XSS

HTTP response splitting and mail headers splitting attacks

There are two similar security issues, both mitigated by the Suhosin patch and by strict escaping/encoding rules. They both relate to injecting newlines into the headers of network protocols. They are not very well known, and I think they are worth mentioning.

HTTP response splitting is a web-based attack in which the attacker tricks the server into injecting newlines into the response headers, followed by arbitrary content. If you place GET/POST parameters into headers such as Cookie or Location, someone could supply newlines carrying an XSS attack.

A common example is a server redirecting to a new location based on some variable (such as a URL). To do this safely, you should always encode, escape, or cast strings before passing them to PHP's header() function.

Security considerations of single signon in context of XSS

When you first think about it, it sounds like a great idea. All you have to do is set a global cookie for the main domain and perform authentication based on that. The user will be able to go from subdomain to subdomain and still remain authenticated.

Unfortunately, there is a second side to this story :)

Where can an XSS injection occur on your page - different scopes need different escaping

XSS can be caused by inserting pieces of HTML or JavaScript into different places in the page (HTML) or into the CSS/JS files it loads.

To prevent XSS you will have to escape all strings coming from GET/POST/COOKIES before you output them. You should escape data that comes from other sources as well, in case it contains an XSS attack string (for example, don't include posts from an RSS feed without escaping them properly).

Why you should not insert variables into your dynamic CSS files

When I say you should not generate CSS files dynamically, what I actually mean is that you should not put PHP variables into them.

From my experience it causes all sorts of problems, from security to performance and caching. If you do not have to do it, just don't. You can still merge CSS files to have fewer requests per page, and this is fine, but do not generate each file dynamically: just join them, and make sure you do so in a safe way.

Type of XSS attack where you inject JS into the links on the page

Some websites validate some bits and pieces but fail in other cases, assuming that the user will not pass anything strange there.

The French OS Con website is an example of that XSS security risk.

Locating the simplest XSS vulnerabilities

The simplest way to find an XSS security hole is to look for forms and AJAX calls that result in request parameters being printed on the returned page.

Here is a simple example which took 5 minutes to find. Just go to a website you want to verify and look for forms and action URLs.

This example shows an XSS vulnerability in the UCD website (as it existed in 2010).

This is a sample to show how to locate XSS vulnerabilities; do not try to hack sites this way.

XSS attack within CSS file or injected into page inline style

There is a little-known method of injecting JavaScript into CSS files. It does not work in all browsers (it works in my latest IE8), but it is an important fact to know.

Basics of Cross Site Scripting AKA XSS and XSRF

Cross-site scripting leads to a number of security issues. The most important to remember are:

  • Session Hijacking - the attacker steals the user's session by obtaining his cookies and gets access to the user's account
  • Cross Site Request Forgery - the attacker uses the user's account to perform an operation that was never intended

About the author

Artur Ejsmont

Hi, my name is Artur Ejsmont; welcome to my blog. I am a passionate software engineer living in Sydney and working for Yahoo!

Web Scalability for Startup Engineers

If you are into technology, you can order my book Web Scalability for Startup Engineers on Amazon. I would love to hear your thoughts, so please feel free to drop me a line or leave a comment.
