Upload
aldilnojinjalo
View
214
Download
0
Embed Size (px)
Citation preview
7/28/2019 Preventing XSS Attacks
1/10
Preventing XSS Attacks
Submitted by Jeremy Pullicino on March 22, 2011 10:24 pm2 CommentsCross Site Scripting (XSS) attacks are amongst the most common types of attacks against web
applications. XSS attacks all fall under the same category however a more detailed look at the
techniques employed during XSS operations reveals a multitude of tactics that exploit a variety of
attack vectors. A detailed look at XSS attacks can be found in the following article; Cross-Site
Scripting attack.
This article guides you through the most common and useful XSS prevention mechanisms which
are Filtering and Escaping.
Filtering for XSSAll XSS attacks infect your web site via some form of User Input. XSS attack code could come
from a simple submitted by your users, or could take a more complex route such as a
JSON script, XML web service or even an exploited cookie. In all cases the web developer should
be aware that the data is coming from an external source and therefore must not be trusted.
The simplest and arguably the easiest form of XSS protection would be to pass all external data
through a filter which will remove dangerous keywords, such as the infamous tag,
JavaScript commands, CSS styles and other dangerous HTML markup (such as those that contain
event handlers.)
Many web developers choose to implement their own filtering mechanisms; they usually write
server-side code (in PHP, ASP, or some other web-enabled development language) to search forkeywords and replace them with empty strings. I have seen lots of code that makes use of Regular
Expressions to do this filtering and replacing. This technique is in itself not a bad one, however
unfortunately the hackers usually have more experience than the web developers, and often manage
to circumvent simple filters by using techniques such as hex encoding, unicode character variations,
line breaks and null characters in strings. These techniques must all be catered for and that is why it
is recommended to use some sort of library that has been tried and tested by the community at large.
Many libraries exist to choose from, and your choice will primarily depend on the backend
technology that your web server uses. What is important is that you choose a library that is regularly
maintained by a reliable source. XSS techniques keep changing and new ones emerge all the time
so your filters will need to be updated periodically to keep abreast with the changing attacks.If you are using Java, then a good place to go is XSS Protect, a project hosted on Google code. It
claims to filter all known XSS attacks from HTML code. PHP boasts a more comprehensive
library called HTML Purifier which licensed as Open Source and can be customised depending on
your needs. HTML Purifier also boasts strict standards compliance and better features than other
filters.
Another interesting library you can use is HTML Markdown which converts text from your users
into standard and clean XHTML. This gives the advantage that minimal HTML Markup can exist in
your users input (such as bold, underline and colours). HTML Markdown is a Perl library and does
not explicitly advertise XSS prevention features so it probably should not be your only line of
defence.
The side-effect with these filtering techniques is that legitimate text is often removed because it hits
one or more of the forbidden keywords. For example, I would not be able to publish this article if
http://www.acunetix.com/blog/author/jeremyp/http://www.acunetix.com/websitesecurity/cross-site-scripting.htmhttp://www.acunetix.com/websitesecurity/cross-site-scripting.htmhttp://www.acunetix.com/websitesecurity/cross-site-scripting.htmhttp://www.acunetix.com/websitesecurity/cross-site-scripting.htmhttp://www.acunetix.com/blog/author/jeremyp/7/28/2019 Preventing XSS Attacks
2/10
the blogging software I used was filtering out all my HTML tags. I would not be able to write things
like and alert(you have been hacked) as these would be filtered out and you would
not see them. If you want to preserve the original data (and its formatting) as best as possible you
would need to relax your filters and employ HTML, Script and CSS Escaping techniques, all of
which I explain in the next section.
Escaping from XSS
This is the primary means to disable an XSS attack. When performing Escaping you are effectively
telling the browser that the data you are sending should be treated as data and should not be
interpreted in any other way. If an attacker manages to put a script on your page, the victim will not
be affected because the browser will not execute the script if it is properly escaped.
Escaping has been used to construct this article. I have managed to bring many scripts into your
browser, but none of these scripts has executed! The technique used to do that is called, escaping, or
as the W3C calls it Character Escaping.
In HTML you can escape dangerous characters by using the sequence followed by the its
character code.
