
Secure Software Development Course
Computer Eng. Depart. – Sharif Univ.
Ahmad Boorghany
[email protected]
Spring 1392
XSS
- Impact: MODERATE
- Attacker injects client-side script into the browser. So what's the problem?

XSS
Problems:
- Session hijacking
- Defacement
- XSS keylogger!

Examples:
- http://…/?name=<script>…</script>  →  renders: Hi <script>…
- http://…/<script>alert(123)</script>  →  404 Not Found + alert!
- http://…/?type=' onfocus='alert(123)' x='

XSS Prevention
- Escape user data upon output.
- Do NOT escape by hand. Use a security-aware library: OWASP ESAPI, Microsoft AntiXSS, …
- The problem is that escaping rules are different for different contexts:
  - Inside HTML content
  - Inside attribute values
  - Inside JavaScript data values
  - Inside style property values
  - Inside URL parameters

XSS Prevention Rules from OWASP follow.
- Do NOT put user-supplied data here:
- Rule #1: Escape for HTML Element Content
  ESAPI.encoder().encodeForHTML(input)
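An added example, not from the slides and written in Python rather than against ESAPI, showing why the context decides the escaping rule: a minimal `& < >` escaper is enough for the "Hi <name>" element-content case, but it leaves the slide's `type=' onfocus='alert(123)' x='` input intact inside a single-quoted attribute, while an attribute encoder neutralizes it. The template, the two encoders and the output check are assumptions made for illustration.

```python
import html
import re

# Constructed sample inputs, copied from the two injection examples on the slides.
SCRIPT_PAYLOAD = "<script>alert(123)</script>"
ATTR_PAYLOAD = "' onfocus='alert(123)' x='"


def escape_minimal(data: str) -> str:
    """A common 'HTML escape' that only touches & < >.  Adequate for text
    between tags (Rule #1), but it leaves quote characters alone."""
    return html.escape(data, quote=False)


def escape_attribute(data: str) -> str:
    """Attribute-value context: encode every non-alphanumeric character as
    &#xHH; so the data can never close the surrounding quote or start a new
    attribute, whether the attribute is quoted or not."""
    return "".join(c if c.isalnum() else f"&#x{ord(c):02x};" for c in data)


def render_profile(name: str, field_type: str, attr_encoder) -> str:
    """Hypothetical template with two contexts: element content ('Hi <name>')
    and a single-quoted attribute value (the type=... example on the slide)."""
    return (f"<p>Hi {escape_minimal(name)}</p>"
            f"<input type='{attr_encoder(field_type)}'>")


# Defender's check on rendered output: an on*= handler attribute that the
# template itself never writes means user data broke out of its context.
EVENT_HANDLER = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)


def has_injected_handler(markup: str) -> bool:
    return EVENT_HANDLER.search(markup) is not None


if __name__ == "__main__":
    wrong = render_profile("Ali", ATTR_PAYLOAD, escape_minimal)
    right = render_profile("Ali", ATTR_PAYLOAD, escape_attribute)
    print(wrong, has_injected_handler(wrong))   # True: handler survives
    print(right, has_injected_handler(right))   # False: data stays inside the quotes
    print(render_profile(SCRIPT_PAYLOAD, "text", escape_attribute))  # no live <script>
```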

Script inside the DB!
- Most likely to occur inside our own web applications.
- Escape it upon store or upon display.
- Upon display is preferred in most cases.

References (XSS):
1. https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
2. http://jehiah.cz/a/xss-stealing-cookies-101
3. http://www.csnc.ch/misc/files/publications/compass_event08_xssshell_krm_v1.0.pdf
4. http://jskeylogger.sourceforge.net/
5. https://docs.djangoproject.com/en/dev/topics/templates/#automatic-html-escaping
6. http://wpl.codeplex.com/