Exploring Cross-Site Scripting (XSS) Attacks on Web Applications and Their Possible Remedies

Transcription

1 INDEPENDENT STUDY-I LONG REPORT Exploring Cross-Site Scripting (XSS) Attacks on Web Applications and Their Possible Remedies BY Wahab Hussain Spring 2011 / MSSE / hellowahab@gmail.com ADVISOR Prof. Naeem ul Hassan Janjua COMPUTER SCIENCE DEPARTMENT SHAHEED ZULFIKAR ALI BHUTTO INSTITUTE OF SCIENCE & TECHNOLOGY

2 ACKNOWLEDGEMENT First of all I would like to thanks Allah for making me able, what I am today. After Allah I am deeply thankful to my Parents and teachers who helped me groom, so I am able to purse my Masters Degree in Software Engineering. My special thanks goes to Prof. Naeem ul Hassan Janjua, my IS Advisor, who suggested different research methodologies and his time to time advices helped me a lot to stay in the right direction during my research. I also would like to thanks Mr. Muhammad Kashif for providing invaluable help and suggestion for report writing and mid term review presentation 2

3 Abstract. Cross site scripting (XSS) is one of the mostly found attacks on website. As any sort of negligence from the programmer or developer can make the application vulnerable to cross site scripting. In this research work I have studied different mechanism of cross site scripting attacks and ultimately come to a conclusion to have a sort of Anti-XSS plugin for browser. As the victim of XSS attacks are user of the application so it is best to save guard them at the user side i.e. client side. Each and every browser has the ability to parse the response stream of server and render it as a web page. The function of Anti -XSS will be to sit in between the parsing engine and response stream. It will intercept the stream before parsing engine parse it and render the page. The Anti-XSS will maintain a database for XSS attacks as Anti-Virus software do maintain a virus definition. This database will be automatically updateable. This way if a XSS attack is discovered anywhere in the world or any penetration tester found any sort of XSS attack it can be made public as a vulnerability and all the browsers that are protected by Anti-XSS will update their databases. 3

4 Contents 1 Іntrоԁυᴄtіоn Literature Review: XSS Attacks Types of Attacks Non Persistent DOM Based Attacks Persistent Attacks XSS Attack Methods History Stealing Intranet Hacking XSS Defacement Advanced XSS Attack vector DNS Pinning Automated tools for XSS Burp: Firefox Extensions: Firebug: Dom Inspector Proposed Solution for Cross-site Scripting (XSS) Attacks Conclusion Future Work

5 Cһарtеr 1 Іntrоԁυᴄtіоn 5

6 1 Іntrоԁυᴄtіоn Cross Site Scripting (XSS) is recognized as one of the biggest threat to the world of web. As more or more business are making their presence online more advanced types of attacks are emerging as well. As the size of web is growing leap and bound it is nearly impossible to check that each an d every aspect of all web applications hosted on web is not vulnerable to cross site scripting attack. There are so many online line repositories available for XSS attacks so that a novice user can also launch an XSS attack. All he need is a browser to access the web. The real target and victim of XSS attacks are the users browsing the web applications so the owners of web applications usually get unaware of these types of attacks. Due to this negligence the web applications remain unpatched for these types of cross site scripting (XSS) attacks and the users have to pay for that. So as the real victim of cross site scripting (XSS) is a user, the focus should be to secure the client from these types of attacks. As the use of web applications is increasing, more and more companies are hosting their websites and usually those website are interactive to an extent that the user can post data on their behalf. Big IT giants like Google and Microsoft are also playing an important role in the improvement of web applications. Facebook is also playing a vital role in the web based applications. Due to involvement of so many people on web XSS attack are nearly unavoidable. Mentioned below figure describes the stack of security levels. XSS attack usually occur in top two stacks Custom web application and Third -party web applications 6

7 Figure 1 Vulnerability Stack [18] Prior to 2005 security experts didn t pay any sort of proper attention to mitigate any risk related to XSS. The real impact of XSS was realized in October 2005 when Sammy worm shutdown the most popular social networking site MySpace. This affect millions of users; as the issue become publicized more and more security personals look into the matter and the real investigations get started. Within a short span of time security personals discovered a lot of loop hole in so many site. XSS attacks can be used to hijack sessions, steal s ensitive information or cookies, redirect user to unwanted links or performing undesirable activities on user s behalf. First paper on XSS was presented on 1999 by David Ross. 7

8 Cһарtеr 2 Literature Review: XSS Attacks 8

9 2 Literature Review: XSS Attacks Literature Review section consists of different XSS attacks and their mitigation and suggested techniques. Despite of the fact different people have worked on cross site script (XSS) attack mitigation techniques. Still this is considered as one of the biggest vulnerabilities found on web. 2.1 Types of Attacks There are several type of attacks Non persistent attacks, Persistent attack, DOM based attacks Non Persistent Non persistent attacks are the types of attacks in which the attacker some how managed to get a weak/vulnerable link inside a web application. They append some malicious content to the link of the victim site and propagate it through the or any other messaging medium. In this type of attack the malicious content isn t saved inside the database of victim application so you can t identity this attack by just peeping at your saved data DOM Based Attacks DOM based attack is similar to non persistent attack and is caused by the vulnerability in input validation at client side Persistent Attacks In this type of attack the malicious JavaScript content are saved inside the website database. These types of attacks are usually crafted on blogs, bulletin boards and types of applications where users are allowed to post their comments. 9

