3. Cross Site Scripting (XSS)
• One of the most common application-layer web
attacks.
• Operates on the client-side (in the user's web browser).
• 13% of total hacking techniques (in 2011).
• Neglected by developers. Why?!
• Executed every time the page is loaded.
• JavaScript, VBScript, ActiveX, HTML, or Flash.
4. Cross Site Scripting (XSS)
• XSS can cause a variety of problems for the end user, ranging from
annoyance (alert pop-ups) to complete account compromise (session hijacking).
• Installation of Trojan horse programs.
• Page modification and redirection.
5. XSS types
• Stored XSS Attacks.
• Reflected XSS Attacks.
• DOM Based XSS.
8. How it works
<form method="get" action="index.php">
<input name="hack_me" />
<input type="submit" value="Submit" />
</form>
9. How it works
<?php
$txt = $_GET['hack_me'];
echo $txt; // untrusted input is echoed unescaped, e.g. hack_me=<script>alert("Hacked");</script>
?>
10. Alternate XSS Syntax
• Using Script in Attributes
• <body onload=alert('Hacked')>
• <img src="http://url.to.file.which/not.exist"
onerror=alert(document.cookie);>
• XSS using Script Via Encoded URI Schemes
• <img src=jAvascript:alert('Hacked')>
11. Commonly used to achieve the following malicious results:
• Identity theft.
• Accessing sensitive or restricted information.
• Gaining free access to otherwise paid for
content.
• Spying on the user's web browsing habits.
• Altering browser functionality.
• Web application defacement.
• Denial of Service attacks.
12. XSS Countermeasures
• Although there is a huge number of XSS attack vectors, following a few
simple rules can completely defend against this serious attack.
• The simplest form of XSS protection is to pass
all external data through a filter (in server-side).
• It is recommended to use libraries that have been tried and tested by the
community.
• XSS techniques keep changing (your filters will
need to be updated periodically).
• ESAPI (OWASP), AntiXSS (Microsoft).
13. XSS Countermeasures
• HTML Escape Before Inserting Untrusted Data
into HTML Element Content:
• ESAPI Encoder Example:
String safe = ESAPI.encoder().encodeForHTML(request.getParameter("input"));
• AntiXSS Equivalent:
string safe = Microsoft.Security.Application.AntiXss.HtmlEncode(Request.QueryString["input"]);
14. XSS Countermeasures
• Also escape untrusted data before inserting it into:
• HTML Common Attributes.
• JavaScript Data Values.
• HTML Style Property Values.
• HTML URL Parameter Values.
• Also set the HttpOnly flag on session cookies.
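The following is an added example (not from the slides, and not the ESAPI or AntiXSS code itself) of what slides 13 and 14 mean by escaping per context: the same untrusted value from the index.php form on slides 8 and 9 is placed into HTML content, an attribute, a JavaScript string, a link href and a URL parameter, each through the encoder for that context. The encoder functions and the render() page layout are illustrative assumptions, not a library API.

```python
import html
import re
from urllib.parse import quote


def encode_for_html(s: str) -> str:
    """HTML element content: escape & < > " ' so no tag or entity can be formed."""
    return html.escape(s, quote=True)


def encode_for_html_attribute(s: str) -> str:
    """HTML attribute values: encode every non-alphanumeric character as &#xHH;
    so the value cannot break out of a quoted (or unquoted) attribute."""
    return re.sub(r"[^A-Za-z0-9]", lambda m: f"&#x{ord(m.group()):02X};", s)


def encode_for_javascript(s: str) -> str:
    """JavaScript data values inside a quoted JS string: \\xHH / \\uHHHH escape
    every non-alphanumeric character, so quotes and </script> cannot close the
    string or the script block."""
    out = []
    for c in s:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "".join(out)


def encode_for_url(s: str) -> str:
    """HTML URL parameter values: percent-encode everything, including / and :."""
    return quote(s, safe="")


def safe_href(s: str) -> str:
    """A whole href/src value: allow only absolute http(s) URLs (case-insensitive
    scheme check, so jAvascript: is rejected); anything else becomes a harmless '#'."""
    if re.match(r"^https?://", s.strip(), re.IGNORECASE):
        return html.escape(s.strip(), quote=True)
    return "#"


def render(untrusted: str) -> str:
    """The index.php page from slides 8-9, with the untrusted value placed into
    each of the contexts listed on slides 13-14 using the matching encoder."""
    return "\n".join([
        f"<p>{encode_for_html(untrusted)}</p>",
        f'<input name="hack_me" value="{encode_for_html_attribute(untrusted)}">',
        f"<script>var last = '{encode_for_javascript(untrusted)}';</script>",
        f'<a href="{safe_href(untrusted)}">profile</a>',
        f'<a href="/index.php?hack_me={encode_for_url(untrusted)}">again</a>',
    ])
```

Note that the contexts are not interchangeable: HTML-escaping a value and then placing it inside a JavaScript string or a URL still leaves that context open.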