Strong privacy or security background ● Experience working in security or development team ● Experience in contributing to large open source projects is a plus ● Excellent verbal and written communication skills
- 19. Social Impact ● Link mistrust? o Users still lax and ignorant o Hackers/hacking still a very opaque subject to most ● Train users? o Organizations already do o They get the training wrong o Users are still making dumb mistakes (ex. Only hover over a link to check if the domain matches)
- 20. Ethical Impact Don’t do it(without permission) It’s unethical and very illegal. Unless you like fines, 5-20 years in prison (Title 18 U.S. Code § 1030(C)) and civil litigation. Offensive/Malicious Perspective
- 21. Ethical Impact ● Developers have an ethical and sometimes legal responsibility to their clients. o XSS can result in the compromise of the entire application in addition to client accounts o Client compromise can disclose PII, and App compromise can mean total data breach and network compromise ● Data breach disclosure is required by law in every state but New Mexico, Alabama and South Dakota o Very damaging for a company financially and to client trust relationships Defensive/Developer Perspective Secure your code!
- 22. Future Expectations ● One estimate is that 94% of web applications are vulnerable to XSS o Every month roughly 10-25 XSS holes are found in commercial products ● Jobs o the bureau of labor statistics expects a 37% increase for InfoSec professionals 2012-2022 ● Prevention by consumer education is key!
- 23. Conclusion ● Almost all web applications are vulnerable to XSS ● XSS has been on OWASP’s Top Ten list for 8 years ● Repercussions to XSS? o possible to probable jail-time and fines ● Preventing XSS? o biggest burden lies in consumer/user education ● Jobs? o expecting increase of 37% (2012-2022) all computer systems need security
- 24. References
1. Stuttard, Dafydd, and Marcus Pinto. The Web Application Hacker's Handbook Finding and Exploiting Security Flaws. 2nd ed. Indianapolis: Wiley,
2011. Print.
2. "The Cross-Site Scripting (XSS) FAQ." 'Web and Application Security News' Web. 17 June 2015. http://www.cgisecurity.com/xss-faq.html.
3. "XSS (Cross Site Scripting) Prevention Cheat Sheet." - OWASP. Web. 17 June 2015.
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.
4. "A Short History of JavaScript." - Web Education Community Group. Web. 17 June 2015.
https://www.w3.org/community/webed/wiki/A_Short_History_of_JavaScript.
5. "History of Cross Site Scripting." Increased Visibility. Web. 17 June 2015. http://intellavis.com/blog/?p=284.
6. "Types of Cross-Site Scripting." - OWASP. Web. 17 June 2015. https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting.
7. "Securing Your Web Browser." Securing Your Web Browser. CERT. Web. 17 June 2015. https://www.us-cert.gov/publications/securing-your-web-
browser.
8. Saxena, Prateek. "Systematic Techniques for Finding and Preventing Script Injection Vulnerabilities." Electrical Engineering and Computer Sciences
University of California at Berkeley, 29 June 2012. Web. 17 June 2015. http://www.eecs.berkeley.edu/Pubs/TechRpts/2012/EECS-2012-170.pdf.
9. Klein, Amit. "Cross Site Scripting Explained." Sanctum Security Group, 1 June 2002. Web. 17 June 2015.
https://crypto.stanford.edu/cs155/papers/CSS.pdf.
10. "Web Application Security Engineer." - MathWorks Jobs. MathWorks. Web. 17 June 2015.
http://www.mathworks.com/company/jobs/opportunities/web-application-security-engineer-14497?source=10192.
11. "Web Application Security Engineer Salary." Web Application Security Engineer Salary. Indeed. Web. 17 June 2015.
http://www.indeed.com/salary?q1=Web Application Security Engineer&l1=.
12. "Web Application Developer Salary (United States)." Web Application Developer Salary (United States). PayScale. Web. 17 June 2015.
http://www.payscale.com/research/US/Job=Web_Application_Developer/Salary.
13. "Web Developers." U.S. Bureau of Labor Statistics. U.S. Bureau of Labor Statistics, 8 Jan. 2014. Web. 17 June
2015.http://www.bls.gov/ooh/computer-and-information-technology/web-developers.htm.
14. "Penetration Tester Salary (United States)." Penetration Tester Salary (United States). PayScale. Web. 17 June 2015.
http://www.payscale.com/research/US/Job=Penetration_Tester/Salary.
15. "18 U.S. Code § 1030 - Fraud and Related Activity in Connection with Computers." 18 U.S. Code § 1030. Cornell University. Web. 17 June 2015.
- 25. Cross-Site Scripting (XSS) Joni Hall and Daniel Tumser