Cross-Site Scripting Vulnerabilities
Adam Doupé
11/24/2014
Doupé - 11/24/14

Ethics
• Only hack into sites you own
  – Or you have permission
• Popular sites may have bug bounty program
  – Facebook
  – github
  – Google
• You will get caught

Tech
• HTTP
• HTML
• CSS
• JavaScript
• SQL
• Server-Side Code (Python/PHP/Ruby)

Many Vulnerabilities
• Cross-Site Scripting (XSS)
• SQL Injection
• Cross-Site Request Forgery (XSRF)
• HTTP Parameter Pollution (HPP)
• Command Injection
• Parameter Manipulation
• File Exposure
• Directory Traversal
• Forced Browsing
• Logic Flaws
• Execution After Redirect (EAR)

Web Applications
(diagram: browser, HTTP, web application, SQL, JavaScript)

HTTP Client Request
GET / HTTP/1.1
User-Agent: curl/7.37.1
Host: www.facebook.com
Accept: */*

HTTP Server Response
HTTP/1.1 200 OK
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Set-Cookie: datr=cohyVEAwQmq5jJh2cWZ9pZc9; expires=Wed, 23-Nov-2016 01:22:58 GMT; Max-Age=63072000; path=/; domain=.facebook.com; httponly
Set-Cookie: reg_ext_ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html lang="en" id="facebook" class="no_js">
<head>
<script>
...
</script>
<title id="pageTitle">Welcome to Facebook - Log In, Sign Up or Learn More</title>

JavaScript
• Makes the page dynamic
• Full control over page
  – Layout
  – Asynchronous requests
  – Event handlers
• Code from the website running on your browser

Same Origin Policy
• Browser JavaScript Security Policy
• (protocol, host, port)
  https://www.facebook.com/ → (https, www.facebook.com, 443)
  http://www.cnn.com/ → (http, www.cnn.com, 80)

Same Origin Policy
• Cookies (document.cookie)
• DOM
• localStorage
• XMLHttpRequests
• img

Cross-Site Scripting (XSS)
• Malicious JavaScript running in the context of your web application

XSS – Example
<html>
<body>
<p>Hello <?= $name ?></p>
</body>
</html>

http://example.com/test.php?name=adam
<html>
<body>
<p>Hello adam</p>
</body>
</html>

http://example.com/test.php?name=<script>alert('xss')</script>
<html>
<body>
<p>Hello <script>alert('xss')</script></p>
</body>
</html>

Reflected XSS
(diagram: http://example.com/test.php?name= ..., HTTP, JavaScript)

Stored XSS
(diagram: http://example.com/test.php?title= ..., HTTP, SQL, JavaScript)

Exploits – Phishing
• Malicious JavaScript can completely control the DOM
• Change current page to login page where the login sends credentials to the attacker

Exploits – Session Theft
• HTTP is session-less
  – No HTTP-native way to tie requests to the same user
• Web applications typically use cookies to create a session
  – Session describes who the user is, if they've passed authentication
• JavaScript has access to cookies…
(diagram: HTTP, SQL, JavaScript)

Exploits – Unauthorized Actions
• JavaScript can make requests to the web application
  – Browser sends cookies
  – Appears as if the user made the request (clicked the link or filled out the form)
• Malicious JavaScript can make requests to the web application on your behalf

Exploits – Worms
• Stored XSS vulnerability + Unauthorized Actions
  – Self-propagating worm
• Social networks particularly susceptible
  – "samy is my hero" (2005)
  – Tweetdeck (2014)

XSS – Prevention
• Sanitize all user inputs using known sanitization routine
• Depends on where output is in HTML page
  – < and > necessary in HTML
  – Only need ' in JavaScript

Output contexts (slide):
<html>
<script>
var test = "<?= $name ?>";
</script>
<div <?= $name ?>>

Inputs shown on the slide for these contexts:
  %27 (URL-encoded ')
  http://example.com/?adam=$name
  onload="javascript:alert(xss);"
  ""alert('xss');//"

Tools
• Browser Developer Tools
• Wireshark
• Burp Proxy
• SQLMap
• OWASP Broken Web Apps Project
• Google Gruyere

Questions?
[email protected]
http://adamdoupe.com/
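The prevention slide says the sanitization routine depends on where the output lands. The following is an added example (not from the slides) that gives each of the deck's three template positions its own treatment: entity-encoding for the HTML body, hex-escaping for the JavaScript string literal, and an allowlist for the bare attribute slot, where no encoder can help. It assumes Node.js; every function and constant name is this example's own.

```javascript
// Added example, not from the slides: one encoder per output context for the
// deck's templates (HTML body, JS string literal, bare attribute slot). Node.js.

// Context 1 - HTML text: <p>Hello <?= $name ?></p>
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Context 2 - JS string literal: var test = "<?= $name ?>";
// Hex-escape every non-alphanumeric char, so a quote, backslash, newline or a
// "</script>" sequence can neither end the literal nor end the script block.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Context 3 - attribute slot: <div <?= $name ?>>. No encoder makes this position
// safe (the slide's onload payload contains none of < > ' "), so the value is
// parsed and checked against an allowlist of attribute names instead.
const ALLOWED_ATTRS = new Set(['id', 'class', 'title']);
function attrFromInput(s) {
  const m = /^([a-z]+)=([A-Za-z0-9_-]*)$/.exec(String(s));
  if (!m || !ALLOWED_ATTRS.has(m[1])) throw new Error('attribute not allowed');
  return `${m[1]}="${m[2]}"`;
}

// The deck's reflected flow: name arrives URL-decoded from ?name=... (%27 -> ').
function nameFromUrl(url) {
  return new URL(url).searchParams.get('name') || '';
}

// Render the HTML-body and JS-string templates, each with its matching encoder.
function renderPage(name) {
  return `<p>Hello ${escapeHtml(name)}</p>\n` +
         `<script>var test = "${escapeJsString(name)}";</script>`;
}

// Evaluate the encoded literal to confirm it yields the input as plain data
// (a wrong encoder would throw a SyntaxError or run the payload here).
function jsLiteralRoundTrip(s) {
  return new Function('return "' + escapeJsString(s) + '";')();
}

// Constructed inputs: the deck's reflected URL and its JS-string breakout.
const REFLECTED_URL = "http://example.com/test.php?name=%3Cscript%3Ealert(%27xss%27)%3C/script%3E";
const JS_BREAKOUT = "\"; alert('xss'); //";
```

Note that `escapeHtml` leaves `onload=alert(xss)` untouched, which is exactly why the attribute slot needs an allowlist rather than the HTML encoder.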