
XSS The Gloves are Off

XSS The Gloves are Off. Andy Prow, Managing Director, Aura Software Security Ltd, Andy@AuraSoftwareSecurity.co.nz. Kirk Jackson, Senior Developer, Xero, kirk@xero.com. The Message: “XSS can fully compromise your site’s users’ machine – which might include you”


Presentation Transcript


  1. XSS The Gloves are Off. Andy Prow, Managing Director, Aura Software Security Ltd, Andy@AuraSoftwareSecurity.co.nz. Kirk Jackson, Senior Developer, Xero, kirk@xero.com

  2. The Message “XSS can fully compromise your site’s users’ machine – which might include you.” “XSS is easy to protect against as long as you take the right precautions.”

  3. Who are we? Andy Prow – Managing Director of Aura Software Security Ltd. Security consultants and penetration testers. Performed web application pen-testing for NZ, Australian and UK companies: government, corporate and banking. Wellington based. BSc Hons in Comp Sci and Soft Eng – 14 years software dev experience.

  4. Who are we? Kirk Jackson – Developer & Security Officer, Xero (http://www.xero.com). Microsoft MVP – ASP.NET. Organises the Wellington .NET user group – 25 user groups nationwide: http://www.dot.net.nz. Blog: http://pageofwords.com

  5. Are the Threats Real? XSS attacks have hit Twitter, Facebook, PayPal, Google, MySpace, WordPress, etc. XSS attacks have / can: inject rude images and abusive pop-ups; perform targeted CSRF; “own” the user’s browser – example in a mo...; perform port scans from the user’s machine; download full malware to compromise their machine.

  6. XSS 101

  7. XSS 101 http://www.owasp.org/index.php/XSS

  8. XSS Shell The Victim...

  9. XSS Shell The Command and Control Console...

  10. XSS Attack and Defence The gloves are off...

  11. XSS Attack and Defence NOTE: slides 11 (this slide) to 49 are taken from the live demo, using a .NET 3.5 web application. Each set of slides shows Andy’s XSS attack, then Kirk updates the code, rebuilds and reruns, and therefore DEFENDS against the attack. The real preso slides start again at 50.

  12. XSS Attack and Defence Attack: XSS 101 for dummies... <script>alert('xss');</script> Defence: sInput.Replace("<script>", "&lt;script&gt;") Comments: Poor choice – only replacing the “<script>” tag is too specific; there are many ways around it...

  13. XSS Attack and Defence Attack: So if they’re checking for “<script>” we’ll change it... <ScRiPt>alert('XSS');</ScRiPt> Defence: OK – ToLower() should fix that... Comments: Still very easily bypassed.

  14. XSS Attack and Defence Attack: Try something other than “script”: <IMG onmouseover="javascript:alert('XSS')" SRC="http://www.aurasoftwaresecurity.co.nz/images/Logo.jpg"> Defence: Replace a larger set of strings... Comments: So it picks up the recognisable text, but what about encoded values?

  15. XSS Attack and Defence Attack: Perhaps HEX or UTF8 encoded: <IMG onmouseover="&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29" SRC="http://www.aurasoftwaresecurity.co.nz/images/Logo.jpg"> Defence: HEX decode, then replace a larger set of strings... Comments: So it picks up the recognisable text, even when encoded... But couldn’t it be simpler?

  16. XSS Attack and Defence Attack: Any variation... Defence: http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet Comments: Now it picks up all HTML special characters, whether encoded or not. However, there are alternatives...

  17. XSS Attack and Defence Attack: Any variation... Defence: Microsoft AntiXSS Library (for .Net) Comments: All done for you, and seems to work!

  18. XSS Attack and Defence Attack: So the web pages are secure – what about the web services? Defence: Copy the input cleansing to the web service, or move it to the data layer, which picks up the data entry points. Comments: It’s an option...

  19. Etc, etc...

  20. XSS Attack and Defence Attack: So all web services and web pages are secure. Perhaps we’ve got in via a back-end legacy system? Defence: Assume you cannot trust your own DB – cleanse the output to the browser. Comments: It’s an option...

  21. XSS Attack and Defence Attack: All data stores, input and output are clean. So if persistent XSS fails, try reflected. Defence: Check EVERY input parameter, both on the querystring and from form data! Comments: Trust nothing, from anywhere!

  22. Note: IE8 is blocking our reflected XSS! Good!

  23. Unfortunately Firefox does NOT block our reflected XSS...
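The filter-then-bypass sequence of slides 12 to 17, replayed as an added example in Python (this is not the .NET code from the live demo). The payloads are the ones printed on the slides; the string list behind the slide-14 “larger set of strings” is an assumption, since the slide does not list it, and `script_reaches_browser` is a crude oracle written for this demo only, not a general XSS detector.

```python
import html
import re

# Constructed inputs: the payloads printed on slides 12 to 15.
PAYLOADS = {
    "slide12": "<script>alert('xss');</script>",
    "slide13": "<ScRiPt>alert('XSS');</ScRiPt>",
    "slide14": ('<IMG onmouseover="javascript:alert(\'XSS\')" '
                'SRC="http://www.aurasoftwaresecurity.co.nz/images/Logo.jpg">'),
    "slide15": ('<IMG onmouseover="&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74'
                '&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29" '
                'SRC="http://www.aurasoftwaresecurity.co.nz/images/Logo.jpg">'),
}

# Assumption: slide 14 does not list its "larger set of strings", so this
# list stands in for it.
BAD_STRINGS = ("<script", "javascript:", "alert(")


def filter_slide12(s: str) -> str:
    """Slide 12: sInput.Replace("<script>", "&lt;script&gt;")."""
    return s.replace("<script>", "&lt;script&gt;")


def filter_slide13(s: str) -> str:
    """Slide 13: ToLower() first, then the same Replace."""
    return filter_slide12(s.lower())


def filter_slide14(s: str) -> str:
    """Slide 14: lower-case, then strip each recognisable attack string."""
    out = s.lower()
    for bad in BAD_STRINGS:
        out = out.replace(bad, "")
    return out


def filter_slide15(s: str) -> str:
    """Slide 15: decode &#xHH character references first, then filter as before."""
    return filter_slide14(html.unescape(s))


def encode_output(s: str) -> str:
    """Slides 16/17: stop recognising attacks; entity-encode every HTML special
    character (& < > " ') so the browser treats the whole value as text."""
    return html.escape(s, quote=True)


TAG_START = re.compile(r"<[a-zA-Z]")


def script_reaches_browser(s: str) -> bool:
    """Crude oracle for this demo only: the value still opens an HTML tag and,
    after the browser's own entity decoding of attribute values, still carries
    the alert( call from the slide payloads."""
    return TAG_START.search(s) is not None and "alert(" in html.unescape(s).lower()


DEFENCES = {
    "slide12 replace": filter_slide12,
    "slide13 tolower": filter_slide13,
    "slide14 stringlist": filter_slide14,
    "slide15 decode+list": filter_slide15,
    "slide16 encode": encode_output,
}


def run_demo() -> dict:
    """For each defence, the slide payloads that still reach the browser as script."""
    return {
        name: [slide for slide, payload in PAYLOADS.items()
               if script_reaches_browser(defence(payload))]
        for name, defence in DEFENCES.items()
    }


if __name__ == "__main__":
    for name, bypasses in run_demo().items():
        print(f"{name:22} bypassed by: {', '.join(bypasses) or 'none of the slide payloads'}")
```

Each row of the demo shows a defence stopping the payload from its own slide and the ones before it, and the next slide’s payload getting through; the slide-15 filter happens to stop all four known payloads, but only because they are on its list, whereas entity-encoding the output needs no list at all.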

  24. Encoding • Encoding is "the process of transforming information from one format into another" [Wikipedia] • Taking some input text and making it appropriate to use in a given context • Untrusted input → Safe to output • User enters: Kirk <script>... • We output: Kirk &lt;script&gt;...
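The “untrusted input → safe to output” step on slide 24 depends on the output context, which is what the OWASP cheat sheet linked on slide 16 is organised around. This added example (not code from the talk) implements one encoder per context in Python, following the cheat sheet’s rules for HTML element content, quoted HTML attribute values and quoted JavaScript strings; the profile template and the `render_profile` helper are constructed for the illustration.

```python
import html


def encode_html_content(value: str) -> str:
    """Element content: entity-encode & < > " ' so text stays text."""
    return html.escape(value, quote=True)


def encode_html_attribute(value: str) -> str:
    """Quoted attribute value: encode everything except ASCII letters and
    digits as &#xHH; so no character can end the quote or the tag."""
    return "".join(
        c if (c.isascii() and c.isalnum()) else f"&#x{ord(c):X};" for c in value
    )


def encode_js_string(value: str) -> str:
    """Inside a quoted JavaScript string: \\xHH / \\uHHHH escapes, so the
    value can neither end the string nor spell out </script>."""
    out = []
    for c in value:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "".join(out)


def render_profile(display_name: str) -> str:
    """Constructed template: the same untrusted value lands in three contexts,
    each with its own encoder."""
    return (
        f"<h1>{encode_html_content(display_name)}</h1>\n"
        f'<input value="{encode_html_attribute(display_name)}">\n'
        f"<script>var user = '{encode_js_string(display_name)}';</script>"
    )


if __name__ == "__main__":
    print(render_profile("Kirk <script>..."))
```

The attribute and JavaScript encoders do not try to recognise anything: every non-alphanumeric character is encoded, so no quote, angle bracket or slash can change the parsing context it lands in. Entity encoding is not decoded inside a script element, which is why the JavaScript context needs its own escape syntax rather than a second pass of the HTML encoder.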
