Cross-Site Scripting Vulnerabilities
Adam Doupé
11/18/2015

Ethics
Only hack into sites you own, or sites you have permission to test.
Popular sites may have a bug bounty program: Facebook, GitHub, Google.
You will get caught.

Tech
HTTP, HTML, CSS, JavaScript, SQL, server-side code (Python/PHP/Ruby)

Many Vulnerabilities
Cross-Site Scripting (XSS)
SQL Injection
Cross-Site Request Forgery (XSRF)
HTTP Parameter Pollution (HPP)
Command Injection
Parameter Manipulation
File Exposure
Directory Traversal
Forced Browsing
Logic Flaws
Execution After Redirect (EAR)

HTML
Original HTML had images, tables and font sizes; the content was static.
https://web.archive.org/web/ /http://www2.yahoo.com/
https://web.archive.org/web/ /http://www.altavista.com/
https://web.archive.org/web/ /http://www.google.com/

HTML Design
HTML was designed to describe a text document with hyperlinks to other documents.
How to do fancy animations or pretty web pages?

Interactive HTML
Java Applets: your computer downloads Java bytecode from a random website and runs it. What could possibly go wrong?
ActiveX Controls: binary, OS-specific programs that are downloaded and executed in the context of a web page.
Adobe Flash: fundamentally a vector graphics and animation engine.
Silverlight: Microsoft's competitor to, and replacement/upgrade for, ActiveX.
JavaScript: the lingua franca of the web.

JavaScript
Client-side scripting language for interacting with and manipulating HTML.
Created by Brendan Eich at Netscape for Navigator 2.0 in September 1995 as "LiveScript".
Renamed to "JavaScript" in December 1995; the Netscape press release "announced JavaScript, an open, cross-platform object scripting language for the creation and customization of applications on enterprise networks and the Internet".
JavaScript is (from Wikipedia) a "prototype-based scripting language with dynamic typing and first-class functions". Does this sound like Java?
Questions over why the name change: a marketing ploy to capitalize on the "hot" Java language? A collaboration between Sun and Netscape?
By August 1996, Microsoft had added support for JavaScript to Internet Explorer; Microsoft later changed the name to JScript to avoid Sun's Java trademark.
Submitted to Ecma International for standardization in November 1996.
ECMA-262, in June 1997, standardized the first version of ECMAScript.

JavaScript: Lingua Franca of the Web
Eventually supported by all browsers.
The language organically evolved along the way.
The Document Object Model (DOM) allows JavaScript to manipulate the client-side HTML content; it is distinct from JavaScript the programming language.

JavaScript
Code can be embedded into HTML pages using the script element (optionally storing the code in HTML comments).

DOM Example
var hr = document.createElement('HR');
document.getElementById('insert_here').appendChild(hr);

Web Applications (diagram: JavaScript in the browser, HTTP to the web application, SQL to the database)

HTTP Client Request
GET / HTTP/1.1
User-Agent: curl/
Host:
Accept: */*

HTTP Server Response
HTTP/ OK
Expires: Sat, 01 Jan :00:00 GMT
Set-Cookie:
  datr=cohyVEAwQmq5jJh2cWZ9pZc9; expires=Wed, 23-Nov :22:58 GMT; Max-Age= ; path=/; domain=.facebook.com; httponly
Set-Cookie: reg_ext_ref=deleted; expires=Thu, 01-Jan :00:01 GMT; Max-Age=0; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
...
Welcome to Facebook - Log In, Sign Up or Learn More

JavaScript Security
Browsers are downloading and running foreign (JavaScript) code, sometimes concurrently.
The security of JavaScript code execution is guaranteed by a sandboxing mechanism (similar to what we saw in Java applets):
No access to local files
No access to (most) network resources
No incredibly small windows
No access to the browser's history
The details of the sandbox depend on the browser.

Same Origin Policy (SOP)
Standard security policy for JavaScript across browsers.
Incredibly important to web security: if you learn only one thing from this lecture, let it be the Same Origin Policy.
Every frame or tab in a browser's window is associated with a domain.
A domain is determined by the tuple (protocol, host, port) from which the frame content was downloaded.
Code downloaded in a frame can only access the resources associated with that domain.
If a frame explicitly includes external code, this code will execute within the SOP of the including frame.
Example: on adamdoupe.com, externally included JavaScript code has access to adamdoupe.com's SOP.

SOP Example
https://www.facebook.com/ has the origin (https, 443); the same host reached over (http, 80) is a different origin.

Cross-Site Scripting (XSS)
XSS attacks are used to bypass JavaScript's Same Origin Policy.

XSS Example
The page echoes the submitted name after "Hello": the name "adam" yields "Hello adam", and a name containing a script element that calls alert(xss) yields a page in which that script runs.

Reflected XSS (diagram: HTTP, JavaScript)
Stored XSS (diagram: HTTP, SQL, JavaScript)

Exploits: Phishing
Malicious JavaScript can completely control the DOM.
Change the current page to a login page whose login form sends the credentials to the attacker.
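As an added example that is not part of the lecture, the following Node.js script computes the (protocol, host, port) tuple that the Same Origin Policy slides describe and compares the facebook.com URL from the SOP Example slide against variants that differ in scheme, port, or host. The function names and the extra sample URLs are this example's own; it uses Node's built-in WHATWG URL parser.

```javascript
// Added example (not from the lecture slides): derive the origin tuple
// (protocol, host, port) that the Same Origin Policy compares, and decide
// whether two URLs share an origin.

// URL.port is "" when a URL uses its scheme's default port, so the default
// is filled in explicitly to make (https, 443) and (http, 80) visible.
const DEFAULT_PORTS = { 'http:': 80, 'https:': 443, 'ws:': 80, 'wss:': 443 };

// Return the origin tuple for a URL as { protocol, host, port }.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port ? Number(u.port) : DEFAULT_PORTS[u.protocol];
  if (port === undefined) {
    throw new Error(`no default port known for scheme ${u.protocol}`);
  }
  return { protocol: u.protocol.replace(/:$/, ''), host: u.hostname, port };
}

// True only when both URLs map to the same (protocol, host, port) tuple;
// only then may script loaded from one read the DOM, cookies or responses
// of the other. Path, query and fragment play no part in the decision.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// Constructed sample comparisons; the first URL is the one on the slide.
const SAMPLES = [
  ['https://www.facebook.com/', 'https://www.facebook.com:443/login'], // same: explicit default port and path are ignored
  ['https://www.facebook.com/', 'http://www.facebook.com/'],           // differs: (https, 443) vs (http, 80)
  ['https://www.facebook.com/', 'https://www.facebook.com:8443/'],     // differs: port
  ['https://www.facebook.com/', 'https://m.facebook.com/'],            // differs: host (a subdomain is a different origin)
];

// One human-readable verdict per sample pair.
function report() {
  return SAMPLES.map(([a, b]) =>
    `${a} vs ${b}: ${sameOrigin(a, b) ? 'same' : 'different'} origin`);
}

console.log(report().join('\n'));
```

Note that the policy compares the host string, not the registrable domain: www.facebook.com and m.facebook.com are different origins even though both are under facebook.com.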
Exploits: Session Theft
HTTP is session-less: there is no HTTP-native way to tie requests to the same user.
Web applications typically use cookies to create a session.
The session describes who the user is and whether they've passed authentication.
JavaScript has access to cookies (diagram: JavaScript, HTTP, SQL).

Exploits: Unauthorized Actions
JavaScript can make requests to the web application.
The browser sends the cookies, so it appears as if the user made the request (clicked the link or filled out the form).
Malicious JavaScript can make requests to the web application on your behalf.

Exploits: Worms
Stored XSS vulnerability + Unauthorized Actions = self-propagating worm.
Social networks are particularly susceptible: samy is my hero (2005), Tweetdeck (2014).

XSS Detection
Understand how input is used in the HTML source.
Input forbidden characters (such as ; and /).
Understand what sanitization is performed.

XSS Prevention
XSS is very difficult to prevent.
Every piece of data that is returned to the user and that can be influenced by the inputs to the application must first be sanitized (GET parameters, POST parameters, cookies, request headers, database contents, file contents).
Specific languages (e.g., PHP) often provide routines to prevent the introduction of code.
Sanitization has to be performed differently depending on where the data is used; this context-sensitivity of sanitization has been studied by the research community.

XSS Prevention
Sanitize all user inputs using a known sanitization routine.
Which routine is needed depends on where the output lands in the HTML page: the characters that must be encoded in an HTML context differ from the ones that matter inside JavaScript.

Tools
Browser Developer Tools
Wireshark
Burp Proxy
SQLMap
OWASP Broken Web Apps Project: https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
Google Gruyere: https://google-gruyere.appspot.com/
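The following Node.js script is an added example, not code from the lecture: it renders the "Hello name" page from the XSS Example slide first unsafely and then with the context-sensitive output encoding the XSS Prevention slides call for, and includes a small probe check in the spirit of the XSS Detection slide. All function names, the probe string and the inline-script variant are this example's own assumptions.

```javascript
// Added example (not from the lecture slides): reflected "Hello <name>"
// rendering, vulnerable and hardened, with one encoder per output context.

// Constructed probe: a script element that would call alert if echoed raw.
const PROBE = '<script>alert("xss")</script>';

// Vulnerable: the name parameter is copied into the HTML body unchanged,
// so a name containing a script element becomes executable page content.
function renderGreetingUnsafe(name) {
  return `<p>Hello ${name}</p>`;
}

// HTML body / attribute-value context: the five characters that can close
// text or an attribute, or open a tag, become character references.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same page, name encoded for the HTML context it lands in.
function renderGreetingSafe(name) {
  return `<p>Hello ${escapeHtml(name)}</p>`;
}

// JavaScript string context inside an inline script element. HTML
// character references are not decoded inside a script, so escapeHtml is
// the wrong encoder here (it would leave a literal "&lt;" in the data).
// Instead the value is emitted as a JSON string literal, and "<", ">" and
// the JS line terminators U+2028/U+2029 are written as \u escapes so the
// literal can never contain "</script" and cannot break out of the string.
function escapeJsString(s) {
  return JSON.stringify(String(s)).replace(/[<>\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderInlineScript(name) {
  return `<script>var user = ${escapeJsString(name)}; greet(user);</script>`;
}

// Detection check: push a probe through a renderer and report whether it
// came back byte-for-byte unchanged, i.e. reflected without sanitization.
function probeReflected(renderer, probe) {
  return renderer(probe).includes(probe);
}

// Summarize how each renderer handles the probe.
function summary() {
  return {
    unsafe: probeReflected(renderGreetingUnsafe, PROBE),
    htmlContext: probeReflected(renderGreetingSafe, PROBE),
    jsContext: probeReflected(renderInlineScript, PROBE),
  };
}

console.log(renderGreetingUnsafe(PROBE));
console.log(renderGreetingSafe(PROBE));
console.log(renderInlineScript(PROBE));
console.log(summary());
```

The point of the two encoders is the context-sensitivity the slides mention: the same user-controlled value needs a different transformation depending on whether it is written into HTML text or into a JavaScript string literal, and an application must know which context each output sits in before it can pick the right routine.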
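As a second added example (again not from the lecture), the following Node.js script parses Set-Cookie headers of the shape shown on the HTTP Server Response slide and flags the cookies that the Session Theft exploit can read: a session cookie without the httponly attribute is exposed through document.cookie, which is what injected JavaScript steals. The sample headers are constructed after the slide's, with the slide's elided dates and Max-Age filled in by placeholder values; the extra sessionid cookie, the name heuristic and all function names are this example's own.

```javascript
// Added example (not from the lecture slides): parse Set-Cookie headers and
// report session cookies that script in the page could read or that travel
// over plain HTTP.

// Constructed sample headers modelled on the slide; dates and Max-Age are
// placeholders, and the sessionid value is not a real token.
const SET_COOKIE_HEADERS = [
  'datr=cohyVEAwQmq5jJh2cWZ9pZc9; expires=Wed, 23-Nov-2016 00:22:58 GMT; Max-Age=63072000; path=/; domain=.facebook.com; httponly',
  'reg_ext_ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.facebook.com',
  'reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com',
  'sessionid=PLACEHOLDER_SESSION_VALUE; path=/; domain=.example.test; Secure',
];

// Parse one Set-Cookie header value into { name, value, attrs }, where attrs
// maps lower-cased attribute names to their string value, or to true for
// bare flags such as httponly and secure. Splitting on ";" is safe because
// the comma inside an expires date is not an attribute separator.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq < 0) throw new Error('malformed Set-Cookie: missing "=" in name-value pair');
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const aeq = trimmed.indexOf('=');
    if (aeq < 0) {
      attrs[trimmed.toLowerCase()] = true;
    } else {
      attrs[trimmed.slice(0, aeq).trim().toLowerCase()] = trimmed.slice(aeq + 1).trim();
    }
  }
  return { name, value, attrs };
}

// A cookie being deleted (Max-Age=0) carries nothing worth protecting.
function isDeletion(cookie) {
  return cookie.attrs['max-age'] === '0';
}

// Heuristic (constructed) for names that look like session identifiers.
const SESSION_NAME_PATTERN = /sess|sid|auth|token|datr/i;

// Return one finding per weakness: a session-looking cookie readable via
// document.cookie (no httponly), or any cookie that may be sent over plain
// HTTP (no secure).
function auditCookies(headers) {
  const findings = [];
  for (const header of headers) {
    const c = parseSetCookie(header);
    if (isDeletion(c)) continue;
    if (c.attrs.httponly !== true && SESSION_NAME_PATTERN.test(c.name)) {
      findings.push(`${c.name}: readable via document.cookie (add HttpOnly)`);
    }
    if (c.attrs.secure !== true) {
      findings.push(`${c.name}: may be sent over plain HTTP (add Secure)`);
    }
  }
  return findings;
}

console.log(auditCookies(SET_COOKIE_HEADERS).join('\n'));
```

HttpOnly does not stop the Unauthorized Actions exploit, since the browser still attaches the cookie to requests that injected script makes, but it does take the cookie value itself out of reach of document.cookie, which is the mitigation for the session theft case.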