DOC PREVIEW
SJSU CS 265 - Cross Site Scripting XSS

This preview shows page 1-2 out of 5 pages.

Save
View full document
View full document
Premium Document
Do you want full access? Go Premium and unlock all 5 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 5 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 5 pages.
Access to all documents
Download any document
Ad free experience

Unformatted text preview:

Cross Site Scripting XSS Athmanathan Panneerselvam, Venkatachalam Computer Science Department San Jose State University San Jose, CA 95192 [email protected], [email protected] 1. Abstract Internet is used by vast number of people. Security is the most important factor in almost all applications which run over the internet. Though high security is enforced in the operating systems, servers, firewalls, and in client browsers there are some vulnerabilities that do exist in web based applications. Cross site scripting is a kind of security vulnerability in these applications. This is often caused by injecting venomous code into the web pages. This paper shows the types of cross site scripting, possible ways of injection, and how to extenuate these attacks. The attacks are illustrated with appropriate scenarios for better understanding. It is true that these attacks are hard to eliminate completely but can be mitigated to higher extent. 2. Introduction Cross site scripting often called as XSS is a web attack that happens at application layer. Web pages are classified as static and dynamic. Static web pages do not suffer by this attack as there is no user session involved in it. Whereas, in dynamic web pages the server customizes the screen for each user and this customization is tracked through sessions. This session can be stolen by the attacker and the attacker can impersonate as the authenticated user. The code which is capable of running in the client side is injected to the web page and it is usually in the form of HTML or JavaScript. The attacker may be a malicious user or robot. HTML forms act as an entry point for this attack, the malicious code entered through the form is stored in the server and cause problems when this information is taken back from the server and displayed to the users. When the page is loaded along with the malicious script, it may send important information like cookies and form values of the user to the attacker or malicious website. Cross Site Scripting had its acronym as CSS, this usage has not continued as it is confusing with Cascading Style Sheet. Apart from Javascript and HTML, technologies like ActiveX, VBScript, ActionScript, and Jscript are used to create XSS attacks. In many cases this attack gets in to effect through hyperlink, hyperlink will have all the data collected from user’s page and encodes the malicious content in the link. When the user clicks this link, all the information gathered will be sent to the attacker. Since the attacker has your session, he or she can claim as you. XSS exploits the trust a user has for a website. 3. Threats Involved • Ignorant user may execute the malicious scripts on viewing the pages which are dynamically generated by the attacker • Attacker can use the user session before it gets expired. • Attacker can redirect the user to malicious web site or server • If the user clicks the link provided by the attacker, he/she gains the rights of the user. For the rest of the connection period, he/she can execute commands with the user privileges that accessed the URL. 4. Characters Trudy is the attacker Alice is the normal user Assume my.sjsu.edu is vulnerable to XSS5. Attack Initialization Trudy first checks a particular website whether it is vulnerable to cross site scripting or not. If the website is vulnerable then Trudy would employ a way to attack. There are many ways that she can perform an attack, few of the methods are described below. In all the techniques she would use any of the ECMAScript to be executed in Alice’s system with the Alice’s privilege. Hereafter, anything from stealing cookies, corrupting or changing user settings, hijacking user account is possible. 6. Scenarios The following scenarios illustrates the various attacks of Cross site scripting 6.1 Malicious Link Attack Trudy forms a spiteful link by embedding malicious script in the link. She sends this link to Alice either through email or instant messages Figure 1 or she can put inside vulnerable XSS website which Alice often visits. We will look how to insert new fields and links in XSS vulnerable websites in the following sections. The link may look like <AHREF=http://my.sjsu.edu/registration.cgi?clientprofile= <SCRIPT>malicious code</SCRIPT>> Click here to see your status</A> Alice who is studying at SJSU in some department (not computer science) might click the link, thinking she can look at her status. When the SJSU server sends back the response which include the value of the user profile along with some important information, the malicious code will start to execute once the response reaches the client browser. 6.2 Cookie Theft Trudy knows that my.sjsu.edu is vulnerable to XSS. If she finds the usage of cookies in the website, she formulates an attack which can steal those cookies. In this attack Trudy first register a page with malicious script. When the page is displayed on the browser, the malicious script would come in effect and process the required information as told by Trudy. Finally, gathers all the cookie information and redirect the request to Trudy’s server. Trudy takes this request and sends that to my.sjsu.edu and masquerades as Alice. Since my.sjsu.edu only relies on the cookie information, it authenticates the request without knowing that the request was made by Trudy and not Alice. Trudy now can do anything what Alice can do in my.sjsu.edu Figure 2 Collecting these kinds of sensitive information from other website is called Phishing. Let’s look in detail how Trudy can embed malicious script in a page.For example consider the help page of my.sjsu.edu and there is text box to search items and an action button called “Search” to perform search. Figure 3.1 Trudy can frame javscript to include username and password like Login to get privileged access<br/> Username: <input type=”text” name=”username”/><br/> Password: <input type=”password” name=”password” /> <input type=”button” value=”SingIn”


View Full Document

SJSU CS 265 - Cross Site Scripting XSS

Documents in this Course
Stem

Stem

9 pages

WinZip

WinZip

6 pages

Rsync

Rsync

7 pages

Hunter

Hunter

11 pages

SSH

SSH

16 pages

RSA

RSA

7 pages

Akenti

Akenti

17 pages

Blunders

Blunders

51 pages

Captcha

Captcha

6 pages

Radius

Radius

8 pages

Firewall

Firewall

10 pages

SAP

SAP

6 pages

SECURITY

SECURITY

19 pages

Rsync

Rsync

18 pages

MDSD

MDSD

9 pages

honeypots

honeypots

15 pages

VPN

VPN

6 pages

Wang

Wang

18 pages

TKIP

TKIP

6 pages

ESP

ESP

6 pages

Dai

Dai

5 pages

Load more
Download Cross Site Scripting XSS
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view Cross Site Scripting XSS and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view Cross Site Scripting XSS 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?