I have been asked to give a presentation about cross site scripting at a local OWASP chapter meeting. I am making my research and notes available in to a series of blog posts. The first – what is cross site scripting?
What is Cross Site Scripting?
Cross Site Scripting (XSS) is an attack against the user of a website. It is a technique that forces a website to disply malicous code, which then executes in the user’s web browser. The attacker uses a vulnerable website to send malicous code to another end user of the site. The vulnerability arises when the website takes data in some way from a user and dynamically inculdes it in a web page without first validating that data.
Using XSS an attacker can conduct account hijacking, rewrite portions of the page, log keystrokes, get information about the browser and client machine such as browsing history, or even pivot from the browswer and attack the user’s network.
Types of Cross Site Scripting
Persistent Cross Site Scripting
Persistent, or stored, XSS occurs when data provided by the attacker is stored by the web application to be used later. Think about social networks such as Facebook or Twitter, comments on blogs, user reviews on retail sites, wikis, etc. If content entered by one user is malicous, any other user who views the page that uses that content can be a victim.
Reflected Cross Site Scripting
Reflected XSS occurs when the data provided by the attacker is used immediately by the web application right away in some response. Think about website error messages and search results. Reflected attacks are delivered to victims via another route, such as in an email message. When a user is tricked into clicking on a malicious link, the injected code travels to the vulnerable website, which reflects the attack back to the user’s browser. The browser then executes the code because it appears to have come from the website the user is viewing.
DOM Based Cross Site Scripting
How bad is the issue?
According to White Hat Security, 64% of the website they assess have XSS vulnerabilities. Your web application is more likely to have some than not.
According to the Web Hacking Incident Database, 7.4% of web attacks utilize XSS.
Most sites are vulnerable to XSS. Because it affects users, it tends to be used in more targeted or sophisticated multistage attacks. As shown below in real world XSS attacks, the potential for wormable flaws exists! If it’s on an Internet facing application, either that high privileged users interact with or on a public section of your site, you better pay attention!
Real World Examples
Hacker Redirects Barack Obama’s site to hillaryclinton.com
During the 2008 democratic primaries, XSS in Obama’s website was exploited to redirect visitors to Hillary Clinton’s website. Users who went to Obama’s community blog were instead taken to www.hillaryclinton.com.
Apache.org hit by targeted XSS attack, passwords compromised
A targeted attack against JIRA admins used XSS to steal adminitrative cookies. Using those priveleges, they installed backdoors and scripts to collect passwords at login. Thanks to people’s tendency to use the same password on several websites and applications, the attacker was able to use those credentials get root access to other servers.
New XSS Facebook Worm Allows Automatic Wall Posts
DOM Based Cross Site Scripting or XSS of the Third Kind: http://www.webappsec.org/projects/articles/071105.shtml
Web Hacking Incident Database: http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
WhiteHat Web Security Statistics (2011): http://img.en25.com/Web/WhiteHatSecurityInc/WPstats_winter11_11th.pdf
XSS Attacks (Amazon):