An escaped < character looks like this: character is escaped like this: >. Below is a
list of common escape codes for HTML:
" ---> "
# ---> #
& ---> &
' ---> '
( ---> (
) ---> )
/ ---> / ---> ;
< ---> ---> >
Escaping HTML is fairly easy, however in order to properly protect yourself from all XSS attacks
you require to escape JavaScript, Cascading Style Sheets, and sometimes XML data. There are also
many pitfalls if you try to do all the escaping by yourself. This is where an Escaping Library comes
useful.
The two most popular escaping libraries available are the ESAPI provided by OWASP and
AntiXSS provided for Microsoft. ESAPI can plug into various technologies such as Java, .NET,
PHP, Classic ASP, Cold Fusion, Python, and Haskell. AntiXSS exclusively protects Microsofttechnologies and is therefore better suited in an all-Microsoft environment. Both libraries are
constantly updated to keep up with the latest hacker techniques and are maintained by industry
experts who understand changing tactics and emerging technologies such as HTML5.
When to Escape
You cannot just simply escape everything, or else your own scripts and HTML markup will not
work, rendering your page useless.
There are several places on your web page which you need to ensure are properly escaped. You can
use your own escaping functions (not recommended) and you can use the existing ESAPI andAntiXSS libraries.
7/28/2019 Preventing XSS Attacks
3/10
Use HTML Escaping when
Untrusted data is inserted in between HTML opening and closing tags. These are standards tags
such as , , etc
For example:
IF THIS DATA IS UNTRUSTED IT MUST BE HTML ESCAPED
Use JavaScript Escaping when
Untrusted data is inserted inside one of your scripts, or in a place where JavaScript can be present.
This includes certain attributes such as STYLE and all event handlers such as ONMOUSEOVER
and ONLOAD
For example:
alert('IF THIS DATA IS UNTRUSTED IT MUST BE JAVASCRIPT
ESCAPED')
7/28/2019 Preventing XSS Attacks
4/10
Above is a
diagram visually representing the internet boundary and where filtering and escaping must happen
to ensure XSS protection.
XSS Attacks are a moving target
In this article I attempted to collect as many recommendations and best practices used by security
researchers worldwide. This recommendations set out in this article are by no means exhaustive,
however they should be a good starting point for your XSS defence endeavours.
Technology is changing, and hacker attacks are getting more sophisticated but by understanding the
basics set out in this article you can be prepared to prevent future attack techniques that will most
definitely arise.
The first step in defending against XSS attacks is to code your web applications carefully and use
the proper escaping mechanisms in the right places. After that comprehensive testing should be
performed, ideally using an automated XSS scanner. When updates are made to your web
applications, you should scan the affected pages again to ensure that no new vulnerabilities have
been exposed.
Share and Enjoy:
http://reddit.com/submit?url=http%3A%2F%2Fwww.acunetix.com%2Fblog%2Fweb-security-zone%2Farticles%2Fpreventing-xss-attacks%2F&title=Preventing%20XSS%20Attackshttp://twitter.com/home?status=Preventing%20XSS%20Attacks%20-%20http%3A%2F%2Fwww.acunetix.com%2Fblog%2Fweb-security-zone%2Farticles%2Fpreventing-xss-attacks%2Fhttp://www.acunetix.com/blog/wp-content/uploads/2011/02/XSS_Filter_Escape.png7/28/2019 Preventing XSS Attacks
5/10
2 Comments
mcksays:
April 12, 2011 at 1:30 pm
Theres another open sourced library to do this called XSS-HTML-FILTER at http://xss-
html-filter.sf.net
Norways second largest website describes how they use it here
http://tech.finn.no/2011/04/08/xss-protection-whos-responsibility/
Sobre prevencin de Cross Site Scripting Mbpfernand0's Blogsays:
May 19, 2011 at 4:35 pm
[...] en seguridad, Etiquetado consejos, Cross,, desarrollo, Scripting,, seguridad, site,, XSS
En Preventing XSS Attacks un artculo generalista sobre el tema. Recomiendan un proyecto
alojado en Google Code: If you are [...]
Cross Site Scripting AttackWhat is Cross Site Scripting?
Hackers are constantly experimenting with a wide repertoire of hacking techniques to compromise
websites and web applications and make off with a treasure trove of sensitive data including credit
card numbers, social security numbers and even medical records.
Cross Site Scripting (also known as XSS or CSS) is generally believed to be one of the most
common application layer hacking techniques.
In the pie-chart below, created by the Web Hacking Incident Database for 2011 (WHID) clearly
shows that whilst many different attack methods exist, SQL injection and XSS are the most popular.
