Ultimate XSS Beginner guide BY UNCLE RAT Agenda What is XSS? u XSS Contexts u u Javascript context u HTML tag attribute u HTML tag u Types of XSS u Reflected XSS u Stored XSS u DOM XSS Agenda u How to test for XSS u Reflected u Stored u DOM XSS u Getting around Filters u Raising our impact What is XSS What is XSS u Allows attacker to inject client-side script u Happens because developer does not sanitize input u XSS attacks are possible in VBScript, ActiveX, Flash, and even CSS u Most common in javascript XSS Contexts XSS Contexts - For stored and reflected XSS XSS into JS XSS in HTML tag attributes XSS between HTML tags XSS in JavaScript template literals XSS in the context of the AngularJS sandbox XSS in CSS XSS in headers ... Types of XSS Types of XSS u Many attack types u Reflected XSS vs stored XSS u Dom based vs source based u Blind XSS u Mutation u CSTI XSS Types of XSS – Reflected Types of XSS - Reflected u User input gets reflected u Into an attribute of an html tag u Into the HTML page u Into the javascript context u ... User input does not gets stored into database u User input is not properly sanitized u User input can contain javascript code u Types of XSS - Reflected u CAN OCCUR WITH POST CALLS u Add CSRF into the mix Types of XSS – Stored Types of XSS - Stored u User input gets stored into database u Database value gets reflected u Into HTML page u Into HTML tag attribute u Into the javascript context u… Types of XSS - Stored u User input is not sanitized properly u At u input u And at write to the database u And at read from database User input can contain malicious javascript code Types of XSS – DOM Types of XSS - DOM u var search = document.getElementById('search').value; u var results = document.getElementById('results'); u results.innerHTML = 'You searched for: ' + search; u Results.innerHTML <<< DOM Sink Types of XSS - DOM u DOM Sinks u Where Model user input enters the Document Object u Eval() u InnerHTML u ... Types of XSS - DOM u Most common sources for DOM XSS u Arises from windows.location u Usually u OR in query string (?) fragment portion of URL(#) Types of XSS – DOM VS Source based Types of XSS – DOM VS Source based u DOM u u Document Object Model u Everything surrounding your page u Like URL u Like History u Can only be investigated in the developer console of browser u ... Source u Source code of a website Types of XSS – Blind XSS Types of XSS – Blind XSS u Relies heavily on out of band servers u Implements the use a payload but no results u Later we get a call informing payload triggered u Can be stored and reflected u Reflected in case of knowing a page and parameter exist but no access Types of XSS – mutation XSS Types of XSS – Mutation XSS u Relatively new technique u Bypassed DOM u Browser will try to repair our ”Broken” payload u Making into a full XSS u Hence: Mutation, browser mutates payload, running directly Types of XSS – CSTI Types of XSS – CSTI XSS u Front-end templating engines such as angularJS and vueJS u If used improperly allow for CSTI u Can lead to XSS XSS Contexts XSS Contexts – XSS in HTML tag XSS Contexts – XSS in HTML tag attributes u u u Test u u u

Hi there

u u XSS Contexts – XSS in HTML u We can u Insert our own HTML tags if developer did not sanitize properly u Make that a javascript executing tag u Execute arbitrary javascript code u Execute a XSS attack XSS Contexts – XSS in HTML tag attributes u Hackxpert.com?Name=

u ... XSS Contexts – XSS in HTML tag attributes XSS Contexts – XSS in HTML tag attributes u u ... u u We can u Break out of the attribute if our input is not sanitized u Insert our own arbitrary JS code u Execute XSS u "> XSS Contexts – Into JS XSS Contexts – Into JS XSS Contexts – Into JS u Since we can control searchterms u We can insert ’ u We can break out of the existing script tag u We can insert our javascript u ‘ u ‘ to break out of JS function u Ending the current script tag with u Starting our own scripts How to test for XSS – General How to test for XSS - General u Attack vectors u Depend on the context u JS: '"`… u u HTML:

u u Single quote, double quote, backtick... to break out of JS function First test for HTML injection, then expand to XSS HTML attribute: '>">`>… u Single quote, double quote, backtick... to break out of html tag attribute u All are simple, if they break the page or insert image, look deeper u Replace the tag with your own tag like

Ultimate XSS Beginner Guide

of 54

Description

Hi there

Almost There!

Free up your schedule!

Take 5 seconds to unlock