Mar 17, 2010

Cross Site Scripting | XSS

Dynamic web applications commonly use cookies, among other things, to keep a unique association with a user account. Sites such as Yahoo, Hotmail and Netscape are examples of this use. Beyond those sites, some electronic commerce sites also use cookies to carry a unique identity for user authentication and authorization: on sites with a log-on flow, two authentication tokens are usually used, namely a username and a password, and a token is then stored in a cookie so that the site can identify the user and maintain a session with the site.

Cross Site Scripting (XSS) is probably the most widely used technique for obtaining this cookie. Once the cookie is obtained, the attacker can load the stolen cookie value into a browser, point that browser at the application site that uses the cookie, and access the victim's account without spending any time breaking the password or the encryption applied to the username and password combination. Other techniques exist, such as cache poisoning, exploiting weaknesses in the client browser, and social engineering to trick users into installing Trojan horses, but these are less popular than XSS.

Cross Site Scripting (XSS) is relatively easy to learn, because it only requires knowledge of HTML and of browser scripting languages such as JavaScript and VBScript, together with some creativity and knowledge of the browser. XSS attacks also exploit the weakness in the trust shared between site owners and users, which makes it quite difficult to tell whether a site has been subjected to an XSS attack or not.

Introduction to XSS Vulnerability

XSS, or cross-site scripting, is a type of attack aimed at other users. It does not give root access to the system or the web server; it only tries to obtain information related to the web application in use, which may be a web-based e-mail application, an online forum or an e-shopping site.

As a simple example of XSS, imagine a guest book where visitors can post their opinion of a site. When someone views the guest book, they can see what previous visitors wrote about the site, and such sites sometimes allow HTML tags in comments, so why not write our comment in the 'Comic Sans' font and in red, so that everyone notices it? Because the browser interprets HTML and the scripts it carries, with a little creativity we can also insert a hidden script into this guest-book comment, and other users will not notice it.

As technology has made web sites more interactive and dynamic, XSS has grown with it. With JavaScript, an XSS attack cannot erase data on the client's hard drive, but it can read the URL the client is currently accessing, see the client's web history or read existing cookies. Small things that can have a big impact.

Anatomy of XSS attacks

A cross-site scripting attack is carried out by giving the victim a specially crafted address prepared by the attacker. In the context of XSS, the attacker invites the victim to open a given URL; by following the link, the victim runs the script it carries on the client computer, which lets the attacker obtain the desired information.

Now let us look at how an XSS attack actually proceeds. Three related stages make up the anatomy of an XSS attack: finding, attack, and exploitation.

Anatomical Findings
The initial stage of an XSS attack comes from imperfections in a web-based application, particularly when it requests input from the user and fails to validate the data in a particular input form.
This lets an attacker insert additional HTML code whose execution they control, running on the page with the permissions the site itself grants. A simple example of a page that can be used for cross-site scripting is shown below:

Once such a page is accessible, the variables are sent through the GET method directly to the intended page. Where the input is not checked as an input variable, the user can insert a few characters that are interpreted as meta characters, much as in SQL injection.

Inserting HTML meta characters produces undesirable output wherever the input is not validated before the output is sent to the client browser. This gives the user control over the HTML and lets them paste a script into the page.

XSS is commonly found on confirmation pages (such as a search engine that echoes the user's input in the search results) and on error pages that help the user correct a form they filled out incorrectly.

The Attack
Once a vulnerable entry point is identified, the attack can be carried out with whichever HTTP method the page accepts: GET, POST or another method.

Insertion with the GET method is the easiest way and also the most frequently encountered, although the user may notice it, because redirections or other addresses appear in the address bar. The method is visible in the URL and is usually recorded in the HTTP server log. An example of an attack with this method is shown below:


Because of the nature of XSS, an attacker cannot directly use the vulnerability for their own benefit. The victim must view the page carrying the inserted code for it to execute; once the victim views it and the code runs, the attacker learns information about the victim.

Compared with the GET method, attacks with the POST method are a little more complicated, since POST variables are sent independently of the request URL; a page is needed that forces the victim's browser to issue a POST request containing the XSS code.
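As an added example (not code from the original post), a defender-side check that follows from the observation above that GET-based insertion is recorded in the HTTP server log: it parses a few constructed access-log lines, URL-decodes each query parameter, and flags requests whose values carry HTML meta characters or event-handler attributes. The Common Log Format layout and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (Common Log Format); not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Mar/2010:10:01:02 +0000] "GET /search.php?q=comic+sans HTTP/1.1" 200 512
10.0.0.7 - - [17/Mar/2010:10:01:09 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640
10.0.0.9 - - [17/Mar/2010:10:02:15 +0000] "GET /guestbook.php?msg=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 700
10.0.0.5 - - [17/Mar/2010:10:03:00 +0000] "POST /guestbook.php HTTP/1.1" 302 0
"""

# One Common Log Format line: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)

# Markup fragments a reflected search or guest-book parameter should never need:
# an opening/closing tag, an on*= event handler, or a javascript: URL.
SUSPECT_RE = re.compile(r'<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:', re.IGNORECASE)

def decode_param_values(path):
    """Return the URL-decoded values of every query parameter in a request path."""
    query = urlsplit(path).query
    values = [v for _, v in parse_qsl(query, keep_blank_values=True)]
    # Decode a second time so a double-encoded value is also inspected in clear.
    return [unquote_plus(v) for v in values]

def scan_access_log(text):
    """Return (ip, method, path) for GET requests whose query values look like HTML."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue  # POST bodies are not in the access log, as the text notes
        for value in decode_param_values(m.group("path")):
            if SUSPECT_RE.search(value):
                hits.append((m.group("ip"), m.group("method"), m.group("path")))
                break
    return hits

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspect GET parameter:", hit)
```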

More recently, XSS attacks have used the TRACE method. These attacks take advantage of ActiveX: information about the user is sent in a TRACE request through the client browser, and can also be converted into XML, so neither the client nor the web site notices. This method is able to bypass HTTP security.

After the attack, the attacker can exploit the target web site. Exploitation is usually done with the victim's session, acting as the victim when accessing the target site. The resulting damage can harm both the web site and the victim. After this exploitation, the XSS attack can be said to be complete.

Cross Site Scripting is often ignored in the development of a web site, even as the use of dynamic web applications grows. The resulting vulnerabilities threaten the relationship between users and web site owners. XSS attack methods also evolve along with web application protocols and the languages used, so there is no guarantee that an XSS attack will not occur.

There are a few suggestions for effective safeguards:
  1. The web developer should test every page built, and re-check every input from the user, to close the gaps that XSS attacks exploit.

  2. Users of dynamic web applications should be careful, since encryption and firewalls are no guarantee that these web applications are safe.
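The following is an added example, not code from the original post: it shows the vulnerable search-page pattern described under the findings above beside its hardened form, together with the per-input check that point 1 recommends. The function and attribute names are assumptions, and the cookie attributes in `session_cookie_header` are an added mitigation the post does not mention.

```python
import html

# Constructed inputs: a harmless query, one carrying tags, one breaking out of an attribute.
SAMPLE_QUERIES = ["comic sans", "<script>alert(1)</script>", '" onmouseover="alert(1)']

def render_search_unsafe(query):
    """The vulnerable pattern from the text: user input pasted straight into the page."""
    return "<p>Results for: <b>" + query + "</b></p>"

def render_search_safe(query):
    """Hardened: encode the HTML meta characters & < > " ' before output, so the
    browser displays the input as text instead of interpreting it as markup."""
    return "<p>Results for: <b>" + html.escape(query, quote=True) + "</b></p>"

def render_attr_safe(query):
    """Same encoding when re-filling a form field, where a quote would end the attribute."""
    return '<input name="q" value="' + html.escape(query, quote=True) + '">'

def reflects_markup(rendered, query):
    """Per-input check for point 1: does a query containing meta characters survive
    into the rendered output unchanged? True means the page is injectable."""
    return any(ch in query for ch in '<>"\'') and query in rendered

def audit(render):
    """Run the check over the sample inputs; return the queries the renderer reflects."""
    return [q for q in SAMPLE_QUERIES if reflects_markup(render(q), q)]

def session_cookie_header(token):
    """Added mitigation (not in the original text): HttpOnly keeps scripts from reading
    the session token, Secure keeps it off plain HTTP."""
    return "Set-Cookie: session=%s; Path=/; HttpOnly; Secure" % token

if __name__ == "__main__":
    print("unsafe renderer reflects:", audit(render_search_unsafe))
    print("safe renderer reflects:  ", audit(render_search_safe))
    print(session_cookie_header("EXAMPLE-TOKEN"))
```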

