Cross-Site Scripting Attack in Social Networking Environment
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 70
Abstract—Social networks are presently an effective means for end users to share information and views;
the availability of high network bandwidth and ample memory space makes their effective use possible.
Security and privacy, however, are still vague. In recent years many social networking sites have suffered
from cross-site scripting attacks and phishing attacks, which were conducted by suspicious users who
inserted a malicious script into web form components. In this work an attack scenario in a social network
environment is implemented to demonstrate how an attacker uses the vulnerability of poorly written
application code to degrade server performance and to mount a phishing attack on the social website.
Challenges in handling cross-site scripting attacks in the web environment are also presented.
Index Terms—XSS, Social network, Malicious Code, Phishing, Privacy and Security.
————————————————————
1 INTRODUCTION
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 7, JULY 2010, ISSN 2151-9617
5.2 Case-02 - Phishing through XSS vulnerability
Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as
usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic
communication.
Fig. 2. A Phishing Mail Example.
In Fig. 2 an example of a phishing mail is shown. This mail contains a malicious link. Whenever the user
clicks on the given link, it opens a new webpage which looks like the page shown in Fig. 3.
Fig. 3. A Fake Online Banking page.
As shown in Fig. 3, the user is forwarded to a
page which looks like the original banking website. This page contains a submit button and asks for
entries which will never be asked for by the original banking website. When the user clicks on the submit
button, a stored JSP page is executed and writes all the information into a text file. In future the
attacker can use this text file's information.
JSP code to write user's information into a file for future use
<%@ page import="java.io.*" %>
<%
// Read the fields submitted by the fake banking form (Fig. 3).
String uname = request.getParameter("uname");
String acc = request.getParameter("accnum");
String pass = request.getParameter("pass");
String tpass = request.getParameter("tpass");
String bname = request.getParameter("bname");
String str = "Username: " + uname + ": AccountNum: " + acc + ": Password: " + pass
    + ": T Password: " + tpass + ": BranchName: " + bname;
String nameOfFile = "impData.txt";
try {
    // Write the collected values to a text file on the server.
    PrintWriter pw = new PrintWriter(new FileOutputStream(nameOfFile));
    pw.println(str);
    pw.close();
} catch (IOException e) { out.println(e.getMessage()); }
%>
6 APPROACHES AGAINST CROSS SITE SCRIPTING ATTACKS
This paper is concerned with how social networking sites can be protected against attackers in order to
protect the end user.
6.1 Network separation
Web sites can be categorized into various different types, viz. trusted global brands, small businesses,
personal sites and social networking. Each web site has a different level of security. Though the sites of
large organizations who have dedicated teams for web security are not immune to attack, the probability
of them becoming compromised is far lower than that for smaller organizations who may outsource their
web development. Implementing a security policy that acknowledges such distinctions can help to
mitigate risk at the endpoint. A popular way to achieve this is to implement separate networks, with
differing browsing policies on each.
6.2 Client browsers
Client web browsers also play a major role in web application attacks. Internet Explorer, Mozilla Firefox
and Google Chrome are the most targeted web browsers. As other browsers have gained in popularity,
hackers have started using exploits that target them. The appropriate selection of browser may be better
influenced by the security-minded configuration options or plug-ins that may be available. A popular
plug-in for Mozilla-based browsers is NoScript, which provides control over Java and JavaScript
execution. NoScript is a free and open-source extension for Mozilla Firefox, SeaMonkey, Flock and other
Mozilla-based web browsers. NoScript allows JavaScript, Java, Flash, Silverlight, and other plugins and
scripted content to be selectively executed based on a whitelist [1].
6.3 Content inspection
The most common form of content inspection as far as web content goes is the use of some application
that filters incoming HTTP traffic. The filter will typically pass posted content to an anti-script engine
in order to filter out content containing known malicious script. Such a filter also has the ability to
filter potentially undesirable content based on keyword blacklists. In this way it is possible to reduce
persistent or stored script injection attacks.
By filtering content at the web gateway, anti-script filters are able to add a major layer of protection
for the social network's users. If the anti-script filter detects suspicious content, the posted content
can be blocked or a warning generated for users. Advanced products will optimize the detection
capabilities for a web environment. One of the challenges with web content filtering is performance.
Social networking sites are interactive, so responses must arrive in a short time, and there is a
requirement upon the web application to avoid added reaction time. This conflicts with the increasing
need to do expensive analysis of complex obfuscated malicious scripts.
6.4 URL filtering
URL categorization is also used as a method to reduce or protect against code injection attacks. In this
fashion, requests to malicious URLs or to websites known to be suspicious can be blocked, regardless of
whether the content would be identified or not. Clearly this is useful when we know that hackers are
using automation to continually change threats in order to evade detection. The success of blocking
requests to known suspicious websites relies on maintaining an up-to-date list of such websites. Several
factors determine how effective such a list may be, including:
Pertinent data: Gathering adequate information about code injection that is available online, in order
to know about new attacks as quickly as possible. Systems must be updated day by day. Solutions may
involve tools that gather as much data as possible about code injection available online.
URL filtering can also be used to provide control over the types of sites which users can browse. Sites
classified into categories such as smut, gambling or entertainment may be blocked within an
organization. The accuracy of the classification data governs how successful URL filtering may be. For
this reason, several products license data from 3rd party companies in order to boost their URL
classification abilities.
6.5 Endpoint protection
Security on the endpoint is indispensable regardless of whether the user is connected to the network or
not. Anti-virus products have several features that are important in choosing the most appropriate
solution. One of those features is the ability of the anti-virus to provide pro-active detection, i.e.
the detection of previously unknown code injection or malicious script. There are several methods which
an endpoint security product may use to detect known or unknown malicious code: signature-based
detection, heuristic-based detection and file emulation. With the help of these methods we can determine
whether the code or script is malicious or not and then carry out the
suitable actions.
6.6 Web server protection
Web servers provide a portal to the network, so they require a stronger and more customized level of
protection above and beyond what network firewalls or IDS can provide. Attackers could use a number of
entry points to attack web servers in order to compromise the sites they host. Entry points include: weak
username/password combinations, vulnerable web applications, vulnerable operating systems and
vulnerable web server software, databases, tools or libraries.
Once an entry point has been identified, the attacker will likely attempt to install some form of remote
shell on the machine. An example is a shell attack, in which the attacker uploads a file to the web
server to gain full access to the server. The functionality varies between shell scripts; most shell
scripts provide the ability to upload additional files and issue remote commands. Several provide
functionality specifically designed for compromise attacks; for example, the shell script can execute
Windows commands.
It is clear that a considerable number of web servers do not use an access filter. Use of filtering tools
can protect the server itself (from various forms of attack or infection) and also inform the
administrator when a malicious script runs. For smaller sites, simple steps such as running scripts to
check the files in the web root can also help to alert the administrator of a problem.
7 CONCLUSION
Handling vulnerable code and scripts on the social network is still a major challenge for social
networks. In this paper attack scenarios are implemented to demonstrate how XSS is used to degrade
server performance and to conduct a phishing attack. These issues should be considered seriously by web
programmers involved in developing social networking websites. Policy, network and coding based
approaches to prevent these attacks are discussed. In practice, however, policy enforcement on specific
content using the Platform for Privacy Preferences Project (P3P) is still challenging. The code
inspection technique to prevent XSS attacks is time consuming.
Future work will be focused on a wider experiment involving a large set of XSS case studies and on
integrating the presented approaches into an effective solution to prevent cross-site scripting in the
social networking environment.
ACKNOWLEDGMENT
The research presented in this paper would not have been possible without our college, at MANIT, Bhopal.
We wish to express our gratitude to all the people who helped turn the World-Wide Web into the useful
and popular distributed hypertext it is. We also wish to thank the anonymous reviewers for their
valuable suggestions.
REFERENCES
[1] "Wikipedia" [Online]. Available: http://www.en.wikipedia.org/wiki/ [Accessed: June 15, 2010].
[2] Modern web attacks, Fraser Howard, SophosLabs UK, August 2007.
[3] "Cross Site Scripting" [Online]. Available: http://www.cgisecurity.com/xss-faq.html [Accessed: June 13, 2010].
[4] "HTTP Header Injection" [Online]. Available: http://blogs.msdn.com/b/esiu/archive/2007/09/22/http-header-injection-vulnerabilities.aspx [Accessed: June 10, 2010].
[5] "HTTP Response Splitting" [Online]. Available: http://www.owasp.org/index.php/HTTP_Response_Splitting [Accessed: June 10, 2010].
[6] "Approaches against XSS" [Online]. Available: www.securecontenttechnologies.com [Accessed: May 25, 2010].
Fahim Mohammed M.Tech in Computer Science & Engg., B.E. in Information Technology and research
scholar of National Institute of Technology Bhopal.
Prof Deepak Singh Tomar M.Tech & B.E. in Computer Science & Engg. and working as Assistant Professor,
Computer Science & Engg. Department. Total 14 Years Teaching Experience (PG & UG). Guided 16 M.Tech
Thesis.
Dr. J.L. Rana Professor & retired, Ex. Head of Department of Computer Science & Engg, MANIT, Bhopal.
PhD. IIT Mumbai M.S. USA (Hawaii). Guided 30 M.Tech. Thesis & Six Ph.D.
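The keyword-blacklist inspection of Section 6.3, sketched in Python as an added example that is not code from the paper: posted content is decoded before the blacklist is applied, and each constructed sample is checked both with and without that step. The patterns, function names and the decode bound are assumptions made for this illustration.

```python
import html
import re
from urllib.parse import unquote

# Keyword blacklist, constructed for this example and deliberately small.
BLACKLIST = [
    re.compile(r"<\s*script\b"),
    re.compile(r"<\s*iframe\b"),
    re.compile(r"javascript\s*:"),
    re.compile(r"\bon(?:error|load|click|mouseover)\s*="),
]
MAX_DECODE_ROUNDS = 3  # bounds the work done per post

def normalize(content: str) -> str:
    """Undo URL and HTML-entity encoding so hidden keywords become visible."""
    text = content
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = html.unescape(unquote(text))
        if decoded == text:
            break
        text = decoded
    # Browsers drop tabs and newlines inside URLs, so remove control
    # characters before matching.
    return re.sub(r"[\x00-\x1f\x7f]", "", text).lower()

def inspect_post(content: str, normalized: bool = True) -> dict:
    """Verdict for one posted item: block if any blacklist pattern matches."""
    haystack = normalize(content) if normalized else content.lower()
    hits = [p.pattern for p in BLACKLIST if p.search(haystack)]
    return {"verdict": "block" if hits else "allow", "hits": hits}

# Constructed sample posts, not taken from the paper.
SAMPLE_POSTS = {
    "plain text": "Had a great day at the lake!",
    "literal tag": "<script>alert(1)</script>",
    "url-encoded": "%3Cscript%3Ealert(1)%3C/script%3E",
    "entity-encoded": "&#60;script&#62;alert(1)&#60;/script&#62;",
    "split scheme": '<a href="java\tscript:alert(1)">hi</a>',
}

def compare_filters() -> dict:
    """Map each sample to (verdict on raw text, verdict after normalizing)."""
    return {name: (inspect_post(post, False)["verdict"], inspect_post(post)["verdict"])
            for name, post in SAMPLE_POSTS.items()}

if __name__ == "__main__":
    for name, verdicts in compare_filters().items():
        print(f"{name:15} raw={verdicts[0]:5} normalized={verdicts[1]}")
```

MAX_DECODE_ROUNDS caps the normalization work per post; raising it costs latency on every request, which is the performance conflict the section describes.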
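The web-root file check suggested at the end of Section 6.6, as an added Python example that is not code from the paper: it hashes every file, compares the result against a stored baseline and singles out newly appeared server-side script files. The extension list, the function names and the temporary directory contents are assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Extensions treated as server-side scripts (an assumed list for this example).
SCRIPT_EXTS = {".jsp", ".jspx", ".php", ".asp", ".aspx", ".cgi"}

def snapshot(web_root: str) -> dict:
    """Map every file under web_root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, web_root)] = digest
    return digests

def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots and single out newly appeared script files."""
    added = sorted(set(current) - set(baseline))
    return {
        "added": added,
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
        "new_scripts": [p for p in added
                        if os.path.splitext(p)[1].lower() in SCRIPT_EXTS],
    }

def demo() -> dict:
    """Build a constructed web root, alter it, and return the change report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        for rel, body in {"index.jsp": "<h1>home</h1>", "style.css": "body{}"}.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        baseline = snapshot(root)
        # Simulated changes: an edited page, a deleted file, and an
        # unexpected script file appearing in the uploads directory.
        with open(os.path.join(root, "index.jsp"), "a") as fh:
            fh.write("<!-- edited -->")
        os.remove(os.path.join(root, "style.css"))
        with open(os.path.join(root, "uploads", "photo.jsp"), "w") as fh:
            fh.write("placeholder content")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In use, keep the baseline outside the web root and off the server, so that whoever can write to the web root cannot also rewrite it.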