Cross Site Scripting (XSS)
David Wharton, Intrusion Detection & Prevention, Regions Financial Corp.
Date posted: 28-Mar-2015

Transcript

Page 1:

Cross Site Scripting (XSS)

David Wharton

Intrusion Detection & Prevention

Regions Financial Corp.

Page 2:

Overview

Introduction
What is XSS?
Is XSS Important?
Exploiting XSS
Preventing XSS
BeEF Demo
Conclusion
Questions

Page 3:

Introduction

Page 4:

What is XSS?

XSS is a vulnerability that allows an attacker to run arbitrary JavaScript in the context of the vulnerable website.

XSS bypasses same-origin policy protection:

"The policy permits scripts running on pages originating from the same site to access each other's methods and properties with no specific restrictions, but prevents access to most methods and properties across pages on different sites."

"The term 'origin' is defined using the domain name, application layer protocol, and (in most browsers) TCP port"

http://en.wikipedia.org/wiki/Same_origin_policy

Requires some sort of social engineering to exploit.

Page 5:

Types of XSS

Reflected XSS
Stored XSS (a.k.a. "Persistent XSS")
DOM Based XSS

Page 6:

Reflected XSS

Page 7:

Reflected XSS Example

Exploit URL:
http://www.nikebiz.com/search/?q=<script>alert('XSS')</script>&x=0&y=0

HTML returned to victim:
<div id="pageTitleTxt"> <h2><span class="highlight">Search Results</span><br /> Search: "<script>alert('XSS')</script>"</h2>

Page 8:

Reflected XSS Example

Page 9:

Stored XSS

JavaScript supplied by the attacker is stored by the website (e.g. in a database)

Doesn't require the victim to supply the JavaScript somehow, just visit the exploited web page

More dangerous than Reflected XSS

Has resulted in many XSS worms on high profile sites like MySpace and Twitter (discussed later)

Page 10:

DOM Based XSS

Occurs in the content processing stages performed by the client

<select><script>
document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>");
</script></select>

http://www.some.site/page.html?default=ASP.NET

/page.html?default=<script>alert(document.cookie)</script>

Source: http://en.wikipedia.org/wiki/Cross-site_scripting
Source: http://www.owasp.org/index.php/DOM_Based_XSS
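The document.write() sink from the slide above, rebuilt beside a hardened rewrite, as an added example that is not part of the original slides. It assumes the query parameter is still called default, and the whitelist is the Validate Input slide's pattern anchored and extended with '.' so that ASP.NET passes.

```javascript
// Added example, not code from the slides: the DOM-based XSS sink shown above,
// rebuilt as pure string functions so it runs under Node without a browser.
// buildOptionVulnerable, buildOptionSafe and escapeHtml are names chosen here.

// Mirrors the slide's document.write(...) line: everything after "default=" in
// the URL is spliced into markup unchanged, so a value containing <script> is
// written into the page as live HTML. Kept deliberately vulnerable.
function buildOptionVulnerable(href) {
  const raw = href.substring(href.indexOf("default=") + 8);
  return "<OPTION value=1>" + raw + "</OPTION>";
}

// Rule #1 style escaping for HTML element content (& < > " ' /).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return s.replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Hardened version: parse the query string properly instead of substring(),
// validate the value against a whitelist (the "Validate Input" slide's pattern,
// here anchored with ^ and $ so it tests the whole value rather than matching
// any string, and with '.' added so "ASP.NET" passes), reject rather than
// sanitize, and still escape the accepted value on output.
const ALLOWED = /^[a-zA-Z0-9.]{0,20}$/;
function buildOptionSafe(href) {
  const value = new URL(href).searchParams.get("default") || "";
  if (!ALLOWED.test(value)) {
    return { ok: false, html: "<OPTION value=1></OPTION>" };
  }
  return { ok: true, html: "<OPTION value=1>" + escapeHtml(value) + "</OPTION>" };
}
```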

Page 11:

Is XSS Dangerous?

Yes
OWASP Top 2
Defeats Same Origin Policy
Just think, any JavaScript you want will be run in the victim's browser in the context of the vulnerable web page
Hmmm, what can you do with JavaScript?

Page 12:

What can you do with JavaScript?

Pop-up alerts and prompts
Access/Modify DOM
Access cookies/session tokens
"Circumvent" same-origin policy
Virtually deface web page
Detect installed programs
Detect browser history
Capture keystrokes (and other trojan functionality)
Port scan the local network

Page 13:

What can you do with JavaScript? (cont)

Induce user actions
Redirect to a different web site
Determine if they are logged on to a particular site
Capture clipboard content
Detect if the browser is being run in a virtual machine
Rewrite the status bar
Exploit browser vulnerabilities
Launch executable files (in some cases)

Page 14:

Example: Form Injection

Page 15:

Example: Virtual Defacement

Page 16:

Example: Pop-Up Alert

Page 17:

Example: Cookie Stealing

Page 18:

Example: XSS Worms

Samy Worm
Affected MySpace
Leveraged Stored XSS vulnerability so that for every visitor to Samy's MySpace page, the following would silently happen:
The visitor would be added as Samy's friend
The visitor would get an update to their page that infected it with the same JavaScript and left a message saying, "but most of all, Samy is my hero".
Worm spread exponentially
Over 1 million friend requests in less than 20 hours

Page 19:

Cause of Injection Vulnerabilities:

Improper Handling of User-Supplied Data
>= 80% of web security issues caused by this!
NEVER Trust User/Client Input!
Client-side checks/controls have to be invoked on the server too.
Improper Input Validation
Improper Output Validation
More details in next section

Page 20:

Preventing Injection Vulnerabilities In Your Apps

Validate Input
Letters in a number field?
10 digits for 4 digit year field?
Often only need alphanumeric
Careful with < > " ' and =
Whitelist (e.g. /[a-zA-Z0-9]{0,20}/)
Reject, don't try and sanitize

Page 21:

Preventing XSS In Your Applications

Validate Output

Encode HTML Output
If data came from user input, a database, or a file
Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));
Not 100% effective but prevents most vulnerabilities

Encode URL Output
If returning URL strings
Response.Write(HttpUtility.UrlEncode(urlString));

How To: Prevent Cross-Site Scripting in ASP.NET
http://msdn.microsoft.com/en-us/library/ms998274.aspx

XSS Prevention Cheat Sheet:
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

Page 22:

RULE #0 - Never Insert Untrusted Data Except in Allowed Locations (see rules 1-5)

<script>...NEVER PUT UNTRUSTED DATA HERE...</script>   directly in a script
<!--...NEVER PUT UNTRUSTED DATA HERE...-->   inside an HTML comment
<div ...NEVER PUT UNTRUSTED DATA HERE...=test />   in an attribute name
<...NEVER PUT UNTRUSTED DATA HERE... href="/test" />   in a tag name

Page 23:

RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content

<body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</body>
<div>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</div>
any other normal HTML elements

Page 24:

RULE #1 (continued)

Escape these characters:
& --> &amp;
< --> &lt;
> --> &gt;
" --> &quot;
' --> &#x27;   (&apos; is not recommended)
/ --> &#x2F;   (forward slash is included as it helps end an HTML entity)

Remember HttpUtility.HtmlEncode()

Page 25:

RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes

<div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>content</div>   inside UNquoted attribute
<div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div>   inside single quoted attribute
<div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">content</div>   inside double quoted attribute

Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the &#xHH; format or named entity if available. Examples: &quot; &#39;

Page 26:

RULE #3 - JavaScript Escape Before Inserting Untrusted Data into HTML JavaScript Data Values

The only safe place to put untrusted data into these event handlers is as a quoted "data value."

<script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script>   inside a quoted string
<script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script>   one side of a quoted expression
<div onmouseover="x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'"</div>   inside quoted event handler

Except for alphanumeric characters, escape all characters less than 256 with the \xHH format. Example: \x22 not \"

Page 27:

RULE #3 (continued)

But be careful!

<script>
window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED HERE...');
</script>

Page 28:

RULE #4 - CSS Escape Before Inserting Untrusted Data into HTML Style Property Values

<style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style>   property value
<span style=property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...;>text</style>   property value

Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the \HH escaping format. Example: \22 not \"

Page 29:

RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values

<a href="http://www.somesite.com?test=...URL ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a >

Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the %HH escaping format. Example: %22

Remember HttpUtility.UrlEncode()
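Rules #1 to #5 carried out as one encoder per output context, plus the Rule #3 "be careful" caveat, as an added example that is not code from the slides or from OWASP. It assumes the character sets and formats exactly as the rules state them; the trailing space in the CSS escape is an addition explained in the comment.

```javascript
// Added example, not code from the slides or from OWASP: one encoder per
// output context from Rules #1-#5, as small pure functions. Function names
// (htmlEscape, attrEscape, jsEscape, cssEscape, urlEscape, decodedByJsParser)
// are chosen here.

const isAlnum = (c) => /^[A-Za-z0-9]$/.test(c);
const hex2 = (code) => code.toString(16).toUpperCase().padStart(2, "0");

// Escape every non-alphanumeric character below 256 using `fmt`; characters at
// or above 256 pass through, as the rules only cover that range.
function escapeBelow256(s, fmt) {
  return Array.from(s, (c) => {
    const code = c.codePointAt(0);
    return isAlnum(c) || code >= 256 ? c : fmt(code);
  }).join("");
}

// Rule #1: HTML element content, exactly the six characters the slide lists.
const HTML_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
function htmlEscape(s) {
  return s.replace(/[&<>"'\/]/g, (c) => HTML_MAP[c]);
}

// Rule #2: HTML attribute values, &#xHH; so the value cannot break out of an
// attribute even when the attribute is UNquoted (space and = are encoded too).
function attrEscape(s) {
  return escapeBelow256(s, (code) => "&#x" + hex2(code) + ";");
}

// Rule #3: JavaScript string data values, \xHH (the slide: \x22, not \").
function jsEscape(s) {
  return escapeBelow256(s, (code) => "\\x" + hex2(code));
}

// Rule #4: CSS property values, \HH. A space follows each escape because CSS hex
// escapes are variable length: "\22" directly followed by a hex digit such as
// "a" would be read as the single code point U+022A instead of a quote and "a".
function cssEscape(s) {
  return escapeBelow256(s, (code) => "\\" + hex2(code) + " ");
}

// Rule #5: URL parameter values, %HH over the UTF-8 bytes. Stricter than
// encodeURIComponent, which leaves ' ( ) ! * ~ - _ . unencoded.
function urlEscape(s) {
  return Array.from(new TextEncoder().encode(s), (b) =>
    isAlnum(String.fromCharCode(b)) ? String.fromCharCode(b) : "%" + hex2(b)
  ).join("");
}

// The "But be careful!" caveat: when the JS parser reads a string literal it
// turns \xHH back into the original characters, so anything that later treats
// that string as code (setInterval/setTimeout given a string, eval, Function)
// executes the raw untrusted data. This models that decoding step. The fix is
// to pass a function to setInterval and keep the data as data inside it.
function decodedByJsParser(escaped) {
  return escaped.replace(/\\x([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}
```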

Page 30:

Reduce Impact of XSS Vulnerabilities

If Cookies Are Used:
Scope as strict as possible
Set 'secure' flag
Set 'HttpOnly' flag

On the client, consider disabling JavaScript (if possible) or use something like the NoScript Firefox extension.

Page 31:

Further Resources

XSS Prevention Cheat Sheet
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

XSS Attacker Cheat Sheet
http://ha.ckers.org/xss.html

OWASP Enterprise Security APIs
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

OWASP XSS Page
http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

Page 32:

Demo: BeEF

Browser Exploitation Framework
Written by Wade Alcorn
http://www.bindshell.net/tools/beef/
Architecture:

Page 33:

Conclusion

XSS vulnerabilities are bad.
Avoid introducing XSS vulnerabilities in your code. Please. They will only cause delays in getting your apps into production.
Give me your email, I have a link you *really* need to see.

Page 34:

Questions?

Contact info:
David Wharton
[email protected]
205.261.5219