How Cross-Site Scripting (XSS) Attacks Sneak into Unprotected Websites (Plus: How to Block Them)

Oct 14, 2011 11:42 PM

XSS stands for cross-site scripting, which is a form of web-based exploitation that uses client-side vulnerabilities in a web page to execute malicious JavaScript codes. JavaScript is referred to as "cross-site" because it usually involves an external website containing the malicious code. That code is most commonly used to steal cookies with a website that the attacker created and hosted on another server. The cookies can then be used to escalate privileges and gain root access to someone's website. XSS can be used for a number of other things, such as crashing users' web browsers. As many as 68% of websites have XSS vulnerabilities.

This is not good.

What Makes it Happen?

When a web developer isn't sanitizing user input by stripping malicious tags (i.e.

This would cause an alert to appear with your session cookie in the browser, but the web page executed it. What does this mean? It's vulnerable.

We could then alter the attack to be directed towards a cookie logging script at our domain, and mask it in HTML and send it to fellow users:

">www.google.com

That would appear legitimate to the person being attacked. If there was no HTML allowed, you could always mask the link with a URL shortener.

Persistent Attacks

Persistent attacks are probably what you assume they are—persistent. The effect of persistent XSS attack will remain, not just temporarily effecting a specific user. This is because the attack vector is stored on the server, and the changes to the webpage are permanent. These are commonly executed on forums or on sites where you can customize your webpage with HTML and save the malicious JavaScript, rather than just execute it.

The attack is performed similar to the last attack, aside from being posted in a static location. Let's take a look at how the attacks will differ:

Everyone who views this page will have their cookies logged to a remote cookie-logging script.

How to Defend Yourself

If you're a web developer, there is only one way to prevent this. Close your tags properly and sanitize input!

For the rest of us, there exists NoScript, a plugin for Firefox that blocks JavaScript and filters XSS attacks. It allows you to white list and selectively allow which domains have the right to use JavaScript. It is the single best plugin you can have for your browser, hands down.

That's all for this Null Byte.

I know this is a hard subject to wrap your head around, so if you're a beginner, keep me and the rest of the crew entertained with your questions in IRC!

Comments

No Comments Exist

Be the first, drop a comment!