XSS: What the heck?!

Posted on 14-Apr-2017


Cross Site Scripting (XSS): What the heck?!

Harinee Muralinath, Karthik Krishnan

Agenda

❏ What is our intent?

❏ What is XSS?

❏ Prevention techniques

❏ Testing tools

What is our intent?

❏ security-related jargon, one term at a time

❏ generate interest

❏ give you a guided, hands-on experience

❏ apply it on projects

❏ take your time to learn

What this session will NOT be

❏ Make you security experts

❏ Tool-oriented

Source: owasp.org

What is Cross-site Scripting (XSS)?

❏ The concept of planting scripts in a page by misusing the capabilities of HTML, CSS, JavaScript etc.

❏ Happens when web applications take data from users and dynamically include it in web pages without first properly validating the data

❏ The victim of XSS is usually another user, instead of the host server itself (which is just a medium)

Demo

Forms of XSS

❏ Reflective XSS

❏ Persistent XSS

Reflective XSS

Persistent XSS

Demo

Prevention Techniques

❏ Input validation

❏ Output encoding

Possible Solutions?

Solution #1: Validate input for HTML tag characters (< >)

Solution #2: Blacklist script tags

Solution #3: Output encode HTML tags

Solution #4: Content Security Policy
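Solutions #1 and #3 behave differently on the same input, and a small piece of code shows why output encoding is the one the cheat sheets recommend. The following is an added example written for this transcript, not code from the talk: an HTML body encoder following the OWASP escape set (& < > " ' /), next to a tag-character validator of the Solution #1 kind, run over constructed sample inputs. The function names and the comment-rendering template are assumptions made for the example.

```javascript
// Added example (not from the deck): output encoding vs. input validation.
// Escape set taken from the OWASP XSS Prevention Cheat Sheet (rule #1).
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode untrusted data for insertion into an HTML element body.
// Every character the browser could read as markup becomes an entity.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Solution #1 from the slides as a validator: reject input that contains
// HTML tag characters. It also rejects harmless text such as "a < b".
function rejectsTagChars(input) {
  return /[<>]/.test(String(input));
}

// Solution #3: build the markup by encoding every untrusted value at output
// time, so the data is preserved but can never become a tag (hypothetical template).
function renderComment(author, body) {
  return `<div class="comment"><b>${encodeForHtml(author)}</b>: ${encodeForHtml(body)}</div>`;
}

// Summarise how each approach treats one input.
function summarize(input) {
  const encoded = encodeForHtml(input);
  return {
    rejectedByValidation: rejectsTagChars(input),
    encoded,
    // true only if a tag opener survived encoding (it never should)
    tagSurvives: /<\w/.test(encoded),
  };
}

// Constructed sample inputs.
const samples = [
  'a < b && b > c',                      // legitimate text that uses tag characters
  '<script>alert("demo")</script>',      // the inline-script shape from the demo slides
  'Tom "the" O\'Reilly',                 // quotes matter in attribute contexts too
];

for (const s of samples) {
  console.log(JSON.stringify(summarize(s)));
}
```

The validator rejects the first sample even though it is ordinary text, while the encoder keeps it intact and still neutralises the second; that is the practical reason the prevention cheat sheet treats encoding as the primary defence and validation as a supplement.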

Content Security Policy

No inline scripts or JS event handlers

Before:

<head>
  <script>alert("Hi, I'm an inline script");</script>
</head>

Now:

<head>
  <script src="non-inline-script.js"></script>
</head>

Content Security Policy

Whitelist domains

Before:

<head>
  <script src="http://attacker.com/evil.js"></script>
</head>

Now:

<head>
  <script src="https://trusted.com/safe.js"></script>
</head>

Content-Security-Policy: script-src https://trusted.com

With this header the browser loads scripts only from https://trusted.com; inline scripts are blocked as well unless 'unsafe-inline' is added to the directive.
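The two CSP slides (no inline scripts, whitelisted domains) can be checked mechanically before a header ships. The code below is an added example for this transcript, not code from the talk: it builds a script-src header, then scans a constructed page modelled on the slides' before/after snippets and reports which script elements the policy would allow. It uses a deliberately simplified source matcher (only 'self', 'unsafe-inline' and scheme+host entries; no wildcards, nonces, hashes or paths), and the page origin https://app.example, the function names and the sample page are all assumptions.

```javascript
// Added example (not from the deck): build a CSP header and evaluate which
// <script> elements a page contains that script-src would allow.

// Build the header value from a map of directive -> source list.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Parse a header value back into {directive: [sources]}.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0]] = tokens.slice(1);
  }
  return policy;
}

// Simplified source matching: 'self' (same origin as the page) or a
// scheme+host allowlist entry such as https://trusted.com. Wildcards,
// nonces, hashes and path matching are not modelled here.
function sourceAllows(source, scriptUrl, pageOrigin) {
  if (source === "'self'") return scriptUrl.origin === pageOrigin;
  if (source.startsWith("'")) return false; // other keywords not modelled
  try {
    const allowed = new URL(source);
    return allowed.protocol === scriptUrl.protocol && allowed.host === scriptUrl.host;
  } catch (e) {
    return false; // not a URL-shaped source expression
  }
}

// Minimal <script> tag scanner for the constructed input; not a general
// HTML parser.
function findScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push(srcMatch ? { src: srcMatch[1] } : { inline: true });
  }
  return scripts;
}

// Decide for each script whether script-src permits it. Inline scripts are
// allowed only with 'unsafe-inline'; external ones need a matching source.
function evaluate(header, html, pageOrigin) {
  const sources = parseCsp(header)['script-src'] || [];
  return findScripts(html).map((s) => {
    if (s.inline) {
      return { script: 'inline', allowed: sources.includes("'unsafe-inline'") };
    }
    const url = new URL(s.src, pageOrigin);
    return { script: s.src, allowed: sources.some((src) => sourceAllows(src, url, pageOrigin)) };
  });
}

// Constructed sample page mirroring the slides' before/after snippets.
const samplePage = `<head>
  <script>alert("Hi, I'm an inline script");</script>
  <script src="non-inline-script.js"></script>
  <script src="http://attacker.com/evil.js"></script>
  <script src="https://trusted.com/safe.js"></script>
</head>`;

// Assumed page origin for resolving the relative src and matching 'self'.
const PAGE_ORIGIN = 'https://app.example';
const header = buildCsp({ 'script-src': ["'self'", 'https://trusted.com'] });

for (const result of evaluate(header, samplePage, PAGE_ORIGIN)) {
  console.log(`${result.allowed ? 'ALLOW' : 'BLOCK'}  ${result.script}`);
}
```

Running it shows the inline script and the attacker.com script blocked, and the same-origin script plus the trusted.com script allowed, which is exactly the transition the two slides describe. The 'self' entry is what keeps the non-inline-script.js approach from slide one working once slide two's allowlist is in place.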

Demo

Further references

❏ XSS Cheat Sheet
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

❏ XSS Prevention Cheat Sheet
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Thank you! Please reach out to

Harinee Muralinath - harineem@thoughtworks.com
Karthik Krishnan - karthik.krishnan@thoughtworks.com