Senator Obama hacked by a Clinton supporter

During the Democratic primary race of 2008, someone posted a "special" new comment into the user community forum of Barack Obama's web site. The result was that as soon as anyone went to the forum, they were immediately redirected to http://HillaryClinton.com. The attacker, tagged "mox", later admitted that he never accessed the server; he simply posted a new comment in the forum.
How attackers do a reflected attack

1. Alice visits Bob's website, which stores sensitive data that becomes available once Alice logs in.
2. Mallory observes that Bob's website is vulnerable to an XSS attack.
3. Mallory crafts a URL to exploit the vulnerability and sends Alice an email, enticing her under false pretenses to click on a link for that URL. The URL points to Bob's website, but contains Mallory's malicious code.
4. Alice clicks on Mallory's link while logged into Bob's website.
5. The malicious script embedded in the URL executes in Alice's browser as if it came directly from Bob's server, so it runs with the trust (cookies, session) Alice's browser gives Bob's site. This is the actual XSS vulnerability.
XSS vs. CSRF
Finding vulnerable sites

Testers enter text like this into an input field:

    ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

If the site responds with an alert box saying "XSS" (the characters 88, 83, 83), it is vulnerable. Automated testing tools can help. Nessus and Nikto are two

Best practice: assume all input is tamperable and dangerous. Just protect all inputs!
How we protect ourselves

- Use ASP.NET
- Filter the incoming data
- Encode the outgoing data
- Use Microsoft's Anti-XSS Library
Use ASP.NET

Out of the box, ASP.NET comes with XSS protection (request validation) enabled. It can be turned off:

In web.config:

    <system.web>
      <httpRuntime requestValidationMode="2.0" />
    </system.web>

At the top of every page:

    <%@ Page validateRequest="false" ... %>
Encode output

First, note that using the InnerText property rather than InnerHtml will take care of many problems: InnerText encodes, InnerHtml renders. But more is required. Use the static methods of the HttpUtility class (namespace System.Web):

    using System.Web;

    // HTML-encode text that will be placed in page content
    string output = HttpUtility.HtmlEncode(inputString);
    // URL-encode text that will be placed in a query string or URL
    string url = HttpUtility.UrlEncode(inputString);
Libraries are more robust

DIY filtering and encoding is porous. You may filter out "<script", but the attacker uses variants such as:

    %3C%53%43%52%49%50%54   (URL-encoded "<SCRIPT")
    <SCRIPT                 (different case)
    <SCRIPT                 (further encodings and spellings)

We forget about other tags that can carry script or load content: <img>, <style>, <iframe>, <layer>, <meta>, <object>. There are many examples like that!

Two libraries: OWASP's ESAPI and Microsoft's Anti-XSS Library.
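The contrast the last two slides draw, as an added example that is not from the original deck: a do-it-yourself blacklist filter beside output encoding, written in Python with html.escape standing in for HttpUtility.HtmlEncode. The sample inputs are constructed from the evasions the slides list, and the helper names are assumptions of this example.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample inputs, modelled on the evasions the slides list:
# URL encoding, mixed case, and tags other than <script>.
SAMPLES = {
    "plain": "Nice post, Bob!",
    "script": "<script>alert('XSS')</script>",
    "mixed_case": "<ScRiPt>alert(1)</ScRiPt>",
    "url_encoded": "%3CSCRIPT%3Ealert(1)%3C/SCRIPT%3E",
    "other_tag": '<img src=x onerror="alert(1)">',
}

def receive_parameter(raw: str) -> str:
    """Model the framework: request parameters are URL-decoded before the page sees them."""
    return unquote(raw)

def naive_filter(text: str) -> str:
    """DIY blacklist filtering: strip the literal '<script' tag and nothing else."""
    return text.replace("<script", "").replace("</script", "")

def encode_output(text: str) -> str:
    """Output encoding, the role HttpUtility.HtmlEncode plays in ASP.NET."""
    return html.escape(text, quote=True)

# Anything a browser would start parsing as a tag: '<', optional '/', then a letter.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")

def still_renders_markup(fragment: str) -> bool:
    """True if the fragment the page would emit still contains live markup."""
    return bool(TAG_RE.search(fragment))

def compare(samples=SAMPLES):
    """Run each sample through both strategies; True means the output is still dangerous."""
    results = {}
    for name, raw in samples.items():
        param = receive_parameter(raw)
        results[name] = {
            "filter_unsafe": still_renders_markup(naive_filter(param)),
            "encode_unsafe": still_renders_markup(encode_output(param)),
        }
    return results

if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:12} naive filter unsafe={str(verdict['filter_unsafe']):5} "
              f"html encode unsafe={verdict['encode_unsafe']}")
```

Only the lowercase literal is caught by the blacklist; every other variant reaches the browser intact, while encoding neutralises all of them and leaves benign text readable.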
Use Microsoft's Anti-XSS Library

A free download from Microsoft. It strips out harmful script tags in their many forms. Simply change this:

    lblOut.Text = txtIn.Text;
    Response.Write(strFromBrowser);

To this:

    using Microsoft.Security.Application;

    lblOut.Text = AntiXss.GetSafeHtmlFragment(txtIn.Text);
    Response.Write(AntiXss.GetSafeHtmlFragment(strFromBrowser));
Summary

Cross-site scripting (XSS) is a serious problem that can lead to identity theft and financial loss. Sites have the responsibility to protect visitors by filtering the input, encoding the output, or both. ASP.NET WebForms provides some protection right out of the box. Microsoft's Anti-XSS Library makes handling it much easier and hides the details behind a simple call.
Further study

Microsoft Anti-XSS Library download: http://bit.ly/AntiXSSDownload
OWASP's XSS prevention cheat sheet: