Upgrade to Pro — share decks privately, control downloads, hide ads and more …

xss

Philip Corliss
July 01, 2014
Programming
1
320

 xss

alert('xss')
XSS For Fun and Profit
GitSentry.com

Philip Corliss

July 01, 2014
Tweet

More Decks by Philip Corliss

See All by Philip Corliss
AWS, Immutable Infrastructure, and PCI
pcorliss
0
110
Building a Platform on AWS
pcorliss
1
120
Developer Happiness - Building Systems & Tools
pcorliss
0
95

Other Decks in Programming

See All in Programming
みんなでプロポーザルを書いてみた
yuriko1211
0
260
C++でシェーダを書く
fadis
6
4.1k
レガシーシステムにどう立ち向かうか 複雑さと理想と現実/vs-legacy
suzukihoge
14
2.2k
GitHub Actionsのキャッシュと手を挙げることの大切さとそれに必要なこと
satoshi256kbyte
5
430
Quine, Polyglot, 良いコード
qnighy
4
640
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
100
色々なIaCツールを実際に触って比較してみる
iriikeita
0
330
Jakarta EE meets AI
ivargrimstad
0
190
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
520
ヤプリ新卒SREの オンボーディング
masaki12
0
130
Why Jakarta EE Matters to Spring - and Vice Versa
ivargrimstad
0
1.1k
Outline View in SwiftUI
1024jp
1
330

Featured

See All Featured
RailsConf 2023
tenderlove
29
900
Bash Introduction
62gerente
608
210k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
The Pragmatic Product Professional
lauravandoore
31
6.3k
Adopting Sorbet at Scale
ufuk
73
9.1k
Agile that works and the tools we love
rasmusluckow
327
21k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.8k
BBQ
matthewcrist
85
9.3k

Transcript

  1. <SCRIPT>ALERT(‘XSS’)</SCRIPT> XSS For Fun and Profit ! Slides: https://speakerdeck.com/pcorliss/xss

  2. WHO IS THIS ASSHOLE? • Philip Corliss • @pcorliss (Gmail,

    Twitter, Github) • Cheese Enthusiast • Groupon Alum • Current GitSentry.com • Available for Contracts

  3. THE BASICS • Typically via a query parameter • Malicious

    link the user needs to click on • Mostly seen on error pages and search queries Persistent XSS Reflective XSS • Saved to the App DataStore • Replayed due to lack of escaping • No action required on the user’s part

  4. 2007 CALLED IT WANTS ITS SECURITY VULNERABILITY BACK

  5. SECRET SECURITY INCANTATIONS OF DUBIOUS VALUE • Don't install a

    compiler on production servers • Your password must have at least… • Don’t write your own … • Don’t do string interpolation in SQL calls* * Probably still a good idea

  6. TWEETDECK Screenshot taken 8 minutes later at 11:44am. https://twitter.com/derGeruhn/status/476764918763749376

  7. EBAY Has been live for about 3 or 4 years

    now. members.ebay.com/ws/eBayISAPI.dll?ViewUserPage&userid=rulesdoc

  8. WHO CARES?

  9. HANDS ON TIME VULN.ALTTAB.ORG

  10. XSS PREVENTION • Use a templating language that escapes HTML

    by default • Always be wary of user modifiable anything. (Content, URLs, Cookies, Headers) • Know which jQuery methods escape and which don’t (html() versus text()) • Avoid in-house sanitization tools • Content Security Policy Headers

  11. XSS MITIGATION • Require a password to modify sensitive date

    • Short session expirations • HttpOnly flag on cookies • Limit the content that is shared between users

  12. GITSENTRY.COM

  13. RESOURCES • The slides with clickable links • Google’s XSS

    Game • Stripe CTF v2.0 Disk Image • Static Tools for Ruby Apps like Brakeman & Bundle-Audit • Online tools like CodeClimate & Gemnasium • OWASP XSS Cheat Sheet • Content Security Policy Info • Turning on Automatic HTML Escaping in Sinatra • The XSS Examples From This Presentation • The commit that fixed the socket.io demo chat app • Writeup of Tweetdeck Issue and the tweet with 70K retweeets • Live eBay XSS Example

  14. WHO IS THIS ASSHOLE? • Philip Corliss • @pcorliss (Gmail,

    Twitter, Github) • Cheese Enthusiast • Groupon Alum • Current GitSentry.com • Available for Contracts