Cross Site Scripting (XSS)

-


Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. 
 
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. 
 
Security on the web depends on a variety of mechanisms, including an underlying concept of trust known as the same-origin policy. This essentially states that if content from one site (such as https://mybank.example1.com) is granted permission to access resources on a system, then any content from that site will share these permissions, while content from another site (https://othersite.example2.com) will have to be granted permissions separately.

Cross-site scripting attacks use known vulnerabilities in web-based applications, their servers, or the plug-in systems on which they rely. Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site. When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, to session cookies, and to a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are a case of code injection.

Microsoft security-engineers introduced the term "cross-site scripting" in January 2000.The expression "cross-site scripting" originally referred to the act of loading the attacked, third-party web application from an unrelated attack-site, in a manner that executes a fragment of JavaScript prepared by the attacker in the security context of the targeted domain (taking advantage of a reflected or non-persistent XSS vulnerability). The definition gradually expanded to encompass other modes of code injection, including persistent and non-JavaScript vectors (including ActiveX, Java, VBScript, Flash, or even HTML scripts), causing some confusion to newcomers to the field of information security.

XSS vulnerabilities have been reported and exploited since the 1990s. Prominent sites affected in the past include the social-networking sites Twitter, Facebook,MySpace, YouTube and Orkut.Cross-site scripting flaws have since surpassed buffer overflows to become the most common publicly reported security vulnerability,with some researchers in 2007 estimating as many as 68% of websites as likely open to XSS attacks.

Types

Reflected (non-persistent)

Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other web site. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a "trusted" server. Reflected XSS is also sometimes referred to as Non-Persistent or Type-II XSS.

Persistent(Stored )

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read.
For example, suppose there is a dating website where members scan the profiles of other members to see if they look interesting. For privacy reasons, this site hides everybody's real name and email. These are kept secret on the server. The only time a member's real name and email are in the browser is when the member is signed in, and they can't see anyone else's.
Suppose that Mallory, an attacker, joins the site and wants to figure out the real names of the people she sees on the site. To do so, she writes a script designed to run from other people's browsers when they visit her profile. The script then sends a quick message to her own server, which collects this information.

To do this, for the question "Describe your Ideal First Date", Mallory gives a short answer (to appear normal) but the text at the end of her answer is her script to steal names and emails. If the script is enclosed inside a tags. Other tags will do exactly the same thing, for example: 





or other attributes like: onmouseover, onerror. 
 
onmouseover 





  



onerror 





 






 



 



XSS
using Script Via Encoded URI Schemes

If we need to hide against web
application filters we may try to encode string characters, e.g.:
a=&#X41 (UTF-8) and use it in IMG tag:

 














There are many different UTF-8
encoding notations what give us even more possibilities. 




XSS
using code encoding

We may encode our script in base64
and place it in META tag. This way we get rid of alert() totally.
More information about this method can be found in RFC
2397







  


















These and others examples can be found
at the OWASP XSS
Filter Evasion Cheat Sheet which is a true encyclopedia of the
alternate XSS syntax attack. 




Examples

Cross-site scripting attacks may
occur anywhere that possibly malicious users are allowed to post
unregulated material to a trusted web site for the consumption of
other valid users. 


The most common example can be
found in bulletin-board web sites which provide web based mailing
list-style functionality. 




Example
1

The following JSP code segment
reads an employee ID, eid, from an HTTP request and displays it to
the user. 



        















The code in this example operates
correctly if eid contains only standard alphanumeric text. If eid has
a value that includes meta-characters or source code, then the code
will be executed by the web browser as it displays the HTTP response. 

 


Initially this might not appear to
be much of a vulnerability. After all, why would someone enter a URL
that causes malicious code to run on their own computer? The real
danger is that an attacker will create the malicious URL, then use
e-mail or social engineering tricks to lure victims into visiting a
link to the URL. When victims click the link, they unwittingly
reflect the malicious content through the vulnerable web application
back to their own computers. This mechanism of exploiting vulnerable
web applications is known as Reflected XSS. 




Example
2

The following JSP code segment
queries a database for an employee with a given ID and prints the
corresponding employee's name. 



 
     





























As in Example 1, this code functions
correctly when the values of name are well-behaved, but it does
nothing to prevent exploits if they are not. Again, this code can
appear less dangerous because the value of name is read from a
database, whose contents are apparently managed by the application.
However, if the value of name originates from user-supplied data,
then the database can be a conduit for malicious content. Without
proper input validation on all data stored in the database, an
attacker can execute malicious commands in the user's web browser.
This type of exploit, known as Stored XSS, is particularly insidious
because the indirection caused by the data store makes it more
difficult to identify the threat and increases the possibility that
the attack will affect multiple users. XSS got its start in this form
with web sites that offered a "guestbook" to visitors.
Attackers would include JavaScript in their guestbook entries, and
all subsequent visitors to the guestbook page would execute the
malicious code. 


