There is a lot of talk about Cross Site Scripting (XSS) vulnerabilities, and I thought an introduction might be helpful to some in our community. Simply put, an XSS vulnerability is a coding error in a web page that lets an attacker add unwanted code to the page, which is then executed by the victim's browser. This post will cover the anatomy of an attack, techniques for detecting vulnerabilities, and methods for mitigation.
An XSS attack can take many shapes, but the most common delivery vehicle for a reflected XSS is a phishing email carrying a crafted link. The attack scenario looks something like this:
1. A phishing email, spoofed to look like it comes from a trusted domain, includes a link to that real, trusted domain:
   http://example.com/index.php?i="><script>alert('XSS')</script>
2. The user hovers over the link, notices it goes to example.com, and clicks it.
3. The web page does not handle the user input in the URL correctly and writes it into the page.
4. The user's browser executes the code nested in the URL; in this scenario the user is prompted to update their XY software and installs malware from the attacker's site instead of the actual XY software.

Let's go into a little more detail. In step 1 above someone has found a weakness on a web page that lets code be executed by the client browser. The alert() is only a proof of concept; the same injection point can carry a script that rewrites the page, reads the session cookie, or loads a larger payload from the attacker's server, which is what step 4 relies on. How does this occur? There is an error in the coding of the web page with regard to handling user input. I think it is appropriate to call it what it is: sloppy coding. There is no excuse for this anymore. Every modern language has built-in methods/functions for handling this. Some people write their own regular expressions, but please just use the method. Some examples are:
- PHP: htmlspecialchars()
- Java: JSTL (<c:out>, which escapes output by default, or fn:escapeXml())
- Closure Templates (Google): SanitizedContent, with auto-escaping
- Ruby: h (ERB::Util.html_escape, available in Rails views)
In the example URL in step 1 above, the PHP page accepts input from the user in the parameter i. When the web server processes the client request, the text from i, which here would be the search field on the page, is written into the page unchanged. What happens in your browser is the following:
1. The characters "> close the attribute value the input was placed in (the value="..." of the search box) and the tag it belongs to.
2. <script> tells your browser that a JavaScript block follows.
3. alert('XSS') is the code executed by your browser; in a real attack this is where the malicious script goes.
4. </script> closes the JavaScript block, and the rest of the page renders as usual.
Now this is a simple but effective example. There are many ways to manipulate the browser into executing code, which is exactly the reason not to write your own regex filter. A filter that looks for the literal string <script> misses case variations (<ScRiPt>), URL-encoded or entity-encoded forms, and tags that carry event handlers instead, such as an <img> with an onerror attribute. The payload can also be hidden in an encoding the filter does not understand. Base64-encoded, the statement from step 1 looks like this: "Ij48c2NyaXB0PmFsZXJ0KCJYU1MiKTwvc2NyaXB0Pgo=". You cannot read it, and neither can a naive filter, yet if the application decodes the value before writing it into the page, or the injected script decodes it itself (a data: URI or atob()), the browser executes it without a problem.
What should happen when a user submits unwanted text is to handle it in a safer manner: validate the input where you can, and escape it for the context it is written into (HTML body, attribute, JavaScript, URL) so the browser renders it as plain text. Using htmlspecialchars() in PHP would render "><script>alert("XSS")</script> as the HTML below:
&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;
Your browser would display it as text without executing it as JavaScript. Two caveats: pass ENT_QUOTES so single quotes are escaped as well (the step 1 payload uses them, and PHP versions before 8.1 leave them alone by default), and remember that htmlspecialchars() only protects the HTML body and quoted-attribute contexts; data written inside a <script> block or into a URL needs the encoding for that context.
Your site may have too much code to review every user input manually, and automated tools can help. The excellent open source tools w3af and nikto can be downloaded and installed individually, and both ship in the BackTrack and Samurai live distributions. Start the tool, enter your URL and run it. A scan takes time, so be patient, and treat a clean result as a starting point rather than a guarantee: a scanner only finds the injection points it knows how to exercise.
Are you in a hurry? Then check out http://xssed.org, a public database of sites with known XSS vulnerabilities. Go to the site and search for your domain name. Sites listed there are known to be vulnerable and have probably already been exploited.
I hope this has helped out. Please let me know if you have any questions.
Cheers
-Joe