What is Cross Site Scripting? Hackers are constantly experimenting with a wide repertoire of hacking techniques to compromise websites and web applications and make off with a treasure trove of sensitive data including credit card numbers, social security numbers and even medical records. Cross Site Scripting (also known as XSS or CSS) is generally believed to be one of the most common application layer hacking techniques. In the pie-chart below, created by the Web Hacking Incident Database for 2011 (WHID) clearly shows that whilst many different attack methods exist, SQL injection and XSS are the most popular. To add to this, many other attack methods, such as Information Disclosures, Content Spoofing and Stolen Credentials could all be side-effects of an XSS attack. XSS Attack Vectors So how does a hacker infect your web page in the first place? You might think, that for an attacker to make changes to your web page he must first break the security of the web server and be able to upload and modify files on that server. Unfortunately for you an XSS attack is much easier than that. Internet applications today are not static HTML pages. They are dynamic and filled with ever changing content. Modern web pages pull data from many different sources. This data is amalgamated with your own web page and can contain simple text, or images, and can also contain HTML tags such as for paragraph, for image and for scripts. Many times the hacker will use the ‘comments’ feature of your web page to insert a comment that contains a script. Every user who views that comment will download the script which will execute on his browser, causing undesirable behaviour. Something as simple as a Facebook post on your wall can contain a malicious script, which if not filtered by the Facebook servers will be injected into your Wall and execute on the browser of every person who visits your Facebook profile. By now you should be aware that any sort of data that can land on your web page from an external source has the potential of being infected with a malicious script, but in what form does the data come? The tag is the most popular way and sometimes easiest to detect. It can arrive to your page in the following forms: External script: Embedded script: alert(“XSS”); The tag can contain an embedded script by using the ONLOAD event, as shown below: The BACKGROUND attribute can be similarly exploited: Some browsers will execute a script when found in the tag as shown here: There are some variations of this that work in some browsers: The tag allows you to import HTML into a page. This important HTML can contain a script. If the TYPE attribute of the tag is set to “IMAGE”, it can be manipulated to embed a script: The tag, which is often used to link to external style sheets could contain a script: The BACKGROUND attribute of the TABLE tag can be exploited to refer to a script instead of an image: The same applies to the tag, used to separate cells inside a table: The tag, similar to the and tags can also specify a background and therefore embed a script: The STYLE attribute can also be manipulated in the following way: The tag can be used to pull in a script from an external site in the following way: If the hacker places a malicious script inside a flash file, it can be injected in the following way: Is your site vulnerable to Cross Site Scripting? Our experience leads us to conclude that the cross-site scripting vulnerability is one of the most highly widespread flaw on the Internet and will occur anywhere a web application uses input from a user in the output it generates without validating it. Our own research shows that over a third of the organizations applying for our free audit service are vulnerable to Cross Site Scripting. And the trend is upward. Example of a Cross Site Scripting Attack As a simple example, imagine a search engine site which is open to an XSS attack. The query screen of the search engine is a simple single field form with a submit button. Whereas the results page, displays both the matched results and the text you are looking for. Search Results for XSS Vulnerability To be able to bookmark pages, search engines generally leave the entered variables in the URL address. In this case the URL would look like: https://test.searchengine/search.php?q=XSS%20 Vulnerability Next we try to send the following query to the search engine: alert (This is an XSS Vulnerability) By submitting the query to search.php, it is encoded and the resulting URL would be something like: https://test.searchengine/search.php?q=%3Cscript%3 Ealert%28%91This%20is%20an%20XSS%20Vulnerability%92%2 9%3C%2Fscript%3E Upon loading the results page, the test search engine would probably display no results for the search but it will display a JavaScript alert which was injected into the page by using the XSS vulnerability. How to Check for Cross Site Scripting Vulnerabilities To check for Cross site scripting vulnerabilities, use a Web Vulnerability Scanner. A Web Vulnerability Scanner crawls your entire website and automatically checks for Cross Site Scripting vulnerabilities. It will indicate which URLs/scripts are vulnerable to these attacks so that you can fix the vulnerability easily. Besides Cross site scripting vulnerabilities a web application scanner will also check for SQL Injection & other web vulnerabilities.
Posted on: Mon, 08 Sep 2014 12:35:28 +0000
Trending Topics
Recently Viewed Topics
© 2015