Laura Diane Hamilton

Technical Product Manager at Groupon


How to Prevent XSS

Today Phil Corliss, founder of GitSentry, walked through some common cross-site scripting (XSS) vulnerabilities and ways to prevent them.

On June 11, an Austrian teenager named Florian ("Firo") discovered an XSS vulnerability in TweetDeck, Twitter's popular tool for real-time tweet engagement tracking.

Firo discovered that any tweet containing a unicode emoji character—such as the heart ♥ (written as the HTML entity "&hearts;")—would be treated as raw HTML (not escaped).

News spread throughout the hacking community, and later that morning a German programmer named Andy Perdana wrote a tweet that would execute JavaScript to retweet itself. In other words, a virus.

The tweet got itself retweeted 75,811 times before TweetDeck fixed the vulnerability.

Phil walked us through some common XSS vulnerabilities and the steps to mitigate them.


Sinatra

I was surprised to learn that, by default, Sinatra does not escape HTML. Sinatra is vulnerable to XSS by default.

Phil created this simple Sinatra app to illustrate the Sinatra XSS vulnerability.

You can exploit the vulnerability by inserting JavaScript into the "message" field. For example, insert this code into the "Message" section: <SCRIPT>alert('This site is vulnerable to XSS')</SCRIPT>


Rails

Next, Phil showed us a vulnerable Rails app.

By default, Rails will sanitize and/or escape all user-provided input...except for link_to URLs.

On Phil's vulnerable Rails app, use this GitURL: javascript:alert("Your rails app has an XSS vulnerability")


Preventing XSS

Phil gave us the following tips for preventing XSS vulnerabilities:

  1. Use a templating language that escapes HTML by default
  2. Always be wary of any user-provided or user-modified fields (content, URLs, cookies, headers, etc.)
  3. Know which jQuery methods escape and which don't escape
  4. Don't roll your own sanitization tools! Use popular tried-and-true libraries.
  5. Use Content Security Policy (CSP) headers.
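To make the first two sections and tip 1 concrete, here is an added example in plain Ruby (not Phil's demo apps and not Sinatra or Rails code): the unescaped "message" rendering beside an output-escaped version, and a scheme allowlist for link targets, since escaping alone does not stop a javascript: URL in an href. Function names and the sample inputs are my own.

```ruby
require "cgi"
require "uri"

# Added example, not code from the original post or from Sinatra/Rails.

# --- 1. Output escaping (the Sinatra "message" field) -----------------------

# Vulnerable: the message is interpolated straight into the HTML, so a
# <script> tag submitted by a user is rendered as markup and executed.
def render_message_unsafe(message)
  "<p class=\"message\">#{message}</p>"
end

# Hardened: escape on output. CGI.escapeHTML turns & < > " ' into entities,
# so the browser displays the text instead of interpreting it as HTML.
def render_message_safe(message)
  "<p class=\"message\">#{CGI.escapeHTML(message.to_s)}</p>"
end

# --- 2. Link targets (the Rails link_to URL) --------------------------------

ALLOWED_SCHEMES = %w[http https].freeze

# A javascript: URL contains no HTML metacharacters, so it survives
# escaping unchanged and runs when clicked. Validate the scheme against an
# allowlist before the value ever reaches an href. Only absolute URLs are
# accepted here; anything unparsable or off-list yields nil.
def safe_href(url)
  uri = URI.parse(url.to_s.strip)
  return nil unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
  uri.to_s
rescue URI::Error
  nil
end

# Build an anchor: rejected URLs fall back to a neutral "#" instead of
# being rendered, and both the href and the link text are still escaped.
def render_link(url, text)
  href = safe_href(url) || "#"
  "<a href=\"#{CGI.escapeHTML(href)}\">#{CGI.escapeHTML(text.to_s)}</a>"
end
```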


Mitigating XSS Risks

He suggested the following tips to reduce XSS risk:

  1. Force the user to re-enter his password before modifying sensitive data or making a transaction
  2. Use short session expirations
  3. Set the HttpOnly flag on cookies
  4. Limit the content that is shared among users


Resources

Here are some resources on XSS:

  1. Google's XSS Game
  2. Stripe's Capture the Flag
  3. Brakeman
  4. Bundler-Audit
  5. CodeClimate
  6. Gemnasium
  7. Phil's startup GitSentry
  8. OWASP XSS Cheat Sheet
  9. Content Security Policy Info

You can see Phil's slides on speakerdeck here.
