Developer's Guide to Cross Site Scripting
OWASP New Zealand Day 2017
whoami
Felix Shi (@comradepara)
◦ A security guy at Xero
◦ Infosec
◦ Running
◦ Cartography
Disclaimer: Something about my own opinions does not reflect those of my employer.
Disclaimer
Disclaimer: This is a primer to Cross Site Scripting (XSS), it is by no means an exhaustive list.
Please consult your local security team or physician if you think you are suffering from XSS.
Presentation Overview
1. Background
  ◦ Fundamentals
  ◦ What is XSS
  ◦ Why should you care
  ◦ Why is it still an issue
  ◦ Exploitation theory
2. Demo
  ◦ Exploitation practice
  ◦ Prevention theory
  ◦ Prevention practice
    ▫ Backend
    ▫ Frontend
    ▫ Content Security Policy
  ◦ Mitigation practice
    ▫ Input validation
    ▫ Cookie Flags
Background
Fundamentals
What's in a modern web application?
◦ Stuff the browser uses
  ▫ HTML, Javascript, CSS, pretty pictures
◦ Stuff the server uses
  ▫ Ruby, Java, C#, Python etc.
◦ Persistent server side storage
  ▫ SQL databases, file systems
Fundamentals
HTML
◦ Has been around since forever
  ▫ (Correction: Invented in the late 80s)
◦ The building block of the web
◦ Elements on the page are described using tags
<html>
<head>
<title>why
Fundamentals
HTML Tags
◦ <b> Hello I'm bold </b>
◦ <u> Underlined </u>
◦ <img src='tower.jpg' />
Rendered:
Hello I'm bold
Underlined
![Page 10: Cross Site Scripting Developer's Guide to · Types of Cross Site Scripting - Stored Script Entry Point Various places, all ending up in persistent storage. For example: Entries in](https://reader030.vdocuments.us/reader030/viewer/2022040911/5e851f2ba142e22c5820e7fe/html5/thumbnails/10.jpg)
Fundamentals
Ways to include Javascript on a page
◦ <script>console.log("Hello");</script>
◦ <script src="test.js"></script>
◦ <img src='hi.jpg' onload='alert(1)' />
And many other ways!!!
Fundamentals
What can you do with Javascript?
◦ Alter the look and functionality of the page
◦ Access private user data associated with the site
◦ Perform actions on the user's behalf
But I trust the webapps I use!
Let's talk about... Cross Site Scripting!
What is Cross Site Scripting (XSS)?
Someone can get their own Javascript to run in the context of your site
Why should I care?
¯\_(ツ)_/¯
Who does it affect?
How could it affect the user?
◦ The user's browser executes the malicious Javascript
◦ Alter the look and functionality of the page
◦ Access private user data associated with the site
◦ Perform actions on the user's behalf
Who does it affect?
How could it affect your company?
◦ Loss of trust
  ▫ Bad PR
◦ Fixing technical debt is expensive
  ▫ Which leads to angry product owners
  ▫ Anger leads to hate, something... dark side
◦ Regulation / Compliance issues
  ▫ Some certs require a clean pentest report
Why is it still an issue?
Because handling user defined data is hard
Exploitation Time!!!
XSS Exploitation Theory
◦ Identify the entry points of user defined data.
◦ Identify how the above data gets used on the page.
◦ The goal of XSS is to get the browser to execute user defined scripts.
Types of Cross Site Scripting - Reflected
Example URL:
http://trustedsite/search.php?q=<script>alert(1);</script>
Page source returned to the victim:
<html>...<div><script>alert(1);</script></div>...</html>
Exploitation Vector: Social Engineering, an attacker crafts a URL and gets people to click on it.
Types of Cross Site Scripting - Stored
Script Entry Point
  ▫ Various places, all ending up in persistent storage.
    ■ For example: Entries in a guestbook
Exploitation Vector
  ▫ User just needs to visit a page that renders the stored script.
  ▫ More dangerous than reflected XSS.
    ■ Can be prepared in advance
    ■ Can affect multiple users
Types of Cross Site Scripting - DOM Based
Example user data:
http://trustedsite/search.php?q=<script>alert(1);</script>
Page source excerpt:
...
<script>
document.write(document.URL.substring(document.URL.indexOf("q=")+2));
</script>
...
Note that the XSS script does not appear in the source code: the page's own script reads the q parameter out of the URL and writes it into the document.
Demo Time! :D
Defence
Prevention Theory
◦ XSS issues are introduced when user supplied Javascript snippets are executed by the browser
◦ Faulty handling of user provided data
Defence
◦ Multiple user defined strings were rendered on the page:
  ▫ The title URL parameter
  ▫ Username field
  ▫ Message field
Defence
URL: http://url/entries?title=<script>alert(1);</script>
HTML Output:
<h1>Thank you for signing my<script>alert(1);</script></h1>
Defence
◦ Don't allow user input
  ▫ Not possible IRL :(
◦ Ensure that user provided data is validated when appropriate
◦ Ensure that user provided data is properly encoded/escaped on output
What is Encoding
?????
Defence
HTML Encoding is a technique that converts potentially unsafe characters into their encoded form.
Character   HTML Encoded
<           &lt;
>           &gt;
&           &amp;
Defence - Encoding
Input:
<script>alert(1);</script>
HTML Encoded Output:
&lt;script&gt;alert(1);&lt;/script&gt;
User sees:
<script>alert(1);</script>
NO SCRIPT EXECUTION FOR YOU!!1 >:)
Defence - Encoding (Backend)
HTML Encoding for Developers
Templates: Django, Flask, Rails (v3.0 and later), Mustache for Node.JS
◦ Secure by default
  ▫ Automatically HTML encodes user data
Opting out of HTML Encoding in Flask: {{username | safe}}
Defence - Encoding (Frontend)
HTML Encoding for Developers
◦ Most modern front-end Javascript frameworks also HTML encode their output by default.
  ▫ For example: Angular.js, React.js
Opting out of HTML Encoding in React.js...
Defence - Encoding (Frontend)
dangerouslySetInnerHTML
Awesome Method Name!
"Are you sure you want to shoot yourself in the foot?"
Defence - Encoding (Back-end)
HTML Encoding for Developers
Still want to do encoding on the server-side manually?
◦ Use an established library!
  ▫ .NET (if you are not using Razor)
    ■ System.Web.HttpUtility.HtmlEncode
  ▫ Java
    ■ StringEscapeUtils.escapeHtml
Don't write your own encoding library
We HTML Encoded Everything!
It is Demo Time Again! :D
OH NOES! :(
Defence
◦ Another piece of user defined data was found in use on the page:
  ▫ Alternate text for the user's avatar
<img src='auto generated url' alt='Username'/>
Defence
Username: <script>alert(1);</script>
With HTML Encoding: <img src='generated_url' alt='&lt;script&gt;alert(1);&lt;/script&gt;' />
Defence
Username: ' onload=alert(1) v='
With HTML Encoding: <img src='generated_url' alt='' onload=alert(1) v='' />
Note: Not all HTML encoders encode the apostrophe character, so the quoted attribute is closed early and the rest of the username becomes new attributes.
Let's talk about Encoding (Again)
Encoding Again
This time the user defined data was used inside an HTML attribute.
Other examples of user data in attributes:
<input type="text" value="user data" />
<img src="user data">
Encoding Recap
Another encoding mechanism must be used in this scenario.
Attribute Encoding
Character   Attribute Encoded
'           &#x27;
"           &quot;
Defence
Username: ' onload=alert(1) v='
With Attribute Encoding: <img src='some auto generated url' alt='&#x27; onload=alert(1) v=&#x27;' />
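Added example for this edition, not code from the slides: the two encoders the deck contrasts, built on Python's standard-library html.escape. html_encode mirrors an encoder that converts < > & but leaves the apostrophe alone (the case the "Not all HTML encoders..." note describes); attribute_encode also converts both quote characters. Both are rendered into the <img alt='...'> tag from the avatar slide, and a small attribute-boundary check shows which rendering keeps alt intact. The function names, the regex and the two usernames are constructed for this example.

```python
import html
import re

# Added example, not from the slides: HTML-body encoding versus HTML-attribute
# encoding with the standard library. The inputs below are constructed to mirror
# the usernames used in the deck.

# Mirrors an encoder that handles < > & but leaves quotes alone (the deck
# notes that not every HTML encoder encodes the apostrophe).
def html_encode(text: str) -> str:
    return html.escape(text, quote=False)

# Attribute encoding also converts ' to &#x27; and " to &quot;, so user data
# can never close the quoted attribute it sits in.
def attribute_encode(text: str) -> str:
    return html.escape(text, quote=True)

# What the browser displays after decoding the entities ("User sees" on the deck).
def user_sees(encoded: str) -> str:
    return html.unescape(encoded)

def render_body(username: str, encoder) -> str:
    # HTML body context: <div>user input</div>
    return "<div>Welcome " + encoder(username) + "</div>"

def render_avatar(username: str, encoder) -> str:
    # Single-quoted HTML attribute context, as in the avatar slide.
    return "<img src='generated_url' alt='" + encoder(username) + "' />"

# Pulls attribute names out of one tag the way a lenient HTML tokenizer would:
# quoted values run to the matching quote, unquoted values run to whitespace.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:'[^']*'|"[^"]*"|[^\s>]+)""")

def attribute_names(tag: str) -> list:
    return ATTR_RE.findall(tag)

def alt_stays_intact(tag: str) -> bool:
    # The template only ever wrote src and alt; anything extra means the
    # user data broke out of the alt value.
    return attribute_names(tag) == ["src", "alt"]

# Constructed sample usernames, matching the deck's two cases.
SCRIPT_NAME = "<script>alert(1);</script>"
QUOTE_NAME = "' onload=alert(1) v='"

def demo() -> dict:
    # Collects every rendering so the results can be compared side by side.
    return {
        "body_html_encoded": render_body(SCRIPT_NAME, html_encode),
        "avatar_html_encoded": render_avatar(QUOTE_NAME, html_encode),
        "avatar_attr_encoded": render_avatar(QUOTE_NAME, attribute_encode),
    }

if __name__ == "__main__":
    for label, markup in demo().items():
        print(f"{label}: {markup}")
        if markup.startswith("<img"):
            verdict = "alt intact" if alt_stays_intact(markup) else "BROKEN OUT of alt"
            print("   attributes:", attribute_names(markup), "-", verdict)
```

The point to take from the output: html_encode leaves the second username byte-for-byte unchanged (it contains no < > &), so the attribute list grows to src, alt, onload, v; attribute_encode turns the apostrophes into &#x27; and the tag keeps exactly the two attributes the template wrote. In a real template engine use its attribute-context encoder rather than this regex check, which is only here to make the boundary visible.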
Defence
Attribute Encoding for the Developers
If you are using templates, make sure you wrap user input in quotes!
<img src="blegh" alt="{{user_input}}">
Defence
Attribute Encoding for the Developers
Use the appropriate attribute encoding method in your framework.
◦ Use an established library!
  ▫ .NET
    ■ System.Web.HttpUtility.HtmlAttributeEncode
  ▫ Java (OWASP Encoder)
    ■ org.owasp.encoder.Encode.forHtmlAttribute
Knowing when to use which encoding is important!! :O
Context
HTML: <div>user input</div>
HTML Attribute: <input value="user input">
URL: http://mysite/index?title=user input
Context
Javascript Escaping: <script>var title = user input;</script>
Style / Cascading Style Sheet: background-image: user input;
And some others...
Context
Sometimes you need to use multiple encodings!
Template: <script>var title = 'user input';</script>
User input: ';alert(123); </script> <script>alert(1);//
Result: <script>var title = '';alert(123); </script> <script>alert(1);//';</script>
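Added example for this edition, not code from the slides: what "multiple encodings" means for the JavaScript-string context above. A naive escape that only handles the quote keeps the JavaScript string literal intact, yet the HTML parser still closes the script block at the first </script> it sees. Encoding the value as a JSON string literal and then writing < > & as \uXXXX escapes covers both parsers at once. The payload string is constructed to mirror the slide's user input; function names are this example's own.

```python
import json

# Added example, not from the slides: user data inside a JavaScript string
# literal in a <script> block needs JavaScript string escaping *and* protection
# against the HTML parser seeing "</script>". PAYLOAD is constructed to mirror
# the deck's user input.
PAYLOAD = "';alert(123); </script> <script>alert(1);//"

def js_string_escape_naive(text: str) -> str:
    # Escapes only what matters to the JavaScript parser. The string literal
    # survives, but the browser's HTML parser never runs JavaScript: it ends
    # the script block at the first "</script" it sees, so everything after
    # it is parsed as new markup.
    return text.replace("\\", "\\\\").replace("'", "\\'")

def js_string_encode(text: str) -> str:
    # json.dumps yields a valid JS string literal (double-quoted, with quotes,
    # backslashes and control characters escaped). On top of that, < > & are
    # written as \uXXXX escapes: the JS engine decodes them back to the
    # original characters, while the HTML parser only ever sees escape text.
    encoded = json.dumps(text)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))

def render_script_naive(title: str) -> str:
    return "<script>var title = '" + js_string_escape_naive(title) + "';</script>"

def render_script(title: str) -> str:
    # The encoder supplies its own double quotes, so the template has none.
    return "<script>var title = " + js_string_encode(title) + ";</script>"

def script_block_count(page: str) -> int:
    # Rough model of the HTML tokenizer: every "</script" closes a block,
    # whatever the JavaScript syntax around it says. The template writes one
    # block, so any count above one means the data broke out of it.
    return page.lower().count("</script")

def decodes_to_original(title: str) -> bool:
    # What the JS engine would read back from the encoded literal.
    return json.loads(js_string_encode(title)) == title

if __name__ == "__main__":
    for name, page in (("naive", render_script_naive(PAYLOAD)),
                       ("encoded", render_script(PAYLOAD))):
        print(f"{name}: {page}")
        print(f"   script blocks seen by the HTML parser: {script_block_count(page)}")
```

The same escaping is what a template engine's JSON filter does for you (Jinja's tojson, for instance, escapes < > & the same way); the block exists to show why the quote-only escape is not enough.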
More ways to prevent XSS :D
Prevention - Input validation
Input Validation
◦ Should you allow special characters such as < and > in some fields?
◦ A whitelist approach is always preferred over blacklist
◦ Reject fields that have failed validation
◦ Ensure that input validation is used consistently across all points of input
Prevention - Input validation
Input Validation
Special mention for user defined URLs! <a href='user input'>My site</a>
Javascript can be embedded by prefixing the link with javascript:
For example: <a href='javascript:alert(1);'>Website</a>
Validation Strategy:
◦ Fail the validation if it starts with javascript:
◦ Validate that the user data is a valid URL
◦ (Optional) Check if URL is on a blacklist
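Added example for this edition, not code from the slides: the three-step validation strategy above for a user-defined href, written with the standard library's urllib.parse. It applies the deck's own "whitelist over blacklist" rule to the first step: rather than testing whether the string starts with javascript:, it allows only the http and https schemes, which also rejects a capitalised scheme, leading whitespace, or a tab inside the scheme name, all of which browsers tolerate. The host blocklist entry, the function names and the sample inputs are constructed for this example.

```python
import html
from urllib.parse import urlsplit

# Added example, not from the slides: validating a user-supplied URL before it
# goes into <a href='...'>. Scheme allowlist, URL shape check, optional host
# blocklist. BLOCKED_HOSTS is a constructed placeholder for the deck's
# optional blacklist step.
ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_HOSTS = {"blocked.example"}

def validate_url(candidate: str):
    """Return (ok, reason) for a user-supplied absolute URL."""
    if not isinstance(candidate, str) or not candidate.strip():
        return False, "empty"
    # Browsers drop leading/trailing whitespace and ignore tab, CR and LF
    # anywhere in a URL before parsing it. Normalise the same way, otherwise
    # a prefix test on the raw string sees something the browser does not.
    cleaned = "".join(ch for ch in candidate.strip() if ch not in "\t\r\n")
    parts = urlsplit(cleaned)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:          # step 1: allowlist, not a prefix test
        return False, "scheme not allowed: " + (scheme or "(none)")
    if not parts.netloc or not parts.hostname:  # step 2: must look like a real URL
        return False, "missing host"
    if parts.hostname.lower() in BLOCKED_HOSTS:  # step 3: optional blocklist
        return False, "host is blocked"
    return True, "ok"

def render_link(candidate: str, text: str):
    """Reject invalid URLs outright; encode the accepted one for its contexts."""
    ok, _reason = validate_url(candidate)
    if not ok:
        return None  # the deck's advice: reject, do not try to clean up
    # Validation says what the URL is; encoding still has to be done for the
    # attribute context (href) and the HTML body context (link text).
    href = html.escape(candidate.strip(), quote=True)
    return '<a href="' + href + '">' + html.escape(text) + "</a>"

# Constructed sample inputs, each with the reason it should pass or fail.
SAMPLES = [
    "https://example.com/profile",   # accepted
    "javascript:alert(1)",           # scheme not allowed
    "  JavaScript:alert(1)",         # same, despite case and leading spaces
    "java\tscript:alert(1)",         # same, despite the embedded tab
    "data:text/html,hi",             # scheme not allowed
    "/relative/path",                # no scheme: not an absolute URL
    "https://blocked.example/",      # on the blocklist
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(repr(url), "->", validate_url(url))
```

Relative links are rejected on purpose here: a profile "website" field is expected to hold an absolute address, and an allowlist of schemes cannot be applied to a string that has none. If a form legitimately needs relative paths, add an explicit branch for them rather than loosening the scheme check.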
Prevention - Cookie Flags
Cookie Security Flags
◦ Prevent your precious session cookies from being stolen by evil Javascript with the following flags.
◦ HttpOnly: Cookie is not accessible via Javascript
◦ Secure: Cookie can only be sent via HTTPS
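Added example for this edition, not code from the slides: emitting a session cookie with both flags using the standard library's http.cookies, plus a small audit that reads Set-Cookie header values and reports which of the two flags are missing. The cookie names, values and the sample headers are constructed.

```python
from http.cookies import SimpleCookie

# Added example, not from the slides: set HttpOnly and Secure on a session
# cookie, and audit Set-Cookie headers for cookies that lack them.

def build_session_cookie(session_id: str) -> str:
    """Return the Set-Cookie header value for a session cookie with both flags."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True   # not readable through document.cookie
    jar["session"]["secure"] = True     # only sent over HTTPS
    jar["session"]["path"] = "/"
    return jar["session"].OutputString()

def missing_flags(set_cookie_value: str) -> list:
    """Return which of HttpOnly / Secure are absent from one Set-Cookie value."""
    # Everything after the first ';' is attributes; flags have no '=' part.
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_value.split(";")[1:]}
    return [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]

def audit_set_cookie_headers(header_values: list) -> dict:
    """Map each cookie name to the list of flags it is missing."""
    report = {}
    for value in header_values:
        name = value.split(";")[0].split("=", 1)[0].strip()
        report[name] = missing_flags(value)
    return report

# Constructed Set-Cookie values, as they might appear in a captured response.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure",
    "prefs=dark; Path=/",
    "csrf=xyz789; Secure; Path=/",
]

if __name__ == "__main__":
    print("Set-Cookie:", build_session_cookie("abc123"))
    for name, missing in audit_set_cookie_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

In a web framework the flags are normally arguments to the cookie-setting call rather than something you format by hand (Flask, which the deck mentions, takes httponly=True and secure=True in response.set_cookie); the audit function is the part worth keeping, run against the responses of your own application during testing.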
Prevention - Content Security Policy
Content Security Policy (CSP)
Go to this talk to hear it from the pros:
So we broke all CSPs... You won't guess what happened next! (16:00, the same room you are in) - Lukas Weichselbaum & Michele Spagnuolo
Links:
https://speakerdeck.com/mikispag/so-we-broke-all-csps-dot-dot-dot-you-wont-guess-what-happened-next-michele-spagnuolo-and-lukas-weichselbaum
https://deepsec.net/docs/Slides/2016/CSP_Is_Dead,_Long_Live_Strict_CSP!_Lukas_Weichselbaum.pdf
Now For the Takeaway Message (You don't have to put up with me for much longer)
Takeaway
Developers Developers Developers
◦ Know where user data's used on the page
◦ Know the frameworks you are using
◦ Encode / Escape user data properly
◦ Validate input when appropriate
◦ Set cookie security flags
◦ Use Content Security Policy
Takeaway
Testers Testers Testers
◦ Take note of pages that contain user data
◦ Test by inserting script and see if it executes
◦ Look for XSS as a part of your quality assurance process
◦ Use a proxy:
  ▫ ZAP, Burp, Charles, Fiddler
◦ Ask your security team for guidance
◦ Automate whenever possible
Misc.
Useful Links
More info on XSS
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
https://www.owasp.org/index.php/Testing_for_Cross_site_scripting
https://www.google.com/about/appsecurity/learning/xss/
https://excess-xss.com/
Test Strings for the QAs
http://ha.ckers.org/xss.html
http://htmlpurifier.org/live/smoketests/xssAttacks.php
Content Security Policy (CSP)
https://developers.google.com/web/fundamentals/security/csp/
https://content-security-policy.com/
Misc.
Useful Links
Proxies:
Burp (free edition): http://portswigger.net/burp/
ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Fiddler: http://www.telerik.com/fiddler
Charles: https://www.charlesproxy.com/
Exercises:
The XSS Game: https://xss-game.appspot.com/
Google Gruyere: https://google-gruyere.appspot.com/
XSS/SQLi Lab VM Image: https://pentesterlab.com/exercises/xss_and_mysql_file
BeEF when you really want to mess around with XSS:
Browser Exploitation Framework (BeEF): https://github.com/beefproject/beef
Slide theme from slidescarnival.com
Cheers and have an awesome day! :D