XSS
Web applications need to display user-supplied data back to the user
Difficulty in parsing user-supplied data properly
Causes
Data is treated as instructions: the browser cannot tell user-supplied text apart from the page's own markup and script
Effects
Attacker injects JavaScript into the displayed page. The JavaScript can take many forms, not only a <script> tag:
<a onMouseOver=javascript:alert('foo');>
<p style=foo:expression(alert('foo'))>
(the second relies on CSS expressions, which only Internet Explorer ever supported)
Reflected XSS
Script that is passed to the site in the request is rendered straight back to the browser in the response. Like string format vulnerabilities, this was originally considered a harmless bug. A common scenario is a search engine that returns a message such as "Your search for X returned Y records". Developers didn't care if site users could make popups appear in their own browser.
Copyright Justin C. Klein Keane
Example
What happens
The attacker searches for:
<script>Some JavaScript;</script>
The JavaScript executes in the search results page. Most developers, understandably, look at this and dismiss it: the only person who sees the popup is the one who typed the script.
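The search-results page above, as an added example that is not from the original slides, in a vulnerable form and a fixed form. The page name search.php, the parameter name q and the function names are assumed.

```php
<?php
// Added example (not from the original slides): the reflected XSS of the
// search-results slide in a vulnerable and a fixed form. The page name
// search.php and the parameter name q are assumed.

declare(strict_types=1);

// VULNERABLE: the raw search term is dropped straight into the HTML body,
// so a term containing markup becomes part of the page's markup.
function render_results_vulnerable(string $term, int $count): string
{
    return "<p>Your search for $term returned $count records</p>";
}

// FIXED: encode the term for the HTML body context at the point of output.
// ENT_QUOTES covers both quote characters; before PHP 8.1 the default flags
// left single quotes alone, so always pass the flags explicitly.
function render_results_fixed(string $term, int $count): string
{
    $safe = htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Your search for $safe returned $count records</p>";
}

// Constructed payload: what the attacker puts after search.php?q=
$payload = "<script>alert(document.cookie)</script>";

echo "vulnerable: ", render_results_vulnerable($payload, 0), "\n";
// The browser parses a real <script> element here and runs it.

echo "fixed:      ", render_results_fixed($payload, 0), "\n";
// The markup characters are now entities; the browser displays the text
// literally and runs nothing.

// In the real page the term comes from the request, e.g. (hypothetical
// count_matching_records() stands in for the search itself):
//   $term = $_GET['q'] ?? '';
//   echo render_results_fixed($term, count_matching_records($term));
```

Run it from the command line (php search_example.php) to see the two page fragments side by side. The fix is the same whether the term came from the query string, a cookie or a form field: the rule is to encode for the context (here the HTML body) at the moment of output.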
Weaponizing
Sanitizing Text
Often developers want users to be able to enter SOME tags (bold, italics, etc.), so they cannot simply encode everything
Many strategies for sanitizing XSS can be evaded
Example: the application searches input for all occurrences of '<script' and replaces them with ''
Attacker enters:
<<scriptscript>Some JavaScript;</script>
The substitution removes the inner '<script' and the pieces around it close up into '<script>Some JavaScript;</script>': the filter actually assembles the tag
Persistent XSS
The injected script is stored by the application (profile field, comment, product description) and served to every user who later views the page
Another Example:
<?php
// $user_desc was supplied by a user earlier and read back from the database;
// it is placed in an unquoted attribute with no encoding
echo '<img src=file.jpg alt=' . $user_desc . '>';
?>
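The stored description above lands inside an unquoted alt= attribute, which is a different context from the HTML body. The following is an added example, not code from the original slides, showing why encoding alone is not enough there and what the fixed template looks like. Function names and the stored value are assumed.

```php
<?php
// Added example (not from the original slides): the persistent XSS in the
// unquoted alt= attribute, and the two-part fix. Names are assumed.

declare(strict_types=1);

// VULNERABLE (the slide's template): unquoted attribute, no encoding.
function img_tag_vulnerable(string $user_desc): string
{
    return '<img src=file.jpg alt=' . $user_desc . '>';
}

// STILL VULNERABLE: encoding alone does not help in an unquoted attribute,
// because a plain space ends the attribute value and starts a new attribute.
function img_tag_encoded_only(string $user_desc): string
{
    $safe = htmlspecialchars($user_desc, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src=file.jpg alt=' . $safe . '>';
}

// FIXED: quote the attribute AND encode with ENT_QUOTES, so the value can
// neither start a new attribute nor close the quotes early.
function img_tag_fixed(string $user_desc): string
{
    $safe = htmlspecialchars($user_desc, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src="file.jpg" alt="' . $safe . '">';
}

// Constructed stored value: what the attacker saved as their "description".
// It contains no < or >, so a filter that looks for tags never fires.
$stored_desc = 'photo onmouseover=alert(document.cookie)';

echo img_tag_vulnerable($stored_desc), "\n";
// alt=photo ends at the space; onmouseover becomes a real attribute that
// runs for every user who views the page.

echo img_tag_encoded_only($stored_desc), "\n";
// htmlspecialchars() has nothing to encode in this value, so the injected
// attribute survives unchanged.

echo img_tag_fixed($stored_desc), "\n";
// The whole string is one quoted alt value; no new attribute is created.

// Second constructed value that tries to break out of the quotes instead.
$stored_desc2 = 'photo" onmouseover="alert(document.cookie)';
echo img_tag_fixed($stored_desc2), "\n";
// The " is encoded, so the attribute closes where the template closes it.
```

Because the value is read from the database, the encoding has to happen on every output path that renders it, not only on the form that accepted it; this is the reason the mitigation slides insist on both validating input and encoding output.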
Weaponizing the injection:
The attacker sends an e-mail to a user insisting they change their account credentials and includes a link to your site. The link actually carries a reflected XSS payload that redirects the user to an attacker-controlled site where the credentials are harvested.
The attacker injects JavaScript that reads document.cookie and sends it to the attacker; the stolen cookies are then used for session hijacking.
XSRF Attacks
Cross-Site Request Forgery (XSRF, also written CSRF): client-side script or markup that performs background actions using the authentication of a logged-in user
Extremely useful for bypassing authentication: the attacker never learns the credentials but acts with the victim's session
XSRF exploits the fact that browsers send cookies by default with every request to a site, regardless of which page triggered the request
Limited somewhat by the same-origin policy of JavaScript: the attacker can cause the request but cannot read the response
Typical XSRF
User logs into a target site as an admin
User views a page with a persistent XSS (or any attacker-controlled page)
The script then submits a form or sends an AJAX request to the target site with attacker-determined values; the browser attaches the admin's session cookie
Can be used to do things like change the user's password, or exploit other vulnerabilities in authenticated areas of the site
Attacker uses XSRF to reset the settings of a SOHO router through the browser of a user on its network
Forms contain a transitory token (per session or per request) that is tied to the user's session. The token must then be passed in the form submission in order to carry out the action. Even this is not foolproof: if the attacker already has an XSS on the site, the injected script runs on the same origin, can load the legitimate form in an iframe, read the valid token out of it and submit it.
Require a user to fill in their existing password in order to change it. Browser auto-complete on form fields can defeat even this protection, however.
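The token defence described above, as an added example that is not from the original slides: a per-session token issued with a CSPRNG, checked in constant time, combined with the existing-password check. Function and field names are assumed, and the $session array stands in for $_SESSION after session_start().

```php
<?php
// Added example (not from the original slides): a per-session XSRF token
// for the change-password form, in plain PHP. Function and field names are
// assumed; $session stands in for $_SESSION after session_start().

declare(strict_types=1);

// Issue the session's token once; random_bytes() is a CSPRNG.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Compare in constant time so the token cannot be recovered byte by byte
// from response timing.
function csrf_check(array $session, ?string $submitted): bool
{
    if (empty($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// The form carries the token in a hidden field. A page on another origin can
// make the browser POST this form's URL with the user's cookies, but it cannot
// read this page to learn the token, so the forged request arrives without it.
function change_password_form(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/change_password.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="password" name="current_password" autocomplete="off">'
         . '<input type="password" name="new_password" autocomplete="new-password">'
         . '<button type="submit">Change password</button></form>';
}

// Handler: token check first, then the slide's existing-password check.
// $password_ok and $set_password stand in for the real user store.
function handle_change_password(array $session, array $post, callable $password_ok, callable $set_password): string
{
    if (!csrf_check($session, $post['csrf_token'] ?? null)) {
        return 'rejected: missing or invalid XSRF token';
    }
    if (!$password_ok($post['current_password'] ?? '')) {
        return 'rejected: current password is wrong';
    }
    $set_password($post['new_password'] ?? '');
    return 'password changed';
}

// --- Constructed walk-through ---
$session = [];                                   // fresh logged-in session
echo change_password_form($session), "\n\n";

$password_ok  = fn(string $p): bool => $p === 'correct horse';
$set_password = function (string $p): void { /* would update the user record */ };

// 1. Forged POST from another site: the cookies arrive, the token does not.
echo handle_change_password($session,
    ['current_password' => 'guess', 'new_password' => 'pwned'],
    $password_ok, $set_password), "\n";

// 2. Legitimate submission from the form above.
echo handle_change_password($session,
    ['csrf_token' => $session['csrf_token'], 'current_password' => 'correct horse', 'new_password' => 'n3w one'],
    $password_ok, $set_password), "\n";

// Caveat from the slide: if the site also has an XSS, injected script runs on
// this origin, can load the form, read the token and submit it. Tokens stop
// XSRF, not XSS. Marking the session cookie SameSite=Lax or Strict adds a
// second, browser-enforced layer against cross-site POSTs.
```

The autocomplete attributes on the two password fields address the slide's last point: they ask the browser not to pre-fill the current password, which is what would otherwise let a forged submission pass the existing-password check.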
Obscure XSS
Image tags can be used to carry JavaScript
CSS can also be used to run JavaScript on Internet Explorer via the expression() statement (as in the style= example above)
Iframe source can be JavaScript (a javascript: URL)
META refresh tags
Object tags
For more see http://ha.ckers.org/xss.html
Essentially a problem of validating user input
Filters for known bad (deny lists) are especially dangerous with XSS:
New techniques emerge regularly
Browsers change
New web browsers emerge
Mitigation Strategy
Disallow HTML
Don't utilize user-supplied input in display (including in scripts) without careful sanitization
DO NOT ALLOW BAD DATA INTO THE DB! Validate on input as well as encoding on output
Do NOT sanitize exclusively on output!
htmlspecialchars()
Translates the five characters that matter in HTML markup:
& to &amp;
" to &quot;
' to &#039; (only when the ENT_QUOTES flag is passed; before PHP 8.1 the default flags leave it alone)
< to &lt;
> to &gt;
htmlentities()
Much more thorough: all characters with named HTML entity equivalents are translated (for example é to &eacute;). For XSS the five characters above are what matter, so htmlspecialchars() with ENT_QUOTES is sufficient for the HTML body and for quoted attributes.
More PHP
fgetss() - same as fgets(), which gets a line from a file pointer, but strips tags (removed in PHP 8.0; strip_tags() does the same on a string)
ereg_replace(), eregi_replace() - regular expression replacement (removed in PHP 7.0; use preg_replace())
preg_replace()
Allow only the characters you want (an allow list) rather than trying to remove the bad ones
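The allow-list approach from the previous slide, as an added example that is not from the original slides, using the PCRE functions that replaced ereg_replace(). Field names and character rules are assumed.

```php
<?php
// Added example (not from the original slides): allow-list validation with
// preg_match()/preg_replace(), the PCRE replacements for the removed ereg_*
// functions. Field names and the character rules are assumed.

declare(strict_types=1);

// Reject anything outside the characters the field needs. Rejecting is
// preferable to stripping: the user sees an error instead of silently altered
// data, and there is no filter output for an attacker to "de-mangle".
function valid_username(string $s): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $s) === 1;
}

// For free-text fields where rejection is unacceptable, keep only the allowed
// characters: everything NOT in the class is removed.
function keep_allowed_chars(string $s): string
{
    return preg_replace('/[^A-Za-z0-9 _.,!?-]/', '', $s) ?? '';
}

// Constructed inputs
$inputs = ['jklein', 'j<script>k', "o'brien", 'eve" onmouseover=alert(1)'];
foreach ($inputs as $in) {
    printf("%-28s valid=%-3s stripped=%s\n",
        $in, valid_username($in) ? 'yes' : 'no', keep_allowed_chars($in));
}

// Even after allow-listing, still encode on output: a value that passes
// today's rules may later be rendered in a context (an attribute, a JavaScript
// string) where a permitted character such as ' or - still matters.
```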
Testing
Largely manual
Include input that contains multiple control characters (', ", <, >, \, ;)
View the source of the page that displays the input to determine whether the result is vulnerable
Viewing the source is not always conclusive: content built by AJAX or client-side script does not appear in the raw page source
Automated Testing
Filter Exploitation
Be careful that any filters you use can't be used against you. Filters that remove text might actually be used to de-mangle input:
A filter that removes the string <script> can be defeated using the input:
<scr<script>ipt>
Removing the inner <script> leaves <script>
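The two stripping filters (the '<script' filter from the Sanitizing Text slide and the '<script>' filter from this slide), the inputs that turn them against themselves, and the encoding approach that needs no knowledge of what an attack looks like, as one added example that is not from the original slides. Function names are assumed.

```php
<?php
// Added example (not from the original slides): the "<script" stripping filter
// from the Sanitizing Text slide and the "<script>" stripping filter from the
// Filter Exploitation slide, the inputs that turn them against themselves, and
// the encoding approach that does not need to know what an attack looks like.
// Function names are assumed.

declare(strict_types=1);

// The slide's filter: delete every occurrence of $needle in one pass.
function strip_once(string $input, string $needle): string
{
    return str_ireplace($needle, '', $input);
}

// A common "fix": keep deleting until the string stops changing.
function strip_until_stable(string $input, string $needle): string
{
    do {
        $before = $input;
        $input = str_ireplace($needle, '', $input);
    } while ($input !== $before);
    return $input;
}

// The actual fix: encode the markup characters instead of hunting for tags.
function encode_for_html(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed attacker inputs, paired with the filter they target.
$cases = [
    ['<script',  '<<scriptscript>Some JavaScript;</script>'],  // Sanitizing Text slide
    ['<script>', '<scr<script>ipt>alert(1)</script>'],         // Filter Exploitation slide
    ['<script>', '<img src=x onerror=alert(1)>'],              // no "<script>" anywhere
];

foreach ($cases as [$needle, $input]) {
    echo "filter removes: $needle\n";
    echo "  input:        $input\n";
    echo "  one pass:     ", strip_once($input, $needle), "\n";
    echo "  until stable: ", strip_until_stable($input, $needle), "\n";
    echo "  encoded:      ", encode_for_html($input), "\n\n";
}
```

For the first two inputs the single-pass filter deletes the inner occurrence and the surrounding pieces close up into a complete <script> tag, which is the slide's "the substitution actually corrects the tag". Looping until the string is stable defeats those two, but the third input never contains the needle at all, so both deny-list filters pass it untouched; only the encoded form is inert in every case.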
Other Concerns
XSS in uploaded files (images, PDF, etc.)
Code analysis may not be as effective: extremely difficult to spot given the dynamic nature of HTML display
AJAX and other interactions complicate page rendering
Exploit Techniques
Enter text such as <script>alert('foo');</script> in every possible input value and observe the results
Be sure to examine the page source to reveal subtleties or partially effective injection that can be manipulated into full XSS
Upload images with names like:
<iframe src='blah' onerror='alert(document.cookie)'>.jpg
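A small reflection probe that automates the manual check from the Testing and Exploit Techniques slides, as an added example that is not from the original slides. Each payload carries a unique marker so the tester can find their own input in the response and read the surrounding source; the constructed responses below stand in for three versions of a search page, and fetch_body() is the only part that would touch a real site (URL and parameter name assumed).

```php
<?php
// Added example (not from the original slides): a small reflection probe that
// automates the manual check described in the Testing and Exploit Techniques
// slides. Each payload carries a unique marker so the tester can find their
// own input in the response and read the surrounding source. The constructed
// responses below stand in for three versions of a search page; fetch_body()
// is the only part that would touch a real site and is not called here.

declare(strict_types=1);

// Probe payloads: the slides' <script> and control-character tests plus an
// attribute break-out, each tagged with $marker.
function probes(string $marker): array
{
    return [
        'script' => "<script>alert('$marker')</script>",
        'img'    => "<img src=x onerror=alert('$marker')>",
        'attr'   => "$marker\" onmouseover=\"alert(1)",
        'chars'  => "$marker'\"<>\\;",
    ];
}

// Did the payload come back, and did its special characters survive?
function classify(string $marker, string $payload, string $body): string
{
    if (strpos($body, $marker) === false) {
        return 'not reflected';
    }
    if (strpos($body, $payload) !== false) {
        return 'reflected raw (exploitable in this context)';
    }
    return 'reflected but altered: read the source around the marker';
}

// The slide's advice in code: look at the source, not the rendered page.
function context(string $marker, string $body, int $width = 40): string
{
    $pos = strpos($body, $marker);
    return $pos === false ? '' : substr($body, max(0, $pos - $width), strlen($marker) + 2 * $width);
}

// Live version (assumed URL and parameter): GET $url with the payload in $param.
function fetch_body(string $url, string $param, string $payload): string
{
    $sep = strpos($url, '?') === false ? '?' : '&';
    return (string) file_get_contents($url . $sep . $param . '=' . rawurlencode($payload));
}

// --- Constructed responses ---
$marker = 'xss' . bin2hex(random_bytes(4));
$probe  = probes($marker)['script'];

$responses = [
    'vulnerable' => '<p>Your search for ' . $probe . ' returned 0 records</p>',
    'encoded'    => '<p>Your search for ' . htmlspecialchars($probe, ENT_QUOTES) . ' returned 0 records</p>',
    'filtered'   => '<p>Your search for ' . str_replace('<script>', '', $probe) . ' returned 0 records</p>',
];

foreach ($responses as $name => $body) {
    printf("%-10s %s\n           source: %s\n", $name, classify($marker, $probe, $body), context($marker, $body));
}
```

The "filtered" response is the interesting one: the marker comes back but the payload does not, and the source excerpt shows that only the opening tag was removed. That is the partially effective injection the slide tells you to look for, and the starting point for the filter-exploitation inputs shown earlier.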