10 In this type of attack the attacker input the m alicious code inside the input box provide to him via web application. If the web application saved these contents without sanitizing the input the content will saved as it is and if any other user will visit this page this malicious code will executed on his browser. 10

11 Cһарtеr 3 XSS Attack Methods 11

12 3 XSS Attack Methods Most of the people think that XSS attack can only steal their cookies or do redirect them to a new page. We will discuss the extreme possibilities that can be done using Cross Site Scripting (XSS). 3.1 History Stealing In this type of attack the attacker can steal the list of website the user have visited and he also steal cookies and also collect the history of search engine used by user as well 3.2 Intranet Hacking An attacker using a malicious web page can also lunch attacks on network resources, that can t be attacked directly due to firewall and other security measure. e.g. A user visits a malicious link and then link execute a java applet that reveal the internal ip address. Then using this point as a target attack the attacker can finger print the internal web server and send data to the outside world. 3.3 XSS Defacement XSS defacement can cause a website to be defaced from its original look and feel. XSS defacement can be persistent or non-persistent. Having a persistent defacement over a public and famous website can shatter the trust of users over the site. In case the website is also used as e -commerce platform it can severely damage the sales of that website. 12

13 Cһарtеr 4 Advanced XSS Attack vector 13

14 4 Advanced XSS Attack vector Usually it is considered that XSS attack can only be caused by unfiltered malicious data entered by user via application. There are several other ways through which use data can be injected into user s browser. 4.1 DNS Pinning In this type of attack the host file present on users system is used to a forward the request to any malicious. Using this method phishing attacks and url redirects can be launched. Following are the steps to launch a DNS pinning attack. 1. The users will try to connect to a site and gets an ip with a DNS time out of 1 second. 2. Using JavaScript again the user browser try to connect to in 2 second but as the DNS time out is one second the DNS entry doesn t appears to be valid. 3. The users browser now tries to connect with DNS this time the DNS provide a new IP and this way the user is redirected to a new IP. The technique used to circumvent this attack is called Anti-DNS Pinning. In this technique such type of connections are rejected. 14

15 4.2 IMAP3 Wade Alcorn in his research paper published a way to trigger an XSS attack against IMAP3 (Internet Message Access Protocol 3). Browser security model doesn t allow all the port to be accessible so most of the ports aren t vulnerable to this attack but IMAP3 s port i.e 220 is allowed to be accessible via browser. This cause a security threat to the IMAP3 server if its on the same domain. 4.3 MHTML MHTML is a protocol to allow communication between MS Outlook and Internet Explorer (IE). As the HTML enable is allowed to contact web servers to download any information or link embedded in this vulnerability ca n be exploited. This type of weakness is only relavant to IE7 and have no effect on other browsers. 15

16 Cһарtеr 5 Automated tools for XSS 16

17 5 Automated tools for XSS As the number of web application is growing i t is nearly impossible to test each an every web page for XSS vulnerability. XSS vulnerabilities can be found manually as well by just trying malicious code inside search boxes and input boxes. But if thousands of pages need to be tested, it is mandatory to automate the testing task 5.1 Burp: Burp proxy is an intercepting proxy that will help you analyze the web traffic in both directions. Figure 2 Burp Suite Main Window [18] 17

18 Burp allows you to view the data transmitted to and from the system and you can also modify the data in betwee n as well. 5.2 Firefox Extensions: Firebug:- Firebug is one of the most widely used plugin for Firefox and it is nearly used by every web developer during the development of web applications nowadays. Figure 3 Firebug Snap Shot [Self] Firebug allows you to investigate the html elements easily and it also help you determine which JavaScript event get fired with a particular html node. 18

19 5.3 Dom Inspector Dom inspector is also one of the most widely used firefox plugin. Dom inspector helps you inverstigate th e hierarchy of Dom objects. Figure 4. Dom Inspector Main Window [18] 19

20 Cһарtеr 6 Proposed Solution for Cross-site Scripting (XSS) Attacks 20

21 6 Proposed Solution After reviewing different research I come up with the conclusion that the mitigation of XSS should be on client side so we should device a mechanism in which there exist an intermediary component between parsing engine of the browser and the response stream. I would like to name this intermediary as ANTI-XSS. Anti-XSS will maintain a repository of recently launched XSS attacks. Anti-XSS will also update it repository from a live centralized repository. Figure5 Anti-XSS component [Self] This way if a new attack is launched and recognized the repository will be updated and the client will be updated as well regarding the attack. This way client can surf site with weak security measures as well and they will stay safe due to Anti- XSS. The centralized repository should also contain a heuristic or artificially intelligent component installed so in this case if an attack is recognized and it is saved inside the XSS database on 21