To add to this, many other attack methods, such as Information Disclosures, Content Spoofing and
Stolen Credentials could all be side-effects of an XSS attack.
http://www.acunetix.com/blog/web-security-zone/articles/preventing-xss-attacks/#comment-11725http://www.acunetix.com/blog/web-security-zone/articles/preventing-xss-attacks/#comment-11725http://xss-html-filter.sf.net/http://xss-html-filter.sf.net/http://tech.finn.no/2011/04/08/xss-protection-whos-responsibility/http://mbpfernand0.wordpress.com/2011/05/19/sobre-prevencion-de-cross-site-scripting/http://www.acunetix.com/blog/web-security-zone/articles/preventing-xss-attacks/#comment-11852http://xss.htm/http://www.facebook.com/share.php?u=http%3A%2F%2Fwww.acunetix.com%2Fblog%2Fweb-security-zone%2Farticles%2Fpreventing-xss-attacks%2F&t=Preventing%20XSS%20Attackshttp://technorati.com/faves?add=http%3A%2F%2Fwww.acunetix.com%2Fblog%2Fweb-security-zone%2Farticles%2Fpreventing-xss-attacks%2Fhttp://www.google.com/bookmarks/mark?op=edit&bkmk=http%3A%2F%2Fwww.acunetix.com%2Fblog%2Fweb-security-zone%2Farticles%2Fpreventing-xss-attacks%2F&title=Preventing%20XSS%20Attacks&annotation=Cross%20Site%20Scripting%20%28XSS%29%20attacks%20are%20amongst%20the%20most%20common%20types%20of%20attacks%20against%20web%20applications.%20XSS%20attacks%20all%20fall%20under%20the%20same%20category%20however%20a%20more%20detailed%20look%20at%20the%20techniques%20employed%20during%20XSS%20operations%20reveals%20a%20multitude%20ohttp://www.stumbleupon.com/submit?url=http%3A%2F%2Fwww.acunetix.com%2Fblog%2Fweb-security-zone%2Farticles%2Fpreventing-xss-attacks%2F&title=Preventing%20XSS%20Attackshttp://www.linkedin.com/shareArticle?mini=true&url=http%3A%2F%2Fwww.acunetix.com%2Fblog%2Fweb-security-zone%2Farticles%2Fpreventing-xss-attacks%2F&title=Preventing%20XSS%20Attacks&source=Acunetix+Web+Application+Security+Blog+Acunetix+Web+Application+Security+Blog&summary=Cross%20Site%20Scripting%20%28XSS%29%20attacks%20are%20amongst%20the%20most%20common%20types%20of%20attacks%20against%20web%20applications.%20XSS%20attacks%20all%20fall%20under%20the%20same%20category%20however%20a%20more%20detailed%20look%20at%20the%20techniques%20employed%20during%20XSS%20operations%20reveals%20a%20multitude%20ohttp://delicious.com/post?url=http%3A%2F%2Fwww.acunetix.com%2Fblog%2Fweb-security-zone%2Farticles%2Fpreventing-xss-attacks%2F&title=Preventing%20XSS%20Attacks¬es=Cross%20Site%20Scripting%20%28XSS%29%20attacks%20are%20amongst%20the%20most%20common%20types%20of%20attacks%20against%20web%20applications.%20XSS%20attacks%20all%20fall%20under%20the%20same%20category%20however%20a%20more%20detailed%20look%20at%20the%20techniques%20employed%20during%20XSS%20operations%20reveals%20a%20multitude%20ohttp://digg.com/submit?phase=2&url=http%3A%2F%2Fwww.acunetix.com%2Fblog%2Fweb-security-zone%2Farticles%2Fpreventing-xss-attacks%2F&title=Preventing%20XSS%20Attacks&bodytext=Cross%20Site%20Scripting%20%28XSS%29%20attacks%20are%20amongst%20the%20most%20common%20types%20of%20attacks%20against%20web%20applications.%20XSS%20attacks%20all%20fall%20under%20the%20same%20category%20however%20a%20more%20detailed%20look%20at%20the%20techniques%20employed%20during%20XSS%20operations%20reveals%20a%20multitude%20ohttp://www.acunetix.com/blog/web-security-zone/articles/preventing-xss-attacks/#comment-11725http://xss-html-filter.sf.net/http://xss-html-filter.sf.net/http://tech.finn.no/2011/04/08/xss-protection-whos-responsibility/http://mbpfernand0.wordpress.com/2011/05/19/sobre-prevencion-de-cross-site-scripting/http://www.acunetix.com/blog/web-security-zone/articles/preventing-xss-attacks/#comment-11852http://xss.htm/7/28/2019 Preventing XSS Attacks
6/10
In general, cross-site scripting refers to that hacking technique that leverages vulnerabilities
in the code of a web application to allow an attacker to send malicious content from an end-
user and collect some type of data from the victim.
