Upgrade to Pro — share decks privately, control downloads, hide ads and more …

xss

Philip Corliss
July 01, 2014
Programming
1
310

 xss

alert('xss')
XSS For Fun and Profit
GitSentry.com

Philip Corliss

July 01, 2014
Tweet

More Decks by Philip Corliss

See All by Philip Corliss
AWS, Immutable Infrastructure, and PCI
pcorliss
0
99
Building a Platform on AWS
pcorliss
1
110
Developer Happiness - Building Systems & Tools
pcorliss
0
91

Other Decks in Programming

See All in Programming
Java 22 Overview
kishida
1
180
Let's learn code review
riofujimon
2
410
Apache Hive 4 on Treasure Data
ryukobayashi
0
330
SIMD Parallel Programming with the Vector API
josepaumard
0
180
Anthropic Cookbook のおすすめレシピ
schroneko
7
980
Node.js v22 で変わること
yosuke_furukawa
PRO
9
3.5k
Git Lint
bkuhlmann
4
750
ONE WEDGE_company_guide
1wedge_one
0
490
OpenAPIを中心に考えるAPI開発入門 / Introduction to API Development with a Focus on OpenAPI
seike460
PRO
2
170
PostmanでAPIの動作確認が楽になった話
h455h1
0
170
Tailwind CSSを本気でカスタマイズする方法
fsubal
13
5.3k
Ruby Pattern Matching
bkuhlmann
0
930

Featured

See All Featured
RailsConf 2023
tenderlove
4
540
Six Lessons from altMBA
skipperchong
21
3k
Large-scale JavaScript Application Architecture
addyosmani
504
110k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
Code Review Best Practice
trishagee
55
15k
Web Components: a chance to create the future
zenorocha
305
41k
How GitHub (no longer) Works
holman
304
140k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.5k
Fashionably flexible responsive web design (full day workshop)
malarkey
398
65k
Learning to Love Humans: Emotional Interface Design
aarron
267
39k
Embracing the Ebb and Flow
colly
80
4.1k
Designing Experiences People Love
moore
136
23k

Transcript

  1. <SCRIPT>ALERT(‘XSS’)</SCRIPT> XSS For Fun and Profit ! Slides: https://speakerdeck.com/pcorliss/xss

  2. WHO IS THIS ASSHOLE? • Philip Corliss • @pcorliss (Gmail,

    Twitter, Github) • Cheese Enthusiast • Groupon Alum • Current GitSentry.com • Available for Contracts

  3. THE BASICS • Typically via a query parameter • Malicious

    link the user needs to click on • Mostly seen on error pages and search queries Persistent XSS Reflective XSS • Saved to the App DataStore • Replayed due to lack of escaping • No action required on the user’s part

  4. 2007 CALLED IT WANTS ITS SECURITY VULNERABILITY BACK

  5. SECRET SECURITY INCANTATIONS OF DUBIOUS VALUE • Don't install a

    compiler on production servers • Your password must have at least… • Don’t write your own … • Don’t do string interpolation in SQL calls* * Probably still a good idea

  6. TWEETDECK Screenshot taken 8 minutes later at 11:44am. https://twitter.com/derGeruhn/status/476764918763749376

  7. EBAY Has been live for about 3 or 4 years

    now. members.ebay.com/ws/eBayISAPI.dll?ViewUserPage&userid=rulesdoc

  8. WHO CARES?

  9. HANDS ON TIME VULN.ALTTAB.ORG

  10. XSS PREVENTION • Use a templating language that escapes HTML

    by default • Always be wary of user modifiable anything. (Content, URLs, Cookies, Headers) • Know which jQuery methods escape and which don’t (html() versus text()) • Avoid in-house sanitization tools • Content Security Policy Headers

  11. XSS MITIGATION • Require a password to modify sensitive date

    • Short session expirations • HttpOnly flag on cookies • Limit the content that is shared between users

  12. GITSENTRY.COM

  13. RESOURCES • The slides with clickable links • Google’s XSS

    Game • Stripe CTF v2.0 Disk Image • Static Tools for Ruby Apps like Brakeman & Bundle-Audit • Online tools like CodeClimate & Gemnasium • OWASP XSS Cheat Sheet • Content Security Policy Info • Turning on Automatic HTML Escaping in Sinatra • The XSS Examples From This Presentation • The commit that fixed the socket.io demo chat app • Writeup of Tweetdeck Issue and the tweet with 70K retweeets • Live eBay XSS Example

  14. WHO IS THIS ASSHOLE? • Philip Corliss • @pcorliss (Gmail,

    Twitter, Github) • Cheese Enthusiast • Groupon Alum • Current GitSentry.com • Available for Contracts