Thursday, November 4, 2010

Cross Site Scripting (XSS)

Today I will look at cross-site scripting, or XSS. What is XSS?

According to Wikipedia it is "a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users". There are two main types of XSS: persistent (also called stored) and non-persistent (also called reflected).

Non-persistent (reflected) XSS is when data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user, without properly escaping it in the response. The attacker has to get the victim to submit the crafted request, typically by sending them a link.

Persistent (stored) XSS occurs when data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. No link has to be sent: everyone who views the affected page runs the script.

I will examine persistent (stored) XSS here: a comment that is saved by the server and replayed to every visitor who views it. For this short demonstration I used Mutillidae, an open source, deliberately vulnerable web application that lets you try some of the most common web vulnerabilities and see how they work in a contained lab environment (clearly I would not want to inject XSS into someone's actual website or blog; that would be illegal).

This is a simple example, but it shows how dangerous XSS can be. Many websites are still vulnerable to this type of attack and have not corrected their code to mitigate it.


In the screenshot above I have, as an anonymous user, added a comment to the virtual blog containing a script that displays a dialog box that says "XSS".


The above screenshot shows what happens when that script runs, alongside the comments left by the anonymous user.


The interesting thing is that the injected code does not show up when you list the comments made by all users, including the anonymous users: the browser parses the <script> tag as markup and executes it instead of displaying it as text.


This screenshot shows the script running for a different user. That is the danger of cross-site scripting: a malicious script can be loaded into a web page (or blog) and will run, with that site's privileges in the browser, for whoever views the page. The script I used in this example is harmless, but a real payload could steal the victim's session cookie, perform actions on the site as the victim, or redirect them to a page that delivers malware.

How to defend against XSS? Disabling scripts from running in your browser is one mitigation on the user's side, and a browser like Chrome that sandboxes the rendering process limits what a script can do to the system as a whole, but sandboxing does nothing to stop the script from acting within the site it was injected into. More importantly, the web developer needs to code the website so that comment text is never interpreted as HTML. In the first screenshot the script starts with <script>, and it is tempting to have the site look for strings like that and reject them, but a blacklist is easy to bypass: another tag with an onerror or onload attribute, or a mixed-case <ScRiPt>, carries script just as well. The correct fix is to HTML-escape user-supplied data at the point where it is written into the page, so that < becomes &lt; and the comment is displayed rather than executed, with HttpOnly session cookies and a Content Security Policy as defence in depth.
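As an added example (not code from the original post or from Mutillidae), the following Node.js snippet models the stored-comment scenario from the screenshots and the defence discussed above. It renders a constructed list of saved comments both the vulnerable way (raw interpolation) and the safe way (HTML escaping), and shows that the naive "reject anything containing <script>" check lets through two payloads that a browser would still execute. The comment data, function names and the rough active-content check are all assumptions made for the demonstration.

```javascript
// Added example, not part of the original post. Models a blog comment board
// that stores user comments and renders them back to every visitor.

// Constructed sample data: one benign comment, the alert() payload from the
// post, and two payloads that a "<script>" blacklist does not catch.
const storedComments = [
  { user: 'alice', body: 'Nice post!' },
  { user: 'anonymous', body: "<script>alert('XSS')</script>" },
  { user: 'anonymous', body: '<img src=x onerror="alert(\'XSS\')">' },
  { user: 'anonymous', body: "<ScRiPt>alert('XSS')</ScRiPt>" },
];

// Vulnerable rendering: the stored comment is dropped straight into the HTML,
// so the browser treats attacker-supplied tags as markup and runs them.
function renderVulnerable(comments) {
  return comments
    .map((c) => `<li><b>${c.user}</b>: ${c.body}</li>`)
    .join('\n');
}

// The naive defence: refuse any comment containing the literal "<script>".
// Returns true when the comment would be accepted.
function rejectScriptTag(body) {
  return !body.includes('<script>');
}

// Correct defence for an HTML text context: escape the five characters that
// have meaning to the HTML parser, so the comment is shown, not executed.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSafe(comments) {
  return comments
    .map((c) => `<li><b>${escapeHtml(c.user)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('\n');
}

// Rough, demonstration-only check for "would a browser run script here":
// an unescaped <script> tag, or an on* handler attribute inside an unescaped
// tag. This is a heuristic for the test below, not a sanitiser.
const ACTIVE_CONTENT = /<\s*script\b|<[^>]*\bon\w+\s*=/i;

function containsActiveContent(html) {
  return ACTIVE_CONTENT.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('--- vulnerable output ---\n' + renderVulnerable(storedComments));
  console.log('--- escaped output ---\n' + renderSafe(storedComments));
  for (const c of storedComments) {
    console.log(`blacklist accepts ${JSON.stringify(c.body)}: ${rejectScriptTag(c.body)}`);
  }
}

module.exports = { storedComments, renderVulnerable, renderSafe, escapeHtml, rejectScriptTag, containsActiveContent };
```

Note that escapeHtml is only correct for data placed into HTML text or a quoted attribute; data written into a JavaScript string, a URL, or a CSS value needs the encoding for that context, which is why real frameworks provide context-aware escaping rather than a single function.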
