Friday, April 28, 2017

Reflected Cross Site Scripting (XSS) with examples



Cross site scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

- OWASP
In order to achieve XSS, two conditions need to be satisfied.

1. The attacker has to inject malicious code into the client-side user agent (the browser).

2. That code has to execute.


There are two types of cross site scripting techniques.

1. Reflected XSS - the script is reflected into the response body at run time and executes there.

2. Stored XSS - the script is stored somewhere on the server side (e.g. in a database) and served back later.


The main asset threatened by XSS is the user session, i.e. the session cookies. Once an attacker exploits an XSS vulnerability on any website that has a login feature, he can have every user's session cookie sent to him (account hijacking). With those cookies he can pretend to be someone else (identity theft).


Unlike a reflected attack, where the script is activated after a link is clicked, a stored attack only requires that the victim visit the compromised web pages.


Stored XSS example









There are two ways to fix XSS.

1. Input validation - check whether the user input contains special characters it does not need; if it does, reject or escape them.

2. Output encoding/sanitizing - encode the user input before writing it into the page.



Now let's see how XSS works with some examples.

(All the web pages required for these tasks are uploaded to GitHub. You can either clone the repository or download the zip file, and run it on an Apache Tomcat server or whatever server you use.)


https://github.com/sajith01prasad/Cross-Site-Scripting.git



Home.html is the home page of this project. You can access it from the browser using this link (the exact URL can differ on your setup).

http://localhost/xss/Home.html


Now you will see the home page.













As you can see, I have divided the home page into two parts (Reflected XSS and Stored XSS). Under Reflected XSS I am going to show how an attacker achieves cross site scripting using four different methods. In all four situations the input is taken from the user and shown as-is in the web page.


1. If user input goes into a p tag or h tag


Click on the first link.













Here, if you provide your first name and last name, something like this will be displayed.










Now I will show how an attacker uses these two textboxes to perform XSS on this particular web page.

The only thing he has to do is provide this line in one of the textboxes.

<script>alert('Cross Site Scripting')</script>








2. If user input goes into a textbox


Click on the second link in the home page.









If you give the user name as Sajith and the password as SAJITH, something like this will be displayed.










Now let's see what will happen if someone inputs this line into the password field.


"/><script>alert('Cross Site Scripting')</script>










3. If user input goes into an HTML hyperlink


Click on the 3rd link on the home page.







When you give a website name in this text box (e.g. google.com), it will be taken as the value of the hyperlink. Then the next page will be displayed, containing the hyperlink to visit the web site.







When you click on "click here", it will direct you to the particular web site you entered on the previous page.









What will happen if we enter something like this in the text box?

"></a><a HREF="javascript:alert('Cross Site Scripting')

Then click on "click here".







4. If user input goes into JavaScript


Click on the 4th link on the home page.









Input your name and click on the button.











This JavaScript alert box will be displayed.

What will happen if an attacker inputs this line into the textbox?

");alert("Cross Site Scripting

First it will show the same pop-up we got earlier (just "Hello").

When we click OK, another pop-up will be displayed.
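The four reflection points above, together with the two fixes listed earlier (input validation and output encoding), as an added example in Node.js that is not part of the post's GitHub project: each context gets a vulnerable template that mirrors the string concatenation of the demo pages and a hardened one that encodes for that specific context, and the post's four payloads are replayed against both. The template markup and the helper names (encodeForHtml, safeHref, encodeForJsString, countScriptTags, countAlerts) are assumptions of this example, not the project's code.

```javascript
// Added example (not code from the post's GitHub project): context-aware
// output encoding for the four reflection points the post walks through,
// with the post's own payloads replayed against a vulnerable and a hardened
// template. Runs offline: node xss_contexts.js

// The four payloads from the post, used here as constructed sample input.
const payloads = {
  body: "<script>alert('Cross Site Scripting')</script>",
  attribute: "\"/><script>alert('Cross Site Scripting')</script>",
  href: "\"></a><a HREF=\"javascript:alert('Cross Site Scripting')",
  js: "\");alert(\"Cross Site Scripting",
};

// Contexts 1 and 2: HTML body (<p>, <h1>) and quoted attribute values.
// Encoding the five metacharacters means input can never open or close a
// tag, an attribute or an entity. Attributes must always be double-quoted.
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Context 3: href. Encoding alone is not enough, because javascript:alert(1)
// is a well-formed, fully encoded URL. Validate instead: accept only http(s)
// URLs with a plain hostname; bare names like "google.com" get https:// added.
function safeHref(input) {
  const raw = String(input).trim();
  const candidate = /^[a-z][a-z0-9+.-]*:/i.test(raw) ? raw : "https://" + raw;
  let url;
  try {
    url = new URL(candidate);
  } catch (e) {
    return null; // unparsable, e.g. a value that tries to break out of the tag
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (!/^[a-z0-9.-]+$/i.test(url.hostname)) return null;
  return url.href;
}

// Context 4: a JavaScript string literal. JSON.stringify yields a quoted,
// escaped literal; "</" is additionally escaped so the value can never
// terminate the enclosing <script> element.
function encodeForJsString(s) {
  return JSON.stringify(String(s)).replace(/<\//g, "<\\/");
}

// Vulnerable templates: raw concatenation, as in the demo pages.
const vulnerable = {
  greeting: (first, last) => `<p>Hello ${first} ${last}</p>`,
  password: (pass) => `<input type="password" value="${pass}">`,
  link: (site) => `<a href="${site}">click here</a>`,
  script: (name) => `<script>alert("Hello ${name}")</script>`,
};

// Hardened templates: identical markup, each value encoded for its context.
const hardened = {
  greeting: (first, last) => `<p>Hello ${encodeForHtml(first)} ${encodeForHtml(last)}</p>`,
  password: (pass) => `<input type="password" value="${encodeForHtml(pass)}">`,
  link: (site) => {
    const href = safeHref(site);
    return href ? `<a href="${encodeForHtml(href)}">click here</a>` : "<span>invalid link</span>";
  },
  script: (name) => `<script>alert(${encodeForJsString("Hello " + name)})</script>`,
};

// Contexts 1-3: the templates contain no script element of their own, so any
// <script in the rendered markup was injected.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Context 4: the template legitimately contains a script, so execute its body
// with a stub alert() (stand-in for the browser) and count how often it fires.
function countAlerts(html) {
  const body = html.match(/<script>([\s\S]*?)<\/script>/)[1];
  let calls = 0;
  new Function("alert", body)(() => { calls += 1; });
  return calls;
}

// Replay every payload against both templates and report what got through.
function demo() {
  return {
    body: { vulnerable: countScriptTags(vulnerable.greeting(payloads.body, "x")),
            hardened: countScriptTags(hardened.greeting(payloads.body, "x")) },
    attribute: { vulnerable: countScriptTags(vulnerable.password(payloads.attribute)),
                 hardened: countScriptTags(hardened.password(payloads.attribute)) },
    href: { vulnerable: vulnerable.link(payloads.href).includes("javascript:"),
            hardened: hardened.link(payloads.href).includes("javascript:") },
    js: { vulnerable: countAlerts(vulnerable.script(payloads.js)),
          hardened: countAlerts(hardened.script(payloads.js)) },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The report shows one injected script element (or, for the JavaScript context, two alert calls instead of one) for every vulnerable template and none for the hardened ones. The href case is the one where encoding is not the answer: the fix is validation of the scheme and host, which is why the hardened link falls back to plain text rather than an encoded but still dangerous URL.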













To those who made it up to this point: CHEERS!!!

If you have any doubt or problem, leave it in the comment section.