As the examples demonstrate, XSS
vulnerabilities are caused by code that includes unvalidated data in
an HTTP response. There are three vectors by which an XSS attack can
reach a victim: 



    

  • 

    
As
 in Example 1, data is read directly from the HTTP request and
 reflected back in the HTTP response. Reflected XSS exploits occur
 when an attacker causes a user to supply dangerous content to a
 vulnerable web application, which is then reflected back to the user
 and executed by the web browser. The most common mechanism for
 delivering malicious content is to include it as a parameter in a
 URL that is posted publicly or e-mailed directly to victims. URLs
 constructed in this manner constitute the core of many phishing
 schemes, whereby an attacker convinces victims to visit a URL that
 refers to a vulnerable site. After the site reflects the attacker's
 content back to the user, the content is executed and proceeds to
 transfer private information, such as cookies that may include
 session information, from the user's machine to the attacker or
 perform other nefarious activities. 
    
 
 
    

    • 

  • 

    
As
 in Example 2, the application stores dangerous data in a database or
 other trusted data store. The dangerous data is subsequently read
 back into the application and included in dynamic content. Stored
 XSS exploits occur when an attacker injects dangerous content into a
 data store that is later read and included in dynamic content. From
 an attacker's perspective, the optimal place to inject malicious
 content is in an area that is displayed to either many users or
 particularly interesting users. Interesting users typically have
 elevated privileges in the application or interact with sensitive
 data that is valuable to the attacker. If one of these users
 executes malicious content, the attacker may be able to perform
 privileged operations on behalf of the user or gain access to
 sensitive data belonging to the user.
    
 
 
    

    • 

  • 
A source outside the
 application stores dangerous data in a database or other data store,
 and the dangerous data is subsequently read back into the
 application as trusted data and included in dynamic content. 
 
    


    • 




Attack
Examples

Example 1 : Cookie Grabber

 



If the application doesn't validate
the input data, the attacker can easily steal a cookie from an
authenticated user. All the attacker has to do is to place the
following code in any posted input(ie: message boards, private
messages, user profiles): 













The above code will pass an escaped
content of the cookie (according to RFC content must be escaped
before sending it via HTTP protocol with GET method) to the evil.php
script in "cakemonster" variable. The attacker then checks
the results of his evil.php script (a cookie grabber script will
usually write the cookie to a file) and use it. 




Error
Page Example

Let's assume that we have an error
page, which is handling requests for a non existing pages, a classic
404 error page. We may use the code below as an example to inform
user about what specific page is missing: 













 





















Let's see how it works: 



http://testsite.test/file_which_not_exist

In response we get: 



Not found: /file_which_not_exist

Now we will try to force the error
page to include our code: 
















The result is: 














We have successfully injected the
code, our XSS! What does it mean? For example, that we may use this
flaw to try to steal a user's session cookie. 







































Comments











Post a Comment



















Popular posts from this blog









How to Repair Kali Linux grub after installing Windows in Dual boot System






-














Image







           If your System has primary OS Windows then you install your secondary OS Kali Linux. That will be OK, Kali Linux puts boot entry of Windows automatically for you. At initial boot menu you can see both OS entry to boot.     If your windows is corrupt in dual boot system or if you want to install windows as secondary OS after installing Kali Linux as primary OS. You may face corrupt boot-loader menu. You wont be able to boot Kali Linux any more because Windows wont put entry of Kali Linux automatically in their boot menu.     So this post motive is to help those guys which are facing those problems subjecting to corrupt Boot-loader. There are mainly two methods:     1. Repair Grub via Kali Linux live USB.     2. Repair Grub Via Boot-rapair-disk.   Method 1# Repair Grub via Kali Linux live USB   It is up to you which you want to choose but if you are Linux familiar then go for this method.   Requirements   1. A Kali Linux ISO image. You can download here:    Download Kali Linux








Read more










PDFCrack - Password Cracking Tool for PDF-files






-














Image







       PDFcrack is a GNU/Linux  tool for cracking password protected PDF files. It is a very small command line application. It is not preinstalled in kali linux. We can install through command line.     For installing pdfcrack      open a terminal and enter apt install pdfcrack           Syntax and options     Usage: pdfcrack -f filename [OPTIONS]               : pdfcrack -f filenmae -w passwordfile.txt      OPTIONS :     -b, --bench  perform benchmark and exit   -c, --charset=STRING Use the characters in STRING as charset   -w, --wordlist=FILE Use FILE as source of passwords to try   -n, --minpw=INTEGER Skip trying passwords shorter than this   -m, --maxpw=INTEGER Stop when reaching this passwordlength   -l, --loadState=FILE Continue from the state saved in FILENAME   -o, --owner  Work with the ownerpassword   -u, --user  Work with the userpassword (default)   -p, --password=STRING Give userpassword to speed up breaking      ownerpassword (implies -o)   -q, --quiet  Run quietly   -s,








Read more










Avet – Open Source Anti-Virus Evasion Tool






-














Image







               When we  want to perform an exploitation to a windows target, we need a payload that is undetectable to Antivirus Solutions. Msfvenom on its own is not enough. So we need an AV evasion tool to make this easy for us. Avet is a tool for building exe files with shellcode payloads for antivirus evasion.   Installing Avet       First  clone the repository to our machine.   git clone https://github.com/govolution/avet.git       After that go inside the folder and run the setup file to install wine and other missing components.   cd avet/            Run the setup file to install the missing components.      ./setup.sh          Select create   for new installation                        Running Avet   There are two ways to run avet.  Run avet by typing the command below.   python avet_fabric.py        There are two ways to run avet. Either by compiling the make_avet script as shown below, or by  running the avet_fabric.py script, as shown.  gcc -0 make_avet make_avet.c         








Read more