Cross Site Scripting Overview

Page 1: Cross Site Scripting Overview

Author: EUROSEC GmbH Chiffriertechnik & Sicherheit
Tel: 06173 / 60850, www.eurosec.com
© EUROSEC GmbH Chiffriertechnik & Sicherheit, 2005



Page 2: Cross Site Scripting Overview


Presentation Overview

- What is Cross-Site Scripting?
- What is the impact of Cross-Site Scripting?
- What are Cross-Site Scripting techniques?
- Basic anatomy of attacks
- How can we protect applications against it?
- Basic protection mechanisms


Page 3: Cross Site Scripting Overview


What is Cross-Site Scripting?

The three conditions for Cross-Site Scripting:

1. A Web application accepts user input
   - Well, which Web application doesn't?
2. The input is used to create dynamic content
   - Again, which Web application doesn't?
3. The input is insufficiently validated
   - Most Web applications don't validate sufficiently!


Page 4: Cross Site Scripting Overview


What is Cross-Site Scripting?

- Cross-Site Scripting, aka XSS or CSS
- The players:
  - An Attacker
    - Anonymous Internet user
    - Malicious internal user
  - A company's Web server (i.e. Web application)
    - External (e.g. Shop, Information, CRM, Supplier)
    - Internal (e.g. Employees Self Service Portal)
  - A Client
    - Any type of customer
    - Anonymous user accessing the Web server


Page 5: Cross Site Scripting Overview


What is Cross-Site Scripting?

- Scripting: Web browsers can execute commands
  - Embedded in HTML page
  - Supports different languages (JavaScript, VBScript, ActiveX, etc.)
  - Most prominent: JavaScript
- Cross-Site means: foreign script sent via server to client
  - Attacker makes Web server deliver malicious script code
  - Malicious script is executed in client's Web browser
- Attack:
  - Steal access credentials, Denial-of-Service, modify Web pages
  - Execute any command at the client machine


Page 6: Cross Site Scripting Overview


XSS-Attack: General Overview

Attacker posts a forum message:

  Subject: GET Money for FREE !!!
  Body: <script> attack code </script>

1. Attacker sends malicious code
2. Server stores message
3. User requests message: GET /forum.jsp?fid=122&mid=2241
4. Message is delivered by server: "GET Money for FREE !!! <script> attack code </script>"
5. Browser executes script in message: !!! attack code !!!

Parties in the diagram: Attacker, Client, Web Server

This is only one example out of many attack scenarios!

(Diagram residue: the forum listing next to the stored message shows other threads, e.g. "Did you know this?", "Error message on startup", "Re: Error message on startup", "I found a solution!", "Can anybody help?")

Page 7: Cross Site Scripting Overview


XSS: A New Threat?

- XSS is an old problem
  - First public attention 5 years ago
  - Now regularly listed on BUGTRAQ
- Nevertheless: many Web applications are affected

What's the source of the problem? Insufficient input/output checking! A problem as old as programming languages.

CERT® Advisory CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests
Original release date: February 2, 2000; last revised: February 3, 2000

"A web site may inadvertently include malicious HTML tags or script in a dynamically generated page based on unvalidated input from untrustworthy sources. This can be a problem when a web server does not adequately ensure that generated pages are properly encoded to prevent unintended execution of scripts, and when input is not validated to prevent malicious HTML from being presented to the user."

Page 8: Cross Site Scripting Overview


Who is affected by XSS?

- XSS attack's first target is the Client
  - Client trusts server (does not expect attack)
  - Browser executes malicious script
- But second target = company running the server
  - Loss of public image (blame)
  - Loss of customer trust
  - Loss of money


Page 9: Cross Site Scripting Overview


Impact of XSS-Attacks

XSS is not a harmless flaw!

- Access to authentication credentials for Web application
  - Cookies, username and password
- Normal users
  - Access to personal data (credit card, bank account)
  - Access to business data (bid details, construction details)
  - Misuse account (order expensive goods)
- High privileged users
  - Control over Web application
  - Control/Access: Web server machine
  - Control/Access: Backend / database systems


Page 10: Cross Site Scripting Overview


Impact of XSS-Attacks

- Denial-of-Service
  - Crash user's browser, pop-up flooding, redirection
- Access to user's machine
  - Use ActiveX objects to control machine
  - Upload local data to attacker's machine
- Spoil public image of company
  - Load main frame content from other locations
  - Redirect to dialer download


Page 11: Cross Site Scripting Overview


Simple XSS Attack

Normal request:

http://myserver.com/test.jsp?name=Stefan

Response:

<HTML><Body>
Welcome Stefan
</Body>
</HTML>

Request with script in the parameter:

http://myserver.com/welcome.jsp?name=<script>alert("Attacked")</script>

Response:

<HTML>
<Body>
Welcome <script>alert("Attacked")</script>
</Body>
</HTML>

Page 12: Cross Site Scripting Overview


Where script is executed ...

Source: http://www.securityfocus.com/archive/1/272037/2002-05-09/2002-05-15/0

<a href="javas&#99;ript&#35;[code]">
<div onmouseover="[code]">
<img src="javascript:[code]">
[IE] <img dynsrc="javascript:[code]">
[IE] <input type="image" dynsrc="javascript:[code]">
[IE] <bgsound src="javascript:[code]">
&<script>[code]</script>
[N4] &{[code]};
[N4] <img src=&{[code]};>
<link rel="stylesheet" href="javascript:[code]">
[IE] <iframe src="vbscript:[code]">
[N4] <img src="mocha:[code]">
[N4] <img src="livescript:[code]">
<a href="about:<s&#99;ript>[code]</script>">
<meta http-equiv="refresh" content="0;url=javascript:[code]">
<body onload="[code]">
<div style="background-image: url(javascript:[code]);">
[IE] <div style="behaviour: url([link to code]);">
[Mozilla] <div style="binding: url([link to code]);">
[IE] <div style="width: expression([code]);">
[N4] <style type="text/javascript">[code]</style>
[IE] <object classid="clsid:..." codebase="javascript:[code]">
<style><!--</style><script>[code]//--></script>
<![CDATA[<!--]]><script>[code]//--></script>
<!-- -- --><script>[code]</script><!-- -- -->
<<script>[code]</script>
<img src="blah"onmouseover="[code]">
<img src="blah>" onmouseover="[code]">
<xml src="javascript:[code]">
<xml id="X"><a><b>&lt;script>[code]&lt;/script>;</b></a></xml><div datafld="b" dataformatas="html" datasrc="#X"></div>
[UTF-8; IE, Opera] [\xC0][\xBC]script>[code][\xC0][\xBC]/script>

Page 13: Cross Site Scripting Overview


Preventing XSS means Preventing

- Subversion of separation of clients
  - Attacker can access affected client's data
  - Industrial espionage
- Identity theft
  - Attacker can impersonate affected client
- Illegal access
  - Attacker can act as administrator
  - Attacker can modify security settings


Page 14: Cross Site Scripting Overview


XSS Solution

Input Validation

But what is to be considered input?


Page 15: Cross Site Scripting Overview


Typical HTTP Request

POST /thepage.jsp?var1=page1.html HTTP/1.1
Accept: */*
Referer: http://www.myweb.com/index.html
Accept-Language: en-us,de;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.myweb.com
Connection: Keep-Alive

uid=fred&password=secret&pagestyle=default.css&action=login

This all is input: the HTTP method, the requested resource, the GET and POST parameters, and the Referer and User-Agent headers.

Page 16: Cross Site Scripting Overview


What to Consider Input?

- Not only field values with user-supplied input
- Should be treated as input:
  - All field values: even hidden fields
  - All HTTP header fields: Referer
  - And even the HTTP method descriptor
- Input is any piece of data sent from the client!
  - That is the whole client request

What if you request the following from your Web server?

<script>alert("Hello")</script> / HTTP/1.0

Page 17: Cross Site Scripting Overview


How to perform Input Validation

- Check if the input is what you expect
- Do not try to check for "bad input"
  - Blacklist testing is no solution
  - Blacklists are never complete!
- Whitelist testing is better
  - Only what you expect will pass
  - (correct) regular expressions
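As an added example (not code from the slides), the whitelist approach above applied to the login request from the "Typical HTTP Request" slide, in Python rather than JSP: every part of the request, including the HTTP method and the hidden pagestyle field, gets its own pattern, and a blacklist is shown beside it for contrast. The field names come from that request; the patterns, the helper names and the sample values are assumptions for illustration.

```python
import re

# Whitelist patterns per input field (constructed for this example).
# Every field the request carries gets a pattern: the HTTP method and
# the hidden "pagestyle" field included, not only the visible form fields.
FIELD_PATTERNS = {
    "method":    re.compile(r"^(GET|POST)$"),
    "uid":       re.compile(r"^[A-Za-z0-9_]{1,32}$"),
    "password":  re.compile(r"^[\x21-\x7e]{1,64}$"),    # printable ASCII, no spaces
    "pagestyle": re.compile(r"^[a-z0-9_-]{1,40}\.css$"),
    "action":    re.compile(r"^(login|logout)$"),
}

# A blacklist, for contrast: it rejects only the literal spellings it knows.
BLACKLIST = re.compile(r"<script|javascript:", re.IGNORECASE)

def blacklist_rejects(value):
    return BLACKLIST.search(value) is not None

def validate_request(method, params):
    """Return (ok, failed_fields). Every field must match its whitelist
    pattern; unknown fields are rejected because no legitimate form sends them."""
    errors = []
    if not FIELD_PATTERNS["method"].match(method):
        errors.append("method")
    for name, value in params.items():
        pattern = FIELD_PATTERNS.get(name)
        if pattern is None or not pattern.match(value):
            errors.append(name)
    return (not errors, errors)

# Constructed samples: the login request from the slide ...
GOOD = ("POST", {"uid": "fred", "password": "secret",
                 "pagestyle": "default.css", "action": "login"})
# ... the same request with the hidden pagestyle field altered, using the
# entity-encoded scheme from the "Where script is executed" slide ...
TAMPERED = ("POST", {"uid": "fred", "password": "secret",
                     "pagestyle": "javas&#99;ript:x", "action": "login"})
# ... and a request whose method descriptor is the payload (slide 16).
BAD_METHOD = ('<script>alert("Hello")</script>', {})

if __name__ == "__main__":
    for label, (m, p) in [("good", GOOD), ("tampered", TAMPERED), ("bad method", BAD_METHOD)]:
        ok, errs = validate_request(m, p)
        print(label, "accepted" if ok else "rejected: " + ",".join(errs))
    # The blacklist does not recognise the entity-encoded spelling at all:
    print("blacklist catches tampered pagestyle:", blacklist_rejects(TAMPERED[1]["pagestyle"]))
```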


Page 18: Cross Site Scripting Overview


HTML Encoding may help ...

- HTML encoding of all input when put into output pages
- There are fields where this is not possible
  - When constructing URLs from input (e.g. redirections)
  - Meta refresh, HREF, SRC, ....
- There are fields where this is not sufficient
  - When generating JavaScript from input
  - Or when used in script-enabled HTML tag attributes

Htmlencode("javascript:alert(`Hello`)") = javascript:alert(`Hello`)
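An added example of the point above, not code from the slides: the same user input is placed in three output contexts (HTML text, an HREF attribute, a JavaScript string literal), and each context needs its own treatment, because entity encoding leaves "javascript:" untouched. Python's standard library stands in for the slides' Htmlencode; the function names and the sample page are assumptions.

```python
import html
import json
from urllib.parse import urlsplit

def encode_for_html_text(value):
    """Text between tags: HTML entity encoding is sufficient here."""
    return html.escape(value, quote=True)

def encode_for_href(value, allowed_schemes=("http", "https")):
    """URL attribute (HREF, SRC, meta refresh): entity encoding leaves
    'javascript:' intact, so the scheme is whitelisted first.
    Returns None when the URL must not be emitted at all."""
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme not in allowed_schemes:
        return None
    return html.escape(value, quote=True)

def encode_for_js_string(value):
    """Value inside a JavaScript string literal in a <script> block:
    JSON-encode, then escape '<' and '>' so the literal can never
    close the script element early."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def render_welcome(name, home_url, greeting):
    """Constructed page using input in all three contexts."""
    link = encode_for_href(home_url)
    link_html = f'<a href="{link}">home</a>' if link else "home"
    return (
        "<html><body>"
        f"Welcome {encode_for_html_text(name)} {link_html}"
        f"<script>var g = {encode_for_js_string(greeting)};</script>"
        "</body></html>"
    )

if __name__ == "__main__":
    payload = "javascript:alert(`Hello`)"
    print(html.escape(payload))       # unchanged: encoding alone does not help in a URL
    print(encode_for_href(payload))   # None: rejected by the scheme whitelist
    print(render_welcome('<script>alert("Attacked")</script>',
                         payload, "</script><script>alert(1)</script>"))
```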

Page 19: Cross Site Scripting Overview


Page 20: Cross Site Scripting Overview


Web Application Firewalls

- Web Application Firewalls
  - Check for malicious input values
  - Check for modification of read-only parameters
  - Block requests or filter out parameters
- Can help to protect old applications
  - No source code available
  - No know-how available
  - No time available
- No general solution
  - Usefulness depends on application
  - Not all applications can be protected


Page 21: Cross Site Scripting Overview


Page 22: Cross Site Scripting Overview


By the way

- Web Services are affected by XSS too
  - Become more and more standard
  - Access protocol is often HTTP
  - Data transfer using XML
- Attack: submitting SOAP response values as request values
  - Often HTML rendering engines are used for display
  - Force traditional XSS attack code in output


Page 23: Cross Site Scripting Overview


Summary

- Cross-Site Scripting is extremely dangerous
  - Identity theft, impersonation
- Cause: missing or insufficient input validation
- XSS-Prevention Best Practices
  - Implement XSS prevention in the application
  - Do not assume input values are benign
  - Do not trust client-side validation
  - Check and validate all input before processing
  - Do not echo any input value without validation
  - Use one conceptual solution in all applications


Page 24: Cross Site Scripting Overview


Appendix


Page 25: Cross Site Scripting Overview


Why this presentation from us?

Our professional background:

- Several project years in research projects on secure software development; with partners like SAP, Deutsche Bank, Commerzbank, Universities, etc.
- Large amount of vulnerability checks for software companies, including reviews and coaching for development staff
- Security requirements and design specifications for large development projects
- Writing of company guidelines and checklists for secure development, mostly in the banking and finance sector
- Reverse engineering and reviews of security mechanisms and crypto algorithms
- Implementation of security functions for customers


Page 26: Cross Site Scripting Overview


Final Remark

- The present work has been conducted within the so-called secologic research project (term: 2005+2006)
- For more details see www.secologic.org
- We are grateful to the German Ministry Bundesministerium für Wirtschaft for supporting this project
- We appreciate all suggestions and feedback with respect to our presentation slides and white papers


Page 27: Cross Site Scripting Overview


Copyright Remark

- This document has been prepared by EUROSEC and serves the purpose of conducting courses and seminars about secure software development (focus on web applications)
- We published these slides to support further activities in the development of better software applications
- These slides can be used for your own purposes/employees within your company, as long as you include information about authorship by EUROSEC
- Commercial use by companies specialized in seminars and/or consulting is not allowed without a separate agreement; please contact us: [email protected]
