Cross Site Scripting(XSS)What the heck?!

Harinee MuralinathKarthik Krishnan

Agenda

❏What is our intent?

❏What is XSS?

❏Prevention techniques

❏Testing tools

What is our intent?

❏security-related jargons - one at a time

❏generate interest

❏give you a guided, hands-on experience

❏apply on projects

❏take your time to learn

What this session will NOT be

❏Make you security experts

❏Tool-oriented

Source: owasp.org

What is Cross-site Scripting (XSS)?

❏ Concept of planting scripts by misusing the powers of HTML, CSS, javascript etc.

❏ When web applications take data from users and dynamically include it in Web pages without first properly validating the data

❏ The victim of XSS is usually another user, instead of the host server itself (which is just a medium)

Demo

Forms of XSS❏Reflective XSS

❏Persistent XSS

Reflective XSS

Persistent XSS

Demo

Prevention Techniques

❏Input validation

❏Output encoding

Possible Solutions?

Solution #1Validate Input for HTML tag characters (< >)

Solution #2Blacklist script Tags

Solution #3Output encode HTML Tags

Solution #4Content Security Policy

Content Security Policy

No inline scripts or JS event handlers

Before:<head>

<script>alert(“Hi, I’m an inline script”);</script></head>

Now:<head>

<script src=”non-inline-script.js”></script></head>

Content Security Policy

Whitelist domains

Before:<head>

<script src=”http://attacker.com/evil.js”></script></head>Now:<head>

<script src=”https://trusted.com/safe.js”></script></head>

Content-Security-Policy:script-src https://trusted.com

Tools to identify obvious XSS

❏ XSS Me :: Add-ons for Firefox

❏ ZAProxy - OWASP ZAP

❏ Burp Suite

❏ ...and others

Demo

Future references❏XSS Cheat Sheet

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

❏XSS Prevention Cheat Sheethttps://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Thank you!Please reach out to

Harinee Muralinath - harineem@thoughtworks.comKarthik Krishnan - karthik.krishnan@thoughtworks.com