Cross site scripting

 

  • Exploit Methods:
    • Reflected
    • Persistent
    • DOM Based + JSON + JQuery
    • Data URI – MS WORD
      • Hijack links(Script to to turn the links to open WORD document which ll be download to user machine and use user's machine.)
    • Dangling Markup –Script less attack
      • The attacker injects some URL to the database wit out closing tag. When the page is bound the HTML DOM all are sent to the URL that attacker has out on. In MVC, the attacker can now take the "Request Verification Token" too.
  • Solutions:
    • Use HTML Encode for Cross site scripting
    • Avail user inputs to use tags and use regex to a-z only
    • Json.Encode() or Encoder.JavaScriptEncoder() all data supplied to Java script
      • Still vulnerable if the text is read from element and used incorrectly
    • Audit everywhere where ever the DOM created/altered by user input
    • Do not Encode the data to save in database, but Sanitized. Since the data is leading double encoding.
    • Use Sanitizer. AntiXss Sanitizer's GetSafeHtml()/GetSafeHtmlFragmant()
    • Specify Page Encoding in web.config
    • Content Security Policies( Will not allow inline JS and scripts from other websites)
      • Response.AddHeader("X-Content-Security-Policy","default-src 'self'");
      • Response.AddHeader("X-WebKit-CSP","default-src 'self'");
    • Do not expect blacklist to work.
    • Consider removing all data: from all stored URIs to exclude data.
    • Only allow local urls redirects that starts with "/uri"
    • Audit every location data is assigned, ouput and lot of outputs affected by user.
      • Ensure it is not used in java script or highly sanitized
      • Know your control behavior
        • Asp.net Textbox HTMLEncodes, Label does not.
      • Test by injecting script. Use fiddler to inspect the behavior
    • Be concerned with any place that DOM elements are created/modified
      • Use functions such as SetAttribute() and var x= document.CreateElement('div'); rather than document.WriteLine, $(x).html(), element.InnerHtml, eval
    • Deprecate IE6 (use IE upgrade redirect)
    • Don't turn off (EnableRequestValidation or ValidateRequest)
    • MVC apps use [AllowHtml], WebForms more difficult

       

Comments

Post a Comment

Popular posts from this blog

BDD - Acceptance Test Driven Development

Image
Acceptance Test Driven Development What is BDD: BDD is an agile software development technique that encourages collaboration between developers, QA, and non-technical or business participants in a software project. It's more about business specifications than about tests. You write a specification for a story and verify whether the specs work as expected. The main features of BDD development are outlined below:   A testable story (it should be the smallest unit that fits in an iteration) The title should describe an activity The narrative should include a role, a feature, and a benefit The scenario title should say what's different The scenario should be described in terms of Givens, Events, and Outcomes The givens should define all of, and no more than, the required context The event should describe the feature   Advantage of BDD:   The first advantage is that this domain language is usable/understandable by domain experts as well. Given that you e...
Read more

Angular JS – Part 2

Angular Routing Services and Directives: Routing Services: $route - $routeProvider is used to map the URL with template + assigned controller. (specially for SPAs). Methods: when(), otherwise(redirectTo:), current, params, pathParams, reload(). Also we can use resolve() to decide before load template. $routeParams – Used to pass the parameters via URL $location –Use to enable html5 routing. Can get the URL informations Eg. absUrl, protocol, port, host, path, search, hash, url. Replace() method will not keep URL history. Directives: Uses of Directives: Create custom element, custom event, observe and react to changes Use eventApp.dirctive("directiveName",function(){ return {restrict: 'E', template: "<input>"}}); Can restrict the directive to how should use. E(element), C(class), A(attribute), M(comment). Instead of template HTML text, the URL can be used. Use" replace: true" to replace the element name to html i...
Read more

.Net Collections

The  System.Collections namespace contains interfaces and classes that define various collections of objects, such as lists, queues, bit arrays, hash tables and dictionaries. Array list: Implements the IList interface using an array whose size is dynamically increased as required. Dictionary Base: Provides the abstract (MustInherit in Visual Basic) base class for a strongly typed collection of key-and-value pairs. Dictionary is a Generic type. So we can get type safety with Dictionary. Hash table: Represents a collection of key-and-value pairs that are organized based on the hash code of the key. A key cannot be a null reference (Nothing in Visual Basic), but a value can be. Hashtable is not a Generic type. So we can’t get type safety with Hashtable. Hashtable is thread safe. Queue: Represents a first-in, first-out collection of objects. Queues are useful for storing messages in the order they were received for sequential processing. Stack: ...
Read more