A talk by ,

Transcription

1 A talk by ,

2

3

4

5

6 A researcher in uhr niversity ochum, A student of XSS who is working towards his PhD in XSS An XSSer / An XSS Enthusiast Listed in top sites' hall of fame A proud father of two & OWASP Seminar@RSA Europe 2013 A Twitter

7

8

9

10

11

12

13 50$ per-context bypass (output reflects in 5 contexts)

14 1. PHP 2. XSS 3. Testing Methodology 4. Per-Context XSS Attack Methodology 5. Summarize PHP's findings (includes built-in functions, customized XSS solutions and top PHP-based web frameworks ) 6. Results of Alexa Survey of Top 100 sites 7. Conclusion

15

16

17

18

19

20

21

22

23

24

25

26

27 %202013%20-%20RC1.pdf

28

29

30

31

32 #tweetbleed is the term coined here:

33

34

35

36

37

38

39 Simulate Real Web Applications Testing conducted in five common contexts (HTML, Script, Attribute, Style & URL)

40

41

42 filter_function === general term

43

44

45

46

47

48

49

50

51 Double Quotes Case

52 Single Quotes Case

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68 Systematic in nature Easy to understand Context-Specific Attack methodology is ` ` and one can guarantee that there is an XSS or no XSS in a particular injection point. With the help of attack methodology, one can make a secure per-context XSS sanitizer Can be applied to other server-side languages e.g., ASP, Ruby etc

69 Only for attendees... :)

70 "; confirm(1); // OR '; confirm(1); //

71

72

73

74

75 It simply does not work. Encoding will not help you in breaking the script context unless developers are doing some sort of explicit decoding.

76

77

78

79

80 Only for attendees :)

81

82

83

84

85 ``onmouseover=alert(1) `` === back tick

86

87 Very useful in breaking attribute context if site is properly filtering single and double quotes

88 Mario Heiderich Another useful tool by him is and must read research paper by him if you are interested in innerhtml and mutation XSS CCS13.pdf

89

90

91

92

93

94

95

96

97

98

99

100

101

102 src=%20http%3a%2f%2fvideo.ch9.ms%2fsessions%2fbuild%2f2 559.pptx

103 see demo

104 Only for attendees :)

105 Magento-When-Style-helps-you

106 Only for attendees :)

107 Twitter-Translation

108

109

110

111

112

113 A quick search on GitHub reveals...

114 A quick search on GitHub reveals... (false positives are also there but still give you an idea of popularity)

115 A quick search on GitHub shows...

116 Only for attendees :)

117

118 Developers are also calling it with names like and A quick search on GitHub reveals

119 Two arrays of black-listed keywords :)

120

121

122 All event handlers that are not part of black-listed array will bypass this protection e.g.,

123

124

125

126

127 A very popular but sorry to say BAD XSS protection... A quick search on GitHub reveals...

128

129

130

131

132

133 The goal of this function is to stop JavaScript execution via style.

134

135

136

137

138 Another popular customized XSS protection solution.

139

140 A popular XSLT-powered open source content management system is using function.

141

142

143

144

145

146

147

148 A Fully Baked PHP Framework

149

150 (Snapshot from the latest CodeIgniter version available at GitHub)

151

152

153

154 (old test-bed) (new test- bed)

155 Sanitize Naughty HTML elements Old list of naughty elements before I started bypassing...

156 <math><a/xlink:href=javascript&colon;confirm(1)>click</a> (old test-bed) (new test- bed)

157

158

159

160 Removes Invisible characters e.g., %00 i.e., NULL

161

162

163

164

165

166

167

168 demo:

169 HxD

170

171

172

173

174 Only for attendees :)

175 I surveyed top 10 sites from the following 10 categories...

176

177

178

179 Our large scale survey of PHP-based sanitisation routines shows SAD state of web security as far as XSS is concerned. The proposed attack and testing methodology is general and may be applied to other server-side languages. What if we automate this context-specific attack methodology and unleash automation tool on a large scale survey of deep web... :)

180 @metromoxie

181

182

183