1. 23/02/2011
Cross Site Scripting (XSS)
• Is a type of computer security vulnerability
typically found in web applications that enables
malicious attackers to inject client-side script into
Cross Site Scripting (XSS)
web pages viewed by other users
• The attack steals access credentials, executes
denial-of-service and modifies web pages in
order to execute any command at the client
machine
The players
Input Vulnerabilities
– An Attacker
1. A Web application that accepts user input • Anonymous Internet User
• Malicious Internal User
– A company’s Web server (i.e. Web application)
2. The input is used to create dynamic content
• External (e.g.: Shop, Information, CRM,
Supplier)
3. The input is insufficiently validated • Internal (e.g.: Employees Self Service Portal)
– A Client
• Any type of customer
• Anonymous user accessing the Web-Server
XSS Steps Example: XSS (jsp)
Attacker Web Server
Post Forum Message: Did you know this?
Subject: GET Money for FREE !!! .....
http://myserver.com/test.jsp?name=Stefan
GET Money for FREE !!!
Body:
<script> attack code </script>
<script> attack code </script> <HTML>
Re: Error message on startup
.....
I found a solution!
<Body>
.....
Can anybody help? Welcome Stefan
.....
Get /forum.jsp?fid=122&mid=2241
Error message on startup </Body>
.....
</HTML>
1. Attacker sends malicious code
http://myserver.com/welcome.jsp?name=<script>alert("Attacked")</script>
2. Server stores message GET Money for FREE !!!
<script> attack code </script>
<HTML>
3. User requests message <Body>
4. Message is delivered by server Client Welcome
<script>alert("Attacked")</
5. Browser executes script in message !!! attack code !!! script>
(c) 2005, EUROSEC GmbH Chiffriertechnik & Sicherheit
</Body> 6
(c) 2005, EUROSEC GmbH Chiffriertechnik & Sicherheit 5 </HTML>
1

2. 23/02/2011
Mitigation Mitigation
• Input Validation • Implement Cookie Options
– Check if the input is what you expect – "httpOnly" Cookies
• Prevent disclosure of cookie via DOM access
• Do not try to check for "bad input"
– use with care, browser compatibility problems may occur
– Whitelist testing is better • But: cookies are sent in each HTTP requests
– E.G. Trace-Method can be used to disclose cookie
• Only what you expect will pass
• Passwords still may be stolen via XSS
• (correct) Regular expressions – "secure" Cookies
* Blacklist testing is no solution because blacklists are • Cookies are only sent over SSL
never complete.
Mitigation Mitigation
• Use Web Application Firewalls • XSS-Prevention Best Practices
– Check for malicous input values – Implement the mentioned XSS-Mitigation in
– Check for modification of read-only parameters applications
– Block requests or filter out parameters – Do not assume input values are benign
– Do not trust client side validation
– Check and validate all input before processing
– Do not echo any input value without validation
– Use one conceptual solution in all applications
2