Today Phil Corliss, founder of GitSentry, walked through some common cross-site scripting (XSS) vulnerabilities and ways to prevent them.

On June 11, an Austrian teenager named Florian ("Firo") discovered an XSS vulnerability in TweetDeck, Twitter's popular tool for real-time tweet engagement tracking.

Firo discovered that any tweet containing a unicode emoji character—such as the heart emoticon ♥ ("♥")—would be treated as raw html (not escaped).

News spread throughout the hacking community, and later that morning a German programmer named Andy Perdana wrote a tweet that would execute JavaScript to retweet itself. In other words, a virus.

The tweet got itself retweeted 75,811 times before TweetDeck fixed the vulnerability.

Phil walked us through some common XSS vulnerabilities and the steps to mitigate them.





Sinatra

I was surprised to learn that, by default, Sinatra does not escape html. Sinatra is vulnerable to XSS by default.

Phil created this simple Sinatra app to illustrate the Sinatra XSS vulnerability.

You can exploit the vulnerability by inserting JavaScript into the "message" field. For example, insert this code into the "Message" section: <SCRIPT>alert('This site is vulnerable to XSS')</SCRIPT » >





Rails

Next, Phil showed us a vulnerable rails app.

By default, Rails will sanitize and/or escape all user-provided input...except for link_to urls.

On Phil's vulnerable rails app, use this GitURL: javascript:alert("Your rails app has an XSS vulnerability")





Preventing XSS

Phil gave us the following tips for preventing XSS vulnerabilities:

Use a templating language that escapes HTML by default Always be wary of any user-provided or user-modified fields. Content, URLs, cookies, headers, etc.) Know which jQuery methods escape and which don't escape Don't roll your own sanitization tools! Use popular tried-and-true libraries. Use Content Security Policy (CSP) headers.





Mitigating XSS Risks

He suggested the following tips to reduce XSS risk:

Force the user to re-enter his password before modifying sensitive data or making a transaction Use short session expirations Set the HttpOnly flag on cookies Limit the content that is shared among users





Resources

Here are some resources on XSS:

You can see Phil's slides on speakerdeck here.