Cross Site Scripting – part 2

DEMO

Let's get our hands dirty with XSS 😛

EXAMPLE 1

1) Prompted to input data in a text field, we insert a script there.

[screenshot: 1xss.PNG]

2) Here we have the output.

[screenshot: 3xss]

EXAMPLE 2

How about comment fields?

[screenshot: 4xss]

1) Tried entering <script>, but all in vain.

[screenshot: 5xss]

2) Images are good: an <img> tag gets through where <script> did not.

[screenshot: 8xss level2]

3) SUCCESS

[screenshot: 9xss level2]

EXAMPLE 3

1) Here the code is not designed to handle errors.

[screenshot: 4xss level]

2) We enter 112, a value for which there is no image.

[screenshot: 5xx]

3) SUCCESS

[screenshot: 6xss]

Enough playing around. Let's fix this.

REMEDIATION

  • Data should not be allowed to break out of the entry point it was supplied in
  • Data should not be able to interact with the code
  • Data should never be treated as code
  • Input filtering/sanitisation
  • HTML encoding
  • Escaping
  • Content Security Policy (CSP)
  • Web browser security
  • Secure coding

Filtering or sanitisation is one way to prevent XSS. There is a small difference between the two kinds of filtering:

  • Input filtering filters all the data as it is received and parsed.
  • Output filtering filters all the data at the point where it is written back to the page.

Let's take an example: a simple filter searches for <script> and removes it.

For the input below

<scr<script>ipt>alert('xss present')

the filter removes the one <script> it finds, and the output is:

<script>alert('xss present')

thus making the attack successful. A filter that looks for a fixed string and runs only once can always be fed input that turns into the forbidden string after filtering, which is why removal-based blacklists are the weakest of the options listed above.
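To make the bypass above concrete, here is an added example (my code, not the post's) that runs the nested payload, a mixed-case variant, and the <img>/onerror trick from Example 2 through three blacklist filters of increasing strictness. All payloads are constructed for the demo, and the "still executable" check is a deliberately rough regex, not a browser.

```javascript
// Added example, not code from the original post: three blacklist filters of
// increasing strictness, and the constructed payloads that get past each.
// Nothing here touches a browser; the functions only return what each filter
// leaves behind so the results can be inspected.

// Filter 1, the one from the text: a single pass that removes the literal
// string "<script>" wherever it occurs.
function naiveFilter(input) {
  return input.split("<script>").join("");
}

// Filter 2: keeps removing "<script>" until the string stops changing, so
// the nested payload no longer reassembles after one pass.
function repeatedFilter(input) {
  let previous;
  let current = input;
  do {
    previous = current;
    current = previous.split("<script>").join("");
  } while (current !== previous);
  return current;
}

// Filter 3: like filter 2, but case-insensitive, because tag names are.
function caseInsensitiveFilter(input) {
  let previous;
  let current = input;
  do {
    previous = current;
    current = previous.replace(/<script>/gi, "");
  } while (current !== previous);
  return current;
}

// Rough check of whether what survived would still execute in a browser:
// an intact opening <script> tag, or an on* event-handler attribute such as
// onerror or onmouseover (the route the post's Example 2 used).
function stillExecutable(html) {
  return /<script\b/i.test(html) || /\son[a-z]+\s*=/i.test(html);
}

// Constructed payloads, ordered by the filter they defeat. The first is the
// post's own example with a closing tag added.
const PAYLOADS = {
  nested: "<scr<script>ipt>alert('xss present')</script>",   // beats filter 1
  mixedCase: "<ScRiPt>alert('xss present')</ScRiPt>",         // beats filters 1 and 2
  imgTag: "<img src=x onerror=alert('xss present')>",         // beats all three
};

// Run every payload through every filter. Returns, per payload and filter,
// the filtered string and whether it still looks executable.
function evaluateFilters() {
  const filters = { naiveFilter, repeatedFilter, caseInsensitiveFilter };
  const results = {};
  for (const [payloadName, payload] of Object.entries(PAYLOADS)) {
    results[payloadName] = {};
    for (const [filterName, filter] of Object.entries(filters)) {
      const output = filter(payload);
      results[payloadName][filterName] = { output, bypassed: stillExecutable(output) };
    }
  }
  return results;
}

// Print a small table when run with node.
for (const [payloadName, perFilter] of Object.entries(evaluateFilters())) {
  for (const [filterName, { output, bypassed }] of Object.entries(perFilter)) {
    console.log(`${payloadName.padEnd(10)} ${filterName.padEnd(22)} ${bypassed ? "BYPASSED" : "blocked "} ${output}`);
  }
}
```

Each "fix" to the filter only moves the goalposts: the repeated pass stops the nested payload, the case-insensitive pass stops <ScRiPt>, and neither has anything to say about an <img> tag with an onerror handler, because the blacklist never knew about it. That is the argument for encoding on output rather than hunting for bad strings on input.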

Alternatively, we can also use a WAF (web application firewall), which will alert on or drop the request depending on its configuration. A WAF is still pattern matching in front of the application, so the same bypass ideas apply to it; treat it as an extra layer, not the fix. WAFs will be dealt with in a separate article.

ENCODING and ESCAPING

Use a vetted encoding library (ex. the Microsoft Anti-Cross Site Scripting Library) rather than writing your own. HTML encoding on its own is not enough everywhere data can land: it protects element content and quoted attribute values, but it will not help when the data ends up inside a script block, inside an event-handler attribute (onmouseenter="..." and friends) or in an unquoted attribute, where a single space is enough to start a new attribute. Those contexts need their own escaping rules: ESCAPE THEM for the context they are written into.

Escaping masks the input so that the result is not interpreted as code.

<script>alert   – before escaping

&lt;script&gt;alert   – after escaping
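The before/after above is the element-content case. As an added example (my code, not the post's), the block below renders one untrusted comment into four sinks with the escaping each context needs, and keeps the unquoted-attribute sink in as the bug the previous paragraph warns about. The sample comments are constructed for the demo.

```javascript
// Added example, not code from the original post: output encoding chosen per
// context. Element content and quoted attribute values take HTML entities;
// data written into a <script> block takes JavaScript string escaping; an
// unquoted attribute cannot be made safe by HTML entities at all. The
// comment strings below are constructed for the demo.

// HTML-entity encode the five characters that matter inside element content
// and inside double-quoted attribute values.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Escape for a JavaScript string literal inside <script>: everything except
// letters, digits and space becomes \uXXXX, so neither a quote, nor
// "</script>", nor a newline can survive in the output.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).toUpperCase().padStart(4, "0"));
}

// Render one untrusted comment into four sinks. The first three are correct
// for their context; the fourth is the bug the text warns about.
function renderComment(comment) {
  return {
    // Element body: entities are enough.
    body: `<p>${escapeHtml(comment)}</p>`,
    // Quoted attribute value: same entities, and the quotes are essential.
    attribute: `<input type="text" value="${escapeHtml(comment)}">`,
    // Inside a script: JS escaping. HTML entities here would be shown to the
    // user as literal text and would not stop </script> from closing the block.
    script: `<script>var comment = "${escapeJsString(comment)}";</script>`,
    // Unquoted attribute (WRONG): a space in the data ends the value and the
    // rest becomes new attributes, so onmouseover=... runs without any < or >.
    unquotedAttribute: `<input type="text" value=${escapeHtml(comment)}>`,
  };
}

// Constructed inputs: the post's example, a script-context breakout, and an
// event-handler injection that contains no angle brackets at all.
const SAMPLES = [
  "<script>alert",
  '</script><script>alert("xss present")</script>',
  "x onmouseover=alert(1)",
];

for (const sample of SAMPLES) {
  console.log(JSON.stringify(sample));
  for (const [context, rendered] of Object.entries(renderComment(sample))) {
    console.log(`  ${context.padEnd(18)} ${rendered}`);
  }
}
```

Run it and compare the third sample across sinks: the quoted attribute keeps "x onmouseover=alert(1)" inert inside the quotes, while the unquoted one turns the same entity-encoded string into a live event handler. The lesson is that the encoder and the template have to agree on the context; an encoder alone cannot rescue a sink that was written wrongly.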

CSP

CSP creates a source whitelist for client-side resources: where scripts may come from, where images may come from, where CSS may come from. It has a directive for each resource type, for example:

  • img-src:
  • style-src:
  • script-src:

These are sent in the Content-Security-Policy HTTP response header. CSP is a second layer: it limits what an injected script can do (inline scripts and scripts from non-whitelisted hosts are refused), but it does not remove the injection itself, so it is used alongside encoding, not instead of it.

WEB Browser Security

  • Browser selection – since attackers want to reach the largest audience, attacks are built to work on the most common browsers. A rarely used browser may fall outside what the attacker tested against, but this is obscurity, not a control.
  • Use of extensions, ex. NoScript for Firefox
  • Disabling some features (JS) – this might break the site, but provides protection
  • Use VMs (virtual machines) – even if the browser in the VM is compromised, important data kept on the host stays out of reach
  • Don't click links in emails – manually browse to the site; hover over URLs to see the real destination
  • Long URLs – decode them and check whether HTML is embedded in them