
XSS (Cross Site Scripting)


Basics of XSS with some of my PoCs.

Published in: Education

  1. ABOUT ME
     • Shubham Gupta (@hackerspider1)
     • IT Security Analyst at Broctagon Solutions
     • Bug Bounty Hunter
     • Capture The Flag (CTF) player
     • Acknowledged by more than 200 organizations
  2. TODAY'S TALK
     • Introduction
     • Impact
     • Types of XSS
     • How XSS works
     • Demo
     • XSS Prevention
     • Q&A?
  3. INTRODUCTION TO XSS
     • XSS is a code injection attack that allows injecting malicious code into a website
     • Currently one of the most common attacks
     • Every website needs JavaScript turned on
     • Caused by insufficient input validation
     • Injected code can be JavaScript, VBScript, ActiveX, HTML, or Flash
  4. IMPACT
     • Stealing other users' cookies
     • Stealing their private information
     • Performing actions on behalf of other users
     • Redirecting to other websites
     • Showing ads in hidden iframes and pop-ups
  5. TYPES OF XSS
     • Non-persistent XSS
     • Persistent XSS
     • DOM based XSS
  6. NON-PERSISTENT XSS
     • Non-persistent XSS, also called Reflected XSS
     • Input arrives as a query in HTTP parameters or an HTML form
     • The request is reflected in the response without being properly sanitized
  7. PERSISTENT XSS
     • Persistent XSS, also called Stored XSS
     • Occurs when the data is saved on the server side
     • Classic example: message board
  8. DOM BASED XSS
     • DOM (Document Object Model)
     • Cross-site scripting vulnerability
     • Appears in the DOM instead of in the HTML
     • The payload cannot be found in the response
     • Observed at runtime or by investigating the DOM of the page
     Example:
       var pos = document.URL.indexOf("name=") + 5;
       document.write(document.URL.substring(pos, document.URL.length));
  9. HOW XSS WORKS?
     • The web server gets data from the web client (POST, GET, COOKIES etc.) with the request
     • A malicious user can include client-side code snippets (JavaScript) in that data
     Example:
       Shubham<script>alert("hacked")</script>
  10. (Diagram: Server and Hacker's Browser; HTTP request with XSS JavaScript, HTTP response with XSS JavaScript)
  11. XSS OUTPUT
  12. DEMO
  13. REFLECTED XSS
  14. (no text on this slide)
  15. STORED XSS
  16. (no text on this slide)
  17. DOM BASED XSS
  18. PREVENTIONS
     • More than 70% of web security issues are caused by XSS
     • Never trust user/client input!
     • Client-side checks/controls have to be invoked on the server too
     • Improper input validation
     • Improper output validation
  19. VALIDATE INPUT
     • Letters in a number field?
     • 10 digits for a 4 digit year field?
     • Often only alphanumeric is needed
     • Careful with < > " ' and =
     • Whitelist (e.g. /[a-zA-Z0-9]{0,20}/)
     • Reject, don't try to sanitize
  20. VALIDATE OUTPUT
     • Encode HTML output
       • If data came from user input, a database, or a file
       • Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));
       • Not 100% effective but prevents most vulnerabilities
     • Encode URL output
       • If returning URL strings
       • Response.Write(HttpUtility.UrlEncode(urlString));
  21. THANKS
  22. Q&A?
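As an added example (not code from the slides), the two defences the PREVENTIONS slides describe, an anchored whitelist that rejects rather than sanitizes and HTML output encoding, applied to the payload from the HOW XSS WORKS slide. The function names are my own, and the ^ and $ anchors added to the slide's whitelist pattern are an assumption about its intent; it runs in Node without a DOM.

```javascript
// Output encoding: escape the characters that let user data break out of an
// HTML text node or quoted attribute (the slide's "careful with < > \" ' and =").
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function htmlEncode(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation with a whitelist. The slide shows /[a-zA-Z0-9]{0,20}/;
// without ^ and $ that pattern matches any string (the empty match satisfies
// {0,20}), so the anchors are added here (assumption about the intended rule).
const NAME_WHITELIST = /^[a-zA-Z0-9]{0,20}$/;

function validateName(name) {
  return NAME_WHITELIST.test(name);
}

// Reflected-XSS style rendering: the "name" parameter echoed into the page.
// Vulnerable version: raw concatenation, the same behaviour as the slide's
// document.write(document.URL.substring(pos, ...)) sink in the browser.
function renderUnsafe(name) {
  return `<p>Hello ${name}</p>`;
}

// Hardened version: reject input outside the whitelist, and still encode on
// output, because validation rules change and encoding is cheap.
function renderSafe(name) {
  if (!validateName(name)) {
    return "<p>Invalid name</p>"; // reject, don't sanitize
  }
  return `<p>Hello ${htmlEncode(name)}</p>`;
}

// Constructed input: the payload from the HOW XSS WORKS slide.
const PAYLOAD = 'Shubham<script>alert("hacked")</script>';

function demo() {
  return {
    unsafe: renderUnsafe(PAYLOAD),   // the <script> tag lands in the page
    safe: renderSafe(PAYLOAD),       // rejected by the whitelist
    encoded: htmlEncode(PAYLOAD),    // what encoding alone does to it
  };
}

console.log(demo());
```

In the DOM based XSS case the same rule applies on the client: write untrusted data with textContent rather than document.write or innerHTML.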
