XSS and XSRF

(OBJ 2.3 & 2.4)

Cross-Site Scripting (XSS)

• Injects a malicious script into a trusted site to compromise the site’s visitors

• Goal

  • Have visitors run a malicious script so your system will process it, bypassing the normal security mechanisms

• Powerful exploit that relies on your website not conducting proper input validation.

• XSS breaks the browser's security and trust model

  • Browsers assume scripts received from trusted sites are safe to run

• Mitigate the threat with proper input validation

• Four steps to an XSS attack

  1. The attacker identifies an input validation vulnerability within a trusted website
     • Example: Username and password fields
  2. The attacker crafts a URL to perform a code injection against the trusted website
     • Example:
       • Post it to a trusted website
       • Embed it in an email message using a phishing campaign
       • Post it to an online forum.
     • Goal: Someone clicks on this encoded URL
  3. The trusted site will return a page containing the malicious code injected
     • They believe is trusted because it came from the trusted website they visited
  4. The malicious code runs in the client’s browser with permission level as the trusted site
     • System believes the trusted site sent that code

• Functions of a XSS Attack

  • Defacing the trusted website
    • Injecting extra HTML code into it.
  • Stealing the user’s data
    • Stealing protected cookies from that user.
  • Intercepting data or communications
  • Installing malware on client's system

• XSS URL example

  https://www.maccgenics.com/search?q=<script%20type='application/javascript'>alert('xss')</script>
  

  • Using a trusted website: maccgenics.com
  • The search?q= would normally be used for a website to conduct a search for anything found after the q=, that is my query
    • Search database for any pages containing that query
  • We then replace the query with a script that we want to insert, in this case a javascript code.
  • If you want to try you can check out the cross-site scripting games set up by Google at https://xss-game.appspot.com/

• Types of XSS Attacks

  • Non-Persistent XSS
    • A XSS attack that only occurs when it is launched and only happens once, then it stops
    • Server executes the attack (Server-side scripting attack)
  • Persistent XSS
    • Allows an attacker to insert code into a backend database used by that trusted website
    • Server executes the attack (Server-side scripting attack)
  • Document Object Model (DOM) XSS
    • Exploits the client’s web browser using client-side scripts to modify the content and layout of the web page
      • Changes how things are displayed in the browser
    • Client’s device executes the attack (Client-side scripting attack)
    • Can be used to change the DOM environment
    • Runs using the logged in user’s privileges on the local system
    • URL example

https://www.maccgenics.com/index.html#default<script>alert(document.cookie)</script>

• Note the document.cookie file, this is typical of a DOM XSS attack

Session Management

• Enables web applications to uniquely identify a user across several different actions and requests

• Fundamental security component in modern web applications

• Cookie Tracking

  • Cookie
    • Text file used to store information about a user when they visit a website
    • Created when the server first sends the HTTP response header with that cookie over to the client. Then any subsequent request headers that are sent by the client to the server should include that cookie with the most updated information.
    • Non-persistent cookies
      • Also known as a session cookie
      • Resides in memory and are used for a very short time period
      • Deleted at the end of the session
    • Persistent cookies
      • Stored in the browser cache until either deleted by a user or expire
      • Example:
        • Cookies to track your movements expiring after 7 days
        • Cookie remembers where you were and brings that progress back
      • Need to be secure because could contain sensitive information in them

• Session Hijacking

  • Type of spoofing attack where the attacker disconnects a host and then replaces it with his or her own machine by spoofing the original host IP
  • Session Prediction
    • Type of spoofing attack where the attacker attempts to predict the session token in order to hijack the session
    • Prevent these attacks by using a non-predictable algorithm to generate session tokens
      • Truly randomize session tokens
      • Session tokens should not revel any information about the session's client, instead session tokens should be a one-time use ticket for the duration of a given session.

Cross-Site Request Forgery (XSRF)

• Malicious script is used to exploit a session started on another site within the same web browser

• Attacker needs to convince the victim to start a session with the targeted website. Once that occurs, the attacker can then pass an HTTP request to the victim's browser and spoof this as an action on the target site.

  • Example: Changing a user's password

• Can be disguised

  • Can use tags, images, and other HTML code

• Doesn’t need victim to click on a link

• For a cross-site request forgery to work, the website must have a feature that could lead to unauthorized access like a Forgot Password recovery feature.

  Visual Example:
  

• Prevention

  • Use user-specific tokens in all form submissions
  • Add randomness and prompt for additional information whenever a user tries to reset their password
    • Require two-factor authentication
  • Require users to enter their current password when changing their password
    • Will actually stop a lot of XSRF attacks because they usually try to change a user's password without the user knowing it in order for the attacker to take over that account.