Cross Site Scripting XSS

From this document you will learn the answers to the following questions:

What does Trudy take to masquerade as Alice?

What is the normal user of my . sjsu . edu?

What is the term for a malicious scripting attack?

Similar documents
Web Application Security

Where every interaction matters.

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Cross-Site Scripting

Exploits: XSS, SQLI, Buffer Overflow

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Gateway Apps - Security Summary SECURITY SUMMARY

Cross Site Scripting in Joomla Acajoom Component

Web Application Security Considerations

Magento Security and Vulnerabilities. Roman Stepanov

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Criteria for web application security check. Version

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Web application security: Testing for vulnerabilities

The Top Web Application Attacks: Are you vulnerable?

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Øredev Web application testing using a proxy. Lucas Nelson, Symantec Inc.

A Novel Frame Work to Detect Malicious Attacks in Web Applications

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Web Application Guidelines

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Check list for web developers

What is Web Security? Motivation

Web application security

Defending against XSS,CSRF, and Clickjacking David Bishop

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Security Testing with Selenium

Adobe Systems Incorporated

Preparing for the Cross Site Request Forgery Defense

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

OWASP Top Ten Tools and Tactics

Advanced Web Security, Lab

Essential IT Security Testing

KEYWORDS: Internet Applications, Security, Languages, Review and evaluation.

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Stopping SQL Injection and. Manoranjan (Mano) Paul. Track: Operating Systems Security - Are we there yet?

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Application Security Testing. Generic Test Strategy

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

Project 2: Web Security Pitfalls

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Hack Proof Your Webapps

Security Research Advisory IBM inotes 9 Active Content Filtering Bypass

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Secure Web Development Teaching Modules 1. Threat Assessment

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Sitefinity Security and Best Practices

Common Security Vulnerabilities in Online Payment Systems

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

(WAPT) Web Application Penetration Testing

HOD of Dept. of CSE & IT. Asst. Prof., Dept. Of CSE AIET, Lko, India. AIET, Lko, India

EECS 398 Project 2: Classic Web Vulnerabilities

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Web attacks and security: SQL injection and cross-site scripting (XSS)

Web Application Penetration Testing

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

Cross-site site Scripting Attacks on Android WebView

Sichere Software- Entwicklung für Java Entwickler

Introduction to Computer Security

Cross Site Scripting Prevention

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Ethical Hacking Penetrating Web 2.0 Security

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Testing the OWASP Top 10 Security Issues

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

A Survey on Threats and Vulnerabilities of Web Services

Security features of ZK Framework

A6- Sensitive Data Exposure

Phishing by data URI

An Insight into Cookie Security

Rational AppScan & Ounce Products

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

Columbia University Web Security Standards and Practices. Objective and Scope

Session 30. IT Security: Threats, Vulnerabilities and Countermeasures. Phillip Loranger, DoED CISO Robert Ingwalson, FSA CISO

Institutionen för datavetenskap

Web Security Testing Cookbook*

Last update: February 23, 2004

Hacking de aplicaciones Web

External Network & Web Application Assessment. For The XXX Group LLC October 2012

How To Fix A Web Application Security Vulnerability

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

elearning for Secure Application Development

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Web Application Security

OWASP TOP 10 ILIA

Lab 3 Assignment (Web Security)

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Transcription:

Cross Site Scripting XSS Athmanathan Panneerselvam, Venkatachalam Computer Science Department San Jose State University San Jose, CA 95192 appraveencse@gmail.com, sujandharanv@gmail.com 1. Abstract Internet is used by vast number of people. Security is the most important factor in almost all applications which run over the internet. Though high security is enforced in the operating systems, servers, firewalls, and in client browsers there are some vulnerabilities that do exist in web based applications. Cross site scripting is a kind of security vulnerability in these applications. This is often caused by injecting venomous code into the web pages. This paper shows the types of cross site scripting, possible ways of injection, and how to extenuate these attacks. The attacks are illustrated with appropriate scenarios for better understanding. It is true that these attacks are hard to eliminate completely but can be mitigated to higher extent. 2. Introduction Cross site scripting often called as XSS is a web attack that happens at application layer. Web pages are classified as static and dynamic. Static web pages do not suffer by this attack as there is no user session involved in it. Whereas, in dynamic web pages the server customizes the screen for each user and this customization is tracked through sessions. This session can be stolen by the attacker and the attacker can impersonate as the authenticated user. The code which is capable of running in the client side is injected to the web page and it is usually in the form of HTML or JavaScript. The attacker may be a malicious user or robot. HTML forms act as an entry point for this attack, the malicious code entered through the form is stored in the server and cause problems when this information is taken back from the server and displayed to the users. When the page is loaded along with the malicious script, it may send important information like cookies and form values of the user to the attacker or malicious website. Cross Site Scripting had its acronym as CSS, this usage has not continued as it is confusing with Cascading Style Sheet. Apart from Javascript and HTML, technologies like ActiveX, VBScript, ActionScript, and Jscript are used to create XSS attacks. In many cases this attack gets in to effect through hyperlink, hyperlink will have all the data collected from user s page and encodes the malicious content in the link. When the user clicks this link, all the information gathered will be sent to the attacker. Since the attacker has your session, he or she can claim as you. XSS exploits the trust a user has for a website. 3. Threats Involved Ignorant user may execute the malicious scripts on viewing the pages which are dynamically generated by the attacker Attacker can use the user session before it gets expired. Attacker can redirect the user to malicious web site or server If the user clicks the link provided by the attacker, he/she gains the rights of the user. For the rest of the connection period, he/she can execute commands with the user privileges that accessed the URL. 4. Characters Trudy is the attacker Alice is the normal user Assume my.sjsu.edu is vulnerable to XSS

