CNIT 129S: Securing
Web Applications
Ch 12: Attacking Users:
Cross-Site Scripting (XSS)
Part 1
Attacking Clients
• Vulnerabilities in browsers
• May result in session hijacking, unauthorized
actions, disclosure of personal data, keylogging,
or remote code execution
• XSS is the most prevalent web
application vulnerability in the world
Varieties of XSS
• Reflected XSS
• Stored XSS
• DOM-Based XSS
Reflected XSS
• Example: an error page that takes text from
the request (such as a query parameter) and
echoes it back to the same user in its response
• Roughly 75% of all XSS vulnerabilities are this
type
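The error-page pattern above, as an added example that is not part of the course slides: a server-side handler that reflects the "message" query parameter into its HTML response, first unencoded (the vulnerable form) and then HTML-encoded. The host target.example, the path /error.php and the parameter name are assumptions made for the example; the attack URL is constructed here to stand in for the crafted link a phishing email would carry.

```javascript
// Added example (not from the course slides): reflected XSS in an error page.
// Hostname, path and parameter name are assumptions for this example.

// Minimal HTML encoder for a value placed in an element's text content.
// Attribute and JavaScript contexts need different encoding rules, so this
// is only correct for the text context used below.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Pull the "message" parameter out of the request URL. URL is a Node global;
// the base is only needed to parse a relative request path.
function messageParam(requestUrl) {
  return new URL(requestUrl, "https://target.example").searchParams.get("message") || "";
}

// Vulnerable: copies the parameter straight into the HTML response body.
function renderErrorVulnerable(requestUrl) {
  return "<p>Sorry, an error occurred: " + messageParam(requestUrl) + "</p>";
}

// Fixed: same page, but the untrusted value is HTML-encoded first.
function renderErrorFixed(requestUrl) {
  return "<p>Sorry, an error occurred: " + escapeHtml(messageParam(requestUrl)) + "</p>";
}

// Quick tester's check: did an active <script> tag survive into the output?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attack URL: what the victim's browser requests after clicking
// a crafted link. The browser decodes the parameter before the page sees it.
const attackUrl = "/error.php?message=" +
  encodeURIComponent("<script>alert(document.cookie)</script>");

console.log(renderErrorVulnerable(attackUrl)); // script tag reflected intact
console.log(renderErrorFixed(attackUrl));      // rendered as inert text
```

The vulnerable handler is exactly what the slide describes: whatever the request supplies comes back in the response, and because the response is served from the application's own origin, the injected script runs with access to that origin's cookies and DOM.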
Persistent Cookies
• If the user has a persistent cookie implementing
"remember me"
• Step 1 of the reflected XSS attack (the user
logging in and receiving a session token) is not
needed
• The user need not be currently logged in; the
attack works whenever the browser still holds a
valid token
Same-Origin Policy
• evil.com cannot read your target.com cookies
from your browser
• Only a page from the same origin (target.com)
can
• But XSS lets the attacker add scripting to a page
that is served from target.com, so it runs with
target.com's privileges
• Hence the name Cross-Site Scripting
Stored XSS Vulnerabilities
• A message (or other user-supplied content) is
stored by the application
• Executed in the browser of any user who views it
• May attack a large number of users
DOM-Based XSS
The Vulnerability
• Client-side JavaScript can access the browser's
Document Object Model
• Can determine the URL used to load the current
page
• A script the developer put there may extract
data from the URL and display it, dynamically
updating the page's contents
Example: Dynamically
Generated Error Message
• Script takes a message from the URL and writes
it into the page
• An attacker-controlled URL can make it write
script into the page instead
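The dynamically generated error message described above, as an added example that is not part of the course slides. It follows the common page-script pattern of taking everything after "message=" in the URL and writing it into the document, and contrasts it with inserting the value as text. Because this runs under Node rather than a browser, a small stand-in object replaces document.write() and a text node; the URL target.example/error.html and the payload are constructed for the example.

```javascript
// Added example (not from the course slides): DOM-based XSS from the page URL.
// The document stand-in, the URL and the payload are constructed here.

// Stand-in for the browser DOM: write() stores raw markup, appendText()
// stores what a text node would render (markup characters escaped).
function makeFakeDocument() {
  const parts = [];
  const enc = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return {
    write: (html) => parts.push(html),
    appendText: (text) => parts.push(String(text).replace(/[&<>"']/g, (c) => enc[c])),
    html: () => parts.join(""),
  };
}

// Extraction step shared by both page scripts: decode the whole URL and take
// everything after "message=", whether it sits in the query or the fragment.
function messageFromUrl(href) {
  const url = decodeURIComponent(href);
  const i = url.indexOf("message=");
  return i < 0 ? null : url.substring(i + "message=".length);
}

// Vulnerable page script: the developer wanted to show a message, but writes
// the URL-derived string into the page as markup.
function showMessageVulnerable(doc, href) {
  const message = messageFromUrl(href);
  if (message === null) return;
  doc.write("<p>" + message + "</p>");
}

// Fixed: same extraction, but the value goes in as text, not markup.
function showMessageFixed(doc, href) {
  const message = messageFromUrl(href);
  if (message === null) return;
  doc.write("<p>");
  doc.appendText(message);
  doc.write("</p>");
}

// What the browser actually sends to the server for a URL: path and query
// only. Anything after '#' stays in the browser, so a fragment payload never
// appears in server-side logs or filters.
function requestTarget(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

function renderVulnerable(href) { const d = makeFakeDocument(); showMessageVulnerable(d, href); return d.html(); }
function renderFixed(href) { const d = makeFakeDocument(); showMessageFixed(d, href); return d.html(); }

// Constructed attack URL carrying the payload in the fragment.
const payload = "<img src=x onerror=alert(document.cookie)>";
const fragmentAttack = "https://target.example/error.html#message=" + encodeURIComponent(payload);

console.log(renderVulnerable(fragmentAttack)); // payload written as live markup
console.log(renderFixed(fragmentAttack));      // payload shown as inert text
console.log(requestTarget(fragmentAttack));    // server only ever sees the path
```

The point a tester should take from the last function: when the payload rides in the fragment, the server receives a perfectly ordinary request, so server-side input filtering and log review cannot catch this variety; the vulnerable sink is in the client-side script itself.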
Real-World XSS Attacks
Apache (2010)
• XSS in issue-tracking application
• Attacker injected code, obscured it with a URL
shortener
• Administrator clicked the link
• Attacker stole the administrator's cookie
• Attacker altered the upload folder for the project
and placed a Trojan login form there
Apache (2010)
• Attacker captured usernames and passwords
for Apache privileged users
• Found passwords that were re-used on other
systems within the infrastructure
• Fully compromised those systems, escalating
the attack beyond the vulnerable Web
application
• Link Ch 12a
MySpace (2005)
• Samy evaded filters intended to block XSS
• Added JavaScript to his user profile that made
every viewer's browser
• Add Samy as a friend
• Copy the script into the viewer's own profile
• Gained over 1 million friends within hours
• Link Ch 12b
• Stored XSS in a webmail application allowed
attackers to send a malicious email to the
company's CEO
• Viewing it stole his session cookie
Twitter (2009)
• Link Ch 12d
Other Payloads for XSS
• Virtual Defacement
• Add images, code, or other content to a page
Injecting Trojan Functionality
• Inject actual working functionality into the
vulnerable application
• Such as a fake login form to capture credentials
• Or the fake Google purchase form on the next
slide, from 2004
Disadvantages of Session
Hijacking
• Attacker must monitor her server and collect
cookies
• Then carry out actions on behalf of target users
• Labor-intensive
• Leaves traces in server logs
Inducing User Actions
• Use attack payload script to carry out actions
directly
• If the goal is to perform an administrator action,
each user can be forced to try it until an
administrator is compromised
• MySpace XSS worm did this
Exploiting Trust Relationships
• Browsers trust JavaScript with cookies from the
same website
• Autocomplete in the browser can fill in fields,
which are then read by JavaScript
• Some sites require being added to Internet
Explorer's "Trusted Sites" zone; pages in that zone
can run arbitrary code on the user's machine (for
example through ActiveX), so XSS in such a site
inherits that power
Exploiting Trust Relationships
• ActiveX controls often contain powerful
methods
• They may check to see that requests came
from the expected site
• With XSS, that condition is satisfied
Escalating the Client-Side
Attack
• Website may attack users by
• Logging keystrokes
• Capturing browsing history
• Port-scanning the local network
Delivery Mechanisms for
XSS Attacks
Delivering Reflected and
DOM-Based XSS Attacks
• Phishing email containing a crafted URL
• Targeted attack with custom email
• Instant message containing a URL
• Code posted on websites that allow users to post
HTML
Watering Hole Attack
• Attacker creates a website with content that will
interest the target users
• Use search engine optimization to attract
viewers
• Page contains content that causes the user's
browser to make requests containing XSS
payloads to the vulnerable application
Delivering Reflected and
DOM-Based XSS Attacks (continued)
• Purchase ad space, put malicious URL in the ad
• The ad may appear in pages about the app you
are attacking, because of keyword matches
• Web apps often have "tell a friend" or "send
feedback" features
• Leverage these to deliver an XSS attack via an
email that originates from the organization's own
server, which recipients are more likely to trust
Delivering Stored XSS
Attacks
• In-band (most common)
• Attacker submits the payload through the
application's normal interface, such as a forum
post, a profile field, or an uploaded file name
• Victims receive it simply by viewing the
application as usual
Delivering Stored XSS
Attacks
• Out-of-band (less common)
• Anything other than viewing the target app
• Such as email sent by its server that carries
stored, attacker-controllable data
Chaining XSS
• XSS vulnerability itself may be low-risk
• But chaining it together with other
vulnerabilities can cause serious compromise
Example
• XSS allows script to be inserted into user's
displayed name
• Access control flaw lets attacker change other
users' names
• Add token-stealing XSS to every username
• When an administrator views any page that lists
users, the script runs in their session and steals
the token
• Gain administrator credentials: total control of
the application