A2: CROSS SITE SCRIPTING Introduction to the OWASP Top 10


Page 1: Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based

A2: CROSS SITE SCRIPTING
Introduction to the OWASP Top 10

Page 2:

Cross Site Scripting (XSS) comes in several flavors:

- Stored
- Reflective
- DOM-Based

Page 3:

Stored XSS

Malicious code is posted to a site (blog, guestbook, etc.), stored server-side, and later displayed back to other site visitors

The code is executed by each victim's browser whenever someone views a page that renders the stored XSS payload; no link has to be clicked

Page 4:

Reflective XSS

Malicious code is embedded in a URL, typically in a query parameter

Following the URL sends the code to the server, which displays (reflects) it back in the response page

The browser runs the reflected script with the vulnerable site's origin, so it can read that site's cookies and DOM, even though the script really came from the attacker's "trusted"-looking link

Normally this requires a parameter sent with the GET method so the payload fits in a link, but POST-based reflection can be triggered too, for example by an attacker page that auto-submits a form to the vulnerable site

Page 5:

DOM-Based XSS

The payload modifies the Document Object Model inside the client's browser; the server may never handle the malicious code at all

The malicious code is placed in a part of the URL that client-side script reads, such as the fragment after #, and is written into the DOM by that script

Ex: http://www.some.site/page.html#language=<script>alert(document.cookie)</script>

The payload is executed when the page's own script looks up the value with document.location.href.indexOf("language=") and writes it into the page, e.g. with document.write(). Because the fragment is never sent in the HTTP request, server-side filtering and logging do not see it
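The DOM-based flow above, as an added example that is not part of the original slides. It runs under plain Node with no browser: a string stands in for document.location.href and the functions return the HTML that document.write() would receive. It assumes the vulnerable page decodes the fragment value before writing it, which is common and is what keeps the payload live in browsers that percent-encode < and > in location.href. The hardened version also shows the allow-list defense from the defenses slide.

```javascript
// Added example, not from the original slides. Models the DOM-based XSS flow
// in plain Node: document.location.href is a string, document.write() is a
// returned string. Assumption: the page decodes the fragment value (common).

// Constructed sample: the URL from the slide.
const SAMPLE_URL =
  "http://www.some.site/page.html#language=<script>alert(document.cookie)</script>";

// What the server receives: path and query only. The fragment (#...) stays in
// the browser, so server-side logs and filters never see the payload.
function serverSideView(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// The vulnerable client-side logic from the slide: locate "language=" in
// document.location.href and hand the rest of the string to document.write.
function vulnerableLanguageSnippet(href) {
  const marker = "language=";
  const pos = href.indexOf(marker);
  if (pos === -1) return "<option selected>English</option>";
  const lang = decodeURIComponent(href.substring(pos + marker.length));
  // document.write() would parse this HTML and execute the <script> element.
  return `<option selected>${lang}</option>`;
}

// Hardened version: parse the fragment with a real parser and accept only a
// value from a fixed allow-list, so attacker-controlled text never reaches
// the sink. This is the "whitelist" defense from the defenses slide.
const ALLOWED_LANGUAGES = new Set(["English", "French", "German"]);

function safeLanguageSnippet(href) {
  const fragment = new URL(href).hash.slice(1); // drop the leading "#"
  const lang = new URLSearchParams(fragment).get("language");
  const chosen = ALLOWED_LANGUAGES.has(lang) ? lang : "English";
  return `<option selected>${chosen}</option>`;
}

// Browsers serialize location.href, so this is the string the page really sees
// (the fragment's < and > come back percent-encoded).
const browserHref = new URL(SAMPLE_URL).href;
console.log("server sees:", serverSideView(browserHref));
console.log("vulnerable: ", vulnerableLanguageSnippet(browserHref));
console.log("hardened:   ", safeLanguageSnippet(browserHref));
```

Run it with `node dom-xss.js`: the server-side view is just `/page.html`, the vulnerable snippet contains the raw `<script>` element, and the hardened snippet falls back to `English` because the payload is not in the allow-list.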

Page 6:

XSS Risks

- Display an alert box: pretty benign, but proof that attacker script runs
- Redirect the user to another server
- Pass session and other cookies to another server
- Hijack the user's session (with HttpOnly cookies the script cannot read the cookie, but it can still make requests as the logged-in user from within the page)

Page 7:

XSS Defenses

Never place untrusted data inside <script> blocks, <!-- comments -->, attribute names (<div UNTRUSTED=val />) or tag names (<UNTRUSTED href="/url" />); there is no safe escaping for those locations

Escape all untrusted content before it is used in an HTML context, and pick the encoding for the context it lands in (element body, quoted attribute value, JavaScript string, URL parameter)

"Whitelist" input validation: only allow input from a predefined set of acceptable values and reject everything else

Your framework may do some or all of this for you (check which contexts its auto-escaping covers and where it can be switched off)

Libraries are available as well, e.g. the OWASP Java Encoder project
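Context-aware output encoding, the "escape all untrusted content" defense above, as an added example that is not part of the original slides. The encoders are written inline for illustration (a real application should use its framework's or a maintained library's encoders); the four rendering contexts and the sample payloads are constructed for the demo. It runs under plain Node.

```javascript
// Added example, not from the original slides: output encoding by context.
// The encoders below are illustrative stand-ins for a maintained library.

// Element-content and quoted-attribute context: HTML entity encode the five
// characters that can change the meaning of the surrounding markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: \xHH / \uHHHH encode everything that is
// not alphanumeric, so the value can never close the quote or the script block.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Vulnerable: the same untrusted value concatenated straight into four contexts.
function renderUnsafe(name) {
  return [
    `<p>Hello ${name}</p>`,
    `<input value="${name}">`,
    `<script>var user = "${name}";</script>`,
    `<a href="/profile?user=${name}">profile</a>`,
  ].join("\n");
}

// Hardened: one encoder per context. HTML entity encoding is correct for the
// first two lines but would NOT protect the JavaScript string or the URL
// parameter, which is why the last two lines use different encoders.
function renderSafe(name) {
  return [
    `<p>Hello ${escapeHtml(name)}</p>`,
    `<input value="${escapeHtml(name)}">`,
    `<script>var user = "${escapeJsString(name)}";</script>`,
    `<a href="/profile?user=${encodeURIComponent(name)}">profile</a>`,
  ].join("\n");
}

// Constructed payloads, one per breakout technique.
const PAYLOADS = {
  scriptTag: "<script>alert(document.cookie)</script>",
  attributeBreakout: '" onmouseover="alert(1)',
  jsStringBreakout: '"; alert(1); //',
};

for (const [label, payload] of Object.entries(PAYLOADS)) {
  console.log(`--- ${label}: unsafe ---\n${renderUnsafe(payload)}`);
  console.log(`--- ${label}: safe ---\n${renderSafe(payload)}\n`);
}
```

In the safe output the browser still displays the text the user typed (entities render as their characters), but nothing it typed is parsed as markup, script or a new URL parameter.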