Cross Site Scripting (XSS)
- 1. Security Concerns Mobile Application Security
- 2. About Priaum Talukder Program: MSCSE ID: 1612359050 Email: [email protected] https://www.linkedin.com/in/priamcse Course: CSE 597 / Seminar Topics Course Teacher: Dr. Shazzad Hosain North South University
- 3. Previous Topics Top Issues Facing Mobile Devices Top Application Security Risks Injection Broken Authentication & Session Management
- 4. Cross Site Scripting (XSS)
- 5. Cross Site Scripting (XSS) Type of injection. Malicious script injected on trusted or weak web servers. Attacker Uses Web Application to sent malicious code. Mostly uses client side application. Example: HTML, JavaScript, VBScript, ActiveX, Flash etc.
- 6. Cross Site Scripting (XSS) Cross-Site Scripting (XSS) attacks occur when: Data enters a Web application through an untrusted source, most frequently a web request. The data is included in dynamic content that is sent to a web user without being validated for malicious content.
- 7. XSS Example Example of malicious code Modification of the Document Object Model - DOM (change some links, add some buttons) Send personal information to thirds (javascript can send cookies to other sites)
- 8. Cross Site Scripting (XSS) Attacker Executes Script on the Victim’s machine Is usually Javascript Can be any script language supported by the victim’s browser
- 9. Types of XSS Three types of Cross Site Scripting Reflected Stored DOM injection
- 11. Reflected XSS Attacks Reflected XSS are the most frequent type of XSS attacks found in the wild. Reflected attack is like phishing attack. Attacker sends the malicious code via website url. Reflected attacks delivered to victim via email, website url or by other medium. An attacker convinces a victim to visit a URL. After the site reflects the attacker's content back to the victim, the content is executed by the victim's browser.
- 12. Reflected XSS Attacks Injected script is reflected off the web server. such as in an error message search result or any other response that includes some or all of the input sent to the server as part of the request.
- 13. Reflected XSS Attacks Example article.php?title=<meta%20http- equiv="refresh"%20content="0;"> This makes a refresh request roughly about every .3 seconds to particular page. It then acts like an infinite loop of refresh requests, potentially bringing down the web and database server by flooding it with requests. The more browser sessions that are open, the more intense the attack becomes.
- 15. Stored XSS Attacks Stored attacks are those where the injected script is permanently stored on the target servers. such as in a database in a message forum visitor log comment field etc. The victim then retrieves the malicious script from the server when it requests the stored information.
- 16. Stored XSS Attacks Risk when large number of users can see unfiltered content Very dangerous for Content Management Systems (CMS) Blogs Forums
- 17. Stored XSS Attacks Stored XSS Attacks of cross-site scripting vulnerability has the largest impact of all when compared to other XSS variants because: It will affect every visitor of the targeted web application Unless detected and manually removed, the malicious code will remain active on the website, thus having a very long term effect Web browser’s XSS protection mechanisms do not detect and stop persistent XSS
- 18. DOM Based XSS Attacks
- 19. DOM Based XSS Attacks XSS Modifies the Document Object Model (DOM) Javascript can manipulate all the document It can create new nodes Remove existing nodes Change the content of some nodes JavaScript is manipulated directly inside the client Using misconfiguration of client side code Using flows in frameworks (AngularJS, JQuery, . . . )
- 20. Example DOM Based XSS Suppose the following code is used to create a form to let the user choose his/her preferred language. A default language is also provided in the query string, as the parameter “default”. Code <select><script> document.write("<OPTION value=1>"+document.location.href.substring(do cument.location.href.indexOf("default=")+8)+"</ OPTION>"); document.write("<OPTION value=2>English</OPTION>");
- 21. Example (Cont.) A DOM Based XSS attack against this page can be accomplished by sending the following URL to a victim: http://www.some.site/page.html?default=<script >alert(document.cookie)</script> When the victim clicks on this link, the browser sends a request for: /page.html?default=<script>alert(document.coo kie)</script> to www.some.site. The server responds with the page containing the above Javascript code. The browser creates a DOM object for the page, in
- 22. Prevention
- 23. Prevention (XSS Attack) By validating of all incoming data or input data. Appropriate encoding of all output data can prevent this attack.
- 24. Input Validation Use Standard input validation mechanism Validate length, type, syntax and appropriate rules Use the “Accept known good” validation Reject invalid input Do not forget that error messages might also include invalid data
- 25. Output Validation Ensure that all user-supplied data is appropriately entity encoded before rendering HTML or XML depending on output mechanism means <script> is encoded <script> Set the character encoding for each page you output specify the character encoding (e.g. ISO 8859-1 or UTF 8) Do not allow attacker to choose this for your users
- 26. Reference OWASP Top 10 Mobile Risks by OWASP https://en.wikipedia.org/wiki/Cross-site_scripting - by wikipedia https://www.owasp.org/index.php/Cross- site_Scripting_(XSS) – by OWASP https://www.owasp.org/index.php/XSS_(Cross_ Site_Scripting)_Prevention_Cheat_Sheet by OWASP https://www.owasp.org/index.php/Types_of_Cro ss-Site_Scripting – Types of Cross Site Scripting by OWASP http://www.acunetix.com/websitesecurity/cross-
- 27. Thank you!