Cross-Site Scripting (XSS)
What is Cross-Site Scripting?
Cross-Site Scripting (XSS, or less commonly CSS) is a technique attackers use to manipulate the web pages a website sends to its visitors. This can be achieved without the attacker having 'hacked' the website in the traditional sense: the website, its source code and its data are not necessarily altered by the attacker. At first, XSS attacks were mainly used to steal users' account information and to 'graffiti' the vulnerable site. It is now known that XSS attacks have a much greater potential for damage; they allow, for instance, users' PCs and intranets to be attacked, and allow huge resources to be commandeered for use in attacks on other websites. Estimates suggest at least 7 out of 10 sites have cross-site scripting vulnerabilities.
What makes a site vulnerable to XSS?
Cross-site scripting is made possible when user-supplied information is included in the web page constructed by the website without proper checks that the user input is 'safe'. It is this which allows the attacker to place content into the web page and achieve a number of malicious aims. Estimates suggest that around 70-80% of sites are vulnerable to XSS. Websites with XSS vulnerabilities will also be vulnerable to Cross-Site Request Forgery (CSRF), as the XSS vulnerability can be exploited to obtain any secret tokens used to defend against a CSRF attack.
XSS attacks can be local, persistent or non-persistent
There are three types of XSS attack: local, persistent and non-persistent.
In a local XSS attack, the vulnerability is located in client-side script within a web page. Locally executed JavaScript within the page may use the value of, for example, a URL parameter when generating HTML written to the page. An attacker may be able to insert JavaScript via this parameter for local execution within the page, resulting in the XSS attack. By linking to a vulnerable page on a user's PC, the attacker can potentially even run script with access to the user's entire filesystem, leading ultimately to compromise of the user's system.
In a persistent XSS attack, the XSS attack string is stored on the website's server (e.g. in a database). Every time the page is viewed, the attack string is embedded in the page. In a non-persistent attack, the attack string is placed in a link or other reference to the site. When a user follows the link or reference (perhaps having been persuaded to do so through social engineering), the attack string is inserted into the page and returned to the user. Even if a site is vulnerable only to non-persistent XSS, the attacker can achieve off-site persistence by having the link permanently stored on some other site.
XSS attack vectors
XSS attacks occur when an attacker successfully manipulates data included in the web page sent to a user. The opportunities to do so can often be subtle. This is illustrated by image upload XSS attacks. If a website allows its users to upload images, the attacker can insert an XSS attack string within the image filename. If this filename is displayed as-is to the user, the XSS string will be inserted into the page. Similarly, if users can modify any part of the URLs associated with links displayed on the site, an attacker may be able to exploit this.
Attribute-based XSS
In attribute-based XSS attacks, the vulnerable user input occurs within an HTML tag. If the website's defences prevent an attacker from breaking out of the HTML tag, the attacker can still perform a useful XSS attack by inserting additional attributes into it. An example is inserting JavaScript to be executed on a key press. Related to this is an issue with the precedence of repeated attributes, in which an attribute always added by the site (e.g. allowScriptAccess='never') can be overridden by a later, XSS-injected, attribute.
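The following is an added example, not code from the original article: it contrasts a page template that concatenates user input as-is (the image-filename case above and the attribute-based case just described) with one that applies the missing 'proper check', context-aware output encoding. The render helpers, the counting checks and the sample inputs are constructed for illustration.

```javascript
// Added example (not from the original article): context-aware output
// encoding, the 'proper check' the article says vulnerable sites lack.
// The render* helpers and all sample inputs are constructed for illustration.

// Escape the five characters that can change HTML structure. The same
// table is safe for element text and for double-quoted attribute values.
function escapeHtml(value) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => table[ch]);
}

// Vulnerable: user-supplied values are concatenated into the page as-is
// (the image-filename and attribute-based cases from the text above).
function renderProfileUnsafe(displayName, imageFile) {
  return `<h1>${displayName}</h1>` +
         `<img src="/uploads/${imageFile}" alt="${imageFile}">`;
}

// Hardened: each untrusted value is encoded before it is placed in the
// page, and attribute values are always double-quoted so an encoded
// quote cannot end the attribute and begin a new one.
function renderProfileSafe(displayName, imageFile) {
  return `<h1>${escapeHtml(displayName)}</h1>` +
         `<img src="/uploads/${escapeHtml(imageFile)}" alt="${escapeHtml(imageFile)}">`;
}

// Rough structural checks used to compare the two renderers: count the
// element start tags and the double-quoted attributes a browser would see.
// They assume the template itself always double-quotes attribute values.
function countTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}
function countAttributes(html) {
  return (html.match(/\s[a-z-]+="/gi) || []).length;
}

// Constructed inputs: a display name that tries to add an element, and an
// upload filename that tries to close the src attribute and add a handler.
const NAME = 'Bob<script>';
const FILE = 'cat.png" onkeypress="1';

// Untrusted input must never change the number of tags or attributes.
console.log('unsafe:', countTags(renderProfileUnsafe(NAME, FILE)),
            countAttributes(renderProfileUnsafe(NAME, FILE)));   // 3 4
console.log('safe:  ', countTags(renderProfileSafe(NAME, FILE)),
            countAttributes(renderProfileSafe(NAME, FILE)));     // 2 2
```

The encoded filename still reaches the browser as data (the src value is simply an odd filename), which is the point: encoding preserves the input while removing its ability to alter the page structure.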
XSS Worms
Worms traditionally spread from computer to computer. XSS introduces another possibility, XSS worms, which spread from web page to browser to web page. The attacker places the worm code on an XSS-vulnerable site. When a user views the page, the code is executed by the user's browser and tries to submit itself to another page. Every user who views an infected page can potentially spread the infection to many other pages. The Samy MySpace worm demonstrated the potential for damage. The worm code was placed on a user's profile page using an XSS vulnerability. Everyone who viewed that page while logged into MySpace had the code added to their own profile page. The popularity of MySpace caused the worm to spread with exceptional speed, affecting over a million users in the first 24 hours. The worm had potential control over 100 times more resources than were used in the famous distributed denial of service attacks on Amazon, Yahoo! and Schwab in 2000. It is not just MySpace that was vulnerable to XSS worms, as an attack against GoLoco.org showed.
Impact of the attack
Through XSS an attacker can insert a variety of content, including text, HTML, JavaScript, ActiveX, Flash and VBScript, into web pages served to users. While this does not directly break the website, it does enable a number of undesirable outcomes. The attacker could make it appear to users that the site has been hacked, supports particular views, etc. The attacker can capture user login or session details via cookie stealing, keystroke logging or fake login boxes, and so access users' accounts on the site. The attacker can even capture autocompleted usernames and passwords for a site as soon as the user visits the exploited page. This puts user data at risk and potentially gives the attacker access he did not previously have (making further attacks a possibility). XSS also enables ad-jacking, in which an attacker places ads on your site (possibly replacing your own) and profits from your work. To maximise profit, the attacker may widely distribute links to the compromised pages. As a rare benefit of XSS attacks, if your site does fall victim to such a strategy, you may benefit from the additional links when you close the vulnerability and redirect the links to uncompromised pages. A particularly prevalent XSS vulnerability is Universal XSS, which affects most of the estimated 300 million sites offering .pdf files for download. It is not just standard websites which are vulnerable to XSS; for instance, XSS can be used to exploit IP-based video cameras. The fact that most XSS attack links begin with the domain name of the vulnerable site increases the likelihood that a user will trust and follow those links. Sometimes the user is not even required to open a link, as the attacker can, for instance, cause the code to load in an HTML email received by the user through manipulation of image and iframe tags.
XSS can also be used to launch attacks against your users' browsers and computers.
Heap spraying attacks can allow the attacker to execute arbitrary code on users' computers. XSS can be used to turn your website into a malware distribution centre, with the compromised pages downloading and installing spyware, Trojans, etc. onto the user's system (Google identified ½ million web pages already compromised in this way). DNS rebinding attacks let the attacker access or attack systems located behind the same network firewall as the user. Via AJAX-style communications, the attacker can add the user's browser as a temporary node in a botnet. To extend the lifetime of attacks against your users, the attacker can conduct exponential XSS attacks, in which links the attacker may follow are rewritten to further exploit the target pages (on your site or elsewhere). While such attacks against the user do not directly affect the vulnerable website, sites enabling these attacks are likely to be viewed badly.