Monday, April 11, 2011

Cross Site Scripting

Previously I wrote about the OWASP top 10 vulnerabilities. However, my GURUJI asked me to post each topic individually.

Cross Site Scripting

Robert "RSnake" Hansen is widely regarded as the guru of XSS. Let's learn what XSS is.

Cross-site scripting (XSS) is a type of web application vulnerability that lets an attacker inject script into pages viewed by other users. Because the injected script runs in the victim's browser under the origin of the vulnerable site, it slips past the browser's same-origin protections for that site: the attacker can read sensitive page content, steal session cookies that are not marked HttpOnly, issue requests as the victim, and reach anything else the page's own scripts can reach.


XSS is commonly classified into three types:


1. Non-Persistent (Reflected)

2. Persistent (Stored) and

3. DOM based


Non-Persistent (Reflected):


Non-persistent (reflected) XSS is the most common form found on the Net. It is called non-persistent because the payload is never stored anywhere: the attacker-supplied data (typically a URL parameter or form field) is echoed straight back in the immediate HTTP response, for example in a search results page or an error message. The attacker therefore has to deliver a crafted URL to the victim (by e-mail, a forum post, a shortened link), and when the victim's browser renders the response the injected script executes in the context of the vulnerable site. The server does not execute the script; it merely reflects it into the HTML that the victim's browser runs.


Persistent (Stored):

A persistent XSS is also known as stored XSS. The vulnerability exists when data provided to a web application by a user is first stored persistently on the server (in a database, file system, or other location) and later displayed to other users in a web page without being encoded for the HTML context it lands in (for example with HTML entities). A classic example is an online message board where users are allowed to post: every visitor who views the stored post runs the script, so no crafted link has to be delivered.


DOM Based XSS:

In DOM-based XSS the flaw lies in the page's own client-side JavaScript rather than in the server's response. The script reads attacker-controllable data from a DOM source such as location.hash, document.URL or document.referrer and writes it into the page through a sink such as innerHTML or document.write() without encoding it. The server may never see the payload at all, particularly when it rides in the URL fragment (the part after #), which the browser does not send to the server.

The attacker still has to deliver a crafted link to the victim. When the victim opens it, the vulnerable page's own script builds the malicious markup, and the injected code runs with the privileges of the victim's session on that site. It does not hand the attacker control of the victim's computer; it gives the attacker the same access to the site that the victim's browser has.
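As an added illustration (not part of the original post), the following Node.js script models the classic DOM-based case: a hypothetical page, search.php, whose own script copies location.hash into the document. The URL, page name and element are assumed for the demo. It shows that the payload rides in the fragment, which the browser never transmits, and that the client-side sink turns it into markup.

```javascript
// Added example (not from the original post): why a DOM-based payload can
// bypass every server-side filter. Models a hypothetical page, search.php,
// whose own client-side script does roughly:
//   document.getElementById('out').innerHTML =
//     'Results for: ' + decodeURIComponent(location.hash.slice(1));
// The DOM calls are factored into pure functions so the flow runs under Node.

// The request line the browser actually sends for a URL. The fragment (#...)
// is never transmitted, so server-side filters and access logs never see it.
function requestLineFor(href) {
  const url = new URL(href);
  return 'GET ' + url.pathname + url.search + ' HTTP/1.1';
}

// The vulnerable sink: text from the fragment is concatenated into HTML that
// the page then assigns to innerHTML. Returns the markup the browser would parse.
function renderResults(hash) {
  return 'Results for: ' + decodeURIComponent(hash.slice(1));
}

// Constructed attacker link: the whole payload rides in the fragment, and the
// query string looks perfectly innocent to the server.
const attackerLink = 'https://site.com/search.php?q=shoes#<img src=x onerror=alert(1)>';

// Runs the two halves of the flow and returns what each side sees.
function demo(href = attackerLink) {
  const url = new URL(href);
  return {
    serverSees: requestLineFor(href),        // 'GET /search.php?q=shoes HTTP/1.1'
    browserBuilds: renderResults(url.hash),  // markup containing the <img onerror> payload
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The fix for this class of bug is on the client: assign the data with textContent (or createTextNode) instead of innerHTML or document.write(), so the fragment is treated as text and never parsed as markup. Encoding on the server cannot help, because the server never receives the fragment.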


Finding XSS Vulnerabilities


Most of us have tried to find an XSS hole by entering a probe like this

<script>alert('XSS')</script>

into a search field and hoping for a pop-up box saying XSS. But that is not always enough to find an XSS vulnerability.

Sometimes we need to bypass filters.

Here we will use the built-in JavaScript function String.fromCharCode(), which builds a string from a list of character codes. It lets us produce a string such as 'XSS' without writing a single quote character, which defeats filters that strip or block quotes.

For Example


<script>alert('XSS')</script>

and

<script>alert(String.fromCharCode(88, 83, 83))</script>


Note: 88 and 83 are the ASCII (and Unicode) values for X and S respectively. Visit http://www.asciitable.com for more.
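To make the bypass concrete, here is an added Node.js example (not code from the original post). It defines a hypothetical blacklist filter that deletes quote characters, generates the fromCharCode form of any text, and shows what each payload evaluates to after filtering.

```javascript
// Added example (not from the original post): a hypothetical blacklist filter
// that strips quote characters, and how String.fromCharCode() sidesteps it.

// Hypothetical server-side "XSS filter": deletes single and double quotes so
// that, in theory, no JavaScript string literal can be written.
function stripQuotes(input) {
  return input.replace(/['"]/g, '');
}

// Turn any text into a quote-free JavaScript expression that evaluates to it.
// charCodeAt() yields UTF-16 code units, which is exactly what fromCharCode() takes.
function toFromCharCode(text) {
  const codes = Array.from(text, ch => ch.charCodeAt(0));
  return 'String.fromCharCode(' + codes.join(', ') + ')';
}

// Evaluate a JavaScript expression the way the victim's browser would.
// Used here only to confirm what each payload yields after filtering.
function evaluate(expr) {
  return Function('return (' + expr + ');')();
}

// Compare a quoted literal with its fromCharCode form against the filter.
function compare(text) {
  const quoted = "'" + text + "'";        // e.g. 'XSS'
  const encoded = toFromCharCode(text);   // e.g. String.fromCharCode(88, 83, 83)
  const result = { encoded };

  // The filter turns 'XSS' into the bare identifier XSS, so alert(XSS) throws
  // a ReferenceError and the injected script dies before it does anything.
  try {
    result.quotedAfterFilter = evaluate(stripQuotes(quoted));
  } catch (e) {
    result.quotedAfterFilter = e.constructor.name;
  }

  // The encoded form contains no quotes, passes the filter unchanged and still
  // evaluates to the original text.
  result.encodedSurvives = stripQuotes(encoded) === encoded;
  result.encodedValue = evaluate(stripQuotes(encoded));
  return result;
}
```

compare('XSS') reports that the quoted payload fails with a ReferenceError after filtering while String.fromCharCode(88, 83, 83) survives and still yields "XSS". The trick only defeats quote filtering: it does not hide <script or the parentheses, and the same reasoning applies to any blacklist, which is why the reliable defence is encoding output rather than filtering input.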

There are many ways to bypass filters. Some of them are listed below. The leading "> closes an attribute value and its tag when the input is reflected inside an HTML attribute, and the /Hyderbad Hacker/ form is a regular-expression literal, which avoids quote characters altogether:

site.com/search.php?q="><script>alert('Hyderbad Hacker')</script>

site.com/search.php?q="><script>alert("Hyderbad Hacker")</script>

site.com/search.php?q="><script>alert("Hyderbad Hacker");</script>

site.com/search.php?q="><script>alert(/Hyderbad Hacker/);</script>

site.com/search.php?q=//"><script>alert(/Hyderbad Hacker/);</script>

site.com/search.php?q=abc<script>alert(/Hyderbad Hacker/);</script>

site.com/search.php?q=abc"><script>alert(/Hyderbad Hacker/);</script>

Securing XSS

To fix the XSS vulnerability, encode output with htmlentities() or htmlspecialchars(), and

Validate all user input, then encode every value at the point where it is written into the page, for the context it lands in (HTML body, attribute, JavaScript, URL). Escaping special characters in SQL queries protects against SQL injection, which is a separate problem; it does nothing against XSS.

For example:

The vulnerable code looks like this:

<span class="abc">Search result :</span>&nbsp;<strong><?php echo $_POST['vulnerability']; ?></strong>

To secure it, change this to:

<span class="abc">Search result :</span>&nbsp;<strong><?php
if (isset($_POST['vulnerability'])) {
    echo htmlentities($_POST['vulnerability'], ENT_QUOTES, 'UTF-8');
} ?></strong>

ENT_QUOTES makes the single quote (') encoded as well. The default flag (ENT_COMPAT in PHP versions before 8.1) encodes only double quotes, so a value echoed inside a single-quoted attribute would stay exploitable. Passing the charset keeps the encoding consistent with the page.

The htmlspecialchars() function in PHP converts only the characters with special meaning in HTML: &, <, >, " and (with ENT_QUOTES) '. That is enough for output into HTML text and quoted attributes.

Other functions:

htmlentities() does the same and additionally converts every other character that has a named HTML entity; it needs the same ENT_QUOTES flag for single quotes.

strip_tags() removes HTML tags from a string. It is not an XSS fix on its own: a payload such as ' onmouseover='alert(1) contains no tag and passes through unchanged, and it does nothing for data written into JavaScript or URLs.
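The following is an added Node.js model of the PHP fix, not code from the original post. escapeHtml() mirrors htmlspecialchars() with its ENT_COMPAT and ENT_QUOTES flags, the templates stand in for the page's <strong><?php echo ... ?></strong> and a hypothetical search box that refills the submitted value, and the payloads are constructed for the demo. It shows that the right encoding depends on where the value lands, and why strip_tags() is not a fix.

```javascript
// Added example (not from the original post): a Node.js model of the PHP fix.
// escapeHtml() mirrors htmlspecialchars() with its ENT_COMPAT / ENT_QUOTES flags,
// and the templates stand in for the page's <strong><?php echo ... ?></strong>
// and a hypothetical search box. Payloads are constructed for this demo.

// htmlspecialchars(): ENT_COMPAT (the default before PHP 8.1) encodes & < > and
// the double quote only; ENT_QUOTES also encodes the single quote as &#039;.
function escapeHtml(s, flags = 'ENT_QUOTES') {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  const pattern = flags === 'ENT_QUOTES' ? /[&<>"']/g : /[&<>"]/g;
  return String(s).replace(pattern, c => map[c]);
}

// A crude strip_tags(): removes anything shaped like a tag, nothing else.
function stripTags(s) {
  return String(s).replace(/<[^>]*>/g, '');
}

// Where the echoed value lands decides which characters are dangerous.
const render = {
  // The page's own markup: raw echo vs. encoded echo in element text.
  vulnerableBody: q => '<strong>' + q + '</strong>',
  escapedBody:    q => '<strong>' + escapeHtml(q) + '</strong>',
  // The same value refilled into the search box, inside a single-quoted attribute.
  compatAttr:     q => "<input name='q' value='" + escapeHtml(q, 'ENT_COMPAT') + "'>",
  quotesAttr:     q => "<input name='q' value='" + escapeHtml(q, 'ENT_QUOTES') + "'>",
  strippedAttr:   q => "<input name='q' value='" + stripTags(q) + "'>",
};

// Constructed payloads: the post's tag-based probe, and one with no tag at all
// that only needs to terminate an attribute value.
const payloads = {
  scriptTag: '"><script>alert(/XSS/)</script>',
  attrBreak: "' onmouseover='alert(1)",
};

// Render every payload through every template; returns the resulting HTML
// keyed by context and payload name.
function report() {
  const out = {};
  for (const [context, template] of Object.entries(render)) {
    out[context] = {};
    for (const [name, payload] of Object.entries(payloads)) {
      out[context][name] = template(payload);
    }
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(report());
}
```

In report(), escapedBody neutralises both payloads, but compatAttr and strippedAttr both produce <input name='q' value='' onmouseover='alert(1)'>: the single quote closes the attribute value and a new event-handler attribute follows, with no tag for strip_tags() to remove. Only quotesAttr keeps the quote inside the value as &#039;, which is why the fixed snippet above passes ENT_QUOTES explicitly. Output written inside a <script> block or into a URL is not modelled here; those contexts need JavaScript or URL encoding rather than HTML entities.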

--


I hope you like this article.
