Vinesh Redkar (Security Analyst) at NII Consulting. Research: found Stored XSS on PayPal, Rediffmail. http://securityvin32.blogspot.com firstname.lastname@example.org
Agenda
- Introduction
- What is Cross-Site Scripting
- Types of Cross-Site Scripting
- What is Blind XSS
- Demo of Blind XSS
- Impact of XSS
- Mitigation of XSS
Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into web sites.

Types of Cross-Site Scripting
- Reflected XSS (Non-persistent)
- Stored XSS (Persistent)
- DOM XSS
Stored XSS, step by step (from the attack-flow diagram):
1. Attacker sets the trap ("update my profile"): the attacker enters a malicious script into a web page that stores the data on the server.
2. The script runs inside the victim's browser with full access to the DOM and cookies.
3. The script silently sends the victim's session cookie to the attacker.
- XSS attack's first target is the Client
  - Client trusts server (does not expect attack)
  - Browser executes malicious script
- But second target = Company running the Server
  - Loss of public image (blame)
  - Loss of customer trust
  - Loss of money
Blind XSS
- What is it?
- Using it in penetration tests
- Challenges
It's not like blind SQLi where you get immediate feedback. You don't even know whether your payload will execute (or when!). You must think ahead about what you want to accomplish ... and you have to be listening.
1. Carefully choose the right payload for the right situation.
2. Get lucky!
3. Patience.
Where blind XSS payloads end up being rendered:
- log viewers
- exception handlers
- customer service apps (chats, tickets, forums, etc.)
- anything moderated

For the demo we used a Feedback page.
A malicious user can use XSS to steal credentials or silently redirect to malicious pages, which can aid in further exploitation. A cross-site scripting attack can result in the following:
1. Account hijacking
2. Malicious script execution
3. Information theft
4. Denial of Service
5. Browser redirection
6. Manipulation of user settings
Mitigation of XSS
- Input validation
- Output encoding: replace characters that carry meaning in HTML with their entity form before writing user data into the page:
  <  ->  &lt;
  >  ->  &gt;
  (  ->  &#40;
  )  ->  &#41;
  #  ->  &#35;
  &  ->  &amp;
- Do not use "blacklist" validation
- Specify the output encoding (declare the character set of the page)
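The following is an added example written for this page (it is not code from the talk or from the demo application) that puts the mitigation slide into working code: the slide's entity table as an encoding function, a feedback page rendered once by raw concatenation and once through the encoder, a "blacklist" filter of the kind the slide warns against, and a response header that declares the output encoding. The feedback entries, the host names and the function names are constructed for the example; the encoder also covers the two quote characters, which the slide's table does not list, so that encoded text is inert inside attribute values as well as element content.

```python
# Output-encoding table from the mitigation slide (<, >, (, ), #, &), extended with
# the two quote characters so encoded text is also safe inside attribute values.
HTML_ENCODE_MAP = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    "(": "&#40;",
    ")": "&#41;",
    "#": "&#35;",
    '"': "&quot;",
    "'": "&#39;",
}


def html_encode(text: str) -> str:
    """Entity-encode every character in HTML_ENCODE_MAP; all other characters pass through.
    Encoding is done per character, so '&' in the input cannot be double-encoded."""
    return "".join(HTML_ENCODE_MAP.get(ch, ch) for ch in text)


def strip_blacklisted(text: str) -> str:
    """'Blacklist' validation of the kind the slide warns against: it removes one known
    tag and leaves every other piece of markup in the stored data untouched."""
    return text.replace("<script>", "").replace("</script>", "")


# Constructed feedback entries standing in for the demo's feedback-page storage:
# one benign comment (which legitimately uses '(', ')' and '#'), one using a <script>
# tag, and one using the <iframe> tag from the clickjacking slide.
FEEDBACK = [
    {"name": "alice", "comment": "Great service (5 stars) #happy"},
    {"name": "mallory", "comment": "<script>alert('xss')</script>"},
    {"name": "mallory", "comment": '<iframe src="https://attacker.example/"></iframe>'},
]


def render_feedback_vulnerable(entries) -> str:
    """Stored XSS: stored data is concatenated straight into the page as markup."""
    rows = "".join(f"<li><b>{e['name']}</b>: {e['comment']}</li>" for e in entries)
    return f"<ul>{rows}</ul>"


def render_feedback_encoded(entries) -> str:
    """Same page, but every user-controlled value is output-encoded at render time."""
    rows = "".join(
        f"<li><b>{html_encode(e['name'])}</b>: {html_encode(e['comment'])}</li>"
        for e in entries
    )
    return f"<ul>{rows}</ul>"


def response_headers() -> dict:
    """'Specify the output encoding': declare the charset so the browser cannot guess
    an encoding in which the entity forms above decode to something else."""
    return {"Content-Type": "text/html; charset=utf-8"}


def contains_tag(rendered: str, tag: str) -> bool:
    """True if an opening tag for `tag` survives in the output as real markup
    (an encoded '&lt;tag' does not count)."""
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    print("vulnerable :", render_feedback_vulnerable(FEEDBACK))
    print("encoded    :", render_feedback_encoded(FEEDBACK))
    print("blacklist  :", strip_blacklisted(FEEDBACK[2]["comment"]))
    print("headers    :", response_headers())
```

The blacklist filter removes the `<script>` entry but passes the `<iframe>` entry through unchanged, which is why the slide says not to rely on it; the encoder makes both inert without having to know which tags exist. In a real application the same effect is obtained from a templating engine with auto-escaping enabled, or from the standard library's `html.escape` (which covers `& < > " '`), applied at output time rather than at storage time.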
Clickjacking is an attack that tricks a web user into clicking a button, a link or a picture, etc. that the web user didn't intend to click, typically by overlaying the web page with an iframe. We've known about clickjacking, also called "UI redress attacks," for years now, as they were originally described in 2008 by Robert Hansen and Jeremiah Grossman. The attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Payload for iframe injection: <iframe src="Target WebSite">
- Set opacity:0;
- Use z-index:-1 (an element with a greater stack order is always in front of an element with a lower stack order).
Mitigation of clickjacking: do not allow the website to be loaded in an IFRAME, by sending the X-Frame-Options response header.

Using X-Frame-Options. There are three possible values for X-Frame-Options:
1. DENY: the page cannot be displayed in a frame, regardless of the site attempting to do so.
2. SAMEORIGIN: the page can only be displayed in a frame on the same origin as the page itself.
3. ALLOW-FROM uri: the page can only be displayed in a frame on the specified origin.
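As an added example (not code from the talk), the following Python reproduces the decision a browser makes for each of the three X-Frame-Options values described above, given the URL of the framed page and the URL of the top-level page, and adds a small helper that sets the header on a response. The host names (`bank.example`, `attacker.example`, `partner.example`) and function names are constructed for the example. One caveat a practitioner should know: `ALLOW-FROM` was never implemented by Chrome or Safari and is obsolete, so those browsers treat it as if the header were absent; the Content-Security-Policy `frame-ancestors` directive is the supported way to express an allow-list today.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Scheme + host + port, the unit a browser compares for SAMEORIGIN."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return f"{p.scheme}://{(p.hostname or '').lower()}:{port}"


def framing_allowed(xfo_header, framed_url: str, top_url: str):
    """Would a browser honouring X-Frame-Options render `framed_url` inside a frame
    on the page at `top_url`? Returns (allowed, reason)."""
    if xfo_header is None:
        return True, "no X-Frame-Options header: any site may frame this page"

    parts = xfo_header.strip().split(None, 1)
    directive = parts[0].upper()

    if directive == "DENY":
        return False, "DENY: the page is never displayed in a frame"

    if directive == "SAMEORIGIN":
        same = origin_of(framed_url) == origin_of(top_url)
        return same, "SAMEORIGIN: framed and top-level origins " + ("match" if same else "differ")

    if directive == "ALLOW-FROM" and len(parts) == 2:
        # Obsolete directive: modelled as the slide describes it (single allowed
        # origin). Chrome/Safari ignore it entirely, which means framing is allowed.
        allowed = origin_of(top_url) == origin_of(parts[1])
        return allowed, "ALLOW-FROM: top-level origin " + ("is" if allowed else "is not") + " the listed origin"

    # Malformed or unknown values are ignored by browsers, i.e. no protection.
    return True, f"unrecognised value {xfo_header!r}: ignored by browsers, framing allowed"


def with_frame_protection(headers: dict, policy: str = "DENY") -> dict:
    """Return a copy of a response header dict with X-Frame-Options set.
    DENY is the safe default; use SAMEORIGIN only if the site frames its own pages."""
    if policy.upper() not in ("DENY", "SAMEORIGIN"):
        raise ValueError("use DENY or SAMEORIGIN; for an allow-list use CSP frame-ancestors")
    out = dict(headers)
    out["X-Frame-Options"] = policy.upper()
    return out


if __name__ == "__main__":
    target = "https://bank.example/transfer"      # constructed victim page
    lure = "https://attacker.example/lure"        # constructed clickjacking page
    for value in (None, "DENY", "SAMEORIGIN", "ALLOW-FROM https://partner.example"):
        print(f"{str(value):40} ->", framing_allowed(value, target, lure))
    print(with_frame_protection({"Content-Type": "text/html; charset=utf-8"}))
```

Running the block shows that only the `None` case lets the lure page frame the transfer page; `with_frame_protection` refuses `ALLOW-FROM` on purpose, since shipping an obsolete directive gives a false sense of protection in browsers that ignore it.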