WEBVTT

00:00:00.000 --> 00:00:06.170 align:middle line:90%


00:00:06.170 --> 00:00:08.090 align:middle line:84%
Welcome to Cross-Site
Scripting session.

00:00:08.090 --> 00:00:10.710 align:middle line:90%


00:00:10.710 --> 00:00:14.370 align:middle line:84%
In this first part, we will
focus on threat analysis.

00:00:14.370 --> 00:00:17.700 align:middle line:84%
We will take our time to discuss
cross-site scripting details.

00:00:17.700 --> 00:00:19.680 align:middle line:84%
Then we will discuss
how the system

00:00:19.680 --> 00:00:23.250 align:middle line:84%
can be harmed, then the impact
of successful exploitation

00:00:23.250 --> 00:00:25.380 align:middle line:84%
and give you some
insights to identify who

00:00:25.380 --> 00:00:27.390 align:middle line:90%
may want to harm your system.

00:00:27.390 --> 00:00:30.570 align:middle line:84%
XSS, or Cross-Site Scripting,
is a type of injection

00:00:30.570 --> 00:00:33.630 align:middle line:84%
in which malicious scripts
are injected into otherwise

00:00:33.630 --> 00:00:36.060 align:middle line:90%
benign and trusted websites.

00:00:36.060 --> 00:00:38.160 align:middle line:84%
We have already discussed
injection flaws,

00:00:38.160 --> 00:00:41.610 align:middle line:84%
but cross-site scripting was so
prevalent and specific that it

00:00:41.610 --> 00:00:45.090 align:middle line:84%
was given its own category
in the OWASP Top 10.

00:00:45.090 --> 00:00:48.300 align:middle line:84%
It has remained in the top
10 for several editions.

00:00:48.300 --> 00:00:52.260 align:middle line:84%
Although it has dropped from
third to seventh in the 2017

00:00:52.260 --> 00:00:55.410 align:middle line:84%
Top 10, it is still the
second most prevalent issue

00:00:55.410 --> 00:00:58.990 align:middle line:84%
affecting around two
thirds of all applications.

00:00:58.990 --> 00:01:00.690 align:middle line:90%
Let's see how it works.

00:01:00.690 --> 00:01:04.739 align:middle line:84%
In this picture, we are
searching for banana juice.

00:01:04.739 --> 00:01:08.370 align:middle line:84%
We first type the keyword
"banana" in the search field.

00:01:08.370 --> 00:01:10.410 align:middle line:84%
The page was reloaded,
and the results

00:01:10.410 --> 00:01:14.340 align:middle line:84%
matching our search criteria
rendered on the screen.

00:01:14.340 --> 00:01:17.250 align:middle line:84%
The red arrows point to
places where our keyword

00:01:17.250 --> 00:01:18.970 align:middle line:90%
appears on the page.

00:01:18.970 --> 00:01:23.270 align:middle line:84%
Let's see this in terms of
HTTP requests and responses.

00:01:23.270 --> 00:01:26.300 align:middle line:84%
After typing our search
keyword "banana,"

00:01:26.300 --> 00:01:28.700 align:middle line:84%
an HTTP request is
made to the server.

00:01:28.700 --> 00:01:32.000 align:middle line:84%
The client issues a GET
request, and our keyword

00:01:32.000 --> 00:01:34.850 align:middle line:84%
is sent as the query
string parameter q.

00:01:34.850 --> 00:01:36.800 align:middle line:84%
When the server
receives the request,

00:01:36.800 --> 00:01:38.720 align:middle line:84%
it reads the query
string parameter,

00:01:38.720 --> 00:01:40.970 align:middle line:84%
runs a database query
to retrieve records

00:01:40.970 --> 00:01:43.400 align:middle line:84%
matching our search
criteria, and then

00:01:43.400 --> 00:01:47.240 align:middle line:84%
computes the final HTML output
to be rendered client side

00:01:47.240 --> 00:01:49.540 align:middle line:90%
with all matching records.

00:01:49.540 --> 00:01:51.730 align:middle line:84%
Then the server
responds to the client,

00:01:51.730 --> 00:01:54.700 align:middle line:84%
sending the final
HTML to be rendered.

00:01:54.700 --> 00:01:59.410 align:middle line:84%
Note that our keyword is also
outputted as part of the HTML,

00:01:59.410 --> 00:02:02.080 align:middle line:84%
and this is where
troubles begin.

00:02:02.080 --> 00:02:04.450 align:middle line:84%
What if, instead of
searching for banana,

00:02:04.450 --> 00:02:07.600 align:middle line:84%
we decide to search
for an HTML tag?

00:02:07.600 --> 00:02:11.230 align:middle line:84%
From the request point of view,
everything remains the same.

00:02:11.230 --> 00:02:13.720 align:middle line:84%
The server may not find
any matching records

00:02:13.720 --> 00:02:17.290 align:middle line:84%
in the database, but it still
outputs our search keyword

00:02:17.290 --> 00:02:20.140 align:middle line:84%
next to the search results
title, as highlighted

00:02:20.140 --> 00:02:21.860 align:middle line:90%
with the red background.

00:02:21.860 --> 00:02:23.980 align:middle line:84%
When the browser receives
the HTML to render,

00:02:23.980 --> 00:02:26.830 align:middle line:84%
it doesn't know that the
highlighted part was provided

00:02:26.830 --> 00:02:28.430 align:middle line:90%
as part of the request.

00:02:28.430 --> 00:02:32.080 align:middle line:84%
It just knows that the server
sends this HTML to be rendered.

00:02:32.080 --> 00:02:34.900 align:middle line:84%
The HTML tag script
has a special meaning,

00:02:34.900 --> 00:02:38.470 align:middle line:84%
and the code inside the tag is
executed in JavaScript, popping

00:02:38.470 --> 00:02:41.020 align:middle line:90%
up the modal box saying XSS.

00:02:41.020 --> 00:02:44.470 align:middle line:84%
In this scenario, sharing
the URL with other users will

00:02:44.470 --> 00:02:46.900 align:middle line:84%
trigger the same behaviour
in their browsers,

00:02:46.900 --> 00:02:50.660 align:middle line:84%
meaning that we can run
arbitrary code remotely.

00:02:50.660 --> 00:02:53.210 align:middle line:90%
There are two main types of XSS.

00:02:53.210 --> 00:02:57.770 align:middle line:84%
Server XSS is exactly what
we have discussed until now.

00:02:57.770 --> 00:03:00.800 align:middle line:84%
User supplied data,
our search keyword,

00:03:00.800 --> 00:03:05.060 align:middle line:84%
is included in an HTML response
generated by the server.

00:03:05.060 --> 00:03:07.640 align:middle line:84%
In the described scenario,
our search keyword

00:03:07.640 --> 00:03:10.200 align:middle line:84%
is not stored
anywhere on the server.

00:03:10.200 --> 00:03:12.060 align:middle line:84%
It is sent as part
of the request

00:03:12.060 --> 00:03:14.120 align:middle line:90%
and returned in the response.

00:03:14.120 --> 00:03:18.320 align:middle line:84%
Due to this fact, it is
called reflected server XSS.

00:03:18.320 --> 00:03:21.810 align:middle line:84%
If it was stored somewhere,
such as in a database,

00:03:21.810 --> 00:03:25.460 align:middle line:84%
and later included in another
response, such as a product

00:03:25.460 --> 00:03:31.270 align:middle line:84%
review, then it would
be called stored XSS.

00:03:31.270 --> 00:03:33.730 align:middle line:90%
The other type is client XSS.

00:03:33.730 --> 00:03:37.210 align:middle line:84%
In this case, untrusted data,
such as user-supplied data,

00:03:37.210 --> 00:03:41.050 align:middle line:84%
is used to update the DOM using
an unsafe JavaScript call.

00:03:41.050 --> 00:03:43.360 align:middle line:84%
Imagine that the web
application uses an API

00:03:43.360 --> 00:03:45.220 align:middle line:90%
to perform product search.

00:03:45.220 --> 00:03:46.870 align:middle line:84%
In this case, the
server responds

00:03:46.870 --> 00:03:49.990 align:middle line:84%
with a JSON object including
the list of matching products.

00:03:49.990 --> 00:03:52.660 align:middle line:84%
When the API response
arrives, the web application

00:03:52.660 --> 00:03:55.210 align:middle line:84%
copies the content of
the search input field,

00:03:55.210 --> 00:03:58.660 align:middle line:84%
appending it to the DOM next
to the search results title,

00:03:58.660 --> 00:04:01.390 align:middle line:84%
and then the list of
matching products.

00:04:01.390 --> 00:04:03.760 align:middle line:84%
In this scenario,
the XSS payload

00:04:03.760 --> 00:04:05.830 align:middle line:84%
was not part of
server's response.

00:04:05.830 --> 00:04:08.770 align:middle line:84%
Instead, it was gathered
from a client-side input field

00:04:08.770 --> 00:04:11.070 align:middle line:90%
and appended to the DOM.

00:04:11.070 --> 00:04:14.430 align:middle line:84%
There's also reflected
and stored client XSS,

00:04:14.430 --> 00:04:18.199 align:middle line:84%
but you're better off reading
about it on the OWASP website.

00:04:18.199 --> 00:04:19.000 align:middle line:90%