Cross Site Scripting (XSS) is a type of computer security vulnerability that enables attackers to inject client-side script into web pages viewed by other users. The attack can steal access credentials, execute denial-of-service attacks, and modify web pages to run commands on the client machine. XSS occurs when a web application accepts user input without validating it, and that input is used to generate dynamic content that is displayed to other users. Mitigation techniques include input validation, implementing httpOnly and secure cookies, and using web application firewalls.

1. 23/02/2011
Cross Site Scripting (XSS)
• Is a type of computer security vulnerability
typically found in web applications that enables
malicious attackers to inject client-side script into
Cross Site Scripting (XSS)
web pages viewed by other users
• The attack steals access credentials, executes
denial-of-service and modifies web pages in
order to execute any command at the client
machine
The players
Input Vulnerabilities
– An Attacker
1. A Web application that accepts user input • Anonymous Internet User
• Malicious Internal User
– A company’s Web server (i.e. Web application)
2. The input is used to create dynamic content
• External (e.g.: Shop, Information, CRM,
Supplier)
3. The input is insufficiently validated • Internal (e.g.: Employees Self Service Portal)
– A Client
• Any type of customer
• Anonymous user accessing the Web-Server
XSS Steps Example: XSS (jsp)
Attacker Web Server
Post Forum Message: Did you know this?
Subject: GET Money for FREE !!! .....
http://myserver.com/test.jsp?name=Stefan
GET Money for FREE !!!
Body:
<script> attack code </script>
<script> attack code </script> <HTML>
Re: Error message on startup
.....
I found a solution!
<Body>
.....
Can anybody help? Welcome Stefan
.....
Get /forum.jsp?fid=122&mid=2241
Error message on startup </Body>
.....
</HTML>
1. Attacker sends malicious code
http://myserver.com/welcome.jsp?name=<script>alert("Attacked")</script>
2. Server stores message GET Money for FREE !!!
<script> attack code </script>
<HTML>
3. User requests message <Body>
4. Message is delivered by server Client Welcome
<script>alert("Attacked")</
5. Browser executes script in message !!! attack code !!! script>
(c) 2005, EUROSEC GmbH Chiffriertechnik & Sicherheit
</Body> 6
(c) 2005, EUROSEC GmbH Chiffriertechnik & Sicherheit 5 </HTML>
1

2. 23/02/2011
Mitigation Mitigation
• Input Validation • Implement Cookie Options
– Check if the input is what you expect – "httpOnly" Cookies
• Prevent disclosure of cookie via DOM access
• Do not try to check for "bad input"
– use with care, browser compatibility problems may occur
– Whitelist testing is better • But: cookies are sent in each HTTP requests
– E.G. Trace-Method can be used to disclose cookie
• Only what you expect will pass
• Passwords still may be stolen via XSS
• (correct) Regular expressions – "secure" Cookies
* Blacklist testing is no solution because blacklists are • Cookies are only sent over SSL
never complete.
Mitigation Mitigation
• Use Web Application Firewalls • XSS-Prevention Best Practices
– Check for malicous input values – Implement the mentioned XSS-Mitigation in
– Check for modification of read-only parameters applications
– Block requests or filter out parameters – Do not assume input values are benign
– Do not trust client side validation
– Check and validate all input before processing
– Do not echo any input value without validation
– Use one conceptual solution in all applications
2