Three major XSS issues in 2016 (plus an avatao XMaSS challenge)

Gábor Pék (CTO, Avatao)


In our previous blog post, we gave a short introduction to Cross-site Scripting (XSS) attacks and added some easy challenges to give you a taste of web security. XSS nevertheless remains one of the top vulnerabilities on the web: an attack against Yahoo Mail and various sandbox escape techniques keep this topic hot.

We took the opportunity to prepare a small XSS gift for you for Christmas.

XSS vulnerability in Yahoo Mail

This year was really interesting in terms of real-world cases. One of the most recent findings was described by Jouko Pynnönen: a stored XSS vulnerability in Yahoo Mail. According to JP’s blog, “The flaw was reported to Yahoo Security via HackerOne on November 12 and fixed on November 29, 2016. Yahoo awarded a bounty of $10,000 for the finding.” In short, an attacker could perform a DOM-based XSS attack via dynamically generated HTML markup built from user-supplied values that were not properly sanitized.
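The pattern behind that class of bug, as an added example that is not taken from the Yahoo Mail write-up or from the original post: a display name controlled by the sender is concatenated into markup that will later be assigned to `innerHTML`, so any tags in the value become live DOM nodes. The hardened variant entity-encodes the value first. The function names, the `sender` class and the hostile display name are all constructed for this illustration; the script runs under Node.js without a browser.

```javascript
// Added example (not from the Avatao post): user-supplied text placed into
// dynamically generated HTML, vulnerable and hardened side by side.
// Runs under Node.js; all inputs below are constructed samples.

// Minimal HTML entity encoder for text that lands inside an element body
// or a double-quoted attribute value. Encodes the five characters that
// can change the meaning of markup in those contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// VULNERABLE: the sender-controlled value is concatenated straight into
// markup. When this string reaches innerHTML, tags and event-handler
// attributes in the value are parsed as part of the page (DOM-based XSS).
function renderSenderUnsafe(displayName) {
  return '<span class="sender">' + displayName + '</span>';
}

// HARDENED: same template, but the value is entity-encoded first, so the
// browser renders it as text rather than interpreting it as markup.
function renderSenderSafe(displayName) {
  return '<span class="sender">' + escapeHtml(displayName) + '</span>';
}

// Crude check used only to make the difference visible: does the produced
// markup contain any tag other than the template's own <span>?
function containsForeignTag(markup) {
  const tags = markup.match(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g) || [];
  return tags.some((t) => !/^<\/?span$/i.test(t));
}

// Constructed sample: a display name that carries an image tag with an
// event handler, the classic shape of a stored-XSS payload.
const HOSTILE_NAME = '<img src=x onerror="alert(document.domain)">';

console.log('unsafe :', renderSenderUnsafe(HOSTILE_NAME));
console.log('safe   :', renderSenderSafe(HOSTILE_NAME));
console.log('unsafe injects a tag?', containsForeignTag(renderSenderUnsafe(HOSTILE_NAME)));
console.log('safe injects a tag?  ', containsForeignTag(renderSenderSafe(HOSTILE_NAME)));
```

Note that `escapeHtml` is only correct for the HTML body and quoted-attribute contexts; a value inserted into a script block, a URL, or an unquoted attribute needs the encoder for that context, and a templating library that encodes by default (or assigning text via `textContent` instead of `innerHTML`) removes the need to get this right by hand at every call site.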

AngularJS

Another interesting issue was when the AngularJS team decided to remove their “expression sandbox” from AngularJS 1 after escapes had been reported for all AngularJS 1 versions. It’s important to emphasize that this sandbox was never intended to provide real protection against XSS attacks. It rather misled developers who kept relying upon it as a security feature.

JavaScript function overrides

There are other XSS mitigation techniques, such as JavaScript function overrides, but these also failed to provide long-term XSS protection. A recent blog entry on brutelogic.com suggests using iframes to bypass the protection provided by “js-override.js”.

Practice with us!

You can see that XSS is still hot and it makes total sense to arm yourself against it. Try your skills again by solving our Avatao XmaSS challenge. Enjoy!

If you like our posts and challenges, follow us on Twitter and Facebook for the most recent updates.

We wish you a Merry Christmas!
