Cross SIte scripting
Stephen Boles
Code Fellows
stephenboles@gmail.com
Road MAP
- How Does It Work?
- Types of XSS
- Consequences
- How To Prevent?
- Further Reading
- Picture Of Puppy
HOW DOES IT WORK?
- Hackers infect a web page with malicious client-side script.
- A user visits this web page, the script is downloaded to his browser, and executed.
TYPES OF XSS
- (Persistent) or Stored XSS Attacks
- Those where the injected script is permanently stored on the targets servers.
- (Non-Persistent) or Reflected XSS Attacks
- Reflected off the web server, such as an error message, search result, etc. Done by tricking users with a malicious link, etc.
XSS Consequences
- Potential disclosure of users cookie sessions, allowing a hacker to hijack users account and take over the account.
- Installation of Trojan Horse programs, redirecting user to some other site, and possibly spoof content .
How to prevent
- Microsoft Web Protection Library (http://wpl.codeplex.com/)
- Includes ANTI XSS Library with white lists, and globalization for attacks from around the world in different languages.
- OWASP ESAPI: http://goo.gl/7U2FZ
- Contextual output encoding/escaping
- Current News
- Stack Overflow:
- "Security is a process, not a product."
Resources
-
Stack Overflow Thread
-
OWASP Checklist for SECURITY
-
Stack Overflow Thread
-
OWASP Checklist for SECURITY
EVEN MORE RESOURCES
- WebGoat
- OWASP XSS Prevention Cheat Sheet
deck
By Stephen Boles