Secure coding | XSS Attacks on current Web Applications


Published on February 25, 2014

Author: null0x00



Shubham Sharma

Cross-Site Scripting Attacks on Current Web Applications

Introduction
 An attacker gets control of the user's browser in order to execute a malicious script within the trust context of the web application's site.
 If the injected code is executed, the attacker can then access, passively or actively, any sensitive browser resource associated with the web application (cookies, session IDs, and so on).

Threats
 Everything from account hijacking, changing of user settings and cookie theft/poisoning to false advertising is possible.
 Steal cookies, which can then be used to impersonate the customer and gain access to their data and privileges; this is also known as session hijacking.
 Redirect the user to another website of the attacker's choosing, perhaps one that is offensive, or one that tries to install malware on the user's computer.
 Display alternate content on your own website.

History of Attacks
 October 2001, Hotmail: a remote attacker could steal the .NET Passport identifiers of Hotmail users by collecting their cookies.
 October 2005, MySpace: used by the Samy worm to propagate itself across MySpace user profiles.
 November 2006, Orkut: vulnerable to cookie stealing simply by posting the stealing script in the attacker's profile.

Non-Persistent XSS Attack

 User input is reflected immediately on the page by server-side scripts without proper sanitization.
 To exploit it, the attacker has to deliver a crafted URL to the victim, passing the code to be injected as a parameter.
 The payload is usually URL-encoded, which disguises the injected code from the user; the server decodes it before the vulnerable script reflects it back.

Persistent XSS Attacks

 When the data entered by the user is stored on the server for a certain length of time, the attack is called "persistent".
 Every user of the website who opens the page where the harmful code was introduced is affected.
 Commonly found in: contact/feedback pages, log viewers, exception handlers, chat applications/forums, etc.


Actual Demonstration

No Protection

Data Validation
 The application accepts only correct data.
 User data must be validated to ensure it is of the correct type, and discarded if it does not pass validation.
 Allow only a limited set of special characters.

preg_match()
 Performs a regular expression match. It returns 1 if the pattern matches, 0 if it does not, and false on error, so compare the result with 1 rather than treating it as a boolean.
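A whitelist check with preg_match(), as an added example rather than code from the presentation. The field formats are assumptions made for the illustration; what matters is the anchoring of the pattern and the handling of the return value, which the slide does not show.

```php
<?php
// Added example (not from the presentation): validate before use, reject what does not
// match a strict whitelist. Two classic preg_match() mistakes are avoided here:
//   1. Missing anchors: /[A-Za-z]+/ matches "<script>alert(1)</script>" because it finds "script".
//   2. Using $ as the end anchor: $ also matches before a trailing "\n", so "bob\n" would pass.
//      \A and \z (or the D modifier) anchor to the real start and end of the subject.

function valid_username(string $s): bool
{
    // 3-20 letters, digits, underscore or hyphen; nothing else (the format is an assumption)
    return preg_match('/\A[A-Za-z0-9_-]{3,20}\z/', $s) === 1;
}

function valid_phone(string $s): bool
{
    // optional +, then 8-15 digits (E.164 style); spaces and punctuation are rejected
    return preg_match('/\A\+?[0-9]{8,15}\z/', $s) === 1;
}

// Generic helper: returns the value only if it matches, otherwise null, so the caller
// has to handle rejection explicitly instead of silently using a bad value.
function validated(array $input, string $key, string $pattern): ?string
{
    $v = $input[$key] ?? null;
    if (!is_string($v) || preg_match($pattern, $v) !== 1) {
        return null;
    }
    return $v;
}

// Constructed sample input
$samples = [
    'alice_01',
    "bob\n",                       // trailing newline: accepted by a $-anchored pattern, rejected by \z
    '<script>alert(1)</script>',
    "alice\0",                     // NUL byte
];
foreach ($samples as $s) {
    printf("%-32s %s\n", json_encode($s), valid_username($s) ? 'accepted' : 'rejected');
}

// Typical use against request data
$get = ['user' => 'eve-22', 'phone' => '+4915112345678'];
var_dump(validated($get, 'user', '/\A[A-Za-z0-9_-]{3,20}\z/'));
var_dump(validated($get, 'phone', '/\A\+?[0-9]{8,15}\z/'));
var_dump(valid_phone('0151 1234 5678'));
```

Validation of this kind is the first line, not the only one: a username that passes the whitelist still has to be escaped when it is written into HTML, because a later change to the pattern (allowing an apostrophe in names, for instance) must not turn into an injection.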

Output Escaping
 Protects the integrity of displayed/output data.
 Escape the data when presenting it to the user, for the context it is inserted into (HTML body, attribute value, JavaScript, URL).
 Prevents the browser from applying any unintended meaning to special sequences of characters that may be present.


Data Sanitization
 Manipulating the data to make sure it is safe.
 Removing any unwanted bits from the data and normalizing it to the correct form.

htmlentities()
 Converts all applicable characters to HTML entities.
 The default value of the encoding argument is ISO-8859-1 in versions of PHP prior to 5.4.0, and UTF-8 from PHP 5.4.0 onwards; pass it explicitly so the output does not depend on the PHP version.


Available flag constants:
 ENT_COMPAT  Converts double quotes and leaves single quotes alone (the default before PHP 8.1).
 ENT_QUOTES  Converts both double and single quotes.
 ENT_NOQUOTES  Leaves both double and single quotes unconverted.
Since PHP 8.1 the default flags are ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401. Use ENT_QUOTES whenever the value may end up inside an attribute, since a single-quoted attribute is broken out of with a single quote that ENT_COMPAT leaves untouched.
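Output escaping with htmlentities() and the quote flags listed above, as an added example that is not part of the presentation. It shows why ENT_QUOTES matters once a value lands inside a single-quoted attribute, and it passes the character set explicitly so the result does not depend on the PHP version's default. The attacker string is constructed.

```php
<?php
// Added example (not from the presentation): one escaping helper for HTML text and
// attribute context. The encoding is passed explicitly, so the result does not depend on
// the PHP version's default (ISO-8859-1 before 5.4, UTF-8 from 5.4). ENT_SUBSTITUTE makes
// invalid UTF-8 come out as U+FFFD instead of turning the whole string into "".
function e(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed attacker input aimed at a single-quoted attribute
$input = "x' onmouseover='alert(document.cookie)";

// What each quote flag does with it: only ENT_QUOTES touches the single quote
$flags = ['ENT_COMPAT' => ENT_COMPAT, 'ENT_QUOTES' => ENT_QUOTES, 'ENT_NOQUOTES' => ENT_NOQUOTES];
foreach ($flags as $name => $flag) {
    printf("%-12s %s\n", $name, htmlentities($input, $flag, 'UTF-8'));
}

// The same value placed in a single-quoted attribute. With ENT_COMPAT the quote survives,
// closes the value attribute and the rest becomes an event handler; with e() it stays inside.
$unsafe = "<input value='" . htmlentities($input, ENT_COMPAT, 'UTF-8') . "'>";
$safe   = "<input value='" . e($input) . "'>";
echo "\nENT_COMPAT in attribute: $unsafe\nENT_QUOTES in attribute: $safe\n";

// Encoding pitfall: a Latin-1 byte is not valid UTF-8. Without ENT_SUBSTITUTE htmlentities()
// returns an empty string and the field silently disappears from the page; with it the
// bad byte is replaced by U+FFFD and the rest of the value is kept.
$broken = "caf\xE9";
var_dump(htmlentities($broken, ENT_QUOTES, 'UTF-8'));
var_dump(e($broken));
```

A value escaped with e() is safe between tags and inside quoted attributes. It is not safe inside a <script> block or in a URL; those contexts need their own encoding (json_encode with the JSON_HEX_* flags, rawurlencode), which is what "escape for the context" under Output Escaping means in practice.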

Sanitize filters available through filter_var() (ID | accepted flags | description):

FILTER_SANITIZE_EMAIL | none | Remove all characters except letters, digits and !#$%&'*+/=?^_`{|}~@.[].
FILTER_SANITIZE_ENCODED | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH | URL-encode the string, optionally strip or encode special characters.
FILTER_SANITIZE_MAGIC_QUOTES | none | Apply addslashes(). Deprecated in PHP 7.3 and removed in PHP 8.0.
FILTER_SANITIZE_NUMBER_FLOAT | FILTER_FLAG_ALLOW_FRACTION, FILTER_FLAG_ALLOW_THOUSAND, FILTER_FLAG_ALLOW_SCIENTIFIC | Remove all characters except digits, + and -, and optionally . , e E.
FILTER_SANITIZE_NUMBER_INT | none | Remove all characters except digits, plus and minus sign.
FILTER_SANITIZE_SPECIAL_CHARS | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_HIGH | HTML-encode '"<>& and characters with ASCII value less than 32, optionally strip or encode other special characters.
FILTER_SANITIZE_STRING | FILTER_FLAG_NO_ENCODE_QUOTES, FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP | Strip tags, optionally strip or encode special characters. Deprecated in PHP 8.1.
FILTER_SANITIZE_STRIPPED | (as FILTER_SANITIZE_STRING) | Alias of the "string" filter.
FILTER_SANITIZE_URL | none | Remove all characters except letters, digits and $_.+!*'(),{}|^~[]`<>#%";/?:@&=.
FILTER_UNSAFE_RAW | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP | Do nothing, optionally strip or encode special characters.
FILTER_SANITIZE_FULL_SPECIAL_CHARS | FILTER_FLAG_NO_ENCODE_QUOTES | Equivalent to calling htmlspecialchars() with ENT_QUOTES set. Encoding of quotes can be disabled with FILTER_FLAG_NO_ENCODE_QUOTES.

The sanitize filters remove or encode characters so that a value fits a shape; none of them checks that the value is meaningful. That is the job of the FILTER_VALIDATE_* filters, and input should be validated and rejected rather than sanitized into something that merely looks acceptable.
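filter_var() with the sanitize filters from the table, as an added example that is not from the presentation. The sample values are constructed, and the deprecated filters (FILTER_SANITIZE_STRING, FILTER_SANITIZE_MAGIC_QUOTES) are left out so the script runs on PHP 8. The second half shows the point the table leaves implicit: a sanitize filter reshapes data, it does not say whether the data was valid, so the raw input is checked with the matching FILTER_VALIDATE_* filter and rejected rather than repaired.

```php
<?php
// Added example (not from the presentation): sanitize filters from the table on constructed input.
// Each row: display name, filter constant, flags, sample value.
$samples = [
    ['FILTER_SANITIZE_NUMBER_INT',         FILTER_SANITIZE_NUMBER_INT,         0,                          '12<script>3-4'],
    ['FILTER_SANITIZE_NUMBER_FLOAT',       FILTER_SANITIZE_NUMBER_FLOAT,       FILTER_FLAG_ALLOW_FRACTION, '3.14 <b>abc</b> 1,000'],
    ['FILTER_SANITIZE_EMAIL',              FILTER_SANITIZE_EMAIL,              0,                          'mallory<script>@example.com'],
    ['FILTER_SANITIZE_SPECIAL_CHARS',      FILTER_SANITIZE_SPECIAL_CHARS,      0,                          "<a href='x'>\x01hi</a>"],
    ['FILTER_SANITIZE_FULL_SPECIAL_CHARS', FILTER_SANITIZE_FULL_SPECIAL_CHARS, 0,                          "<a href='x'>hi</a>"],
    ['FILTER_SANITIZE_ENCODED',            FILTER_SANITIZE_ENCODED,            0,                          'a b/c?d=<e>'],
    ['FILTER_SANITIZE_URL',                FILTER_SANITIZE_URL,                0,                          "http://ex ample.com/\x7fpath"],
];
foreach ($samples as [$name, $filter, $flags, $value]) {
    // the third argument may be an int bitmask of FILTER_FLAG_* values
    printf("%-36s %-30s -> %s\n", $name, json_encode($value), filter_var($value, $filter, $flags));
}

// Sanitizing is not validating. FILTER_SANITIZE_EMAIL strips the angle brackets out of
// 'mallory<script>@example.com' and leaves a string that FILTER_VALIDATE_EMAIL accepts,
// although the user never typed that address. Validate the raw value and reject it instead.
function accept_email(string $raw): ?string
{
    return filter_var($raw, FILTER_VALIDATE_EMAIL) === false ? null : $raw;
}

// Same idea for integers, with a range so a valid-looking number is also a sensible one
function accept_int(string $raw, int $min, int $max): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? null : $v;
}

echo "\n";
var_dump(accept_email('mallory<script>@example.com'));                                    // raw: rejected
var_dump(accept_email(filter_var('mallory<script>@example.com', FILTER_SANITIZE_EMAIL)));  // sanitized first: accepted, wrongly
var_dump(accept_int('12<script>3-4', 1, 1000));                                           // raw: rejected
var_dump(accept_int(filter_var('12<script>3-4', FILTER_SANITIZE_NUMBER_INT), 1, 1000));   // sanitized first: still not an int
```

The sanitized values are useful for display or logging, not as a substitute for validation. A request that needed sanitizing to pass is a request that should have been rejected.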

ModSecurity (web application firewall)
 Protects against attacks that target websites.
 Rule categories include: csrf_protection, session_hijacking, comment_spam, authentication_tracking, protocol_violations, sql_injection_attacks, xss_attacks, brute_force, and many more.

Default Information Disclosure

(Screenshots: the original contact information shown on Apache's default error pages, and the original code of contact.html.var)

How to change the contact info
 Go to the error directory of the Apache installation (binaries\apache\error in the slides).
 Open contact.html.var and edit the contact details it contains.

(Screenshot: the modified contact.html.var with the contact information changed)

Disable the Apache signature and/or banner
 Add to httpd.conf to remove the Apache version from the Server header:
 ServerTokens ProductOnly
 ServerTokens takes one argument: 'Prod' (long form 'ProductOnly'), 'Major', 'Minor', 'Min', 'OS' or 'Full'.
 ServerSignature Off additionally removes the version line from server-generated pages such as error pages and directory listings.

(Screenshots: the Server header before and after the change)

 Add, replace or change in php.ini to remove the PHP version disclosure and error output:
 expose_php = Off (removes the X-Powered-By header)
 display_errors = Off (errors go to the log instead of the response)
 register_globals = Off (only relevant on PHP 5.3 and earlier; the directive was removed in PHP 5.4)

Disable version disclosure in error pages
 Go to the error\include directory of the Apache installation (binaries\apache\error\include in the slides).
 Open bottom.html. By default we see this:

(Screenshot: the original bottom.html, the footer included in every default error page)

(Screenshot: the edited bottom.html)

(Screenshot: the customized error page)

Stopping sensitive file disclosure
 Turn off automatic indexing.
 Instruct Apache to reject all requests for files matching a set of regular expressions (FilesMatch directives).
 In httpd.conf, deny access to .htaccess files; the default configuration ships a <Files ".ht*"> block for this, so make sure it has not been removed.

Protecting backup files
 Add FilesMatch rules to httpd.conf for editor and backup suffixes (for example .bak, .old and a trailing ~).
 The FilesMatch directive only looks at the last component of the full path (the filename), not the directories above it, so one rule applies in every directory.

Disable directory indexing
 A directory listing shows the files the way Windows Explorer does, instead of a web page.
 An attacker can gain valuable information about your site.
 The listed files may include sensitive information, such as backup script files, .htaccess files, or text files with notes.
 A listing by itself does not grant access to files outside the web root; that needs a separate path-traversal flaw or a symbolic link that Apache is configured to follow. Combined with either, a listing makes such files easy to find.

How to disable directory listings in Apache
 Open your Apache config file (httpd.conf).
 Find "Options FollowSymLinks Indexes".
 Replace it with "Options FollowSymLinks" (or use "Options -Indexes", which removes only that option and leaves the rest unchanged).
 Done.

 FollowSymLinks makes Apache follow symbolic links (shortcuts, if you like) in the file system, so a link placed inside the document root can expose files outside it.
 Indexes lets Apache generate a listing of a directory's contents when the directory has no index file (DirectoryIndex).
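The Apache settings from the slides above (ServerTokens, the .htaccess and backup-file rules, and the Options change) collected into one httpd.conf fragment. This is an added example, not the presentation's configuration: the document-root path and the backup-file suffixes are assumptions, and the syntax is Apache 2.4 (Require), so on 2.2 the Require lines become Order/Deny directives.

```apache
# Added example (not from the presentation). Apache 2.4 syntax; path and suffixes are assumptions.

# Version disclosure: "Server: Apache" only, and no "Apache/2.4.x (OS) Server at ..." line
# at the bottom of error pages and directory listings.
ServerTokens Prod
ServerSignature Off

# Directory indexing. The slide's edit removes "Indexes" from the list; the +/- form below
# does the same without having to restate every other option.
# Was:  Options FollowSymLinks Indexes
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Sensitive files. FilesMatch tests only the final path component (the filename),
# so one rule covers every directory the server serves.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Editor and backup copies: script.php~, script.php.bak, .old, .orig, .save, .swp, .tmp, .dist
<FilesMatch "(~|\.(bak|old|orig|save|swp|tmp|dist))$">
    Require all denied
</FilesMatch>

# Version-control metadata checked out inside the document root. FilesMatch cannot match
# a directory name, hence DirectoryMatch.
<DirectoryMatch "/\.(git|svn|hg)">
    Require all denied
</DirectoryMatch>
```

Run `apachectl configtest` (or `httpd -t`) before reloading, then check the result from outside: `curl -sI http://localhost/ | grep -i '^Server'` should show only `Apache`, and `curl -sI http://localhost/index.php.bak` should return 403 whether or not such a file exists.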

Disable powerful functions in PHP
 Disable functions that may be useful to an attacker but are not necessary to the application.
 Disable execution of OS commands.
 Open php.ini and search for "disable_functions".
 Add "shell_exec" after "disable_functions =" (the value is a comma-separated list of function names).

Other functions
 exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, pcntl_exec, dl.
 If the application needs to execute OS commands, pcntl_exec is preferred because it takes the program path and an argument array and does not pass through a shell, so argument values cannot inject extra commands. Note that pcntl_exec replaces the current PHP process and the pcntl extension is meant for the CLI rather than web server SAPIs; in web code, proc_open with an array command (PHP 7.4 and later) gives the same no-shell behaviour.
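The php.ini settings from the two PHP slides above collected into one fragment, as an added example rather than the presentation's file. The log path is an assumption; the function list is the one given on the slide.

```ini
; Added example (not from the presentation). Log path is an assumption.

; No "X-Powered-By: PHP/x.y.z" response header
expose_php = Off

; Errors go to the log, never into the response (they would otherwise reveal paths,
; query fragments and stack traces to the visitor)
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log

; register_globals = Off was needed on PHP 5.3 and earlier; the directive was removed in
; PHP 5.4, so leave it out of php.ini on current versions.

; Functions the application does not need. Comma-separated, php.ini only (it cannot be set
; with ini_set() at runtime). curl_exec/curl_multi_exec break every HTTP-client library,
; so keep them in the list only if the application really makes no outbound HTTP calls.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,pcntl_exec,dl
```

Check the effective values with `php -i | grep -E '^(expose_php|display_errors|disable_functions)'` for the CLI, and with a temporary phpinfo() page for the web SAPI (removed again afterwards), because the CLI and the web server frequently read different php.ini files (`php --ini` shows which one the CLI loaded).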




WilliamOn | 26/03/15
Interesting post ) my blog
