
I have been asked to give a presentation about cross site scripting at a local OWASP chapter meeting. I am making my research and notes available in a series of blog posts. The first – what is cross site scripting?
XSS Defined
History of XSS
Detecting XSS
Reporting XSS in a Meaningful Way
Preventing XSS
What is Cross Site Scripting?
Cross Site Scripting (XSS) is an attack against the user of a website. It is a technique that forces a website to display malicious code, which then executes in the user’s web browser. The attacker uses a vulnerable website to send malicious code to another end user of the site. The vulnerability arises when the website takes data in some way from a user and dynamically includes it in a web page without first validating that data.
Using XSS an attacker can conduct account hijacking, rewrite portions of the page, log keystrokes, get information about the browser and client machine such as browsing history, or even pivot from the browser and attack the user’s network.
Types of Cross Site Scripting
Persistent Cross Site Scripting
Persistent, or stored, XSS occurs when data provided by the attacker is stored by the web application to be used later. Think about social networks such as Facebook or Twitter, comments on blogs, user reviews on retail sites, wikis, etc. If content entered by one user is malicious, any other user who views the page that uses that content can be a victim.

Reflected Cross Site Scripting
Reflected XSS occurs when the data provided by the attacker is used immediately by the web application in some response. Think about website error messages and search results. Reflected attacks are delivered to victims via another route, such as in an email message. When a user is tricked into clicking on a malicious link, the injected code travels to the vulnerable website, which reflects the attack back to the user’s browser. The browser then executes the code because it appears to have come from the website the user is viewing.
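Both stored and reflected XSS come from the same root cause described above: user-supplied data is concatenated into a page as if it were markup. The following is an added example, not code from the original post; the function names (escapeHtml, renderSearchPage, renderComments and so on) and the sample inputs are constructed for illustration. It shows a reflected search echo and a stored comment list, each in a vulnerable form and a form that HTML-entity-encodes the data before inclusion.

```javascript
// Added example (not from the original post). A minimal server-side page
// builder that shows how reflected and stored XSS arise from dynamic
// inclusion of user data, and how HTML entity encoding removes the problem.
// All function names and sample inputs are constructed for this illustration.

// Encode the five characters that can change HTML structure or attribute
// context. This is the minimum for text nodes and double-quoted attributes;
// data placed inside a <script> block, a URL or a CSS value needs a
// different encoder for that context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Reflected XSS: the search term from the request is echoed straight back
// into the response. The vulnerable version concatenates it raw.
function renderSearchPageVulnerable(term) {
  return `<h1>Results for: ${term}</h1>`;
}

// Fixed: the term is encoded at the point it enters the HTML.
function renderSearchPage(term) {
  return `<h1>Results for: ${escapeHtml(term)}</h1>`;
}

// Stored XSS: comments are kept server-side and rendered for every later
// visitor, so a single malicious submission reaches many victims.
const comments = [];

function addComment(author, body) {
  comments.push({ author, body });
}

function renderCommentsVulnerable() {
  return comments.map(c => `<li><b>${c.author}</b>: ${c.body}</li>`).join('');
}

// Fixed: every user-controlled field is encoded, not just the "risky" one.
function renderComments() {
  return comments
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('');
}

// A check a test suite can apply to rendered output: does the page contain
// any tag name that the template itself did not emit?
function containsForeignTag(html, templateTags) {
  const tags = (html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [])
    .map(t => t.replace(/^<\/?/, '').toLowerCase());
  return tags.some(t => !templateTags.includes(t));
}

// Demonstration with a constructed probe string (the classic benign test
// value used in XSS training material).
const probe = '<script>alert(1)</script>';
console.log('vulnerable :', renderSearchPageVulnerable(probe));
console.log('encoded    :', renderSearchPage(probe));
console.log('foreign tag in vulnerable output:',
  containsForeignTag(renderSearchPageVulnerable(probe), ['h1']));
console.log('foreign tag in encoded output   :',
  containsForeignTag(renderSearchPage(probe), ['h1']));
```

Notice that the fix is applied at output time, in the function that knows which HTML context the value lands in, rather than by stripping characters on input; the stored comment is kept exactly as submitted and is still harmless when rendered.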

DOM Based Cross Site Scripting
The Document Object Model (DOM) is a convention for representing and interacting with objects in HTML/XML. Browsers work with the DOM; when a page is loaded the browser parses the page into an object structure. DOM-based XSS occurs in the content processing stages performed by the client. The page itself does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment. An example is JavaScript accessing and extracting data from the URL via the location.* DOM, or receiving raw non-HTML data from the server via XMLHttpRequest, and then using this information to write dynamic HTML without properly escaping, entirely on the client side.
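The location.* case described above can be shown with a small greeting widget that reads a name from the URL fragment. This is an added example, not code from the original post; the names (makeElement, nameFromFragment, greetVulnerable, greetSafe) and the sample fragments are constructed. Because the fragment never leaves the browser, nothing on the server ever sees the injected value, which is what makes this variant different from the two above. Node has no DOM, so makeElement is a stand-in with only the two properties the example needs; in a browser you would pass a real element such as document.getElementById('greeting').

```javascript
// Added example (not from the original post). A client-side widget with the
// DOM-based XSS pattern the post describes (source: location.hash,
// sink: innerHTML) and its fix. Names and inputs are constructed.

// Constructed stand-in for a DOM element so the example runs under Node.
// In a browser, pass the real element instead.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Pull the "name" parameter out of a fragment like "#name=Alice".
// URLSearchParams percent-decodes the value, so "%3C" becomes "<" here,
// before the value ever reaches a sink. The fragment is not sent to the
// server, so server-side filtering cannot see it.
function nameFromFragment(hash) {
  const params = new URLSearchParams(String(hash).replace(/^#/, ''));
  return params.get('name') || 'guest';
}

// Vulnerable: the fragment value is concatenated into a string that the
// innerHTML sink parses as HTML, so any markup in it becomes live DOM.
function greetVulnerable(hash, el) {
  el.innerHTML = '<p>Welcome back, ' + nameFromFragment(hash) + '!</p>';
  return el.innerHTML;
}

// Fixed: the untrusted value goes into a text sink (textContent), which the
// browser treats as character data and never parses as markup. `el` is the
// <p> element itself here, so the surrounding structure stays in the static
// page where the author controls it.
function greetSafe(hash, el) {
  el.textContent = 'Welcome back, ' + nameFromFragment(hash) + '!';
  return el.textContent;
}

// Demonstration with a constructed fragment carrying percent-encoded markup.
const sampleHash = '#name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';
console.log('innerHTML sink  :', greetVulnerable(sampleHash, makeElement()));
console.log('textContent sink:', greetSafe(sampleHash, makeElement()));
```

The same rule applies to the XMLHttpRequest case from the paragraph: data that arrives as plain text or JSON should be placed with textContent, createTextNode or setAttribute, and only static author-controlled strings should reach innerHTML, document.write or similar sinks.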
How bad is the issue?
According to White Hat Security, 64% of the websites they assess have XSS vulnerabilities. Your web application is more likely to have some than not.

According to the Web Hacking Incident Database, 7.4% of web attacks utilize XSS.

Most sites are vulnerable to XSS. Because it affects users, it tends to be used in more targeted or sophisticated multistage attacks. As shown below in real world XSS attacks, the potential for wormable flaws exists! If it’s on an Internet facing application, whether one that high privileged users interact with or a public section of your site, you had better pay attention!
Real World Examples
Hacker Redirects Barack Obama’s site to hillaryclinton.com
During the 2008 democratic primaries, XSS in Obama’s website was exploited to redirect visitors to Hillary Clinton’s website. Users who went to Obama’s community blog were instead taken to www.hillaryclinton.com.
Apache.org hit by targeted XSS attack, passwords compromised
A targeted attack against JIRA admins used XSS to steal administrative cookies. Using those privileges, they installed backdoors and scripts to collect passwords at login. Thanks to people’s tendency to use the same password on several websites and applications, the attacker was able to use those credentials to get root access to other servers.
New XSS Facebook Worm Allows Automatic Wall Posts
An XSS in Facebook’s mobile API allowed a maliciously prepared iframe element containing JavaScript to post to users’ walls.
Sources
Wikipedia: http://en.wikipedia.org/wiki/Cross-site_scripting
OWASP: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
DOM Based Cross Site Scripting or XSS of the Third Kind: http://www.webappsec.org/projects/articles/071105.shtml
Web Hacking Incident Database: http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
WhiteHat Web Security Statistics (2011): http://img.en25.com/Web/WhiteHatSecurityInc/WPstats_winter11_11th.pdf
XSS Attacks (Amazon):
