2017 OWASP Top 10: Cross-Site Scripting (XSS)

Captions
Hey everybody, John Wagnon here with DevCentral. We're coming to you with another Lightboard Lesson video, and today we're gonna talk about another one of the OWASP Top 10 security risks out there in the world today. This one is the number seven risk on the list. This list came out in 2017, late 2017, so it's the latest and greatest, and this security risk is titled cross-site scripting, or sometimes it's written as XSS, but anyway, cross-site scripting. It's interesting that this is number seven on the list, because the last time the OWASP list came out, in 2013, it was the number three security risk out there, and in the time before that, the 2010 version, it was the number two. So actually it's kind of moved down the list a little bit, which I guess in a sense is good; it means we're getting better at defending cross-site scripting. But anyway, today we're gonna talk about what it is and how you can defend against it.

So ultimately, cross-site scripting is client-side code injection; that's kind of the overarching idea of what it is. Essentially an attacker is trying to steal your stuff, and the attacker is gonna send this code that he wants your browser to execute in order to send him all of your secret stuff. So again, the question is, how does all that work? So let me draw kind of an example of how this may work. There's a lot of different types of cross-site scripting, but I'm gonna give you a scenario of one that's pretty prevalent, and one where the attacker is trying to steal your session cookie so that the attacker can then impersonate you to the website that you're going to, and then he can do all kinds of stuff, you know, when he has your secrets.

All right, so the cross-site scripting vulnerability really takes three things to happen. It takes an attacker, so I'm going to put the attacker right here: attacker. And then it takes a web application, so here's a web app over here, and in this case the web application is vulnerable. And then it also takes a victim, so I'm gonna put the victim over here. This is the unsuspecting person that is about to get attacked and doesn't even know it.

All right, so what the attacker is gonna do is he's gonna find a web application that is vulnerable to cross-site scripting, and he's gonna send it some code. So this web application, let me just kind of draw it out here a little bit, consists of several different parts and pieces and all that, but one of the things it has is a database, so I'm gonna put a DB right here; it's a database. And then it also has, let's say, some HTML code, which is very common in a web application. And let's say that this HTML code allows for scripts to be run in it, which is one thing that you may not want to do in this case. But anyway, I'll kind of run through a scenario of how this attacker is gonna get the victim's secrets, and it's gonna get it through this vulnerable web application.

All right, first thing it's gonna do is it's gonna send a POST to this web application, and the POST is going to include, I'll put a little script right here, so it's gonna have "script ..." whatever, and then the end of the script, like that. So what this script is trying to do is trying to say, "Hey, I want to get the cookie from the victim, and I want that victim to send its cookie up to me," and it's going to post that to the database of this web application. OK, so it does that. That's where the database could say, "Hey, I'm not going to allow you to post scripts into the database." Let's say this web application, for example, allows users to comment on stuff, or maybe post a question, or post, you know, "Hey, I really loved that picture that you got," or whatever it is, which is very common today. But anyway, nonetheless, the attacker's gonna post the script, and then the database is gonna have that post; the latest comment or the latest post in that database is going to be this script.

And then where the HTML code comes in is, let's say that the HTML code allows for the printing of the latest comment in this database. So as the HTML code runs, if someone were to access this web application and say, "Hey, I'd love to see the latest comment on that awesome picture that we've just posted," then this HTML code that runs the comment from the database allows the database comment to be, you know, posted, kind of thing. Again, a fairly common type of scenario.

All right, well, what the victim is going to do, I'm gonna put a couple little boxes around the attacker and the victim, what the victim is going to do is he is going to send a GET request to this web application, and so it's gonna be, you know, maybe http://example.com whatever, and maybe also at the end of this it's going to say, you know, maybe /DBcomment. So hopefully you can read all that penmanship there. All right, so example.com/DBcomment, and it's gonna send that to this web application, and essentially what that is trying to do is it's going to say, "Hey, I want the latest comment from the database." And then this HTML code is going to allow to print, you know, the DB comment, and it's going to send that back with, I'm gonna say, a 200 OK, because it's like, "Hey, you've requested a valid page from me." And when it says that 200 OK, it's also gonna send the contents of this HTML code, and it's gonna say, you know, HTML, you know, header 1, "This is the latest DB comment," and then the next HTML line, it's going to print the latest DB comment, which the latest DB comment is the script that this attacker put in the database. And so ultimately, on this victim's browser, it's gonna have this HTML code that has the script that the attacker sent that he ultimately wanted the victim to, you know, execute in the browser.

So once that script executes... so the script is going to be sent as part of this OK message in the HTML code that now gets executed on the victim's browser. So that script right there is going to be run on the victim's browser, and then one of the questions is, well, what's in the script? Well, let's say that the script is written to say that it wants the cookie from the victim, and it wants it to be sent up here. So it's going to send a GET request, let's say, to the attacker, and it's going to send it to, you know, the website, so it's going to be, you know, http://evil.com/ cookie equals the value of the cookie, so let's say 1234, you know, whatever it is.

All right, so I know that that's a lot going on here. Again, the attacker sends, or posts, a script into the database of this vulnerable web application. The HTML code allows for the user input to be executed whenever it sends it to the unsuspecting victim. Once that script is over here on the victim's browser, the victim's browser then runs and executes the HTML code that was sent to it. The HTML code includes that script, and then that script automatically kicks off a GET request to the attacker's website that he has up here already set up, and along with the GET to the attacker, it includes the cookie from the victim's machine.

A couple of things that you could ask is, well, hey, how does the victim know to even send the GET request over here to this web application that the attacker has infected? That gets into the, you know, social engineering, spear phishing, phishing, whatever it is. You know, you guys have seen that all the time: "Hey, don't click on any link that you don't trust," or, you know, any number of ways that the attacker could coerce the victim to click on this link, which would then kick off this entire thing. Another issue is the victim's browser has to be willing to run this script in the HTML that comes over. If for some reason the victim's browser is like, "Hey, this HTML code has this script stuff in it that I don't really feel comfortable with," and it doesn't run that, then you're OK. And I think that's part of the reason that cross-site scripting has come down that list so much, from, it used to be number two, number three, now it's number seven. Our browsers have gotten a lot better in the recent past, or in recent history, whatever. Also the web application. So that's one way to defend against this: make sure you use a modern browser that kind of inherently protects against cross-site scripting.

Another one is, if you're building this web application, you need to separate untrusted data from active browser content, and any kind of user input data needs to be considered untrusted data. So you separate active browser content from untrusted data. So that's kind of a very overarching way to approach this whole cross-site scripting issue. All right, so you need to make sure that your web application is secure, and then on the victim's side, if you're just a typical user out there and you have no idea all this stuff's kind of going on, make sure you use a browser that inherently tries to defend against cross-site scripting.

All right, so that's one sort of overarching example in a nutshell. There are other ways to defend against this. You can put a web application firewall in front of your web application, and any kind of potential cross-site scripting attack that comes in from the attacker, that web application firewall is going to kill it before it even gets to your web application. So there's a number of things you can do, but nonetheless, cross-site scripting is still out there and can be very dangerous if it's allowed to run its course. So thanks for watching this Lightboard Lesson video, and if you like this, make sure you subscribe to our YouTube channel here at DevCentral, and we'll see you guys out there in the community.
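The comment-rendering step the video describes, and its "separate untrusted data from active browser content" fix, as an added Node.js example. This is not code from the video or from F5; the function names, the in-memory comment "database", and the header values are my own constructions, and the attacker-controlled comment is a placeholder with no working payload.

```javascript
// Added example, not from the video: a minimal stand-in for the lightboard
// scenario's web app. It keeps comments in a constructed in-memory "database"
// and renders the latest one, first the vulnerable way (raw interpolation into
// HTML), then the hardened way (output encoding), plus the response headers a
// defender adds so a script that does slip through cannot read the session cookie.

// Constructed sample DB; the last entry stands in for the attacker's POSTed comment.
// The script body is a harmless placeholder, not a working payload.
const commentsDb = [
  "Hey, I really loved that picture!",
  "<script>/* attacker-controlled code would go here */</script>",
];

function latestComment(db) {
  return db[db.length - 1];
}

// VULNERABLE: untrusted DB text is concatenated straight into active browser
// content, so a <script> in a comment becomes a script the victim's browser runs.
function renderLatestCommentVulnerable(db) {
  return `<h1>This is the latest DB comment</h1>\n<p>${latestComment(db)}</p>`;
}

// Output encoding: the five HTML-significant characters become entities, so the
// browser displays the comment as text instead of parsing it as markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// HARDENED: same page, but untrusted data is encoded before it touches the HTML.
function renderLatestCommentSafe(db) {
  return `<h1>This is the latest DB comment</h1>\n<p>${escapeHtml(latestComment(db))}</p>`;
}

// Defence in depth for the 200 OK response (header values are constructed examples):
//  - HttpOnly keeps document.cookie from handing the session cookie to any script;
//  - a CSP without 'unsafe-inline' refuses to run inline <script> blocks at all,
//    and connect-src/img-src 'self' refuse fetch/XHR and image loads to other hosts.
function defensiveHeaders() {
  return {
    "Set-Cookie": "session=1234; HttpOnly; Secure; SameSite=Lax",
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; object-src 'none'",
  };
}

// Simple review check: does a rendered page still contain a raw script tag?
function containsRawScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Stand-alone demo
console.log("vulnerable page has raw <script>:", containsRawScriptTag(renderLatestCommentVulnerable(commentsDb)));
console.log("hardened page has raw <script>:", containsRawScriptTag(renderLatestCommentSafe(commentsDb)));
console.log(renderLatestCommentSafe(commentsDb));
```

The encoding step is the one the video's "separate untrusted data from active browser content" advice boils down to for an HTML text context; a real template engine does this by default, and the headers are the layer that limits damage when some other path forgets to.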
Info
Channel: F5 DevCentral
Views: 138,219
Keywords: f5, devcentral, owasp, xss, cross, site, scripting, top ten, security, web, application, firewall, waf, browser, attack, attacker, victim
Id: IuzU4y-UjLw
Length: 11min 27sec (687 seconds)
Published: Tue Feb 20 2018