31.07.2015
82 Chapter 4 • XSS Theory

Introduction

In order to fully understand cross-site scripting (XSS) attacks, there are several core theories and types of techniques that attackers use to get their code into your browser. This chapter provides a breakdown of the many types of XSS attacks and related code injection vectors, from the basic to the more complex. As this chapter illustrates, there is a lot more to XSS attacks than most people understand. Sure, injecting a script into a search field is a valid attack vector, but what if that value is passed through a filter? Is it possible to bypass the filter?

The fact of the matter is, XSS is a wide-open field that is constantly surprising the world with new and unique methods of exploitation and injection. However, there are some foundations that need to be fully understood by Web developers, security researchers, and those Information Technology (IT) professionals who are responsible for keeping the infrastructure together. This chapter covers the essential information that everyone in the field should know and understand so that XSS attacks can become a thing of the past.

Getting XSS'ed

XSS is an attack technique that forces a Web site to deliver attacker-controlled content, which then executes in a user's Web browser. Consider that XSS exploit code, typically (but not always) written in Hypertext Markup Language (HTML)/JavaScript (aka JavaScript malicious software [malware]), does not execute on the server. The server is merely the host, while the attack executes within the Web browser. The attacker only uses the trusted Web site as a conduit to perform the attack. The user is the intended victim, not the server.

Once an attacker has the thread of control in a user's Web browser, they can do many nefarious acts described throughout this book, including account hijacking, keystroke recording, intranet hacking, history theft, and so on. This section describes the variety of ways in which a user may become XSS'ed and contract a JavaScript malware payload.

For a Web browser to become infected it must visit a Web page containing JavaScript malware. There are several scenarios for how JavaScript malware could become resident on a Web page.

1. The Web site owner may have purposefully uploaded the offending code.
2. The Web page may have been defaced using a vulnerability from the network or operating system layers, with JavaScript malware as part of the payload.
3. A permanent (stored) XSS vulnerability could have been exploited, where JavaScript malware was injected into a public area of a Web site.
4. A victim could have clicked on a specially crafted non-persistent (reflected) or Document Object Model (DOM)-based XSS link. In the DOM-based case the payload may never be sent to the server at all; for example, it can ride in the URL fragment and be read and rendered entirely by client-side script.