5. Attack Initialization Trudy first checks a particular website whether it is vulnerable to cross site scripting or not. If the website is vulnerable then Trudy would employ a way to attack. There are many ways that she can perform an attack, few of the methods are described below. In all the techniques she would use any of the ECMAScript to be executed in Alice s system with the Alice s privilege. Hereafter, anything from stealing cookies, corrupting or changing user settings, hijacking user account is possible. 6. Scenarios The following scenarios illustrates the various attacks of Cross site scripting 6.1 Malicious Link Attack Trudy forms a spiteful link by embedding malicious script in the link. She sends this link to Alice either through email or instant messages When the SJSU server sends back the response which include the value of the user profile along with some important information, the malicious code will start to execute once the response reaches the client browser. 6.2 Cookie Theft Trudy knows that my.sjsu.edu is vulnerable to XSS. If she finds the usage of cookies in the website, she formulates an attack which can steal those cookies. In this attack Trudy first register a page with malicious script. When the page is displayed on the browser, the malicious script would come in effect and process the required information as told by Trudy. Finally, gathers all the cookie information and redirect the request to Trudy s server. Trudy takes this request and sends that to my.sjsu.edu and masquerades as Alice. Since my.sjsu.edu only relies on the cookie information, it authenticates the request without knowing that the request was made by Trudy and not Alice. Trudy now can do anything what Alice can do in my.sjsu.edu Figure 1 or she can put inside vulnerable XSS website which Alice often visits. We will look how to insert new fields and links in XSS vulnerable websites in the following sections. The link may look like <AHREF=http://my.sjsu.edu/registration.cgi?clie ntprofile= <SCRIPT>malicious code</script>> Click here to see your status</a> Alice who is studying at SJSU in some department (not computer science) might click the link, thinking she can look at her status. Figure 2 Collecting these kinds of sensitive information from other website is called Phishing. Let s look in detail how Trudy can embed malicious script in a page.

For example consider the help page of my.sjsu.edu and there is text box to search items and an action button called Search to perform search. Figure 3.1 Trudy can frame javscript to include username and password like Login to get privileged access<br/> Username: <input type= text name= username /><br/> Password: <input type= password name= password /> <input type= button value= SingIn onclick= location.replace(http://trudyserver.co m?uname= +this.form.username+ &pwd= +thi s.form.password)> Trudy puts the above code in the search box and submits the search. The response page will look like Figure 3.2 Unknowing Alice will give her credentials and click login to get privileged access. Alice thinks that the username and password are indeed provided by my.sjsu.edu. After the click, Alice sensitive information is sent to Trudy. Trudy gets the credentials and stores in her place and redirects the page back to my.sjsu.edu/help with fake successful login message. Alice would not even know that her username and password is hijacked. Now Trudy can send unauthorized request to my.sjsu.edu. 6.2.1 Solution Cookies read and write access can be prevented by setting the cookie attribute HTTPOnly. When HTTPOnly is turned on, browsers will not let the client side script to read or write the cookie. Not all browsers follow the rule of HTTPOnly. Some would allow read access and some would allow write access and some would/wouldn t allow both. Another approach is to tie cookie to the ipaddress so it cannot be used by a malicious third party. 6.3 Stored XSS This is similar to the previous scenario. The attack is handled in the same way but on the form fields which are going to be persisted. The previous scenario would not work out for Trudy if Alice closes her session and comes after the cookie is expired. In order to persist the changes made by Trudy, Trudy has to choose the fields which are going to be persisted. Say, Trudy has access to my.sjsu.edu, she logs in and edit her fields. She puts the malicious script in one of her profile s information field (ex: Address). After she updates her profile her malicious script is going to reside in the server database. Later Bob who is professor at my.sjsu.edu (he is not teaching security) tries to view information about Trudy. When he opens her profile, the malicious script gets in action and does what Trudy told. 6.3.1 Solution This attack can be prevented by validating the input. If some scripts are present inside the form fields, server can disable the action of the script by simply stripping out the slashes. In this case even though Trudy s malicious code is stored in the server, the script cannot get executed when it reaches the client browser. The scripts which are already stored in the server before our input validation come in effect, can be prevented executing on the client

