Cross Site Scripting: Moutasem Hamour
Cross Site Scripting: Moutasem Hamour
Cross Site Scripting: Moutasem Hamour
Moutasem Hamour
The goal of the CSS attack is to steal the client cookies, or any
other sensitive information, which can identify the client with
the web site. With the token of the legitimate user at hand, the
attacker can proceed to act as the user in his/her interaction
with the site specifically, impersonate the user.
Introduction (Cont....)
Example :-
www.vulnerable.com
How can this be abused? Well, the attacker manages to lure the
victim client into clicking a link the attacker supplies to
him/her. This is a carefully and maliciously crafted link, which
causes the web browser of the victim to access the site
(www.vulnerable.site) and invoke the vulnerable script. The
data to the script consists of a Javascript that accesses the
cookies the client browser has for www.vulnerable.site. It is
allowed, since the client browser experiences the Javascript
coming from www.vulnerable.site, and Javascripts security
model allows scripts arriving from a particular site to access
cookies belonging to that site.
Full explanation the CSS
technique(Cont...)
The attack can take place only at the victims browser, the same
one used to access the site (www.vulnerable.site). The attacker
needs to force the client to access the malicious link. This can
happen in several ways:
- The attacker sends an email containing an HTML page that
forces the browser to access the link. This requires the victim
use the HTML enabled email client, and the HTML viewer at
browser.
- RAM cookies (of www.vulnerable.site) maintained by this
instance of the browser, only when it is currently browsing
www.vulnerable.site
- Names of other windows opened for www.vulnerable.site
<script>var
victim_window=open('','foobar');alert('Can
access:'+victim_window.location.search)
</script>
Variations on the theme
The weak spot in the application is the script that echoes back its
parameter, regardless of its value. A good script makes sure that the
parameter is of a proper format, and contains reasonable characters,
etc. There is usually no good reason for a valid parameter to include
HTML tags or Javascript code, and these should be removed from
the parameter prior to it being embedded in the response or prior to
processing it in the application, to be on the safe side!
Securing a site against CSS attacks
in security.
It requires the programmer to cover all possible input
sources (query parameters, body parameters of POST
request, HTTP headers).
It cannot defend against vulnerabilities in third party
scripts/servers. For example, it wont defend against problems in error
pages in web servers (which display the path of the resource).
Securing a site against CSS attacks(Cont...)
2. By performing output filtering, that is, to filter the user data when
it is sent back to the browser, rather than when it is received by a
script. A good example for this would be a script that inserts the
input data to a database, and then presents it. In this case, it is
important not to apply the filter to the original input string, but only
to the output version. The drawbacks are similar to the ones in input
filtering.
3. By installing a third party application firewall, which intercepts CSS
attacks before they reach the web server and the vulnerable scripts,
and blocks them. Application firewalls can cover all input methods
(including path and HTTP headers) in a generic way, regardless of
the script/path from the in-house application, a third party script, or a
script describing no resource at all (e.g. designed to provoke a 404
page response from the server). For each input source, the
application firewall inspects the data against various HTML tag
patterns and Javascript patterns, and if any match, the request is
rejected and the malicious input does not arrive to the
server.
How to check if your site is protected
from CSS
Just like securing a site against CSS, checking that the site is indeed
secure can be done manually (the hard way), or via an automated
web application vulnerability assessment tool, which offloads the
burden of checking. The tool crawls the site, and then launches all
the variants it knows against all the scripts it found trying the
parameters, the headers and the paths. In both methods, each input
to the application (parameters of all scripts, HTTP headers, path) is
checked with as many variations as possible, and if the response
page contains the Javascript code in a context where the browser
can execute it then a CSS vulnerability is exposed. For example,
sending the text:
<script>alert(document.cookie)</script>
How to check if your site is protected
from CSS (Cont....)
Of course, there are several variants, and therefore, testing only the
above variant is insufficient. And as we saw above, it is possible to
inject Javascript into various fields of the request the parameters,
the HTTP headers, and the path. In some cases (notably the HTTP
Referer header), it is awkward to carry out the attack using a
browser.
How Sanctums AppShield protects
against CSS attacks
For each script it tries to attack, AppScan will inspect the results (the
script response), and if the Javascript code is detected (that is, if the string
returned as is - intact and in fullness:
<script>alert("CSS is possible")</script>), it indicates that the attack
succeeded (because the browser of the victim will execute the JS code).
Moreover, the internal browser in AppScan will pop-up the
Javascript alert window with the text "CSS is possible", which graphically
demonstrates that the Javascript code was indeed executed.
Conclusion
Cross Site Scripting is one of the most common application level attacks
that hackers use to sneak into web applications today, and one of the
most dangerous. It is an attack on the privacy of clients of a particular
web site which can lead to a total breach of security when customer
details are stolen or manipulated. Unfortunately, this is often done
without the knowledge of either the client or the organization being
attacked. In order to prevent this malicious vulnerability, it is critical
that an organization implement both an online and offline security
strategy. This includes using an automated application vulnerability
assessment tool, like AppScan from Sanctum, which can test for all
the common web vulnerabilities, and application specific
vulnerabilities (like cross site scripting) on a site. And for a full online
defense, installing an application firewall, like AppShield from
Sanctum, that can detect and defend against any type of manipulation
to the code and content sitting on and behind the web servers.
TANK YOU