Of all web application security vulnerabilities, the most widespread and harmful is Cross Site Scripting (XSS).
Attacks are usually executed with JavaScript, letting attackers manipulate any aspect of a page. In a worst-case scenario, an attacker could steal information and impersonate a user on a bank's Web site.
Examples of malicious code
- Modification of the Document Object Model (DOM): changing links, adding buttons
- Sending personal information to third parties (JavaScript can send cookies to other sites)
Three types of Cross Site Scripting
- Reflected
- Stored
- DOM injection
Reflected XSS
- The easiest exploit.
- A page reflects user-supplied data directly back to the user
So when the user types:
He receives an alert in his browser.
Danger
- If the URL (containing the GET parameters) is delivered to the victim by a third party
- The victim will access a modified page
- The SSL certificate and browser security indicators look OK, so nothing warns the victim
Stored XSS
Hostile data is taken and stored
- In a file
- In a Database
- In any other backend system
Then the data is sent back to every visitor of the web site.
Risk when a large number of users can see unfiltered content:
- Very dangerous for Content Management Systems (CMS)
- Blogs
- Forums
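The reflected and stored cases above share one root cause: untrusted text is copied into HTML without output encoding. The following added example (not code from the original slides; all function names, the in-memory comment store and the probe string are constructed) shows a search page that echoes a GET parameter, a comment list read back from storage, and the same pages with the data encoded on output so a browser renders it as text rather than markup.

```javascript
// Added example, not from the original page. Demonstrates reflected and
// stored XSS in a server-side template and the output-encoding fix.

// Encode the five characters that can change HTML context.
// '&' must be replaced first so already-encoded output is not double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Reflected XSS: a search page echoes the "q" GET parameter verbatim.
function renderSearchUnsafe(q) {
  return `<p>Results for: ${q}</p>`;
}

// Hardened: the same page with the parameter encoded on output.
function renderSearchSafe(q) {
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Stored XSS: comments are read back from a store and rendered for every
// visitor. A plain array stands in for the file/database backend here.
const commentStore = [];
function saveComment(text) {
  commentStore.push(text);
}

function renderCommentsUnsafe() {
  return commentStore.map((c) => `<li>${c}</li>`).join("");
}

function renderCommentsSafe() {
  return commentStore.map((c) => `<li>${escapeHtml(c)}</li>`).join("");
}

// Constructed probe string: the harmless alert-style input the slides mention.
const probe = "<script>alert(1)</script>";

// Does the rendered HTML still contain a live <script> tag? Used to check
// a template's output in a test rather than in a browser.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Render all four variants for inspection; returns them instead of printing
// so the result can be asserted on.
function demo() {
  saveComment("Nice post!");
  saveComment(probe);
  return {
    searchUnsafe: renderSearchUnsafe(probe),
    searchSafe: renderSearchSafe(probe),
    commentsUnsafe: renderCommentsUnsafe(),
    commentsSafe: renderCommentsSafe(),
  };
}
```

Calling `demo()` returns the unsafe outputs with the `<script>` tag intact and the safe outputs with `&lt;script&gt;`, which the browser displays as literal text. Note that `escapeHtml` is correct only for text placed in an HTML element body or a double-quoted attribute; data placed inside a `<script>` block, a URL or a CSS value needs the encoding of that context instead.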
DOM Based XSS
- Document Object Model
- The document is represented using a tree
- The tree is rooted with the document node
- Each tag and text is part of the tree
- XSS modifies the Document Object Model (DOM)
- JavaScript can manipulate the whole document
- It can create new nodes
- Remove existing nodes
- Change the content of some nodes
Reducing the threat
- Encoding/escaping of string input
- Safely validating untrusted HTML input
- Cookie security
- Disabling scripts
- Defensive technologies (Mozilla Content Security Technologies, JS sandbox tools, auto-escaping tools, etc.)
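Two of the mitigations listed above, cookie security and browser-side defensive technology, are applied through HTTP response headers. The following added example (not code from the original slides; the header values, function names and session id are constructed) builds a Content Security Policy that refuses inline scripts, issues a session cookie that page scripts cannot read, and includes a small parser so the cookie flags can be verified in a test.

```javascript
// Added example, not from the original page. Response headers that limit
// the damage of an XSS bug even when an encoding mistake slips through.

// Content Security Policy: only scripts served from our own origin may run,
// and inline <script> blocks are refused by the browser.
function contentSecurityPolicy() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// Session cookie hardened so page scripts cannot read it: HttpOnly keeps it
// out of document.cookie, Secure restricts it to HTTPS, SameSite limits
// cross-site sending. The value is constrained so it cannot smuggle extra
// attributes into the header.
function sessionCookie(sessionId) {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) {
    throw new Error("session id contains characters not allowed in a cookie value");
  }
  return `sid=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Parse a Set-Cookie header value into name, value and attributes
// (attribute names are matched case-insensitively).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const [name, value] = pair.split("=");
  const flags = {};
  for (const a of attrs) {
    const [k, v] = a.split("=");
    flags[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name, value, flags };
}

// Check for a review script or test: does the cookie carry the three flags?
function cookieIsHardened(header) {
  const { flags } = parseSetCookie(header);
  return flags.httponly === true && flags.secure === true && "samesite" in flags;
}

// Headers to attach to every HTML response, e.g. via res.writeHead(200, headers)
// in Node's http module.
function securityHeaders(sessionId) {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": contentSecurityPolicy(),
    "Set-Cookie": sessionCookie(sessionId),
    "X-Content-Type-Options": "nosniff",
  };
}
```

With this policy an injected inline `<script>` is blocked by the browser, and with `HttpOnly` set the cookie is not visible to any script that does run, which removes the cookie-theft case listed under "Examples of malicious code". CSP is a second line of defence, not a substitute for output encoding.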
Recent XSS attacks:
GoDaddy recently went down in a DoS attack by an Anonymous hacker. After GoDaddy's CEO denied any such hack by Anonymous, they penetrated the site again with XSS attacks.