Transcript Document

Cross-Site Scripting Vulnerabilities
Adam Doupé
11/24/2014
Doupé - 11/24/14
Ethics
• Only hack into sites you own
– Or you have permission
• Popular sites may have bug bounty program
– Facebook
– github
– Google
• You will get caught
Tech
• HTTP
• HTML
• CSS
• JavaScript
• SQL
• Server-Side Code (Python/PHP/Ruby)
Many Vulnerabilities
• Cross-Site Scripting (XSS)
• SQL Injection
• Cross-Site Request Forgery (XSRF)
• HTTP Parameter Pollution (HPP)
• Command Injection
• Parameter Manipulation
• File Exposure
• Directory Traversal
• Forced Browsing
• Logic Flaws
• Execution After Redirect (EAR)
Web Applications
[Diagram: browser and web application, labels HTTP, SQL, JavaScript]
HTTP Client Request
GET / HTTP/1.1
User-Agent: curl/7.37.1
Host: www.facebook.com
Accept: */*
HTTP Server Response
HTTP/1.1 200 OK
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Set-Cookie: datr=cohyVEAwQmq5jJh2cWZ9pZc9; expires=Wed, 23-Nov-2016 01:22:58 GMT; Max-Age=63072000; path=/; domain=.facebook.com; httponly
Set-Cookie: reg_ext_ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
<!DOCTYPE html>
<html lang="en" id="facebook" class="no_js">
<head>
<script>
...
</script>
<title id="pageTitle">Welcome to Facebook - Log In, Sign Up or Learn More</title>
JavaScript
• Makes the page dynamic
• Full control over page
– Layout
– Asynchronous requests
– Event handlers
• Code from the website running on your browser
Same Origin Policy
• Browser JavaScript Security Policy
• (protocol, host, port)
https://www.facebook.com/
(https, www.facebook.com, 443)
http://www.cnn.com/
(http, www.cnn.com, 80)
Same Origin Policy
• Cookies (document.cookie)
• DOM
• localStorage
• XMLHttpRequests
• img
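Added example (not from the slides): computing the (protocol, host, port) origin tuple shown on the Same Origin Policy slide, including the default port the URL leaves out, and comparing two URLs the way the browser does; the function names are my own.

```python
# Origin tuple (protocol, host, port) for a URL and a same-origin check, as the
# slide's https://www.facebook.com/ -> (https, www.facebook.com, 443) example.
# Added example, not the slides' code.
from typing import Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url: str) -> Tuple[str, str, int]:
    """Return (scheme, host, port). Scheme and host are case-insensitive and
    are normalised to lower case; a missing port becomes the scheme default."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL with a host: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname, port)

def same_origin(a: str, b: str) -> bool:
    """True only when all three components match: path, query and fragment
    never matter, but a change in scheme, host or port is a different origin."""
    return origin(a) == origin(b)
```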
Cross-Site Scripting (XSS)
• Malicious JavaScript running in the context of your web application
XSS – Example
<html>
<body>
<p>Hello <?= $name ?></p>
</body>
</html>
http://example.com/test.php?name=adam
<html>
<body>
<p>Hello <?= $name ?></p>
</body>
</html>
http://example.com/test.php?name=adam
<html>
<body>
<p>Hello adam</p>
</body>
</html>
http://example.com/test.php?name=<script>alert('xss')</script>
<html>
<body>
<p>Hello <?= $name ?></p>
</body>
</html>
http://example.com/test.php?name=<script>alert('xss')</script>
<html>
<body>
<p>Hello
<script>alert('xss')</script>
</p>
</body>
</html>
Reflected XSS
[Diagram: http://example.com/test.php?name= flowing through the web application; labels HTTP, JavaScript]
Stored XSS
[Diagram: http://example.com/test.php?title= stored and later served to other users; labels HTTP, SQL, JavaScript]
Exploits – Phishing
• Malicious JavaScript can completely control the DOM
• Change current page to login page where the login sends credentials to the attacker
Exploits – Session Theft
• HTTP is session-less
– No HTTP-native way to tie requests to the same user
• Web applications typically use cookies to create a session
– Session describes who the user is, if they've passed authentication
• JavaScript has access to cookies...
Exploits – Session Theft
[Diagram: session cookie read by injected JavaScript and sent to the attacker; labels HTTP, SQL, JavaScript]
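Added example (not from the slides): an audit of Set-Cookie headers for the HttpOnly flag, the server-side setting that keeps a cookie out of document.cookie and so out of reach of the session-theft exploit above; the sample header list is constructed from the HTTP Server Response slide, and the function names are my own.

```python
# Audit Set-Cookie headers for the HttpOnly flag: a session cookie set without
# it is readable through document.cookie by any script running in the page.
# Added example, not the slides' code; the header list below is constructed
# from the response shown on the HTTP Server Response slide.
from typing import Dict, List

SAMPLE_RESPONSE_HEADERS = [
    "Set-Cookie: datr=cohyVEAwQmq5jJh2cWZ9pZc9; expires=Wed, 23-Nov-2016 01:22:58 GMT; "
    "Max-Age=63072000; path=/; domain=.facebook.com; httponly",
    "Set-Cookie: reg_ext_ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; "
    "path=/; domain=.facebook.com",
    "Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com",
    "Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com",
    "Content-Type: text/html; charset=utf-8",
]

def parse_set_cookie(header_value: str) -> Dict[str, str]:
    """Split 'name=value; attr; attr=value' into a dict with 'name' and 'value'
    keys plus one lower-cased key per attribute (flag attributes map to '')."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip():
            cookie[key.strip().lower()] = val.strip()
    return cookie

def cookies_readable_by_script(headers: List[str]) -> List[str]:
    """Names of cookies set without HttpOnly, i.e. exposed to document.cookie.
    Deletions (Max-Age=0) are skipped because nothing is stored for them."""
    exposed = []
    for line in headers:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if cookie.get("max-age") == "0":
            continue
        if "httponly" not in cookie:
            exposed.append(cookie["name"])
    return exposed
```

On the slide's own response, datr carries httponly while the two reg_fb_* cookies do not; whether that matters depends on whether a cookie actually identifies the session.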
Exploits – Unauthorized Actions
• JavaScript can make requests to the web application
– Browser sends cookies
– Appears as if the user made the request (clicked the link or filled out the form)
• Malicious JavaScript can make requests to the web application on your behalf
Exploits – Worms
• Stored XSS vulnerability + Unauthorized Actions
– Self-propagating worm
• Social networks particularly susceptible
– "samy is my hero" (2005)
– Tweetdeck (2014)
XSS – Prevention
• Sanitize all user inputs using a known sanitization routine
• Depends on where the output is in the HTML page
– < and > necessary in HTML
– Only need ' in JavaScript
<html>
<script>
var test = "<?= $name ?>";
</script>
<div <?= $name ?>>
< &lt;
< %27
http://example.com/?adam=$name
onload="javascript:alert(xss);"
""alert('xss');//"
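Added example (not from the slides): the same input rendered into each output context on the prevention slide (HTML text, attribute, JavaScript string, URL parameter) with the encoder that fits that context, next to the vulnerable template from the XSS example; the payloads are the slides' own, the function names are my own.

```python
# Output encoding per context for the templates on the prevention slide:
# HTML text (<p>Hello <?= $name ?></p>), quoted attribute value, JavaScript
# string (var test = "<?= $name ?>";) and URL parameter (?adam=$name).
# Added example, not the slides' code; the payloads are the slides' own.
import html
import json
import urllib.parse

SCRIPT_PAYLOAD = "<script>alert('xss')</script>"   # reflected into HTML text
ATTR_PAYLOAD = 'onload="javascript:alert(xss);"'   # aimed at <div <?= $name ?>>
JS_PAYLOAD = "\"alert('xss');//"                    # aimed at the JS string literal

def render_unsafe(name: str) -> str:
    """The vulnerable template from the slides: input copied in verbatim."""
    return f"<p>Hello {name}</p>"

def render_html_text(name: str) -> str:
    """HTML text context: < > & \" ' become entities, so no tag can open."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"

def render_attr_value(name: str) -> str:
    """Attribute context: input goes only into a quoted attribute value, never
    into the attribute-name position that <div <?= $name ?>> exposes."""
    return f'<div title="{html.escape(name, quote=True)}">'

def render_js_string(name: str) -> str:
    """JavaScript string context: json.dumps produces a quoted literal with
    backslash escapes for quotes; '</' is escaped too so that a literal
    </script> inside the data cannot terminate the script element."""
    literal = json.dumps(name).replace("</", "<\\/")
    return f"<script>var test = {literal};</script>"

def render_url_param(name: str) -> str:
    """URL context: percent-encode everything outside the unreserved set,
    so ' becomes %27 as on the slide and < becomes %3C."""
    return "http://example.com/?adam=" + urllib.parse.quote(name, safe="")
```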
Tools
• Browser Developer Tools
• Wireshark
• Burp Proxy
• SQLMap
• OWASP Broken Web Apps Project
• Google Gruyere
Questions?
[email protected]
http://adamdoupe.com/