XSS For Fun and Profit
GitSentry.com


Philip Corliss

July 01, 2014

Transcript

  1. <SCRIPT>ALERT(‘XSS’)</SCRIPT> XSS For Fun and Profit!
     Slides: https://speakerdeck.com/pcorliss/xss

  2. WHO IS THIS ASSHOLE?
     • Philip Corliss
     • @pcorliss (Gmail, Twitter, Github)
     • Cheese Enthusiast
     • Groupon Alum
     • Current GitSentry.com
     • Available for Contracts

  3. THE BASICS
     Reflective XSS
     • Typically via a query parameter
     • Malicious link the user needs to click on
     • Mostly seen on error pages and search queries
     Persistent XSS
     • Saved to the App DataStore
     • Replayed due to lack of escaping
     • No action required on the user’s part

  4. 2007 CALLED, IT WANTS ITS SECURITY VULNERABILITY BACK

  5. SECRET SECURITY INCANTATIONS OF DUBIOUS VALUE
     • Don't install a compiler on production servers
     • Your password must have at least…
     • Don’t write your own …
     • Don’t do string interpolation in SQL calls*
     * Probably still a good idea

  6. TWEETDECK
     Screenshot taken 8 minutes later at 11:44am.
     https://twitter.com/derGeruhn/status/476764918763749376

  7. EBAY
     Has been live for about 3 or 4 years now.
     members.ebay.com/ws/eBayISAPI.dll?ViewUserPage&userid=rulesdoc

  8. WHO CARES?

  9. HANDS ON TIME
     VULN.ALTTAB.ORG

  10. XSS PREVENTION
      • Use a templating language that escapes HTML by default
      • Always be wary of user modifiable anything (Content, URLs, Cookies, Headers)
      • Know which jQuery methods escape and which don’t (html() versus text())
      • Avoid in-house sanitization tools
      • Content Security Policy Headers

  11. XSS MITIGATION
      • Require a password to modify sensitive data
      • Short session expirations
      • HttpOnly flag on cookies
      • Limit the content that is shared between users

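The prevention and mitigation slides above, as an added Ruby example that is not part of the deck: a reflected search page rendered once with raw interpolation and once with stdlib HTML escaping (the Sinatra-style auto-escaping the resources slide points at does the same thing), a small check that flags any tag not in the template, and the CSP and HttpOnly response headers that limit the damage when escaping is missed. The query strings, cookie value and header values are constructed for the example.

```ruby
require 'cgi'

# Constructed sample inputs: a normal search and the payload from the title slide.
BENIGN_QUERY  = 'cheese'
HOSTILE_QUERY = "<script>alert('xss')</script>"

# Vulnerable: the query parameter is interpolated straight into the markup,
# so whatever the link carried becomes part of the page (reflective XSS).
def render_results_unsafe(query)
  "<h1>Results for #{query}</h1>"
end

# Fixed: escape every user-controlled value before it lands in HTML.
# CGI.escapeHTML turns < > & " ' into entities, so the browser shows text, not a tag.
def render_results_safe(query)
  "<h1>Results for #{CGI.escapeHTML(query)}</h1>"
end

# Reviewer check: does the rendered page contain any element name that is not
# part of the template? Works on the output of either renderer.
def injected_tag?(html, template_tags = %w[h1])
  tags = html.scan(%r{</?([a-zA-Z][\w-]*)}).flatten.map(&:downcase)
  tags.any? { |tag| !template_tags.include?(tag) }
end

# Mitigation headers for the response. CSP blocks inline scripts that slip
# through; HttpOnly keeps injected script from reading the session cookie.
def hardening_headers
  {
    'Content-Security-Policy' => "default-src 'self'; script-src 'self'",
    'Set-Cookie' => 'session=opaque-session-id; HttpOnly; Secure; SameSite=Lax' # constructed
  }
end

if __FILE__ == $PROGRAM_NAME
  puts render_results_unsafe(HOSTILE_QUERY)
  puts render_results_safe(HOSTILE_QUERY)
end
```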
  12. GITSENTRY.COM

  13. RESOURCES
      • The slides with clickable links
      • Google’s XSS Game
      • Stripe CTF v2.0 Disk Image
      • Static Tools for Ruby Apps like Brakeman & Bundle-Audit
      • Online tools like CodeClimate & Gemnasium
      • OWASP XSS Cheat Sheet
      • Content Security Policy Info
      • Turning on Automatic HTML Escaping in Sinatra
      • The XSS Examples From This Presentation
      • The commit that fixed the socket.io demo chat app
      • Writeup of Tweetdeck Issue and the tweet with 70K retweets
      • Live eBay XSS Example

  14. WHO IS THIS ASSHOLE?
      • Philip Corliss
      • @pcorliss (Gmail, Twitter, Github)
      • Cheese Enthusiast
      • Groupon Alum
      • Current GitSentry.com
      • Available for Contracts