WEBVTT

00:00:00.000 --> 00:00:06.130 align:middle line:90%


00:00:06.130 --> 00:00:08.800 align:middle line:84%
Welcome to the third and last
part of the Cross-Site Scripting

00:00:08.800 --> 00:00:09.640 align:middle line:90%
session.

00:00:09.640 --> 00:00:12.100 align:middle line:84%
In this part, we will
discuss cross-site scripting

00:00:12.100 --> 00:00:13.240 align:middle line:90%
mitigation.

00:00:13.240 --> 00:00:14.800 align:middle line:84%
We will start
discussing what makes

00:00:14.800 --> 00:00:16.600 align:middle line:84%
an application
vulnerable, and then we

00:00:16.600 --> 00:00:19.480 align:middle line:84%
will hunt OWASP Juice Shop
vulnerable source code.

00:00:19.480 --> 00:00:21.970 align:middle line:84%
Before closing this
session, we will discuss how

00:00:21.970 --> 00:00:24.160 align:middle line:90%
to avoid such vulnerabilities.

00:00:24.160 --> 00:00:27.430 align:middle line:84%
Applications tend to accept
data from external sources,

00:00:27.430 --> 00:00:31.210 align:middle line:84%
either user input or integrated
third party services.

00:00:31.210 --> 00:00:33.880 align:middle line:84%
If such data is included
in HTML responses

00:00:33.880 --> 00:00:36.550 align:middle line:84%
without proper
validation and escaping,

00:00:36.550 --> 00:00:38.660 align:middle line:84%
then the application
might be vulnerable.

00:00:38.660 --> 00:00:40.690 align:middle line:84%
If you're using
JavaScript frameworks,

00:00:40.690 --> 00:00:42.730 align:middle line:84%
or you have a single
page application which

00:00:42.730 --> 00:00:46.420 align:middle line:84%
uses unsafe JavaScript APIs to
append attacker-controllable

00:00:46.420 --> 00:00:49.240 align:middle line:84%
data to the DOM,
then your application

00:00:49.240 --> 00:00:51.520 align:middle line:90%
should also be vulnerable.

00:00:51.520 --> 00:00:54.290 align:middle line:84%
Let's have a look
at the source code.

00:00:54.290 --> 00:00:57.410 align:middle line:84%
From the project page, we will jump
directly to the GitHub repo.

00:00:57.410 --> 00:01:06.490 align:middle line:90%


00:01:06.490 --> 00:01:08.920 align:middle line:84%
Since we are dealing
with client XSS,

00:01:08.920 --> 00:01:11.650 align:middle line:84%
then we should look inside the
front end source code folder.

00:01:11.650 --> 00:01:24.720 align:middle line:90%


00:01:24.720 --> 00:01:27.690 align:middle line:84%
We are interested in
something search related.

00:01:27.690 --> 00:01:40.060 align:middle line:90%


00:01:40.060 --> 00:01:42.280 align:middle line:84%
This script has all
the search logic.

00:01:42.280 --> 00:02:01.990 align:middle line:90%


00:02:01.990 --> 00:02:04.300 align:middle line:84%
This is the search
component class,

00:02:04.300 --> 00:02:05.950 align:middle line:90%
which has several properties.

00:02:05.950 --> 00:02:08.729 align:middle line:90%


00:02:08.729 --> 00:02:11.490 align:middle line:84%
This property should
hold search keywords.

00:02:11.490 --> 00:02:12.840 align:middle line:90%
Let's see where it is used.

00:02:12.840 --> 00:02:27.280 align:middle line:90%


00:02:27.280 --> 00:02:31.660 align:middle line:84%
The query parameter is passed to the
bypassSecurityTrustHtml method

00:02:31.660 --> 00:02:33.310 align:middle line:90%
implemented by the sanitizer.

00:02:33.310 --> 00:02:44.580 align:middle line:90%


00:02:44.580 --> 00:02:46.830 align:middle line:84%
It is provided by
the DOM sanitizer.

00:02:46.830 --> 00:02:57.380 align:middle line:90%


00:02:57.380 --> 00:03:00.440 align:middle line:84%
DOM sanitizer is part of
the Angular framework.

00:03:00.440 --> 00:03:02.030 align:middle line:90%
Let's check the documentation.

00:03:02.030 --> 00:03:25.620 align:middle line:90%


00:03:25.620 --> 00:03:27.220 align:middle line:90%
We should be at the right place.

00:03:27.220 --> 00:03:29.160 align:middle line:84%
Let's find the method
we're looking for.

00:03:29.160 --> 00:04:02.060 align:middle line:90%


00:04:02.060 --> 00:04:04.510 align:middle line:84%
Now, we know why the script
didn't trigger the modal.

00:04:04.510 --> 00:04:07.220 align:middle line:90%


00:04:07.220 --> 00:04:10.710 align:middle line:84%
The image did, because it
is considered safe HTML

00:04:10.710 --> 00:04:11.570 align:middle line:90%
by this method.

00:04:11.570 --> 00:04:15.630 align:middle line:90%


00:04:15.630 --> 00:04:18.089 align:middle line:84%
Of course, this method
is used intentionally

00:04:18.089 --> 00:04:19.709 align:middle line:84%
to make the
application vulnerable,

00:04:19.709 --> 00:04:23.820 align:middle line:84%
but mistakes like this one are
more common than you may think.

00:04:23.820 --> 00:04:26.950 align:middle line:90%
Let's see how to mitigate XSS.

00:04:26.950 --> 00:04:30.070 align:middle line:84%
Choose well-tested and
actively maintained frameworks

00:04:30.070 --> 00:04:34.460 align:middle line:84%
that automatically
prevent XSS by default.

00:04:34.460 --> 00:04:37.670 align:middle line:84%
Audit such frameworks to
know available options

00:04:37.670 --> 00:04:39.980 align:middle line:90%
and their limitations.

00:04:39.980 --> 00:04:43.580 align:middle line:84%
Always escape data based on
the context in the HTML output

00:04:43.580 --> 00:04:45.260 align:middle line:90%
it will be included in.

00:04:45.260 --> 00:04:47.360 align:middle line:84%
Depending on where the
data will be displayed,

00:04:47.360 --> 00:04:50.750 align:middle line:84%
different escaping
techniques may be required.

00:04:50.750 --> 00:04:53.150 align:middle line:84%
Enforce server-side
that security directives

00:04:53.150 --> 00:04:56.420 align:middle line:84%
are sent to clients
as part of responses.

00:04:56.420 --> 00:04:59.770 align:middle line:84%
Consider adding appropriate
security parameters.

00:04:59.770 --> 00:05:02.590 align:middle line:84%
Enabling and enforcing a
restrictive content security

00:05:02.590 --> 00:05:06.160 align:middle line:84%
policy will help
mitigate XSS as long

00:05:06.160 --> 00:05:08.950 align:middle line:84%
as there is no other
exploitable vulnerability

00:05:08.950 --> 00:05:11.080 align:middle line:90%
to add malicious code.

00:05:11.080 --> 00:05:13.240 align:middle line:84%
In our next session,
we will discuss

00:05:13.240 --> 00:05:15.310 align:middle line:90%
insecure deserialization.

00:05:15.310 --> 00:05:17.830 align:middle line:84%
Until then, take your
time to carefully read

00:05:17.830 --> 00:05:21.570 align:middle line:84%
the Cross-Site Scripting
section of OWASP Top 10.

00:05:21.570 --> 00:05:23.000 align:middle line:90%