Getting Developers to Take XSS Seriously

Similar documents
ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

WEB ATTACKS AND COUNTERMEASURES

Web Application Security

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Still Aren't Doing. Frank Kim

The Top Web Application Attacks: Are you vulnerable?

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011

Øredev Web application testing using a proxy. Lucas Nelson, Symantec Inc.

Cross-Site Scripting

OWASP Top Ten Tools and Tactics

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Blackbox Reversing of XSS Filters

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Hacking de aplicaciones Web

OWASP TOP 10 ILIA

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Web Application Security

Magento Security and Vulnerabilities. Roman Stepanov

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Adobe Systems Incorporated

Check list for web developers

With so many web applications, universities have a huge attack surface often without the IT security budgets or influence to back it up.

Gateway Apps - Security Summary SECURITY SUMMARY


FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Enterprise Application Security Workshop Series

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

External Network & Web Application Assessment. For The XXX Group LLC October 2012

Application security testing: Protecting your application and data

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Introduction: 1. Daily 360 Website Scanning for Malware

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Ruby on Rails Secure Coding Recommendations

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Hack Proof Your Webapps

An Analysis of the Effectiveness of Black-Box Web Application Scanners in Detection of Stored XSSI Vulnerabilities

Intrusion detection for web applications

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

University of Wisconsin Platteville SE411. Senior Seminar. Web System Attacks. Maxwell Friederichs. April 18, 2013

HOD of Dept. of CSE & IT. Asst. Prof., Dept. Of CSE AIET, Lko, India. AIET, Lko, India

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Cross Site Scripting Prevention

Complete Cross-site Scripting Walkthrough

Simon Fraser University. Web Security. Dr. Abhijit Sen CMPT 470

Rational AppScan & Ounce Products

Where every interaction matters.

Sitefinity Security and Best Practices

Penetration Test Report

Introduction to Computer Security

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Web-Application Security

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Passing PCI Compliance How to Address the Application Security Mandates

How to hack a website with Metasploit

Network Security Web Security

Common Security Vulnerabilities in Online Payment Systems

Application Security Testing. Generic Test Strategy

Institutionen för datavetenskap

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Web Application Guidelines

Web Application Security

Web application security

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

Attack and Penetration Testing 101

Web Application Security Assessment and Vulnerability Mitigation Tests

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

SQL Injection and XSS

Cross Site Scripting in Joomla Acajoom Component

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

The risks borne by one are shared by all: web site compromises

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Essential IT Security Testing

Hack-proof Your Drupal App. Key Habits of Secure Drupal Coding

Cross Site Scripting (XSS) Exploits & Defenses. OWASP Denver, Colorado USA. The OWASP Foundation. David Campbell Eric Duprey.

CS 558 Internet Systems and Technologies

Next Generation Clickjacking

Security Testing with Selenium

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Web Engineering Web Application Security Issues

Ethical Hacking Penetrating Web 2.0 Security

(WAPT) Web Application Penetration Testing

Testnet Summerschool. Web Application Security Testing. Dave van Stein

Application Security Vulnerabilities, Mitigation, and Consequences

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda

APPLICATION SECURITY AND ITS IMPORTANCE

Security features of ZK Framework

Web application security: Testing for vulnerabilities

Transcription:

Cross-Site Scripting Getting Developers to Take XSS Seriously Use Social Engineering to Enhance Your Vulnerability Reporting XSS

Contact Information Jason Pubal Website www.intellavis.com/blog E-mail jpubal@gmail.com Social http://www.linkedin.com/in/pubal http://www.twitter.com/pubal

Cross-Site Scripting Outline What is XSS? XSS History Detecting XSS Preventing XSS Reporting Tricks

Cross-Site Scripting Cross Site Scripting (XSS) is an attack against the user of a website. It is a technique that forces a website to display malicious code, which then executes in the user s web browser. The attacker uses a vulnerable website to send malicious code to another end user of the site. The vulnerability arises when the website takes data in some way from a user and dynamically includes it in a web page without first validating that data. account hijacking rewrite portions of the page log keystrokes steal browser information Steal client machine data attack the user s network

