Reply to thread

Message: <blockquote data-quote="asachan" data-source="post: 4443397" data-attributes="member: 189916">Background When <a href="http://en.wikipedia.org/wiki/Netscape" target="_blank">Netscape</a> first introduced the <a href="http://en.wikipedia.org/wiki/JavaScript" target="_blank">JavaScript</a> language, they realized the security risks of allowing a <a href="http://en.wikipedia.org/wiki/Web_server" target="_blank">Web server</a> to send executable code to a browser (even if only in a browser <a href="http://en.wikipedia.org/wiki/Sandbox_%28computer_security%29" target="_blank">sandbox</a>). One key problem with this is the case where users have more than one browser window open at once. In some instances, a script from one page should be allowed to access data from another page or object, but in others, this should be strictly forbidden, as a malicious Web site could attempt to steal sensitive information this way. For this reason, the same-origin policy was introduced. Essentially, this policy allows any interaction between objects and pages, so long as these objects come from the same <a href="http://en.wikipedia.org/wiki/Domain_name_system" target="_blank">domain</a> and over the same <a href="http://en.wikipedia.org/wiki/Protocol_%28computing%29" target="_blank">protocol</a>. That way, a malicious Web site would not be able to access sensitive data in another browser window via JavaScript. Since then, other similar access-control policies have been adopted in other browsers and client-side scripting <a href="http://en.wikipedia.org/wiki/Programming_language" target="_blank">languages</a> to protect users from malicious Web sites. In general, cross-site scripting holes can be seen as vulnerabilities which allow attackers to bypass these mechanisms. By finding clever ways of injecting malicious script into pages served by other domains, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other objects. <a href="http://www.elakiri.com/forum/" target="_blank">http://www.elakiri.com/forum/</a> Terminology The term cross-site scripting is not a very accurate description of this class of vulnerability. In the words of XSS pioneer Marc Slemko: This issue isn't just about scripting, and there isn't necessarily anything cross-site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name. The acronym CSS was often used in the early days to refer to cross-site scripting vulnerabilities, but this quickly became confusing in technical circles because both <a href="http://en.wikipedia.org/wiki/Cascading_Style_Sheets" target="_blank">Cascading Style Sheets</a> and the <a href="http://en.wikipedia.org/wiki/Content-scrambling_system" target="_blank">Content-scrambling system</a> shared the same acronym. Perhaps the first use of the abbreviation XSS was by Steve Champeon in his <a href="http://en.wikipedia.org/wiki/Webmonkey" target="_blank">Webmonkey</a> article <a href="http://www.webmonkey.com/webmonkey/00/18/index3a.html" target="_blank">"XSS, Trust, and Barney"</a>. In 2002, Steve also posted the suggestion of using XSS as an alternative abbreviation to the <a href="http://en.wikipedia.org/wiki/Bugtraq" target="_blank">Bugtraq</a> mailing list. In a rare show of unity, the security community quickly adopted the alternative, and CSS is seldom used today to refer to cross-site scripting, although a few existing pages still use it this way. <a href="http://www.elakiri.com/forum/" target="_blank">http://www.elakiri.com/forum/</a> Types There are three distinct known types of XSS vulnerability to date. (These will be labeled Type 0, Type 1, and Type 2 for the purposes of this discussion, but these names are by no means industry standard nomenclature. Where possible, other names for these will be provided.) <a href="http://www.elakiri.com/forum/" target="_blank">http://www.elakiri.com/forum/</a> Type 0 This form of XSS vulnerability has been referred to as DOM-based or Local cross-site scripting, and while it is not new by any means, a recent paper (<a href="http://www.webappsec.org/projects/articles/071105.shtml" target="_blank">DOM-Based cross-site scripting</a>) does a good job of defining its characteristics. With Type 0 cross-site scripting vulnerabilities, the problem exists within a page's client-side script itself. For instance, if a piece of JavaScript accesses a URL request parameter and uses this information to write some HTML to its own page, and this information is not encoded using HTML entities, an XSS hole will likely be present, since this written data will be re-interpreted by browsers as HTML which could include additional client-side script.   In practice, exploiting such a hole would be very similar to the exploit of Type 1 vulnerabilities (see below), except in one very important situation. Because of the way <a href="http://en.wikipedia.org/wiki/Internet_Explorer" target="_blank">Internet Explorer</a> treats client-side script in objects located in the "local zone" (for instance, on the client's local hard drive), an XSS hole of this kind in a local page can result in remote execution vulnerabilities. For example, if an attacker hosts a malicious website, which contains a link to a vulnerable page on a client's local system, a script could be injected and would run with privileges of that user's browser on their system. This bypasses the entire client-side sandbox, not just the cross-domain restrictions that are normally bypassed with XSS exploits. <a href="http://www.elakiri.com/forum/" target="_blank">http://www.elakiri.com/forum/</a> Type 1 This kind of cross-site scripting hole is also referred to as a non-persistent or reflected vulnerability, and is by far the most common type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page. A classic example of this is in site search engines: if one searches for a string which includes some HTML special characters, often the search string will be redisplayed on the result page to indicate what was searched for, or will at least include the search terms in the text box for easier editing. If all occurrences of the search terms are not HTML entity encoded, an XSS hole will result.   