XSS

Transcript

1. XSS CROSS SITE SCRIPTING

2. Ivan Banov Front-end Engineer

3. What is?

4. OWASP OWASP is a non-profit organization with the goal of

   improving the security of software and the internet

5. OWASP 1 - Injection 2 - Broken Authentication and Session

   Management (XSS) 3 - Cross Site Scripting (XSS) 4 - Insecure Direct Object References 5 - Security Misconfiguration 6 - Sensitive Data Exposure 7 - Missing Function Level Access Control 8 - Cross Site Request Forgery (CSRF) 9 - Using Components with Known Vulnerabilities 10 - Unvalidated Redirects and Forwards

6. OWASP 1 - Injection 2 - Broken Authentication and Session

   Management (XSS) 3 - Cross Site Scripting (XSS) 4 - Insecure Direct Object References 5 - Security Misconfiguration 6 - Sensitive Data Exposure 7 - Missing Function Level Access Control 8 - Cross Site Request Forgery (CSRF) 9 - Using Components with Known Vulnerabilities 10 - Unvalidated Redirects and Forwards

7. Stored Reflected DOM-based

8. Store This is when an attacker could inject script code

   onto your site permanently and every user who views the page where the script is injected will execute it.

9. POST <script>xss</script> DATABASE lastComment: <script>xss</script> REPONSE <html> <h1>Comments</h1>
 ... <script>xss</script>

   // lastComment </html> POST

10. Reflected This is when an attacker could forge a link

    to inject script code that will execute from your website. This is also the most common type of XSS

11. FAKE LINK http://site.com/?query=<script>xss</script> RESPONSE WITH XSS <html> <h1>Your search <script>xss</script></h1>

    <!-- results --> </html> RECEIVE DATA e.g. document.cookie POST

12. DOM-based This kind of XSS is executed at some point

    after the page has loaded, many time needs user interaction, which means that the attacker must trick the user to execute the script himself. This one is very similar to the reflected XSS, but for needing user interaction makes it harder for the attacker

13. FAKE LINK http://site.com/?query=<script>xss</script> DOM USE QUERY <html> <button onclick="javascript:search()"> Search

    </button> </html> // search uses query param and BANG! RECEIVE DATA e.g. document.cookie POST

14. DOUBLE ENCODED XSS NOT ENCODED <script>alert('XSS')</script> ENCODED %3Cscript%3Ealert('XSS')%3C%2Fscript%3E DOUBLE ENCODED

    %253Cscript%253Ealert('XSS')%253C%252Fscript%253E

15. DATA ENCODE https://site.com/#data:text/plain,alert('xss')

16. XSS ON REACT

17. XSS ON REACT { user: { username: "Xss User", bio:

    "...</script><script>xss</script>" } }

18. XSS ON REACT

19. LET'S PLAY https://xss-game.appspot.com/

20. REFERENCES - https://medium.com/node-security/the-most-common-xss- vulnerability-in-react-js-applications-2bdffbcc1fa0#.tth9q6chn - http://redux.js.org/docs/recipes/ServerRendering.html - https://blog.detectify.com/2012/09/22/the-basics-of-cross-site- scripting-xss/ -

    https://whitton.io/tags/#xss - https://excess-xss.com/

21. THANK YOU