Persistent Cross-Site Scripting

Reflected Cross-Site Scripting

Websites with Cross-Site Scripting WhiteHat Website Security Statistic Report, Winter 2011

Attacks Using Cross-Site Scripting Web Hacking Incident Database

Real World Examples Hacker Redirects Barack Obama s site to hillaryclinton.com During the 2008 democratic primaries, XSS in Obama s website was exploited to redirect visitors to Hillary Clinton s website. Users who went to Obama s community blog were instead taken to www.hillaryclinton.com. Apache.org hit by targeted XSS attack, passwords compromised A targeted attack against JIRA admins used XSS to steal administrative cookies. Using those privileges, they installed backdoors and scripts to collect passwords at login. Thanks to people s tendency to use the same password on several websites and applications, the attacker was able to use those credentials get root access to other servers. New XSS Facebook Worm Allows Automatic Wall Posts An XSS in the Facebook s mobile API allowed a maliciously prepared iframe element containing JavaScript to post to user s walls.

History of Cross-Site Scripting

Samy I m sorry MySpace and FOX. I love you guys, all the great things MySpace provides, and all the great shows FOX has, my favorite being Nip/Tuck. Oh wait, Nip/Tuck is FX? My bad, but FOX, I m sure you still have some good stuff. But maybe you should start picking up Nip/Tuck reruns? Just a thought. I m kidding! Please don t sue me.

Samy Fastest Spreading Worm in History

JavaScript Malware Cross Site Scripting (XSS) is an attack against the user of a website. It is a technique that forces a website to display malicious code, which then executes in the user s web browser. The attacker uses a vulnerable website to send malicious code to another end user of the site. The vulnerability arises when the website takes data in some way from a user and dynamically includes it in a web page without first validating that data. account hijacking rewrite portions of the page log keystrokes steal browser information Steal client machine data attack the user s network ANYTHING A USER CAN DO OR ACCESS FROM THE BROWSER!

Manual Testing <SCRIPT>alert( XSS )</SCRIPT> XSS Cheat-Sheet: http://ha.ckers.org/xss.html OWASP Broken Web Applications (Vulnerable Applications to Hack): https://www.owasp.org/index.php/owasp_broken_web_applications_project

Browser Plugins

Web Application Vulnerability Scanners

Web Application Vulnerability Scanners

Preventing Cross-Site Scripting https://www.owasp.org/index.php/xss_(cross_site_scripting)_prevention_cheat_sheet Input Validation Output Encoding / Escaping Accept known good (whitelist) Reject known bad (blacklist) Sanitize (change input to acceptable format) Characters will still render in a browser correctly; escaping simply lets the interpreter know the data is not meant to be executed. & & < < > > " " ' &#x27; / /

Preventing Cross-Site Scripting Use Libraries ESAPI https://www.owasp.org/index.php/esapi MS Anti-XSS Library - http://wpl.codeplex.com

Cross-Site Scripting Reporting Seriously? The value of the search_txt request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload <script>alert(xss)</script> was submitted in the search_txt parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Browser Exploitation Framework (BeEF) http://beefproject.com/

Cross-Site Scripting Exploitation

Socially Engineering your Report Exploit the Vulnerability! Report the Impact!

Socially Engineering your Report Exploit the Vulnerability! Report the Impact!

Socially Engineering your Report Exploit the Vulnerability! Report the Impact!

Copy Machine Experiment The Power of Because May I use the Xerox machine? Giving no reason - 60% May I use the Xerox machine, because I have to make copies? Giving no real reason - 93% May I use the Xerox machine, because I m in a rush? Giving a reason - 94%

Commander s Intent Give Them a Reason!

Bystander Apathy Assign a JIRA Ticket!

Contrast Frame NLP The Ponemon Institute puts the cost per record of a breach at $214, with an average cost of 7.2 million dollars. By contrast, a week of development time seems cheap. Options 1 - $5,000 95% Effective 2 - $500 80% Effective

Herd Effect You re all sheep. Best Practices Amazon and Facebook employ CAPTCHA 93% of Websites in our Industry use Input Validation

Pygmalion Effect Clearly Communicate Expectations

Metrics If you want to improve something, measure it. Measure to see if what you're doing is working. If not, try something else.

THANK YOU Questions?!

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information