CNIT 129S: Securing Web Applications Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 1
Attacking Clients • Vulnerabilities in browsers • May result in session hijacking, unauthorized actions, and disclosure of personal data, keylogging, remote code execution • XSS is the most prevalent web application vulnerability in the world
Varieties of XSS • Reflected XSS • Stored XSS • DOM-Based XSS
Reflected XSS • Example: an error message that takes text from user and displays it back to the user in its response • 75% of all XSS vulnerabilities are this type
Persistent Cookies • If user has a persistent cookie, implementing "remember me" • Step 1 is not needed • User need not be currently logged in
Same-Origin Policy • evil.com cannot get your target.com cookies from your browser • Only a page in the same domain (target.com) can • But XSS lets the attacker add scripting to a page that comes from target.com • Hence the name Cross-Site Scripting
Stored XSS Vulnerabilities • A message is stored • Executed on any user who views it • May attack a large number of users
DOM-Based XSS
The Vulnerability • Client-side JavaScript can access the browser's Document Object Model • Can determine the URL used to load the current page • A script the developer put there may extract data from the URL and display it, dynamically updating the page's contents
Example: Dynamically Generated Error Message • Writes message to page • Can also write script to page
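An added example, not from the slides: the dynamically generated error message above, rendered both ways in Node.js. The query parameter name `message` and the host `target.example` are assumed for the constructed URLs.

```javascript
// Added example (not from the course slides). Shows why writing a URL
// parameter straight into the page lets script in, and the encoding fix.

// Entity-encode text for placement inside an HTML element body.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the message is concatenated into markup unchanged, so a
// value containing <script> becomes part of the document and executes.
function renderErrorUnsafe(message) {
  return "<p>Sorry, an error occurred: " + message + "</p>";
}

// Fixed: the same message is encoded first, so markup characters are
// shown as text instead of being parsed as tags.
function renderErrorSafe(message) {
  return "<p>Sorry, an error occurred: " + htmlEncode(message) + "</p>";
}

// Read the "message" parameter from the page URL, as the slide's
// client-side script does (uses the URL API rather than parsing by hand).
function messageFromUrl(href) {
  return new URL(href).searchParams.get("message") ?? "";
}

// Reports whether rendered markup still contains a script tag; used here
// as a simple check that the fix neutralised the input.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample URLs (hostname and parameter are assumptions).
const BENIGN = "https://target.example/error?message=Page+not+found";
const HOSTILE = "https://target.example/error?message=" +
  encodeURIComponent("<script>alert(1)</script>");

// Render the hostile URL both ways and return the outcome for inspection.
function demo() {
  const msg = messageFromUrl(HOSTILE);
  return {
    unsafeExecutes: containsScriptTag(renderErrorUnsafe(msg)),
    safeExecutes: containsScriptTag(renderErrorSafe(msg)),
    safeHtml: renderErrorSafe(msg),
  };
}
```

Encoding only covers text inside an element body; a value placed inside an attribute, a URL or a script block needs the encoding appropriate to that context.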
Real-World XSS Attacks
Apache (2010) • XSS in issue-tracking application • Attacker injected code, obscured it with a URL shortener • Administrator clicked the link • Attacker stole the administrator's cookie • Attacker altered the upload folder for the project and placed a Trojan login form there
Apache (2010) • Attacker captured usernames and passwords for Apache privileged users • Found passwords that were re-used on other systems within the infrastructure • Fully compromised those systems, escalating the attack beyond the vulnerable Web application • Link Ch 12a
MySpace (2005) • Samy evaded filters intended to block XSS • Added JavaScript to his user profile that made every viewer add Samy as a friend • The script also copied itself to the viewer's profile • Gained over 1 million friends within hours • Link Ch 12b
• Stored XSS in email allowed attackers to send a malicious email to the CEO • Stealing his session cookie
Twitter (2009) • Link Ch 12d
Other Payloads for XSS • Virtual Defacement • Add images, code, or other content to a page
Injecting Trojan Functionality • Inject actual working functionality into the vulnerable application • Such as a fake login form to capture credentials • Or the fake Google purchase form on the next slide, from 2004
Disadvantages of Session Hijacking • Attacker must monitor her server and collect cookies • Then carry out actions on behalf of target users • Labor-intensive • Leaves traces in server logs
Inducing User Actions • Use attack payload script to carry out actions directly • If the goal is to perform an administrator action, each user can be forced to try it until an administrator is compromised • MySpace XSS worm did this
Exploiting Trust Relationships • Browsers trust JavaScript with cookies from the same website • Autocomplete in the browser can fill in fields, which are then read by JavaScript • Some sites require being added to Internet Explorer's "Trusted Sites"; those sites can run arbitrary code like this
Exploiting Trust Relationships • ActiveX controls often contain powerful methods • They may check to see that requests came from the expected site • With XSS, that condition is satisfied
Escalating the Client-Side Attack • Website may attack users by • Logging keystrokes • Capturing browsing history • Port-scanning the local network
Delivery Mechanisms for XSS Attacks
Delivering Reflected and DOM-Based XSS Attacks • Phishing email containing a crafted URL • Targeted attack with custom email • Instant message containing a URL • Code posted on websites that allow users to post HTML
Watering Hole Attack • Attacker creates a website with content that will interest the target users • Use search engine optimization to attract viewers • Page contains content that causes the user's browser to make requests containing XSS payloads to the vulnerable application
Delivering Reflected and DOM-Based XSS Attacks • Purchase ad space, put malicious URL in the ad • The ad may appear in pages about the app you are attacking, because of keyword matches • Web apps often have "tell a friend" or "send feedback" features • Leverage this to deliver an XSS attack via an email that originates from the organization's server
Delivering Stored XSS Attacks • In-band (most common)
Delivering Stored XSS Attacks • Out-of-band (most common) • Anything other than viewing the target app • Such as email from its server
Chaining XSS • XSS vulnerability itself may be low-risk • But chaining it together with other vulnerabilities can cause serious compromise
Example • XSS allows script to be inserted into user's displayed name • Access control flaw lets attacker change other users' names • Add token-stealing XSS to every username • Gain administrator credentials: total control of application