22 main repository. The intelligent component will also try to derive other possible variation of this XSS attack. One common observation is that when we d ownload or run an application we don t trust or ask the application on it s own to verify that it is pure from any sort of virus. So why the concept is that there should be a third party or intermediary party or application involved which will save the in terest of customer not only from websites that are malicious but those sites as well which act as a weapon for malicious intent people due to their weak security measures. This approach also ensure security for the legacy application which are still running but don t have their source code with them so incase if anyone find a vulnerab le security hole they still can t repair it or apply any security patch. This solution will also ensure security for any such third party application which have been shipped without code and the company can t update any security related stuff due to unavailability of code. 22

23 Cһарtеr 7 Conclusion 23

24 7 Conclusion After reviewing several research papers and different mitigation techniques I conclude that the XSS attacks should be mitigated on client side and the client s browser should have a defense mechanism against XSS attacks. It might be difficult to implement such an effective mechanism that will encounter each and every XSS attack so if the attack is mitigated on client side it will be extremely easy for any client to check the weaknesses in site and act accordingly. Thi s XSS repository will also ensure which sites are weak and which aren t this can give a XSS rating as well to the site so the user can have a sort of confidence how effective measures a vendor have taken to secure his site from XSS attack. 24

25 Cһарtеr 8 Future Work 25

26 8 Future Work Implementation of the above mentioned techniques can be a complex task as it requires thorough knowledge of the parsing mechanism of the specific browsers. As the suggested component will sit in between the parsing engine and response stream. The middle component should be a state of the art component that is not only able to intercept the response stream but also be able to identify the malicious script embedded within the stream with the help of its database kno wledge. Secondly a centralized server needs to be setup that will be accessed by nearly millions of web browsers. So the server should be scalable and be able to server millions of requests smoothly 26

27 References [1]. Regular expressions considered harmful in client-side XSS filters, Published in: Proceeding WWW '10 Proceedings of the 19th international conference on W orld wide web ACM New York, NY, USA [2]. Client-side detection of XSS worms by monitoring payload propagation, Published in: Proceeding ESORICS'09 Proceedings of the 14th European conference on Research in computer security Springer-Verlag Berlin, Heidelberg [3]. Automatic creation of SQL Injection and cross -site scripting attacks, Published in: Proceeding ICSE '09 Pr oceedings of the 31st International Conference on Software Engineering IEEE Computer Society W ashington, DC, USA [4]. SWAP: Mitigating XSS Attacks using a Reverse Proxy, Published in: Proceeding IW SESS '09 Proceedings of the 2009 ICSE W orkshop on Software Engineering for Secure Systems IEEE Computer Society W ashington, DC, USA [5]. XSS-GUARD: Precise Dynamic Prevention of Cross -Site Scripting Attacks, Published in: Proceeding DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment Springer -Verlag Berlin, Heidelberg [6]. XSSDS: Server-side Detection of Cross-site Scripting Attacks, Published in: Proceeding ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference IEEE Computer Society W ashington, DC, USA [7]. Automatic Generation of XSS and SQL Injection Attacks with Goal-Directed Model Checking, Published in Proceeding 27

28 SS'08 Proceedings of the 17th conference on Security s ym posium USENIX Association Berkeley, CA, USA [8]. Hunting Cross-Site Scripting Attacks in the Network, Published in: W 2SP 2010: W eb 2.0 Security and Privac y [9]. Robust Defenses for Cross-Site Request Forgery, Published in: Proceeding CCS '08 Proceedings of the 15th ACM conference on Computer and communications security ACM New York, NY, USA [10]. XCS: Cross Channel Scripting and Impact on Web Applications, Published in: Proceeding CCS '09 Proceedings of the 16th ACM conference on Computer and communications security ACM New York, NY, USA [11]. The Life and Death of Statically Detected Vulnerabilities: an Empirical Study, Published in: Journal Information and Software Technology archive Volume 51 Issue 10, October, [12]. Prevention of Cross-Site Scripting Attacks on Current Web Applications, Published in: Proceedings of the 2007 OTM confederated international conference on On the move to meaningful internet s ystems: CoopIS, DO A, ODBASE, GADA, and IS - Volume Part II Springer-Verlag Berlin, Heidelberg [13]. Protecting Browser State from Web Privacy Attacks, Published in: Proceeding WWW '06 Proceedings of the 15th international conference on W orld W ide W eb ACM New York, NY, U SA [14]. Exposing Private Information by Timing Web Applications, Published in: Proceeding WWW '07 Proceedings of the 16th international conference on W orld W ide W eb ACM New York, NY, USA [15]. Code-Injection Attacks in Browsers Supporting Policies, Published in: W 2SP 2009: W eb 2.0 Security and Privac y

29 [16]. Evaluating Attack Amplification in Online Social Networks, Published in: W 2SP 2009: W eb 2.0 Security and Privac y [17]. Critical Vulnerability in Browser Security Metrics, Published in: W 2SP 2010: W eb 2.0 Security and Privac y 2010 [18]. Cross Site Scripting Attacks Xss Exploits and Defense ISBN