introduction to xss

Upload: kervindominguez

Post on 14-Apr-2018


  • 7/30/2019 Introduction to XSS

    1/14

    Introduction to XSS (CSS)

    Cross Site Scripting

    submitted by

    Generics


    Abstract

    Keywords: Cross-Site Scripting, Vulnerabilities, Impacts

    This document offers an overview of the process, solutions, and dangers of Cross-Site Scripting. It demonstrates the ease with which an attacker can access a victim's personal information while keeping their own identity hidden. Furthermore, means to counter these attacks are presented in the hope of raising user awareness.


    Seminarpaper Generics 2006

    2

    1 INTRODUCTION ........ 3
    2 CROSS SITE SCRIPTING [1] ........ 3
    2.1 Types of XSS Vulnerability [2] ........ 4
    2.2 Session Hacking [3] ........ 5
    3 XSS-PROXY [5] ........ 6
    4 THE IMPACT [6] ........ 6
    5 VULNERABILITY CHECKING [7] ........ 7
    6 SOLUTIONS AND WORKAROUNDS [8] ........ 7
    7 CONCLUSION ........ 8
    8 APPENDIX ........ 9
    9 BIBLIOGRAPHY ........ 12


    1 Introduction

    Following a seemingly harmless link can lead to catastrophic consequences, especially if it is allegedly a link to your net banking account. The world of the internet has advanced tremendously, as have the ways of exploiting its security. Internet users have had negative surfing experiences from following malicious links since the beginning, without ever discovering how to avoid such threats. Cross-Site and Cross-Framework-Scripting are the standard attack techniques for stealing cookies, passwords or, even worse, your personal TAN numbers. In this paper we will discuss these and other advanced techniques, outline the impacts, give some examples, and explain how to protect yourself from these attacks.

    2 Cross Site Scripting [1]

    Cross-Site Scripting, which in security circles is better known as XSS, is a technique used to gather user information. XSS (CSS) is used by attackers to compromise clients through security vulnerabilities, which are usually found in web applications.

    Because the acronym for Cross-Site Scripting (CSS) can be confused with Cascading Style Sheets or Content Scrambling System, Steve Champeon popularized XSS in his Webmonkey article "XSS, Trust, and Barney" [8]. Since then the security community has used XSS as the standard abbreviation.

    The main intention of an XSS attacker is to fool the user into clicking on a malicious link which looks like it points to a trusted site. The link could look like this:

    http://www.mytrustedsite.com/cgi-bin/xy.cgi?givemeallyourmoney

    Since most users do not know what the part of the URL after http://www.mytrustedsite.com stands for, they are tempted to click on the link because it looks like a site they are familiar with. To make the attack possible, the attacker has to know that the trusted server has an XSS vulnerability. After a user clicks on a prepared link they are forwarded to the site, and without asking, the malicious code is executed in their browser. For a better understanding see the graph below.


    Fig 1

    Usually JavaScript is not allowed to access cookies that aren't from the same script or from the same server. Cookies can store session IDs or, even worse, authentication data. With the Cross-Site Scripting technique the attacker can now modify or delete cookies on the victim's computer.

    So far it may not sound as if this is a big issue. However, in the next chapter we will see that once the attacker gets the cookie, it is easy to hijack a session.

    2.1 Types of XSS Vulnerability [2]

    The vulnerabilities commonly attacked with XSS are separated into three basic groups: types 1, 2, and 3. However, there is no standard nomenclature for these types.

    Type 1 is commonly referred to as DOM-based or local XSS. It is distinguished by a security hole in the client-side script: the JavaScript reads a particular URL request parameter and builds its own HTML from the gathered information, but fails to HTML-quote it. The browser re-processes that information as HTML, which might include more client-side script. Script can be injected through a link and can escape the client-side sandbox, granting the attacker full access to the victim's system. A Bugzilla error page was once found to have a vulnerability of this kind. In that particular case, JavaScript wrote the URL into the page without prior filtering, encoding, or quoting.


    A Type 2 vulnerability is the most common form, and is usually called a non-persistent or reflected vulnerability. The hole is most commonly found in search engines: a user types in a string that contains HTML special characters, and the search string shows up again on the results page with those characters unencoded. This allows code from the client side to be added to the dynamic page, and you have an XSS hole.

    Attackers use social engineering to lure victims into following harmful URLs that inject code into the results page. By doing this, the attacker gains full access to the page's composition. This type of vulnerability has evoked mixed feelings among programmers and other computer specialists because social engineering is involved. However, for a beginner on the internet, this threat is unquestionable.

    This vulnerability was found in older versions of ATutor (a web-based learning center) on the search page. It was possible to inject script into the URLs, which resulted in unquoted malicious script on the page.

    A Type 3 vulnerability is the most powerful XSS attack, and is referred to as a persistent, stored, or second-order vulnerability. When user data is persistently stored in a file or database and later shown to other users without first being HTML quoted, the vulnerability exists. Online message boards where users can post messages for others are an example of this. Attackers can inject a script a single time and have it negatively affect many other users with minimal social engineering. This problem is avoided by encoding data before it is re-displayed on another page. An extreme example of this was found in the Indiatimes email portal, where users' inboxes could be hijacked even if the victims hadn't opened the destructive email.

    Only a small fraction of the possible XSS vulnerabilities is listed here; hundreds of other examples are publicly available.
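The fix the paper keeps returning to for the reflected (type 2) and stored (type 3) cases is HTML-quoting data at the point where it is written into a page. The following JavaScript is an added example, not code from the paper or from any of the applications it names: a search results page rendered with and without output encoding, and a message board that stores posts unchanged and encodes them when they are shown to other readers. The templates, field names and the probe string are constructed for the demonstration.

```javascript
// Added example (not from the paper): HTML output encoding as the fix for the
// reflected (type 2) and stored (type 3) vulnerabilities described above.
// Assumptions: the page templates, field names and sample inputs below are
// constructed for this demonstration and belong to no real application.

// Escape the five characters that let data break out of an HTML text or
// double-quoted attribute context. '&' goes first so already-produced
// entities are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Type 2 (reflected): the search term is echoed straight into the results page,
// both as text and inside an attribute value.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1><input name="q" value="${query}">`;
}

// Hardened version: encode once, at the point of output.
function renderSearchHardened(query) {
  const q = escapeHtml(query);
  return `<h1>Results for: ${q}</h1><input name="q" value="${q}">`;
}

// Type 3 (stored): a message board keeps posts exactly as submitted and
// renders them later to every reader. Storing raw text is fine; the fix is to
// encode when the data is re-displayed.
const board = [];
function postMessage(author, body) {
  board.push({ author, body });   // stored unchanged
}
function renderBoardVulnerable() {
  return board.map(m => `<li><b>${m.author}</b>: ${m.body}</li>`).join('');
}
function renderBoardHardened() {
  return board
    .map(m => `<li><b>${escapeHtml(m.author)}</b>: ${escapeHtml(m.body)}</li>`)
    .join('');
}

// Constructed probe in the style of the paper's examples.
const probe = '<script>alert(document.cookie)</script>';

postMessage('mallory', probe);
postMessage('alice', 'hello & welcome');
console.log(renderSearchVulnerable(probe));  // the probe lands in the page as markup
console.log(renderSearchHardened(probe));    // the probe is shown as literal text
console.log(renderBoardHardened());
```

The same rule covers the DOM-based (type 1) case: a client-side script that writes a URL parameter into the page with `innerHTML` has the hole, while one that assigns it to `textContent` does not. Encoding is per output context; the block above only handles HTML text and double-quoted attribute values, which is why `escapeHtml` encodes both quote characters.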

    2.2 Session Hacking [3]

    In order to understand why an attacker is capable of hijacking a session, we need to understand what a cookie's function is. Cookies store session IDs and authentication data for the time a user is at a site. This means that the attacker can only hijack the session as long as the user is on that site. The attacker can extract the session ID from the stolen cookie and use it himself to make a connection to the site. Since the attacker has a valid session ID, he doesn't need to enter a username or password: the stolen cookie provides that information for the enemy.
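The paper's point is that the session ID in a stolen cookie is all an attacker needs. A check a practitioner would add, going beyond the text, is whether the cookies a site sets carry the attributes that keep them out of reach of an injected script in the first place: HttpOnly removes a cookie from document.cookie, and Secure keeps it off plain HTTP. The JavaScript below is an added example, not from the paper: it parses Set-Cookie header values and reports session-looking cookies that lack those attributes. The header lines, cookie names and the name pattern are constructed for the demonstration.

```javascript
// Added example (not from the paper): audit Set-Cookie headers for the
// attributes that limit what a script injected through XSS can do with a
// session cookie. HttpOnly keeps the cookie out of document.cookie; Secure
// keeps it off plain HTTP. All header lines below are constructed.

// Parse one Set-Cookie header value into name, value and a lower-cased
// attribute map (flag attributes such as HttpOnly map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Names that usually carry a session identifier. Assumption: a real audit
// would use the application's own session cookie names instead.
const SESSION_NAME_PATTERN = /sess|sid|auth|token/i;

// Return one finding per session-looking cookie that lacks HttpOnly or Secure.
function auditCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!SESSION_NAME_PATTERN.test(c.name)) continue;
    const missing = [];
    if (!c.attributes.httponly) missing.push('HttpOnly');
    if (!c.attributes.secure) missing.push('Secure');
    if (missing.length) findings.push({ name: c.name, missing });
  }
  return findings;
}

// Constructed sample headers: a session cookie set with no attributes, one set
// with the attributes in place, and a preference cookie that is not a session.
const sampleHeaders = [
  'PHPSESSID=7d2c91ab; path=/',
  'sid=4f1a9c02; Path=/; Secure; HttpOnly; SameSite=Lax',
  'theme=dark; Path=/',
];

console.log(auditCookies(sampleHeaders));
// -> [ { name: 'PHPSESSID', missing: [ 'HttpOnly', 'Secure' ] } ]
```

HttpOnly does not close the XSS hole itself; an injected script can still drive the logged-in session from inside the browser, which is exactly what the XSS-Proxy chapter describes. It does stop the cookie from leaving the browser, so the attacker cannot replay the session ID from elsewhere.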


    3 XSS-Proxy [5]

    XSS-Proxy is fundamentally a cutting-edge Cross-Site Scripting attack tool. Cross-Site Scripting has, erroneously, not stimulated great concern among certain security experts; however, XSS-Proxy's ability to let attackers control attacks entirely remotely may change that misconception. This new generation of Cross-Site Scripting, especially with the additional aid of JavaScript Remoting, has the ability to make remote attacks bi-directional, interactive, and above all, much more menacing to users.

    Once a diversion has been created and the victim has left the XSS window open, the attacker has control of the browser. The attacker then has the ability to access other XSS-susceptible sites or redirect distinct blind requests to other servers. One way this can occur is through XSS vectors sent by blogs, email, etc. A victim clicks on a URL and is redirected to another site (typically a banking site, or another site that may hold personal account information), where the JavaScript sends a request for additional script commands. This is followed by a fairly complex process on the attacker's side, including submission processing, response forwarding, error management, etc. During the user's idle time, the attacker has the capacity to view, alter, and submit the victim's personal documents. In addition, the attacker can take on the victim's identity (especially in cases where the victim has logged into a particular site) and ride on the pre-existing session (session riding).

    4 The Impact [6]

    The negative impacts of XSS are far-reaching, diverse, and potentially devastating. If an attacker gains access to authentication cookies and session management tokens, hijacking a victim's session without going through the authentication process becomes straightforward. Making the situation more serious is the fact that the process is unfortunately easy to master. Because the damaging scripts run in a seemingly trusted setting, the attacker has the opportunity to view the document fields filled out by the victim. Another possible incursion is for the attacker to create a hidden window on the victim's machine which logs each of the victim's keystrokes (including passwords and other private information, to be used by the attacker later). The attacker can also use malicious code against HTTPS and override warnings that would otherwise be shown to the user. These situations can lead to identity theft, account hijacking, alteration of user settings, cookie theft, false advertising, and the spread of webmail-based worms. Attackers are most interested in sites that process credit card details, produce results based on what a user enters into a search engine, and store user content.

    For internet users and merchants, this topic is alarming and may pose many security issues. XSS holes can be devastating and costly to businesses, especially if the attacker publicizes the flaws. Such security leaks can erode customer confidence.


    5 Vulnerability checking [7]

    Analyzing your susceptibility to becoming the victim of a code insertion attack is a vital element of user internet safety. Ignorance of internet fraud puts users on the front line for attacks. Despite the fact that many users are aware of holes in security, they lack the knowledge to close them. The road to protection can be very basic and involves interpreting the client-side HTML composition.

    One of the simplest ways of analyzing your weakness is by entering a scripting format. By entering a scripting format into all input fields, application vulnerability can be assessed. If a warning appears in the form of "XSS Vulnerable", you are dealing with a susceptible component. An improperly loaded HTML page after a script check is also an indication of page vulnerability. There are various other ways of assessing vulnerability as well, including assessment of hidden fields and variable string substitution. Also, once XSS holes have been evaluated, investigate whether the site distributes cookies. Cookie theft can be accomplished on any site that operates with them.

    If an application component responds differently to GET and POST submissions, its susceptibility to URL-based scripting attacks is low. New XSS attack methods are being developed every day, which elevates the risk and should encourage users to educate themselves.
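The check described in this chapter, submitting a scripting format through every input field and looking at what comes back, can be turned into a regression test on your own application's rendering code. The JavaScript below is an added example, not from the paper: it pushes a canary through each field of a render function and reports, per field, whether the canary was not reflected, came back encoded, or came back with HTML special characters intact. It goes beyond the text by probing each special character separately, which exposes the partial fix (only `<` and `>` encoded) that leaves attribute contexts open. The render functions, field names and canary are constructed; nothing is sent to a live server.

```javascript
// Added example (not from the paper): an automated form of the vulnerability
// check described in section 5, intended as a regression test on your own
// application's output. Render functions, field names and the canary below
// are constructed for the demonstration.

// The characters that matter in HTML text and attribute contexts. Each is
// probed on its own so that partial encoding is reported, not hidden.
const CANARY_CHARS = '<>"\'&';
const SUFFIX = 'end';   // terminator so 'tag&' is not matched inside 'tag&amp;'

// `render` takes a {field: value} map and returns HTML. For every field, each
// special character is submitted after a per-field tag; the page is then
// searched for the tag (reflected at all?) and for the raw tag+char+suffix
// (reflected without encoding?).
function probeRender(render, fields) {
  const report = {};
  for (const field of fields) {
    const tag = `xsschk${field}`;
    const raw = [];
    let reflected = false;
    for (const ch of CANARY_CHARS) {
      const input = Object.fromEntries(fields.map(f => [f, 'benign']));
      input[field] = tag + ch + SUFFIX;
      const html = render(input);
      if (!html.includes(tag)) continue;
      reflected = true;
      if (html.includes(tag + ch + SUFFIX)) raw.push(ch);
    }
    if (!reflected) report[field] = 'not reflected';
    else if (raw.length) report[field] = `raw: ${raw.join('')}`;
    else report[field] = 'encoded';
  }
  return report;
}

// Constructed renderers standing in for a search results page.
const enc = s => s.replace(/[&<>"']/g, c =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
const encTagsOnly = s => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');

function searchPageVulnerable(p) {           // echoes both fields unchanged
  return `<p>You searched for ${p.q} (sorted by ${p.sort})</p>`;
}
function searchPageFixed(p) {                // encodes both fields
  return `<p>You searched for ${enc(p.q)} (sorted by ${enc(p.sort)})</p>`;
}
function searchPagePartial(p) {              // common half-fix: tags only
  return `<p>You searched for ${encTagsOnly(p.q)}</p>`;
}

const FIELDS = ['q', 'sort', 'page'];        // 'page' is never shown on the page
console.log(probeRender(searchPageVulnerable, FIELDS));
// -> { q: 'raw: <>"\'&', sort: 'raw: <>"\'&', page: 'not reflected' }
console.log(probeRender(searchPageFixed, FIELDS));
// -> { q: 'encoded', sort: 'encoded', page: 'not reflected' }
console.log(probeRender(searchPagePartial, ['q']));
// -> { q: 'raw: "\'&' }
```

A field reported as `encoded` only says the characters were transformed on the way out; the probe does not know which output context the field lands in, so it is a check on the encoding step, not proof that the page is safe.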

    6 Solutions and workarounds [8]

    As alarming as this subject is, there are ways for users to protect themselves. The best advice is to only follow main and direct links to websites. If, while surfing, a link catches your eye, search for its main site instead of clicking on the link. By following that rule, users will practically eliminate all associated risks. If you intend to read a message board from unknown users, protect yourself by switching off JavaScript in the browser settings or changing your security settings to the maximum level of security. Another simple way to avoid XSS problems is to encode all HTML characters, so that the browser cannot interpret attacker-supplied data as HTML. Furthermore, client-side scripts can, under some circumstances, be entirely avoided by disabling scripting altogether.

    Encrypted sites and others that operate with SSL (https) are equally exposed to attacks. A lock symbol in the browser does not necessarily indicate security; in those cases the attacks are simply carried out over an encrypted connection.


    7 Conclusion

    This paper points out how Cross-Site Scripting can lead to identity theft, account hijacking, alteration of user settings, cookie theft, false advertising, and the spread of webmail-based worms. These situations can occur unexpectedly, even to the most knowledgeable of users. Forms of hacking are developing right along with internet applications. Moreover, company reputations can be damaged, causing customer dissatisfaction and mistrust. New applications also come with previously unknown holes that can be penetrated as soon as a technique arises that can do so.

    These risks could easily be counteracted if we could raise awareness and educate users. Also, by taking more time to assess and improve products before distributing them, companies can prevent this entire problem at the root.


    8 Appendix

    Examples of Cross-site Scripting

    Example 1 [A]:

    Phpnuke cross site scripting vulnerability

    Hi nuke webmasters,

    Phpnuke cross site scripting vulnerability. Affected version: 5.3.1 and prior, perhaps others... perhaps all. PostNuke affected too.

    No more explanation, it is enough with cross site scripting... I'm bored with CSS vuln ;)

    http://www.phpnuke.org/user.php?op=userinfo&uname=<script>alert(document.cookie);

    This is another way to steal cookies, as I explained in my previous post, but without using the IE 5.5 vulnerability. http://www.isecurelabs.com/article.php?sid=230

    regards,

    Example 2 [B]:

    Here are a few holes that I've found in PHPNuke. 5 Cross Site Scripting.

    http://phpnuke.org/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=02&ttitle=[JAVASCRIPT]

    http://phpnuke.org/modules.php?name=Downloads&d_op=ratedownload&lid=118&ttitle=[JAVASCRIPT]

    http://phpnuke.org/modules.php?op=modload&name=Members_List&file=index&letter=[JAVASCRIPT]

    http://phpnuke.org/submit.php?subject=[JAVASCRIPT]&story=[JAVASCRIPT]&storyext=[JAVASCRIPT]&op=Preview

    http://phpnuke.org/user.php?op=userinfo&uname=[JAVASCRIPT] ==> This hole was not found by Aurelien Cabezon.

    and /admin.php?upload=Go! which is the same as upload=1.


    Example 3 [C]:

    Phpnuke module.php vulnerability and php error_reporting issue

    From: Cabezon Aurélien <[email protected]>

    To: <[email protected]>

    Subject: [VulnWatch] Phpnuke module.php vulnerability and php error_reporting issue

    [ Phpnuke module.php vulnerability and PHP error_reporting issue ] on 16 December by Cabezon Aurélien | [email protected]

    As you know, there are many cross site scripting issues in Phpnuke modules and other web applications using PHP.

    There is a cross site scripting issue because: [1] there is a lack of checks on user input in module.php; [2] PHP does not deal well with error reporting.

    I found my website vulnerable to another cross site scripting vulnerability; I thought the problem was in XForum (forum module for phpnuke). It was, but it was also in the way that PHP reports errors and deals with error messages.

    --- Vulnerable line in module.php ---
    include("modules/$name/$file.php");
    --- Vulnerable line in module.php ---

    Exploit: http://host.com/modules.php?op=modload&name=XForum&file=[hostilejavascript]&fid=2

    Hostile javascript could be: {script}alert(document.cookie);{/script} that displays your cookie. Replace {} by

    This crafted URL causes the module.php script to produce a PHP error report like this:

    --- php error report ---
    Warning: Failed opening 'modules/XForum/.php' for inclusion (include_path='') in /home/foo/htdocs/modules.php on line 27
    --- php error report ---

    When your browser displays the error report, it parses the hostile javascript too... I found an easy and fast way to fix this problem and other cross site scripting issues regarding module.php and other web applications using PHP: just turn off PHP error reporting and wait for a fix from the PHP devel team :) The error_reporting function should check for bad inputs.

    Temp fix for phpnuke module.php:

    --- start of module.php ---
    <?php
    error_reporting(0); // Add this line: just turn off error_reporting

    // original file
    switch ($op) {
        case "modload":
            if (!isset($mainfile)) { include("mainfile.php"); }
            // only ".." is rejected; $name and $file otherwise reach the include unchanged
            if (ereg("\.\.", $name) || ereg("\.\.", $file)) {
                echo "You are so cool";
                break;
            } else {
                include("modules/$name/$file.php");
            }
            break;

        default:
            die("Sorry, you can't access this file directly...");
            break;
    }
    --- end of module.php ---
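The temporary fix in Example 3 only hides the error page that reflected the hostile parameter; the loader still builds an include path from request data and rejects nothing but "..". The JavaScript below is an added example, not code from the mailing-list post or from PHP-Nuke: it reproduces the loader's decision logic beside a structural fix that validates both parameters against an allow-list, checks them against a table of known modules, and returns fixed error strings that never carry request data back to the browser. The module table, parameter names and request objects are constructed, and a table lookup stands in for the PHP include.

```javascript
// Added example (not from the post or from PHP-Nuke): the module loader's
// decision logic from Example 3, and a structural fix for it. A lookup in a
// constructed table of known modules stands in for the PHP include.

const KNOWN_MODULES = {            // constructed; a real site would list its own
  XForum: ['index', 'viewtopic'],
  Downloads: ['index'],
};
function moduleExists(name, file) {
  return Object.prototype.hasOwnProperty.call(KNOWN_MODULES, name)
    && KNOWN_MODULES[name].includes(file);
}

// Behaviour of the original loader: reject only "..", otherwise build the
// path from the request. On a missing file the PHP warning repeated the path,
// and with it the request data, verbatim on the page.
function resolveModuleOriginal(params) {
  const { name = '', file = '' } = params;
  if (/\.\./.test(name) || /\.\./.test(file)) return { error: 'You are so cool' };
  const path = `modules/${name}/${file}.php`;
  if (moduleExists(name, file)) return { path };
  return { error: `Warning: Failed opening '${path}' for inclusion` };
}

// Structural fix: an allow-list on the characters a module or file name may
// contain, an existence check against the known modules, and fixed error
// strings. Request data never appears in the response.
const MODULE_NAME_RE = /^[A-Za-z0-9_]{1,32}$/;
function resolveModuleFixed(params) {
  const { name = '', file = '' } = params;
  if (!MODULE_NAME_RE.test(name) || !MODULE_NAME_RE.test(file)) {
    return { error: 'Invalid module request' };
  }
  if (!moduleExists(name, file)) return { error: 'Unknown module' };
  return { path: `modules/${name}/${file}.php` };
}

// Constructed requests: a legitimate one and the shape of the one in the post.
const legit = { name: 'XForum', file: 'index' };
const hostile = { name: 'XForum', file: '<script>alert(document.cookie)</script>' };

console.log(resolveModuleOriginal(hostile)); // error string carries the markup
console.log(resolveModuleFixed(hostile));    // { error: 'Invalid module request' }
```

Turning off error_reporting, as the post suggests, remains a reasonable production setting, but as a defence it only removes one of the places the unchecked parameter was echoed; validating the parameter removes the problem at its source.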


    9 Bibliography

    Online Sources

    1. Bachfeld, Daniel. Cross-Site-Scripting: Datenklau über Bande. 16 June 2006 [1]

    2. Endler, David. The Cross Site Scripting FAQ. 16 June 2006 [6] [7] [8]

    3. GNU Free Documentation License. Cross-site Scripting. Wikipedia, The Free Encyclopedia (2006). 16 June 2006 [2] [8]

    4. ---. Cross-site Scripting. Wikipedia, The Free Encyclopedia (2006). 16 June 2006 [2] [8]

    5. Ollmann, Gunter. HTML Code Injection and Cross-site Scripting. 16 June 2006 [4] [6] [7]

    6. Rager, Anton. XSS-Proxy. 16 June 2006 [5]

    7. Sumit, Siddharth, and Doshi Pratiksha. Five Common Web Application Vulnerabilities. 16 June 2006

    8. Champeon, Steve. XSS, Trust, and Barney. 16 June 2006 [8]


    Examples

    A. Aurélien, Cabezon. Phpnuke cross site scripting vulnerability. 16 June 2006

    B. frog, frog. 5 PHPNuke Cross Site Scripting holes. 16 June 2006

    C. Aurélien, Cabezon. Phpnuke module.php vulnerability and php error_reporting issue. 16 June 2006 [11]

    Figures

    Fig 1 Endler, David. The Evolution of Cross Site Scripting Attacks. 20 May 2002