
  • Number of slides: 26

XSS 101
Jason Clark, 12/20

• XSS Explained
• XSS Types
• XSS “Fingerprinting”
• What can you do with XSS?
• XSS Examples
• Mitigating XSS (Basics and Fortinet)

XSS Explained
• Web app vulnerability that allows code injection and cross site commands
  • Java, php, cgi, asp, html, dhtml
• Attack takes advantage of the way HTML code is interpreted by the browser
  • i.e. JavaScript provides the ability to create an iframe within a site, thus allowing cross site commands
• Majority of sites do not filter user input
  • i.e. encoding ‘spaces’, #, <, >, XSS characters such as ; “ { (within


DOM Based
• Document Object Model
  • API which defines how documents are structured and accessed
  • i.e. allows XML to be presented as a document on various systems
  • Defines cross domain controls (scripts may not be run across domains, except local zone)
• DOM Based XSS
  • Code is not submitted to the web server (in most cases)
  • RSS pages, Internet Explorer local pages
  • Also referred to as client-side XSS
  • Bypasses client-side sandbox
  • Difficult to detect (and secure)
  • http://example.com#evil_code
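The fragment sink above (payload after `#`, never sent to the server) and the "XSS characters" listed on the XSS Explained slide are what client-side output encoding has to neutralise. The following is an added example, not code from the slides: the page, the `renderStatus*` functions, `isAllowedTarget` and the sample fragment are all constructed for illustration, and the functions return the markup a page would assign to `innerHTML` so the example runs outside a browser.

```javascript
// Added example (not from the slides): hardening the client-side sinks that
// DOM-based XSS abuses. The payload rides in the URL fragment and never
// reaches the server, so browser-side code is the only place to stop it.
// The page and functions here are hypothetical; they return the markup a
// page would assign to innerHTML so the example runs without a DOM.

// Characters that let text break out of an HTML text node or attribute.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
};

// Entity-encode untrusted text so the browser renders it as text, not markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the fragment is spliced straight into markup, which is
// what `el.innerHTML = '...' + location.hash` does.
function renderStatusUnsafe(fragment) {
  return '<p>Status: ' + decodeURIComponent(fragment.slice(1)) + '</p>';
}

// Hardened version: decode the percent-encoding (the "friendly" disguise the
// slides mention), then entity-encode before the text touches markup. A
// malformed fragment renders as empty rather than half-decoded.
function renderStatusSafe(fragment) {
  let text = '';
  try {
    text = decodeURIComponent(fragment.slice(1));
  } catch (e) {
    // URIError: bad %-sequence; show nothing rather than guess.
  }
  return '<p>Status: ' + escapeHtml(text) + '</p>';
}

// Second sink from the slides: a fragment that carries a URL the page then
// navigates to (navcancl.htm#http://...). Allow only a same-site relative
// path: a single leading "/", no scheme, no "//" or "/\" host form.
function isAllowedTarget(fragment) {
  return /^\/(?![\/\\])\S*$/.test(fragment.slice(1));
}

// Constructed sample: the slide's alert("Hacked") payload, percent-encoded
// as it would travel inside a link.
const SAMPLE_FRAGMENT = '#%3Cscript%3Ealert(%22Hacked%22)%3C%2Fscript%3E';
```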

DOM Based – Example
• Attacker chooses a vulnerable web page on a victim host
  • IE 7 navcancl.htm design flaw
• Attacker crafts a link which exploits navcancl.htm
  • res://ieframe.dll/navcancl.htm#http://www.google.com/_____
  • res://ieframe.dll/navcancl.htm#http://192.168.1.22/skypeshutdown.html
  • Or simply http://google.com#XSS
• Attacker crafts a malicious link to a site containing the instruction script
• Malicious link is encoded to look “friendly”
• Malicious link is sent to end user via email with an intriguing title
• Depending on end user security settings, user either clicks on the link or it “auto loads”
• Web server/application executes malicious JavaScript
  • Stolen cookies
  • Session hijacking
  • Attacker essentially has the “rights” of the victim

Non-Persistent XSS – Example
• Attacker determines a vulnerable non-persistent site
  • <script
  • Script contains a target iframe of 1.0.0.0/8 as well as get_random for running through the remainder of the subnet (exploiting vulnerable sites)
  • Note: there is a little more to this, such as http://” + address +”/index.php
  • Random address is inserted in the address and index.php will (hopefully) be resident
• At this point, each time the page is viewed the script is executed, which in turn runs through the entire class A subnet, propagating the XSS worm/virus


Determining Vulnerable Sites
• Public Sites
  • www.xssed.com
• Scanners
  • Nikto
  • Too many to mention…
• Scripts
  • Use on search boxes, forms, web accounts, bank logins
• FireFox
  • XSS ME
  • Tamper Data
  • Many more…


What now
• What can I do with XSS?
  • Cookie theft
  • Session riding/hijacking (CSRF)
  • False advertisements/Free advertising
  • Hit stealing
  • Identity theft
  • Web page defacement
  • XSS worm propagation
• Tools
  • BeEF
  • XSS-Proxy
  • Backframe
  • Java, php, cgi, html, etc.


testlink
• res://ieframe.dll/navcancl.htm#http://192.168.1.22/skypeshutdown.html
• about:cancel#http://anysite/"); alert(“Hacked"); //