Today, websites rely heavily on complex web applications to deliver different output or content to a
wide variety of users according to set preferences and specific needs. This arms organizations with
the ability to provide better value to their customers and prospects. However, dynamic websites
suffer from serious vulnerabilities rendering organizations helpless and prone to cross site scripting
attacks on their data.
"A web page contains both text and HTML markup that is generated by the server and interpreted
by the client browser. Web sites that generate only static pages are able to have full control overhow the browser interprets these pages. Web sites that generate dynamic pages do not have
complete control over how their outputs are interpreted by the client. The heart of the issue is that if
mistrusted content can be introduced into a dynamic page, neither the web site nor the client has
enough information to recognize that this has happened and take protective actions." (CERT
Coordination Center).
Cross Site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML,
or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in
order to gather data. The use of XSS might compromise private information, manipulate or steal
cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on
the end-user systems. The data is usually formatted as a hyperlink containing malicious content andwhich is distributed over any possible means on the internet.
As a hacking tool, the attacker can formulate and distribute a custom-crafted CSS URL just by
using a browser to test the dynamic website response. The attacker also needs to know some
HTML, JavaScript and a dynamic language, to produce a URL which is not too suspicious-looking,
in order to attack a XSS vulnerable website.
Any web page which passes parameters to a database can be vulnerable to this hacking technique.
Usually these are present in Login forms, Forgot Password forms, etc
N.B. Often people refer to Cross Site Scripting as CSS or XSS, which is can be confused with
Cascading Style Sheets (CSS).
The Theory of XSS
In a typical XSS attack the hacker infects a legitimate web page with his malicious client-side
http://javascript.htm/http://javascript.htm/http://javascript.htm/7/28/2019 Preventing XSS Attacks
7/10
script. When a user visits this web page the script is downloaded to his browser and executed. There
are many slight variations to this theme, however all XSS attacks follow this pattern, which is
depicted in the diagram below.
As a web developer you are putting measures in place to secure the first step of the attack. You want
to prevent the hacker from infecting your innocent web page with his malicious script. There are
various ways to do that, and this article goes into some technical detail on the most important
techniques that you must use to disable this sort of attack against your users.
XSS Attack Vectors
So how does a hacker infect your web page in the first place? You might think, that for an attacker
to make changes to your web page he must first break the security of the web server and be able toupload and modify files on that server. Unfortunately for you an XSS attack is much easier than
that.
Internet applications today are not static HTML pages. They are dynamic and filled with ever
changing content. Modern web pages pull data from many different sources. This data is
amalgamated with your own web page and can contain simple text, or images, and can also contain
HTML tags such as
for paragraph, for image and for scripts. Many times the
hacker will use the comments feature of your web page to insert a comment that contains a script.
Every user who views that comment will download the script which will execute on his browser,
causing undesirable behaviour. Something as simple as a Facebook post on your wall can contain a
malicious script, which if not filtered by the Facebook servers will be injected into your Wall andexecute on the browser of every person who visits your Facebook profile.
By now you should be aware that any sort of data that can land on your web page from an external
source has the potential of being infected with a malicious script, but in what form does the data
come?
The tag is the most popular way and sometimes easiest to detect. It can arrive to your
page in the following forms:
External script:
Embedded script:
7/28/2019 Preventing XSS Attacks
8/10
alert(XSS);
The tag can contain an embedded script by using the ONLOAD event, as shown below:
The BACKGROUND attribute can be similarly exploited:
Some browsers will execute a script when found in the tag as shown here:
There are some variations of this that work in some browsers:
The tag allows you to import HTML into a page. This important HTML can contain a
script.
If the TYPE attribute of the tag is set to IMAGE, it can be manipulated to embed a
script:
The tag, which is often used to link to external style sheets could contain a script:
The BACKGROUND attribute of the TABLE tag can be exploited to refer to a script instead of an
image:
The same applies to the tag, used to separate cells inside a table:
The tag, similar to the and tags can also specify a background and
therefore embed a script:
The STYLE attribute can also be manipulated in the following way:
The tag can be used to pull in a script from an external site in the following way:
7/28/2019 Preventing XSS Attacks
9/10
If the hacker places a malicious script inside a flash file, it can be injected in the following way:
Is your site vulnerable to Cross Site Scripting?
