Cross Site Scripting


  1. Cross-Site Scripting (XSS)
     Mattash Ali
  2. What is an XSS Attack?
     • An XSS attack is a potentially dangerous security vulnerability found in web-based applications.
     • It allows a variety of code to be injected by a malicious user into a webpage.
     • XSS is very easy to execute and very long and arduous to repair:
       • it takes about 52 days to fix an XSS hole;
       • 10-25 XSS holes are found in commercial products every month.
     • During an attack "everything looks fine" to the end user, but in actuality they are subject to an endless amount of threats.
  3. XSS Attacks Are Used For:
     • Hijacking accounts
     • False advertising and inserting hostile content
     • Cookie theft/poisoning and defacing websites
     • Changing users' settings
     • Conducting phishing attacks
  4. Types of XSS Attacks: Non-Persistent (Reflected)
     • Most common type.
     • When unvalidated user-supplied data is placed in the resulting webpage without HTML encoding, client-side code can be injected into the dynamic page.
     • An attacker convinces a user to follow a malicious URL which injects code into the resulting page.
     • Now the attacker has full access to that page's content.
  5. Attack Scenario of Non-Persistent XSS
     • The user comes in contact with a malicious link, form, or a malicious redirection.
     • The bank's web application is requested with the prepared (crafted) call.
     • The XSS code is inserted into the page through an XSS vulnerability in the banking application.
     • The infected page with the XSS code is sent to the user.
     • The XSS code arrives at the user in the context of the bank's page, and thus bypasses the browser's "Same Origin" security setting.
     • The XSS code sends the stolen data to the attacker's server.
  6. Methodology
     Let's look into how this works with a simple example of a search feature on a website. The HTML the browser processes looks like this (code shown on the slide image):
  7. Methodology (contd.)
     By replacing foobar with the following JavaScript (shown on the slide image), an attacker can collect cookies: the customer's web browser will be instructed to redirect itself to the hacker's website.
  8. Methodology (contd.)
     Non-persistent reflection points demand the use of a third party to exploit them. Imagine an e-mail like this (shown on the slide image) being sent to customers: the e-mail doesn't show the full URL, hiding the malicious code at the very end.
  9. Types of XSS Attacks (contd.): Persistent (Stored)
     • Allows the most powerful kinds of attacks.
     • First, the data is stored on a server by a web application.
     • It is later shown to a user on a webpage without any HTML encoding.
     • Example: an online message board that allows users to post messages for other users to read.
     • With this method, malicious scripts can be served more than once.
     • An attack can affect a large number of users, and the application can also be infected by an XSS virus or worm.
  10. Attack Scenario of Persistent XSS
     • The bank's web application is called with the XSS code.
     • The malicious code enters through an XSS vulnerability in the application and is stored there.
     • A user calls the bank's web application.
     • The malicious code is inserted from storage into the website.
     • The infected web page is sent to the user.
     • The XSS code arrives at the user in the context of the bank's page, and thus bypasses the browser's "Same Origin" security setting.
     • The XSS code sends the stolen data to the attacker's server.
  11. Methodology
     Step A) On the product.php?id=1 page, users see the product along with customer comments.
     Step B) On product_review.php?id=1, a hacker leaves a review with malicious code.
  12. Methodology (contd.)
     Step C) They receive a thank-you message.
     Step D) You will notice that their attack does not show up immediately, but if you return to products.php?id=1, the new comment is displayed.
  13. Methodology (contd.)
     The HTML the browser would process includes the malicious code hidden in the source (shown on the slide image):
  14. Types of XSS Attacks (contd.): DOM-Based (Local)
     • DOM: Document Object Model, the standard object model for representing HTML or XHTML.
     • The problem exists within the page's client-side script.
     • If an attacker hosts a malicious site that references a vulnerable web page on the client's local system, a script can be injected.
     • The injected script then runs with the privileges of that user's browser on their system.
  15. Attack Scenario of DOM-Based XSS
     • The bank's web application is requested with the prepared (crafted) call.
     • The XSS code is inserted into the cookie.
     • The cookie with the malicious code is sent to the user and stored on their machine.
     • The user calls the bank's web application.
     • The malicious code is inserted from the cookie into the web page.
     • The infected web page is sent to the user.
     • The XSS code sends the stolen data to the attacker's server.
  16. Steps to an XSS Attack
     • Select a target
       • Find an XSS hole, and look whether it has any cookies.
       • If it has a cookie, then you have found a target.
     • Testing
       • Insert code or a script pointing to the vulnerability.
       • Make sure the page does not appear broken.
     • XSS execution
       • Send your crafted URL to launch it.
       • More experienced attackers would do a few redirects to steal cookies, return to the site, then attack them harder.
     • Decide what to do with the data
       • After collecting data, it is possible to perform an attack.
  17. Existing Methods to Solve XSS Problems
     A. Dynamic approach
       1) Vulnerability analysis based approach: tracks untrusted data at the character level.
       2) Attack prevention approach: a web proxy protects against the transfer of information.
     B. Static analysis
       1) String analysis.
       2) Preventing XSS using untrusted scripts.
       3) Software testing techniques (black-box testing).
  18. Existing Methods to Solve XSS Problems (contd.)
     C. Static and dynamic analysis combination
       Lattice-based analysis (white-box testing). WebSSARI is a tool combining static and runtime features; it applies static taint propagation analysis to find security vulnerabilities.
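One way to picture the character-level taint tracking of approach A.1 above, as an added example that is not code from the slides or from any tool they name: a toy tracker in which every character from the request is flagged untrusted, concatenation keeps the flags, and the HTML sink refuses output in which a flagged character is an HTML meta-character. The search-page template and the queries are constructed.

```javascript
// Added example, not from the slides or from any tool they name: a toy
// character-level taint tracker in the spirit of approach A.1. Every
// character remembers whether it came from an untrusted source, string
// concatenation keeps that flag, and the HTML sink refuses any output in
// which an untrusted character is an HTML meta-character.

class Tainted {
  constructor(chars, taint) {
    this.chars = chars;   // array of single characters
    this.taint = taint;   // parallel array: true = untrusted origin
  }
  static trusted(s)   { return new Tainted([...s], [...s].map(() => false)); }
  static untrusted(s) { return new Tainted([...s], [...s].map(() => true)); }
  concat(other) {
    return new Tainted(this.chars.concat(other.chars),
                       this.taint.concat(other.taint));
  }
  toString() { return this.chars.join(''); }
}

// Characters that change HTML structure if they reach the sink unencoded
// (a subset of the meta-characters on the "How to Protect" slide).
const META = new Set(['<', '>', '"', "'", '&']);

// Offsets of untrusted meta-characters; an empty list means the page carries
// no markup that the request was able to contribute.
function taintedMetaPositions(t) {
  const hits = [];
  t.chars.forEach((c, i) => { if (t.taint[i] && META.has(c)) hits.push(i); });
  return hits;
}

// The sink: emit the page, or report the first offending character.
function htmlSink(t) {
  const hits = taintedMetaPositions(t);
  if (hits.length > 0) {
    return { ok: false,
             reason: `untrusted meta-character '${t.chars[hits[0]]}' at offset ${hits[0]}` };
  }
  return { ok: true, html: t.toString() };
}

// Constructed search page: trusted template around the untrusted q parameter.
// The template's own '<p>' is trusted, so only the query can trip the sink.
function buildSearchPage(query) {
  return Tainted.trusted('<p>Results for: ')
    .concat(Tainted.untrusted(query))
    .concat(Tainted.trusted('</p>'));
}
```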
  19. How to Protect Against XSS
     Never trust input, and always filter meta-characters:
       <  = &LT      >  = &GT
       (  = &#40     )  = &#41
       "  = &#34     '  = &#39
       #  = &#35     &  = &#38
       %  = &#37     ;  = &#59
       +  = &#43     -  = &#45
     • View material only from official websites; it will eliminate almost 90% of problems.
     • Be cautious when reading e-mails, discussion boards, posts, etc.
     • Turn off JavaScript in browser settings.
     • In IE, turn security settings to high.
     • Custom tag libraries.
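As an added example (not code from the slides), the search page of slides 6-8 and the product-review page of slides 11-13 rendered both ways: raw, as the vulnerable pages would, and with the meta-characters from the table above encoded. The hostname, paths, review store and payload are constructed; the entity references are written with the terminating ';' the HTML spec expects.

```javascript
// Added example, not from the slides: output encoding for the reflected
// search page (slides 6-8) and the stored product review (slides 11-13).

// Mapping taken from the "How to Protect Against XSS" slide; each entity
// reference is written with the terminating ';' the HTML spec expects.
const ENTITY = {
  '<': '&lt;', '>': '&gt;', '(': '&#40;', ')': '&#41;', '"': '&#34;',
  "'": '&#39;', '#': '&#35;', '&': '&#38;', '%': '&#37;', ';': '&#59;',
  '+': '&#43;', '-': '&#45;',
};

// Encode every meta-character from the table before placing untrusted text
// into an HTML body context. Only this one function changes the outcome.
function encodeHtml(untrusted) {
  return String(untrusted).replace(/[<>()"'#&%;+-]/g, (c) => ENTITY[c]);
}

// Reflected case: the q parameter is echoed straight back into the page.
// With encode=false this is the vulnerable page described on the slides.
function renderSearch(requestUrl, encode) {
  const q = new URL(requestUrl).searchParams.get('q') || '';
  return `<p>Results for: ${encode ? encodeHtml(q) : q}</p>`;
}

// Stored case: the review is saved verbatim and shown to every later visitor.
// Encoding belongs at output time, so the stored text is left untouched.
const reviews = [];
function postReview(productId, text) {
  reviews.push({ productId, text });
  return 'Thank you for your review';          // what the hacker sees in Step C
}
function renderProduct(productId, encode) {
  const items = reviews
    .filter((r) => r.productId === productId)
    .map((r) => `<li>${encode ? encodeHtml(r.text) : r.text}</li>`);
  return `<ul>${items.join('')}</ul>`;
}

// Constructed payload standing in for the slides' replacement of "foobar".
const PAYLOAD = '<script>alert(document.cookie)</script>';
// Constructed request URL for the search page (hostname is made up).
const SEARCH_URL = 'https://bank.example/search?q=' + encodeURIComponent(PAYLOAD);

// Stand-alone demo: the same input, rendered unsafely and then safely.
console.log(renderSearch(SEARCH_URL, false));   // script tag reaches the browser
console.log(renderSearch(SEARCH_URL, true));    // script tag shown as text
```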
  20. Conclusion
     • XSS is defined as the number one and most prevalent website vulnerability on the internet.
     • No one is ever completely safe from XSS: one cannot be expected to write flawless code or to have round-the-clock personnel to answer all possible vulnerability issues.
     • As XSS vulnerabilities continue to grow, the best way to protect yourself is to be careful and be aware of their existence.
  21. References
  22. THANK YOU! Beware of the XSS Mosquito!