Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1


Ratings: (0)|Views: 116|Likes:
Published by anil

More info:

Published by: anil on Aug 29, 2008
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





Cross Site ScriptingFirst Some Credit
David Zimmer: “Real World XSS” article.
Gunter Ollmann: “HTML CodeInjection and XSS” 
 AmitKlein: “XSS Explained” 
Definition of XSS
 An app level attack 
Involves 3 parties
Want diverse and personalizeddelivery
but web app fails to validate usersupplied input
Marc Slemko: XSS doesn’t have to beXS, or S.
Goal: STEAL!!!
vulscriptat vulsite, reads HTTP req,echoes back w/o first sanitizing…
GET /vulscript.cgi?name=dylimHTTP/1.0Host: www.vulsite.org
<HTML><Title>Welcome</Title> Hidylim</HTML>
 Attacker can craft link which causes theweb browser to access vulsite, invokevulscript, with data=evilscript.
Note that evilscriptcan access mycookies related to vulsite.
Example cont’d
Such a link could be:
Other HTML tags
<b onMouseOver="self.location.href='http://evil.org/'"> boldedtext</b>
POST, HTTP headers (referrer), path of HTTP req(e.g. if error page returns theerroneous path)
Typical formatting
<imgsrc= "malicious.js">
<iframe= "malicious.js">
<a href="javascript:…">click-me</a>
Flash! attack…
 ActionScript, getURL()
What about…
Self contained! i.e. doesn’t requirevulnerable web resource to echoinput.
allows dynamic creation of binary filesfrom JavaScript (can create filescontaining malicious payload forexploiting overflow vulnerabilities.)
XSS as an attack vector
Can include very large audience w one injectionpoint
Can force users to some action, and access infothey can access
Can be hard to detect and slipped in quietly
Can be powerful for info display and alteration.
95% can be avoided with proper filtering onany user supplied data (several tools)
Theft of Account/Services
User Tracking/Stats
Browser/User exploitation
Credentialed Misinformation
Free Information Dissemination
Together with Phishing, etc…
Only here! By everything forcheap.msg
PayPalUrgent Problems with Account Information.msg
Save the world.msg
Securing a site
Input sanitation
Programmer needs to cover all possible inputsources (query params, HTTP headers, etc)
Useless against vulnerabilities in 3
partyscripts/servers (e.g. err pages)
Output filtering..
 App firewalls
Can cover all input methods in a generic way.
Intercepts XSS attacks b4 they reach server.
Injection Points
 Active XSS attacks
Parameters passed in thru query stringarguments that get written directly to apage.
 Any where an html form can be injectedand have the user click a submit button
Passive XSS attacks
Database storage!
Error pages!
Do you want to deny users the abilityto use any form of HTML?
If not, what do you filter?
10M x 10M image of attacker
Imgsrcand href…
Parse out src= element and validate it:
Remove quotes
Deny urlswith ? Querystringids, make sureno .cgi, .pl, etc.
Chkthe protocol and deny everything excepthttp
Many ways to circumvent
Simple filtering < and >
Use \x3c and \x3e
Commenting out malicious code
Just close the comment filter:<script>---></comment>…</script>
Separate window handling
<a href="javascript:…">click-me</a> becomes:<a href="javascript:…" target="_blank">click-me</a>
<a href="javascript:..." foo="bar>click-me</a><a href="javascript:..." foo="bartarget="_blank">click-me</a>
XSS tips and tricks.
script injection in an image srctag..
Embed nested quotes..
\’or \”, or \u0022 \u0027
Keyword filters that allow any jstoexecute are useless:
 A = ‘navi’; B = ‘gator.userAgent’;alert(eval(A+B))
XSS tips and tricks..
Limited input length + script block embed= unlimited script power (script src=)
SSL pages warn if script srccomes fromuntrustedsite,
but if you can upload say imgthat is actually .jscommands..
methods of script encoding.
<imgsrc='vbscript:do%63ument.lo%63ation="http:/ /a.b.com"'>
<IMG SRC="javascript:alert('test');">
<IMG SRC="javascript:alert('test');">
Line break trick 

Activity (4)

You've already reviewed this. Edit your review.
1 hundred reads
Ravi Ranjan liked this
Tanjeeb liked this
dnayak1 liked this

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->