At first blush, this does not appear to be a serious problem since users can only inject code into their own pages. However, with a small amount of <a href="http://en.wikipedia.org/wiki/Social_engineering_%28computer_security%29" target="_blank">social engineering</a>, an attacker could convince a user to follow a malicious URL which injects code into the results page, giving the attacker full access to that page's content. Due to the general requirement of the use of some social engineering in this case (and normally in Type 0 vulnerabilities as well), many programmers have disregarded these holes as not terribly important. This misconception is sometimes applied to XSS holes in general (even though this is only one type of XSS) and there is often disagreement in the security community as to the importance of cross-site scripting vulnerabilities. <a href="http://www.elakiri.com/forum/" target="_blank">http://www.elakiri.com/forum/</a> Type 2 This type of XSS vulnerability is also referred to as a stored or persistent or second-order vulnerability, and it allows the most powerful kinds of attacks. A type 2 XSS vulnerability exists when data provided to a web application by a user is first stored persistently on the server (in a database, filesystem, or other location), and later displayed to users in a web page without being encoded using HTML entities. A classic example of this is with online message boards, where users are allowed to post HTML formatted messages for other users to read.   These vulnerabilities are usually more significant than other types because an attacker can inject the script just once. This could potentially hit a large number of other users with little need for <a href="http://en.wikipedia.org/wiki/Social_engineering_%28computer_security%29" target="_blank">social engineering</a> or the web application could even be infected by a <a href="http://www.bindshell.net/papers/xssv/" target="_blank">cross-site scripting virus</a>.   The methods of injection can vary a great deal, and an attacker may not need to use the web application itself to exploit such a hole. Any data received by the web application (via email, system logs, etc) that can be controlled by an attacker must be encoded prior to re-display in a dynamic page, else an XSS vulnerability of this type could result. <a href="http://www.elakiri.com/forum/" target="_blank">http://www.elakiri.com/forum/</a> Exploit scenarios Attackers intending to exploit cross-site scripting vulnerabilities must approach each class of vulnerability differently. For each class, a specific attack vector is described here. (The names below come from the <a href="http://en.wikipedia.org/wiki/Characters_in_cryptography" target="_blank">cast of characters</a> commonly used in computer security.) Type-0 attack<ol> <li data-xf-list-type="ol">Mallory sends a URL to Alice (via email or another mechanism) of a maliciously constructed web page.</li> <li data-xf-list-type="ol">Alice clicks on the link.</li> <li data-xf-list-type="ol">The malicious web page's <a href="http://en.wikipedia.org/wiki/JavaScript" target="_blank">JavaScript</a> opens a vulnerable HTML page installed locally on Alice's computer.</li> <li data-xf-list-type="ol">The vulnerable HTML page contains <a href="http://en.wikipedia.org/wiki/JavaScript" target="_blank">JavaScript</a> which executes in Alice's computer's local zone.</li> <li data-xf-list-type="ol">Mallory's malicious script now may run commands with the privileges Alice holds on her own computer.</li> </ol>Type-1 attack<ol> <li data-xf-list-type="ol">Alice often visits a particular website, which is hosted by Bob. Bob's website allows Alice to log in with a username/password pair and store sensitive information, such as billing information.</li> <li data-xf-list-type="ol">Mallory observes that Bob's website contains a reflected XSS vulnerability.</li> <li data-xf-list-type="ol">Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, making it look as if it came from Bob (ie. the email is <a href="http://en.wikipedia.org/wiki/Spoofing_attack" target="_blank">spoofed</a>).</li> <li data-xf-list-type="ol">Alice visits the URL provided by Mallory while logged into Bob's website.</li> <li data-xf-list-type="ol">The malicious script embedded in the URL executes in Alice's browser, as if it came directly from Bob's server. The script steals sensitive information (authentication credentials, billing info, etc) and sends this to Mallory's web server without Alice's knowledge.</li> </ol>Type-2 attack<ol> <li data-xf-list-type="ol">Bob hosts a web site which allows users to post messages and other content to the site for later viewing by other members.</li> <li data-xf-list-type="ol">Mallory notices that Bob's website is vulnerable to a type 2 XSS attack.</li> <li data-xf-list-type="ol">Mallory posts a message, controversial in nature, which may encourage many other users of the site to view it.</li> <li data-xf-list-type="ol">Upon merely viewing the posted message, site users' session cookies or other credentials could be taken and sent to Mallory's webserver without their knowledge.</li> <li data-xf-list-type="ol">Later, Mallory logs in as other site users and posts messages on their behalf....</li> </ol>Please note, the preceding examples are merely a representation of common methods of exploit and are not meant to encompass all vectors of attack.</blockquote>

Verification: Winadiyakata thappara keeyak tibeda?

Top Bottom