Cross Site Scripting (XSS): What the heck?!
Harinee Muralinath, Karthik Krishnan
Agenda
❏What is our intent?
❏What is XSS?
❏Prevention techniques
❏Testing tools
What is our intent?
❏ Security-related jargon, one term at a time
❏ Generate interest
❏ Give you a guided, hands-on experience
❏ Apply it on your own projects
❏ Take your time to learn
What this session will NOT be
❏Make you security experts
❏Tool-oriented
Source: owasp.org
What is Cross-site Scripting (XSS)?
❏ Planting attacker-controlled scripts in a page by abusing the features of HTML, CSS, JavaScript, etc.
❏ Occurs when a web application takes data from a user and includes it dynamically in a web page without first validating or encoding that data for the context it lands in
❏ The victim is usually another user of the application, not the host server, which merely acts as the delivery medium
Demo
Forms of XSS
❏ Reflected XSS
❏ Persistent (stored) XSS
Reflected XSS
The payload travels in the request itself (a query parameter, form field or header), the server echoes it straight back into the response, and it fires only for the user who was lured into sending that request.
Persistent XSS
The payload is stored server-side (a comment, profile field or message) and is served to every user who later views that content, so no lure is needed.
Demo
Prevention Techniques
❏Input validation
❏Output encoding
Possible Solutions?
Solution #1: Reject input containing HTML tag characters (< >)
Not sufficient on its own: a payload that lands inside an attribute value or a JavaScript string needs no angle brackets at all.
Solution #2: Blacklist <script> tags
Not sufficient: case variants (<ScRiPt>), nested tags (<scr<script>ipt>) and tags carrying event handlers (<img onerror=...>) all get past it.
Solution #3: Output-encode user data for the context it lands in
The reliable fix: HTML-entity encode (& < > " ') data placed in element bodies and attribute values, and use the matching encoder for JavaScript, URL and CSS contexts.
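The following is an added example written for this write-up, not code from the slides. It renders a "search results" page (the reflected case) and a guestbook (the persistent case) the vulnerable way described in the definition above, then under Solutions #1, #2 and #3, against a constructed set of payloads chosen to slip past each naive filter. The payload strings, the page templates and the small `survives` oracle are assumptions made for the demonstration; the functions are pure, so it runs offline under Node.

```javascript
// Added example, not from the slides: reflected and persistent XSS rendered
// four ways, to show why filtering "<" or "<script>" fails and why output
// encoding works. Pure functions, no server, runs offline under Node.

// Constructed payloads: the obvious one, then one bypass per naive filter.
const PAYLOADS = {
  plain:       '<script>alert(1)</script>',
  mixedCase:   '<ScRiPt>alert(1)</ScRiPt>',                  // beats a case-sensitive blacklist
  nested:      '<scr<script>ipt>alert(1)</scr</script>ipt>', // beats a single-pass strip
  noScriptTag: '<img src=x onerror=alert(1)>',               // no <script> tag at all
  noAngles:    '" onmouseover="alert(1)',                    // no < or >: breaks out of an attribute
};

// Vulnerable: the definition from the slides, user data concatenated into HTML
// in two contexts (an element body and a quoted attribute value).
function renderUnsafe(q) {
  return `<p>Results for: ${q}</p><input value="${q}">`;
}

// Solution #1: reject anything containing < or >.
// Stops every payload that needs a tag, but not the attribute breakout.
function renderRejectAngles(q) {
  if (/[<>]/.test(q)) return '<p>Rejected</p><input value="">';
  return renderUnsafe(q);
}

// Solution #2: blacklist <script> tags (single pass, case-sensitive, as such
// filters usually are). Case variants, nested tags and event handlers get through.
function renderStripScript(q) {
  const cleaned = q.replace(/<script>/g, '').replace(/<\/script>/g, '');
  return renderUnsafe(cleaned);
}

// Solution #3: entity-encode on output. '&' goes first so nothing is
// double-encoded; both quote characters so the attribute context is covered.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}
function renderEncoded(q) {
  const safe = escapeHtml(q);
  return `<p>Results for: ${safe}</p><input value="${safe}">`;
}

// Persistent XSS is the same bug with a delay: the attacker stores the payload
// once and every later visitor gets it rendered. `encode` toggles Solution #3.
function renderGuestbook(comments, encode) {
  const item = (c) => `<li>${encode ? escapeHtml(c) : c}</li>`;
  return `<ul>${comments.map(item).join('')}</ul>`;
}

// Tiny oracle tailored to the payload set above (not a general detector):
// a live script/img tag, or an on* handler following an emptied value
// attribute, means the payload escaped its text context.
function survives(html) {
  return /<script/i.test(html) || /<img /i.test(html) || /<input value="" on/i.test(html);
}

// true = the payload is still executable in that renderer's output.
function compareSolutions() {
  const renderers = {
    unsafe: renderUnsafe,
    rejectAngles: renderRejectAngles,
    stripScript: renderStripScript,
    encoded: renderEncoded,
  };
  const table = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    table[name] = {};
    for (const [r, fn] of Object.entries(renderers)) table[name][r] = survives(fn(payload));
  }
  return table;
}

console.table(compareSolutions());
```

Running it prints a grid in which only the `encoded` column is `false` for every payload: Solution #1 lets the attribute breakout through, Solution #2 lets three of the five payloads through, and the nested payload comes out of the script-tag filter as exactly the plain payload.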
Solution #4: Content Security Policy
Content Security Policy
No inline scripts or JS event handlers
Before:
<head>
<script>alert("Hi, I'm an inline script");</script>
</head>
Now:
<head>
<script src="non-inline-script.js"></script>
</head>
Content Security Policy
Whitelist script sources
Before:
<head>
<script src="http://attacker.com/evil.js"></script>
</head>
Now:
<head>
<script src="https://trusted.com/safe.js"></script>
</head>
Content-Security-Policy: script-src https://trusted.com
With this header the browser refuses to load evil.js and, because the source list contains neither 'unsafe-inline' nor a nonce, it also refuses to run the inline script and event handlers from the previous slide.
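To make the two CSP slides concrete, here is an added example written for this write-up (not code from the slides): a simplified evaluator for the script-src part of a Content-Security-Policy header, applied to the "before" and "now" script tags above. It models scheme sources (https:), host sources with a leading wildcard, 'self', 'none', 'unsafe-inline' and 'nonce-...'; ports, paths, hashes, 'strict-dynamic', scheme-upgrade rules and report-only mode are deliberately left out, so treat it as a teaching model of the browser's decision, not a reference implementation. The page origin `https://trusted.com` and the extra policies in the usage are assumptions.

```javascript
// Added example, not from the slides: which <script> tags does a given
// Content-Security-Policy let a page run? Simplified model of script-src
// matching; see the lead-in for what is left out. Runs offline under Node.

function parseCsp(header) {
  const policy = new Map();
  for (const directive of header.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// script-src falls back to default-src; neither present means scripts are unrestricted.
function scriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1)); // *.a.b matches x.a.b, not a.b
  return pattern === host;
}

// Does one source expression allow a script fetched from `url` by a page at `pageOrigin`?
function sourceAllowsUrl(source, url, pageOrigin) {
  const target = new URL(url);
  if (source === "'self'") return target.origin === pageOrigin;
  if (source.startsWith("'")) return false;                   // 'none', 'unsafe-inline', nonces never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase(); // scheme source, e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)/i.exec(source); // [scheme://]host; port and path ignored
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && target.protocol !== `${scheme.toLowerCase()}:`) return false;
  return hostMatches(host.toLowerCase(), target.hostname);
}

function scriptUrlAllowed(policy, url, pageOrigin) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  return sources.some((s) => sourceAllowsUrl(s, url, pageOrigin));
}

// An inline <script> element runs only with 'unsafe-inline' (which the browser
// ignores once any nonce or hash is listed) or a nonce matching the tag's nonce
// attribute. Inline event handlers (onclick=...) cannot be nonced at all.
function inlineScriptAllowed(policy, nonce) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (!hasNonceOrHash && sources.includes("'unsafe-inline'")) return true;
  return nonce !== undefined && sources.includes(`'nonce-${nonce}'`);
}

// The header from the slide, applied to both slides' "before" and "now" tags.
const slidePolicy = parseCsp('script-src https://trusted.com');
const PAGE = 'https://trusted.com'; // assumed origin of the page that sends the header
console.log(scriptUrlAllowed(slidePolicy, 'http://attacker.com/evil.js', PAGE)); // false
console.log(scriptUrlAllowed(slidePolicy, 'https://trusted.com/safe.js', PAGE)); // true
console.log(inlineScriptAllowed(slidePolicy));                                   // false
```

The third line is the point the two slides make together: the whitelisting header also disables the inline alert() from the previous slide, which is why the script had to move into non-inline-script.js (or receive a nonce) before the policy could be deployed.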
Tools to identify obvious XSS
❏ XSS Me (Firefox add-on)
❏ OWASP ZAP (ZAProxy)
❏ Burp Suite
❏ ...and others
Demo
Further references
❏ XSS Filter Evasion Cheat Sheet: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
❏ XSS Prevention Cheat Sheet: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet