Professional Documents
Culture Documents
Objectives
Overview
Cross Site Scripting (XSS) is one of the most prevalent vulnerabilities in modern web
apps, simply because it’s so easy to overlook, and sometimes can be very subtle. In this
lab, you’ll find, exploit, and then fix two different kinds of XSS vulnerabilities.
Scenario
In this scenario, you have a web application that supports both anonymous and
authenticated users, the latter of which are authenticated using ASP.NET Forms logon.
The application is a message board which allows any user to post a message that all
others can read.
Setup
Open the before\XSSWeb.sln solution. This includes a skeletal application where you
will do your work. There is also a fully completed lab in the after\ directory that you can
use to compare with your work if you get stuck.
You’ll need to set up a virtual directory for this lab. In the before\ directory you’ll find a
program called installvdirs.exe. Run that program (it requires admin privileges to
function properly). It will create a vdir at http://localhost/FabrikamXSS. If you want to
clean up after the lab, you can run the corresponding uninstallvdirs.exe.
Effective exploits are difficult to write. Multi-browser exploits are even harder. This
particular lab was designed to work well with Internet Explorer, so even if you normally
use a different browser, please use Internet Explorer when working this lab.
Lab – Cross Site Scripting (XSS)
c. Note the line in web.config that disables page request validation. This is
an important ASP.NET feature that helps prevent some XSS exploits, but
it’s not perfect and you should never rely upon on it for your sole
protection.2 At the end of the lab you will enable it again (so you can see
exactly what it does) just like you would in a production application. Do
your penetration testing without it, but don’t forget to turn it back on when
you go live.
Note: Each message is stored in a text file named with a GUID. You’ll see this
implementation shortly when you look more closely at the source code for
PostMessage.aspx.
1
The passwords used here as well as the authentication mechanism are purposely simple because this is a
lab – obviously we don’t recommend using such lousy passwords in the real world!
2
There has been at least one public and successful exploit in the past that allowed the bad guys to get
around this protection mechanism.
Lab – Cross Site Scripting (XSS)
Note: This message was carefully crafted by an attacker who simply studied the
ViewMessages.aspx page where his message will be displayed after it’s posted.
Note: Some experts classify this as “persistent” XSS vulnerability, because the malicious
HTML is stored on disk and replayed over and over by the website. This is a very nasty
attack, as it affects all users who view messages at Fabrikam. By simply visiting the page,
a legitimate user of this website will be immediately exposed to attack.
Lab – Cross Site Scripting (XSS)
7. Examine the source code for the Error.aspx page. There is a subtle XSS
vulnerability here.
a. Do you see the problem? Part of the query string is being copied directly
into the HTML output for this page. Echoing untrusted user input into an
HTML stream leads to XSS vulnerabilities.
Note: If we classified the last XSS vulnerability as “persistent”, then this would be an
ephemeral one. Because the vulnerable page simply echoes the query string in its output,
to exploit it the attacker constructs a malicious link containing a query string with an
embedded script. If he can convince a legitimate Fabrikam user to click his link, that user
will be vulnerable. The most common delivery vehicle is the phishing email, where the
attacker sends out a convincing email to Fabrikam’s customers, offering carefully crafted
links to the vulnerable web page.
Lab – Cross Site Scripting (XSS)
Note: If this were real attack, the script would likely post this data to a different website
under the attacker’s control. This script simply shows you that it has indeed accessed
your user name and password and can do with them as it pleases.
10. Enable ASP.NET XSS protection and try both exploits again.
a. In web.config, change the page’s validateRequest setting from false to
true.
Note: You’ve just returned to ASP.NET’s default setting, and from now on, query strings
and form fields will be checked for dangerous characters that could represent an XSS
attack. This feature has never been perfect, which is why we asked you to turn it off while
securing the application, but turning back on is a fantastic defense-in-depth measure.
b. Build the application and try the phishing attack once more. In this
particular case, ASP.NET catches the danger before your code even runs.
c. Try posting an HTML message. You should see the same thing.
Lab – Cross Site Scripting (XSS)
Conclusion
Does HtmlEncode always protect you? Keep in mind that it only encodes a few
characters, such as greater-than (<). But what would happen if you were already in a
<script> tag and you happened to be concatenating some user input while in that context?
An attacker who knows that he’s already in a <script> tag doesn’t need to use any angle
brackets in his attack. He can simply terminate the string you’re emitting into your script
and begin writing his own script statements, similar to a SQL injection attack. Be very
cautious about injecting any untrusted input into your HTML streams. And be sure to
consider the context – HtmlEncode may not be enough!
In this lab you’ve seen three ways to protect against Cross Site Scripting (XSS) attacks.
You’ve learned to encode any untrusted data before injecting it in your HTML stream.
You’ve learned to validate input as it comes in. And finally, you’ve learned how to
enable ASP.NET page validation, but you’re (hopefully) not going to rely on it as your
sole protection mechanism.
Resources