XSS For Fun and Profit
GitSentry.com


Philip Corliss

July 01, 2014

Transcript

  1. WHO IS THIS ASSHOLE?
     • Philip Corliss
     • @pcorliss (Gmail, Twitter, Github)
     • Cheese Enthusiast
     • Groupon Alum
     • Current: GitSentry.com
     • Available for Contracts
  2. THE BASICS
     Reflective XSS
     • Typically via a query parameter
     • Malicious link the user needs to click on
     • Mostly seen on error pages and search queries
     Persistent XSS
     • Saved to the App DataStore
     • Replayed due to lack of escaping
     • No action required on the user’s part
  3. SECRET SECURITY INCANTATIONS OF DUBIOUS VALUE
     • Don't install a compiler on production servers
     • Your password must have at least…
     • Don’t write your own …
     • Don’t do string interpolation in SQL calls*
     * Probably still a good idea
  4. EBAY
     Has been live for about 3 or 4 years now.
     members.ebay.com/ws/eBayISAPI.dll?ViewUserPage&userid=rulesdoc
  5. XSS PREVENTION
     • Use a templating language that escapes HTML by default
     • Always be wary of user-modifiable anything (content, URLs, cookies, headers)
     • Know which jQuery methods escape and which don’t (html() versus text())
     • Avoid in-house sanitization tools
     • Content Security Policy headers
  6. XSS MITIGATION
     • Require a password to modify sensitive data
     • Short session expirations
     • HttpOnly flag on cookies
     • Limit the content that is shared between users
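The reflected search-page case from slide 2 and the escaping, CSP and HttpOnly points from slides 5 and 6, as an added Ruby example that is not from the deck or from GitSentry. The `?q=` parameter name, the session cookie name and its lifetime are assumptions, and the input is a constructed sample.

```ruby
require "erb"

# Constructed sample input, standing in for a ?q= search parameter (hypothetical name).
UNTRUSTED_QUERY = "<script>alert('xss')</script>"

# The reflective XSS shape from slide 2: a search/error page that
# interpolates the query straight into the markup.
def render_raw(query)
  "<p>No results for #{query}</p>"
end

# The slide-5 fix: render through a template that escapes output. Plain ERB
# does not escape by default, so the escape is explicit here; a framework's
# auto-escape setting gives the same result without the call.
SAFE_TEMPLATE = ERB.new("<p>No results for <%= ERB::Util.html_escape(query) %></p>")

def render_escaped(query)
  SAFE_TEMPLATE.result_with_hash(query: query)
end

# Slide 5/6 mitigations as response headers: a CSP that only allows scripts
# from the page's own origin, and a short-lived HttpOnly session cookie
# (cookie name and 15-minute lifetime are assumptions).
def mitigation_headers(session_id)
  {
    "Content-Security-Policy" => "default-src 'self'; script-src 'self'",
    "Set-Cookie" => "session=#{session_id}; HttpOnly; Max-Age=900",
  }
end

# Cheap regression check for a test suite: the rendered page must not
# carry the raw tag from the input.
def reflects_raw_tag?(html)
  html.include?("<script")
end

if __FILE__ == $PROGRAM_NAME
  puts render_raw(UNTRUSTED_QUERY)       # tag survives: reflected XSS
  puts render_escaped(UNTRUSTED_QUERY)   # entities only: inert text
  puts mitigation_headers("example-id").inspect
end
```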
  7. RESOURCES
     • The slides with clickable links
     • Google’s XSS Game
     • Stripe CTF v2.0 Disk Image
     • Static tools for Ruby apps like Brakeman & Bundle-Audit
     • Online tools like CodeClimate & Gemnasium
     • OWASP XSS Cheat Sheet
     • Content Security Policy info
     • Turning on automatic HTML escaping in Sinatra
     • The XSS examples from this presentation
     • The commit that fixed the socket.io demo chat app
     • Writeup of the Tweetdeck issue and the tweet with 70K retweets
     • Live eBay XSS example
  8. WHO IS THIS ASSHOLE?
     • Philip Corliss
     • @pcorliss (Gmail, Twitter, Github)
     • Cheese Enthusiast
     • Groupon Alum
     • Current: GitSentry.com
     • Available for Contracts