Week 8

Good Faith Policy

“These courses expect a high standard of professionalism from its students with regard to how security testing is conducted. We expect all students to act in good faith at all times […]”

TL;DR Don’t be mean

https://sec.edu.au/good-faith-policy

Report 1

Marks released… soon???
Feedback released tonight, maybe...

HTML

A Hacker’s Toolkit

  • HTML is cAsE INSEnSItive
  • <script>...</script>
  • <img onerror="..." src="aaa">
  • document.write(...)
  • Fetch API
  • XMLHttpRequest
  • jQuery

XSS

  • What - User content is rendered as HTML

  • How - The server unsafely puts user content into the response body. The browser interprets the payload as if it were legitimate HTML

Reflected XSS

The payload is part of the user's input
(e.g. the URL bar, inside a cookie, etc.)

Demo: Reflected XSS

website.com/?q=<img onerror="alert('pwned!')" src="http://google.com">

Stored XSS

The payload is stored in some sort of database.

Arguably more dangerous… Anyone who opens a page that returns content from that same database may fall victim to a stored XSS attack

  • Twitter Hack

Demo: Stored XSS

DOM-based XSS

Client-side JavaScript pieces together data (from the URL, the DOM, etc.) and writes it into the page; the assembled result is itself the exploit, and the server never needs to be involved.

e.g. document.write(...)

Mitigating XSS

  • Validation - Blacklisting / whitelisting of input
  • Sanitisation - Remove unsafe tags and attributes
  • Encode - Escape data so it is rendered as text rather than interpreted as a control character / markup
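Added example (not from the slides): the three mitigations above applied to the reflected-XSS demo payload from these slides. It also picks up the "HTML is case insensitive" point from the toolkit slide, since a blacklist that forgets that is trivially wrong; the helper names are my own.

```javascript
// Added example (not from the slides): the three "Mitigating XSS" approaches
// applied to the reflected-XSS demo payload shown on the slides.
const PAYLOAD = '<img onerror="alert(\'pwned!\')" src="http://google.com">';

// 1. Encode: escape the HTML-significant characters so the browser shows the
//    text literally instead of parsing it as markup. Safe for text nodes and
//    double-quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// 2. Sanitise by blacklist: remove <script> elements. The /i flag matters
//    because HTML tag names are case-insensitive (<ScRiPt> is still a script).
function stripScriptTags(s) {
  return s.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// 3. Validate by whitelist: a search query may only contain word characters,
//    spaces and a little punctuation; anything else is rejected outright.
function isValidQuery(s) {
  return /^[\w .,'-]{1,100}$/.test(s);
}

// Rough "would this still be active markup?" check for the comparison below:
// is there a tag carrying an on* event-handler attribute?
function containsEventHandlerTag(s) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(s);
}

// Apply each mitigation to an input and report whether active markup survives.
function compareMitigations(input) {
  const encoded = encodeHtml(input);
  const blacklisted = stripScriptTags(input);
  return {
    encoded,
    encodedStillActive: containsEventHandlerTag(encoded),
    blacklisted,
    blacklistStillActive: containsEventHandlerTag(blacklisted),
    passesWhitelist: isValidQuery(input),
  };
}

// The img/onerror payload sails straight through the <script> blacklist,
// is rejected by the whitelist, and is rendered inert by output encoding.
console.log(compareMitigations(PAYLOAD));
```

The takeaway for defenders is the ordering of the results: a blacklist only ever catches what you thought of, so encode on output and validate on input rather than trying to strip "bad" tags.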

Defense

Don’t use .innerHTML or .outerHTML

Use .innerText or .textContent

Demo: DOM XSS

JS Frameworks

X-XSS-Protection header

Turn it off, it’s broken 🔥 🌊🚒

✅ X-XSS-Protection: 0

  • Sometimes causes client-side errors on real code
  • Has its own vulnerabilities

“Firefox never supported X-XSS-Protection, and Chrome and Edge have dropped support for it.”

CSP

Only allow scripts / images / styles / … from ____

It’s kinda OP.

  • block eval(), inline scripts, iframes
  • whitelist by scheme, domain, path, …
  • nonce
  • checksum
  • reporting

Implementation

  • Define CSP inside HTTP headers, or in <meta> tags
  • Meta tags have a lesser CSP capability
    • (relevant if the meta tags can be overridden)
    • But it still has its flaws…


Exploits

Corrupt the CSP header? Response splitting?

Deliverables

Challenges due this Sunday!
