pages.csam.montclair.edu
Cross-Site Scripting

(XSS)

Christopher Lam












Overview

Introduction

Description

Programming Languages used

Types of Attacks

Reasons for XSS Utilization

Attack Scenarios

Steps to an XSS Attack

Consequences of not fixing CSS/XSS holes

Methodology

How to protect against XSS

Conclusion

Introduction

What is a XSS Attack

Most web sites today contain dynamic content,

which makes a site more useful and enjoyable

By building a dynamic web site you also expose

yourself to a popular and very powerful class

of security vulnerability

This threat is called Cross-Site Scripting

Also known as XSS, it was ranked the number one,

most prevalent web site vulnerability on the

internet (OWASP Top 10 2007, A1)

An XSS attack exploits a potentially dangerous security vulnerability found in

web-based applications

It allows a malicious user to inject client-side code, typically JavaScript,

into a web page that other users view

XSS is very easy to execute and long and arduous to repair


Takes about 52 days to fix an XSS hole

10-25 XSS holes are found in commercial products every month

During an attack “everything looks fine”

to the end user, but in reality they are

exposed to an endless range of threats

Originally abbreviated CSS

Renamed XSS because CSS was confused with Cascading Style Sheets


Languages and Technologies Utilized

in XSS Attacks

Sun Microsystems's Java

Client-side script:

JavaScript

ActionScript

VBScript

Microsoft’s ActiveX

Adobe’s Flash

HTML or XHTML

RSS and Atom feeds

Types of XSS Attacks

DOM-Based or Type 0 (Local)

Document Object Model

The standard object model browsers use to represent an HTML or XHTML page to script

The flaw is in the page’s own client-side script, not on the server: the script

reads untrusted data (for example the URL or its fragment) and writes it into

the page, so the payload never has to reach the server

The original example is a vulnerable HTML page stored on the client’s local

system: an attacker hosts a malicious site that loads that local page with a

crafted URL, and the injected script runs

Now the attacker’s script runs with the privileges the user’s browser grants

to its “Local Zone”

Can be either persistent or non-persistent
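The source-to-sink pattern behind a DOM-based hole, as an added example (not code from the original slides): the page’s own JavaScript copies the URL fragment into innerHTML, so a crafted link injects markup without the server ever seeing it. StandInElement, the hostnames, the path and the payload are constructed assumptions so the functions run outside a browser; in a real page the element would come from document.getElementById() and the hash from document.location.hash.

```javascript
// Minimal stand-in for a DOM element: innerHTML is parsed as markup, while
// textContent is stored as a text node (serialised with &, < and > escaped,
// as browsers do). Constructed for this example; not a real DOM.
class StandInElement {
  constructor() { this.html = ''; }
  set innerHTML(markup) { this.html = String(markup); }
  get innerHTML() { return this.html; }
  set textContent(text) {
    this.html = String(text).replace(/[&<>]/g,
      c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' })[c]);
  }
}

// "#name=Alice" -> "Alice". Source: the URL fragment, controlled by whoever
// built the link the user clicked.
function nameFromHash(hash) {
  const m = /^#name=(.*)$/.exec(hash || '');
  return m ? decodeURIComponent(m[1]) : 'guest';
}

// Vulnerable: the attacker's text is parsed as HTML, so its markup runs.
function greetUnsafe(element, hash) {
  element.innerHTML = 'Welcome back, ' + nameFromHash(hash) + '!';
  return element.innerHTML;
}

// Hardened: the same text is written as a text node and stays inert.
function greetSafe(element, hash) {
  element.textContent = 'Welcome back, ' + nameFromHash(hash) + '!';
  return element.innerHTML;
}

// What Bob's server (and its logs) receive for a link: path and query only.
// The fragment stays in the browser, so server-side filtering cannot see it.
function whatServerSees(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Mallory's link (bob.example is a reserved example hostname). The <img> has
// no valid source, so its onerror handler fires as soon as the injected
// markup is parsed.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';
const MALICIOUS_LINK = 'http://bob.example/profile#name=' + encodeURIComponent(PAYLOAD);

function demo() {
  const el = (typeof document !== 'undefined')
    ? document.createElement('div') : new StandInElement();
  const hash = new URL(MALICIOUS_LINK).hash;
  return {
    serverSees: whatServerSees(MALICIOUS_LINK),   // "/profile": no payload
    unsafe: greetUnsafe(el, hash),                // live <img onerror=...>
    safe: greetSafe(el, hash),                    // &lt;img ... as text
  };
}
```

Run demo() in Node to see the three strings side by side, or paste the functions into a browser console and pass a real element to greetUnsafe/greetSafe. The point is that textContent (or createTextNode) is the fix for this sink; a server-side filter is never in the path.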

Types of XSS Attacks (contd.)

Non-Persistent or Type 1 (Reflected)

Most common type

Unvalidated user-supplied data is echoed into the resulting

web page without HTML encoding, so client-side code can

be injected into the dynamic page

Then with some social engineering

(manipulating someone into performing actions)

an attacker convinces a user to follow a malicious

URL whose parameters inject code into the resulting page

The injected script runs in the context of the vulnerable site, so

the attacker has full access to that page’s content, including its cookies


Types of XSS Attacks (contd.)

Persistent or Type 2 (Stored or Second order)

Allows the most powerful kinds of attacks

First data is stored in a server provided by a web

application

It is later shown to a user on a webpage without any

html encoding

Ex: Online message board that allows users to post

messages for other users to read

With this method, the malicious script is served again to every

user who views the stored content, not just once per crafted link

An attack can affect a large number of users, and the

application itself can be infected by an XSS virus or

worm

XSS Attacks Used For:

Hijacking Accounts

False Advertising & inserting hostile

content

Cookie theft/poisoning & defacing

websites

Changing users’ settings

Conducting phishing attacks

Attack Scenario (1 of 3)

DOM-Based Attack

1. Mallory sends Alice an email containing the URL of a

maliciously constructed web page

2. Alice receives the email and clicks the link

3. The malicious web page's JavaScript opens a vulnerable

HTML page stored locally on Alice's computer, passing it

the attack payload in the URL

4. The vulnerable page’s own JavaScript writes the payload

into the page, so it executes in the browser’s local zone

on Alice’s computer

5. Now Mallory's malicious code can run with the privileges

Alice’s browser grants the local zone on Alice’s computer

Attack Scenario (2 of 3)

Non-Persistent Attack

1. Alice visits Bob’s website frequently and logs in with

a username and password

The site stores her billing information

2. Mallory notices that Bob’s website contains a type 1

(reflected) XSS vulnerability

3. Mallory crafts a URL that exploits the vulnerability

and emails it to Alice, making the email look as though

it came from Bob

4. While logged into Bob’s site, Alice opens the URL

5. The malicious script, running in the context of Bob’s site,

reads Alice’s session cookie and sends it to Mallory

6. With Alice’s session cookie, Mallory can impersonate Alice on

Bob’s site, including access to the stored billing information


Attack Scenario (3 of 3)

Persistent Attack

1. Bob hosts a site that allows users to post messages

to be viewed by other users at a later time

2. Mallory notices that Bob’s site has a Stored XSS

vulnerability

3. Mallory then posts a controversial message which

encourages more users to view it

4. After viewing the posted message, all the users

session cookies are sent to Mallory’s web server

without them knowing

5. Later, Mallory can use the stolen cookies to log in as

whomever she wants and post messages posing as them

Steps to an XSS Attack

Select a target

Testing

Find an XSS hole and check whether the site sets a session cookie

If it sets a cookie, you have found a worthwhile target

Insert code or script pointing at the vulnerability

Make sure the page does not appear broken to the victim

XSS Execution

Send your crafted URL to launch it (hex/percent-encode it so the

payload is not obvious in the link)

More experienced attackers chain a few redirects: steal the cookie,

return the victim to the site so nothing looks wrong, then attack harder

Decide what to do with the data

After collecting data, see whether account hijacking is possible

Not Fixing CSS/XSS Holes

Compromises:

Accounts being taken over

A hacker publishing a warning that your

company is not fixing its problems

Damages your company’s reputation

Lack of security measures

Shows clients you are not doing anything

Trust issues

Why would anyone do business with you if there is no trust

Methodology

Before implementing the XSS custom tag library encoding

A successful XSS attack causes a popup

(alert box) to appear in the

user’s browser


Methodology (contd.)

After Implementing XSS custom tag library encoding

How to Protect Against XSS

Character = encoded as

< = &lt; (&#60;)

> = &gt; (&#62;)

& = &amp; (&#38;)

" = &quot; (&#34;)

' = &#39;

( = &#40;

) = &#41;

# = &#35;

% = &#37;

; = &#59;

+ = &#43;

- = &#45;



The XSS custom tag library makes sure that values

written into the generated web pages are properly encoded

With the encoding in place, the page protects itself from script injection


This web page now displays the injected text as literal, harmless code,

because the custom tag library encodes it instead of letting the

browser execute it as a script

Never trust input; always encode or filter HTML metacharacters on output

View material only from official websites

It will eliminate almost 90% of problems

Be cautious when reading emails, discussion board

posts, etc.

Turn off JavaScript in browser settings (or use a script-blocking add-on such as NoScript)

In IE, set the security level to High

Custom tag libraries

Conclusion

References

XSS was ranked the number one, most prevalent

website vulnerability on the internet

No one is ever completely safe from XSS

Nobody can be expected to write flawless code or to have

round-the-clock personnel answering every possible

vulnerability report

As XSS vulnerabilities continue to grow, the best

way to protect yourself is to be careful

and be aware of its existence












http://en.wikipedia.org/wiki/Cross-site_scripting

http://www.cgisecurity.com/articles/xss-faq.shtml

http://www.owasp.org/index.php/Top_10_2007-A1

http://ha.ckers.org/xss.html

http://www.ibm.com/developerworks/tivoli/library/s-csscript/

http://www.whitehatsec.com/home/assets/WPStatsreport_100107.pdf

http://crypto.stanford.edu/cs155/papers/CSS.pdf

http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

http://www.owasp.org/index.php/Cross-site-scripting

http://www.xssed.com/article/6/Paper_Kr3ws_Cross-Site_Scripting_Tutorial/

http://shiflett.org/articles/foiling-cross-site-attacks


Picture References

http://www.midmarket.eweek.com/images/stories/Slideshows/top_website_vulnerabilities/vulnerable02.jpg


http://talks.php.net/presentations/slides/php-under-attack/xss.png


http://www.timelessprototype.com/tpdc/blog/image.axd?picture=Cross+Eyed+Scripting+Bug.png (from http://www.timelessprototype.com/tpdc/blog/?tag=/etiquette)


http://bp2.blogger.com/_17vaN5T6Cbw/SEx5xbTHiHI/AAAAAAAAAOE/2xtRR9cT2Jo/s200/NoScript.png (from http://www.infopowered.blogspot.com/)

http://i.haymarket.net.au/utils/sc/ImageResizer.ashx?n=http://backoffice.ajb.com.au%2Fimages%2Fnews%2Fphishingmoney.jpg&w=218 (from http://www.securecomputing.net.au/News/93871,yahoo-and-ebay-hook-up-on-phisher-blocker.aspx)


THE END!

Beware of the Cross-Eyed Scripting Bug!