xss

<SCRIPT>ALERT(‘XSS’)</SCRIPT> XSS For Fun and Proﬁt ! Slides: https://speakerdeck.com/pcorliss/xss

WHO IS THIS ASSHOLE? • Philip Corliss • @pcorliss (Gmail,
Twitter, Github) • Cheese Enthusiast • Groupon Alum • Current GitSentry.com • Available for Contracts

THE BASICS • Typically via a query parameter • Malicious
link the user needs to click on • Mostly seen on error pages and search queries Persistent XSS Reﬂective XSS • Saved to the App DataStore • Replayed due to lack of escaping • No action required on the user’s part

2007 CALLED IT WANTS ITS SECURITY VULNERABILITY BACK

SECRET SECURITY INCANTATIONS OF DUBIOUS VALUE • Don't install a
compiler on production servers • Your password must have at least… • Don’t write your own … • Don’t do string interpolation in SQL calls* * Probably still a good idea

TWEETDECK Screenshot taken 8 minutes later at 11:44am. https://twitter.com/derGeruhn/status/476764918763749376

EBAY Has been live for about 3 or 4 years
now. members.ebay.com/ws/eBayISAPI.dll?ViewUserPage&userid=rulesdoc

WHO CARES?

HANDS ON TIME VULN.ALTTAB.ORG

XSS PREVENTION • Use a templating language that escapes HTML
by default • Always be wary of user modiﬁable anything. (Content, URLs, Cookies, Headers) • Know which jQuery methods escape and which don’t (html() versus text()) • Avoid in-house sanitization tools • Content Security Policy Headers

XSS MITIGATION • Require a password to modify sensitive date
• Short session expirations • HttpOnly ﬂag on cookies • Limit the content that is shared between users

GITSENTRY.COM

RESOURCES • The slides with clickable links • Google’s XSS
Game • Stripe CTF v2.0 Disk Image • Static Tools for Ruby Apps like Brakeman & Bundle-Audit • Online tools like CodeClimate & Gemnasium • OWASP XSS Cheat Sheet • Content Security Policy Info • Turning on Automatic HTML Escaping in Sinatra • The XSS Examples From This Presentation • The commit that ﬁxed the socket.io demo chat app • Writeup of Tweetdeck Issue and the tweet with 70K retweeets • Live eBay XSS Example

WHO IS THIS ASSHOLE? • Philip Corliss • @pcorliss (Gmail,
Twitter, Github) • Cheese Enthusiast • Groupon Alum • Current GitSentry.com • Available for Contracts

xss

xss

Philip Corliss

More Decks by Philip Corliss

Other Decks in Programming

Featured

Transcript

<SCRIPT>ALERT(‘XSS’)</SCRIPT> XSS For Fun and Proﬁt ! Slides: https://speakerdeck.com/pcorliss/xss

WHO IS THIS ASSHOLE? • Philip Corliss • @pcorliss (Gmail,

THE BASICS • Typically via a query parameter • Malicious

2007 CALLED IT WANTS ITS SECURITY VULNERABILITY BACK

SECRET SECURITY INCANTATIONS OF DUBIOUS VALUE • Don't install a

TWEETDECK Screenshot taken 8 minutes later at 11:44am. https://twitter.com/derGeruhn/status/476764918763749376

EBAY Has been live for about 3 or 4 years

WHO CARES?

HANDS ON TIME VULN.ALTTAB.ORG

XSS PREVENTION • Use a templating language that escapes HTML

XSS MITIGATION • Require a password to modify sensitive date

GITSENTRY.COM

RESOURCES • The slides with clickable links • Google’s XSS

WHO IS THIS ASSHOLE? • Philip Corliss • @pcorliss (Gmail,