Our experience leads us to conclude that the cross-site scripting vulnerability is one of the mosthighly widespread flaw on the Internet and will occur anywhere a web application uses input from a
user in the output it generates without validating it. Our own research shows that over a third of the
organizations applying for our free audit service are vulnerable to Cross Site Scripting. And the
trend is upward.
Example of a Cross Site Scripting Attack
As a simple example, imagine a search engine site which is open to an XSS attack. The query
screen of the search engine is a simple single field form with a submit button. Whereas the results
page, displays both the matched results and the text you are looking for.
Search Results for "XSS Vulnerability"
To be able to bookmark pages, search engines generally leave the entered variables in the URL
address. In this case the URL would look like:
http://test.searchengine.com/search.php?q=XSS%20
Vulnerability
Next we try to send the following query to the search engine:
alert ('This is an XSS Vulnerability')
By submitting the query to search.php, it is encoded and the resulting URL would be something
like:
http://test.searchengine.com/search.php?q=%3Cscript%3
Ealert%28%91This%20is%20an%20XSS%20Vulnerability%92%2
9%3C%2Fscript%3E
Upon loading the results page, the test search engine would probably display no results for the
search but it will display a JavaScript alert which was injected into the page by using the XSS
vulnerability.
How to Check for Cross Site Scripting Vulnerabilities
To check for Cross site scripting vulnerabilities, use a Web Vulnerability Scanner. A Web
Vulnerability Scanner crawls your entire website and automatically checks for Cross Site Scriptingvulnerabilities. It will indicate which URLs/scripts are vulnerable to these attacks so that you can
fix the vulnerability easily. Besides Cross site scripting vulnerabilities a web application scanner
will also check forSQL injection & other web vulnerabilities.
Acunetix Web Vulnerability Scannerscans forSQL injection, Cross site scripting, Google hacking
and many more vulnerabilities.
Preventing Cross Site Scripting Attacks
The purpose of this article is define Cross Site Scripting attacks and give some practical examples.
Preventing XSS attacks requires diligence from the part of the programmers and the necessary
security testing. You can learn more about preventing cross-site scripting attacks here.
Scanning for XSS Vulnerabilities with Acunetix Web Vulnerability Scanner Free Edition!
To check whether your website has cross site scripting vulnerabilities, download the Free Edition
http://sql-injection.htm/http://www.acunetix.com/vulnerability-scanner/http://sql-injection.htm/http://google-hacking.htm/http://www.acunetix.com/blog/web-security-zone/articles/preventing-xss-attacks/http://sql-injection.htm/http://www.acunetix.com/vulnerability-scanner/http://sql-injection.htm/http://google-hacking.htm/http://www.acunetix.com/blog/web-security-zone/articles/preventing-xss-attacks/7/28/2019 Preventing XSS Attacks
10/10
from http://www.acunetix.com/cross-site-scripting/scanner.htm. This version will scan any website /
web application forXSS vulnerabilities and it will also reveal all the essential information related to
it, such as the vulnerability location and remediation techniques. Scanning for XSS is normally a
quick exercise (depending on the size of the web-site).
Articles on Web Security Exploiting a cross-site scripting vulnerability on Facebook
CRLF Injection attacks and HTTP Response Splitting
Apache Web Server Security
IIS Web Server Security
Web Server Security and Database Server Security
More Articles
White Papers on Web Security
A complete guide to securing a website
Why File Upload Forms are a major security threat
Finding the right web application scanner; why black box scanning is not enough
The Payment Card Industry Compliance - Securing both Merchant and Customer data.
Web Services - The Technology and its Security Concerns
More White Papers
http://www.acunetix.com/cross-site-scripting/scanner.htmhttp://xss.htm/http://website-auditing-wp.htm/http://upload-forms-threat.htm/http://rightwvs.htm/http://pci-compliance-wp.htm/http://web-services-wp.htm/http://www.acunetix.com/cross-site-scripting/scanner.htmhttp://xss.htm/http://website-auditing-wp.htm/http://upload-forms-threat.htm/http://rightwvs.htm/http://pci-compliance-wp.htm/http://web-services-wp.htm/