Slide 1

ALERT('XSS') XSS For Fun and Profit!
Slides: https://speakerdeck.com/pcorliss/xss

Slide 2

WHO IS THIS ASSHOLE?
• Philip Corliss
• @pcorliss (Gmail, Twitter, Github)
• Cheese Enthusiast
• Groupon Alum
• Current GitSentry.com
• Available for Contracts

Slide 3

THE BASICS

Reflective XSS
• Typically via a query parameter
• Malicious link the user needs to click on
• Mostly seen on error pages and search queries

Persistent XSS
• Saved to the App DataStore
• Replayed due to lack of escaping
• No action required on the user's part

Slide 4

2007 CALLED, IT WANTS ITS SECURITY VULNERABILITY BACK

Slide 5

SECRET SECURITY INCANTATIONS OF DUBIOUS VALUE
• Don't install a compiler on production servers
• Your password must have at least…
• Don't write your own …
• Don't do string interpolation in SQL calls*

* Probably still a good idea

Slide 6

TWEETDECK
Screenshot taken 8 minutes later at 11:44am.
https://twitter.com/derGeruhn/status/476764918763749376

Slide 7

EBAY
Has been live for about 3 or 4 years now.
members.ebay.com/ws/eBayISAPI.dll?ViewUserPage&userid=rulesdoc

Slide 8

WHO CARES?

Slide 9

HANDS ON TIME
VULN.ALTTAB.ORG

Slide 10

XSS PREVENTION
• Use a templating language that escapes HTML by default
• Always be wary of user-modifiable anything (content, URLs, cookies, headers)
• Know which jQuery methods escape and which don't (html() versus text())
• Avoid in-house sanitization tools
• Content Security Policy headers

Slide 11

XSS MITIGATION
• Require a password to modify sensitive data
• Short session expirations
• HttpOnly flag on cookies
• Limit the content that is shared between users
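As an added example for slides 10 and 11 (written for this page, not code from the talk or from GitSentry), the Ruby snippet below renders a search-results fragment twice, once by raw interpolation and once escaped on output with CGI.escapeHTML, and builds the response headers that carry the CSP and HttpOnly mitigations. The search query and session id are constructed sample values.

```ruby
require 'cgi'

# Constructed sample input: a search query carrying the classic reflective
# XSS probe from the talk's title slide.
SEARCH_QUERY = %q{<script>alert('XSS')</script>}

# Unsafe rendering: the query is interpolated straight into the markup, so the
# browser parses it as HTML. This is the search/error-page pattern of slide 3.
def render_unescaped(query)
  "<p>No results for #{query}</p>"
end

# Safe rendering: every user-controlled value is HTML-escaped on output. An
# auto-escaping template engine does exactly this for each interpolation
# unless a value is explicitly marked safe.
def render_escaped(query)
  "<p>No results for #{CGI.escapeHTML(query)}</p>"
end

# Mitigation headers from slide 11: a CSP that forbids inline script and a
# session cookie flagged HttpOnly so injected script cannot read it.
def hardened_headers(session_id)
  {
    'Content-Security-Policy' => "default-src 'self'; script-src 'self'",
    'Set-Cookie' => "session=#{session_id}; HttpOnly; Secure; Path=/"
  }
end

# Detection helper: true when the response body still contains the request's
# raw <script> markup, i.e. the escaping step was skipped.
def reflects_script?(body, query)
  query.include?('<script') && body.include?(query)
end

if __FILE__ == $0
  puts render_unescaped(SEARCH_QUERY)
  puts render_escaped(SEARCH_QUERY)
  p hardened_headers('constructed-session-id')
end
```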

Slide 12

GITSENTRY.COM

Slide 13

RESOURCES
• The slides with clickable links
• Google's XSS Game
• Stripe CTF v2.0 Disk Image
• Static tools for Ruby apps like Brakeman & Bundle-Audit
• Online tools like CodeClimate & Gemnasium
• OWASP XSS Cheat Sheet
• Content Security Policy info
• Turning on automatic HTML escaping in Sinatra
• The XSS examples from this presentation
• The commit that fixed the socket.io demo chat app
• Writeup of the Tweetdeck issue and the tweet with 70K retweets
• Live eBay XSS example
