
Cross-Site Scripting: Understanding the Sin, Its Types, and Prevention, Slides of Software Engineering

An overview of cross-site scripting (XSS), its impact on web applications, affected languages, and three types of attacks: DOM-based, non-persistent, and stored. Learn how to spot XSS patterns, use code review, and testing techniques for prevention. Tools like AppScan, Libwhisker, DevPartner SecurityChecker, and WebScarab are also discussed.

Typology: Slides

2012/2013

Uploaded on 04/26/2013

sharad_984



Cross-Site Scripting

Overview of the Sin
• Found in web-based applications
• Allows code injection by a malicious user into web pages used by others.
• Can allow a malicious user to access sensitive data from other users via the malicious script

3 Types of XSS Attacks (continued)
• Non-persistent or reflective (most common type)
  – Alice frequently visits a web site hosted by Bob. Bob's site allows her to log in with a username and password and store sensitive information.
  – Mallory observes an XSS vulnerability in Bob's web site.
  – Mallory crafts a URL that contains some script to exploit the vulnerability and emails it to Alice while pretending to be Bob.
  – Alice visits the URL provided by Mallory while logged into Bob's web site.
  – The malicious script embedded in the URL executes in Alice's web browser. The script can steal sensitive information and then send it back to Mallory's server without Alice's knowledge.

3 Types of XSS Attacks
• Stored or Persistent XSS
  – This occurs when data/script is provided by the attacker, saved to the server, and then displayed without proper HTML encoding.
  – Bob hosts a web site that allows users to post comments and other content to the site for later viewing by other members.
  – Mallory notices this site has an XSS vulnerability and posts a comment with some malicious script included.
  – Upon merely viewing the comment, the script is executed and can be used to steal users' session cookies or other credentials.
  – Now Mallory can log into the site using the stolen information.

Spotting the Sin Pattern
• The web application takes input from an HTTP entity such as a querystring, header, or form
• The application does not check the input for validity
• The application echoes the data back into a browser.

Testing Techniques
• To test your web application:
  – Make a request to your web application
  – Use known malicious values for all input parameters (a script)
  – Then look at the HTML response
  – If you see your data come back in the HTML byte stream, you may have an XSS issue

XSS Redemption
• Encode all user-supplied HTML characters before output.
• Use input validation wherever a user could enter malicious content.
• Cookie security to prevent an attacker from stealing the session cookies of an application used for authentication.

Tools
• AppScan from Sanctum (now part of Watchfire)
• Libwhisker
• DevPartner SecurityChecker from Compuware
• WebScarab
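The sin pattern, the testing technique and the three redemption steps above, worked through as an added example that is not part of the original slides: a page that reflects a query parameter, the same page with HTML encoding, a whitelist validator for a numeric field, the "does my marker come back unencoded?" check, and a session cookie flagged HttpOnly and Secure (the search-page markup, cookie name and marker value are constructed for the example).

```javascript
// Added example (not from the slides): reflected-XSS sin pattern, its
// redemption (HTML-encode before output, validate input, protect the session
// cookie) and the slide's testing technique (send a marker value and check
// whether it comes back unencoded). Constructed input only; no network used.

// HTML-encode the five characters that let text break out of an element body
// or a double-quoted attribute value.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// The sin: the query string is echoed straight into the HTML body.
function renderUnsafe(query) {
  return `<p>You searched for: ${query}</p>`;
}

// The redemption: the same page with output encoding applied.
function renderSafe(query) {
  return `<p>You searched for: ${escapeHtml(query)}</p>`;
}

// Input validation for a field with a known shape (a numeric page id) is a
// second layer on top of output encoding: accept digits only, else reject.
function validatePageId(value) {
  return /^\d{1,6}$/.test(value) ? value : null;
}

// Testing technique from the slides: render with a harmless marker that
// contains the characters a tag needs and see whether they survive unencoded.
const MARKER = "<xsstest>";
function reflectsUnencoded(renderFn, marker = MARKER) {
  return renderFn(marker).includes(marker);
}

// Cookie security: a session cookie that page script cannot read (HttpOnly)
// and that is only sent over TLS (Secure). Name and value are constructed.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

console.log("unsafe reflects marker:", reflectsUnencoded(renderUnsafe)); // true
console.log("safe reflects marker:  ", reflectsUnencoded(renderSafe));   // false
```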