server by encoding the output sent to the client browser. It is generally a good practice to encode both input and output form fields which goes in and out from the server. Here we are not stripping any slashes and this helps the webpage not to lose any information especially when Alice pastes some code snippets in a blog or forum. 6.4 Reflected XSS The first phase involved in Cookie Theft is similar to this attack. Trudy embeds some malicious code in the webpage and posts the data to the server. The server in turn sends the response; the malicious code will get reflected in the response and get in to action once the page reaches the client browser. This scenario happens in the stored XSS, in addition to that the form fields are stored in Stored XSS attack. The solution for this attack is same as the stored XSS attack. 6.5 Cross Site Request Forgery CSRF or XSRF attacks by misusing the trust which the site has for the logged in user. Once the user logs in the system the website trusts that the subsequent tasks request are from the logged in user. Trudy can exploit this trust by accessing the task URL directly by using image object without bringing any notice to Alice. For example envious Trudy can order 100 items in shopping website when Alice is logged in. Alice would not know until she receives the summary of the shopping through email/mail. This attack is achieved through HTML image tag or Javascript Image object and these objects will be embedded to the web page. When Alice loads the page, these objects perform a web request as mentioned by Trudy. <img src= www.shopitems.com/buy/laptop/id=1234 &quantity=5 width= 1 height= 1 /> Assuming Alice has already registered her bank account details with the website shopitems.com loading the URL given above would simply order those items. This can be achieved through javascript too by <script> var objimage =new Image(); objimage.src= www.shopitems.com/buy/laptop/id=1234&qu antity=5 ; </script> Browsers are not the only applications which support CSRF. Files like.doc (word),.flv (flash),.dat(movie), Atom,RSS (Feeds) can be used to embed the script. When these files are opened in their corresponding software it will make web request and will perform the action. 6.5.1 Solution Token can be appended in each request. These tokens have to be associated with user session and the validity of the token must be limited to certain time period. If the token is not present form data won t be used to take actions. As a user make sure to log-off sites before browsing elsewhere. 6.6 Cross Site Tracing Alice visits a webpage which is vulnerable to XSS. The server sends back the page with the malicious script in it which was stored earlier. The script executes and sends an HTTP Trace request to the web page which was recently visited by Alice in order to get information. The recently visited web page then sends cookies or other important information to Trudy. XST is only a historic attack. This problem has been fixed in all the new browsers. 7. WebGoat Webgoat is an amazing project which explained the discovered web attacks precisely. Attention to minute details, hints, and videos made us to like the tool very much. It does not provide explanation for all scenarios; however, it

provides a good foundation to start learning about the attacks. 8. Acknowledgements We thank Dr. Mark Stamp, professor in the department of computer science at San Jose State University for giving us an opportunity to explore the web site attacks. The errors and inconsistencies in this article remain to us. 9. Conclusion The survey results from 2007 indicate XSS carried out on the websites constitutes 80% of the known attacks and at least 68% of websites are open to XSS attacks on their users. This article covers almost all of the XSS attacks and the preventive measures. Escaping the slashes, input validation, cookie security, and disabling scripts are discussed to prevent the various attacks. If preventive measures are not taken appropriately, it will lead to other attack SQL injection. Every developer who works with web applications must study about these attacks and must consider all preventive measures while developing web applications. By doing this we can at least prevent novice and intermediate attacker from attacking the website. 10. References [1] The OWASP WebScarab Project, http://www.owasp.org/webscarab [2] Cgisecurity, The Cross Site Scripting FAQ, http://www.cgisecurity.com/articles/xss-faq.shtml, 2002 [3] CERT/CC, CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests, http://www.cert.org/advisories/ca-2000-02.html [4] Web Security, XSS -The underestimated Exploit http://www.acunetix.com/websitesecurity/xss. htm [5] The XSS -FAQ http://www.cgisecurity.com/xss-faq.html [6]Cross Site Scripting http://en.wikipedia.org/wiki/crosssite_scripting [7]Chirs Pollet, Attacking Websites http://www.cs.sjsu.edu/faculty/pollett/174.12. 08f/Lec05112008.pdf

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information