Monday, July 14, 2008

Cross Site Scripting (XSS) Poses Significant Risk

"In general, cross-site scripting refers to that hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content from an end-user and collect some type of data from the victim." (acunetix.com).

"Websites today are more complex than ever, containing a lot of dynamic content making the experience for the user more enjoyable. Dynamic content is achieved through the use of web applications which can deliver different output to a user depending on their settings and needs. Dynamic websites suffer from a threat that static websites don't, called "Cross Site Scripting" (or XSS dubbed by other security professionals)." (cgisecurity.com)

Cross site scripting holes have been found in many well-known websites including FBI.gov, CNN.com, Time.com, eBay, Yahoo, Apple Computer, Microsoft, ZDNet, Wired, and Newsbytes.

"A web page contains both text and HTML markup that is generated by the server and interpreted by the client browser. Web sites that generate only static pages are able to have full control over how the browser interprets these pages. Web sites that generate dynamic pages do not have complete control over how their outputs are interpreted by the client. The heart of the issue is that if mistrusted content can be introduced into a dynamic page, neither the web site nor the client has enough information to recognize that this has happened and take protective actions." (CERT Coordination Center).

"Cross Site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems. The data is usually formatted as a hyperlink containing malicious content and which is distributed over any possible means on the internet." (acunetix.com).

As a software developer, the way to protect against XSS is simple: never trust user input and always filter metacharacters. This will eliminate the majority of XSS attacks. For example, when it comes to script output it is suggested that you convert (ignore the brackets, they are just here for formatting purposes) [<] to [&lt;] and [>] to [&gt;], and translate [(] to [&#40;], [)] to [&#41;], ["] to [&#34;], ['] to [&#39;], [#] to [&#35;] and [&] to [&#38;]. Even after making this sort of change, it is best to always have an independent third party scan your website for XSS vulnerabilities.
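The metacharacter translation described above, written out as an added example in JavaScript (not code from the original post): a page template that echoes untrusted input as-is, beside the same template with the entity mapping applied at output time. The function and variable names are assumptions of this example.

```javascript
// Added example: the entity mapping from the post, applied before untrusted
// input is placed into HTML output. Not code from the original post.
const XSS_ENTITY_MAP = {
  '&': '&#38;',
  '<': '&lt;',
  '>': '&gt;',
  '(': '&#40;',
  ')': '&#41;',
  '"': '&#34;',
  "'": '&#39;',
  '#': '&#35;',
};

// Replace every metacharacter in a single regex pass. One pass matters: the
// '&' produced while encoding one character is never re-encoded by a later
// step, which is the classic double-encoding mistake of chained replace() calls.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>()"'#]/g, (ch) => XSS_ENTITY_MAP[ch]);
}

// Vulnerable: a search-results page that echoes the query unencoded, so any
// markup in the query becomes part of the page the browser interprets.
function renderSearchPageUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the same page with the untrusted value encoded at output time,
// so the browser renders the query as text rather than as markup.
function renderSearchPage(query) {
  return `<p>Results for: ${encodeForHtml(query)}</p>`;
}

// Constructed sample input: a script tag of the kind the post describes
// arriving in a query string. Used only to show the difference in output.
const SAMPLE_QUERY = '<script>alert(1)</script>';

console.log('unsafe:   ' + renderSearchPageUnsafe(SAMPLE_QUERY));
console.log('encoded:  ' + renderSearchPage(SAMPLE_QUERY));
```

Note that this mapping covers text placed into the HTML body; a value placed into an attribute, a URL or a script block needs encoding appropriate to that context as well.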

From the user's perspective, only follow links from websites you trust. As an example, and although somewhat cumbersome, if you visit a website and it links to CNN, instead of clicking on that link, go directly to CNN's main site and use its search engine to find the content. This will probably eliminate ninety percent of the problem.

Another way to protect yourself is to turn off JavaScript in your browser settings and, in IE, adjust your security settings to high to prevent cookie theft. This may impede navigation on some websites, but it will make web surfing safer.

Lastly, don't be fooled by websites that use SSL (https). You are no more protected than on websites that are not encrypted, because the web application works the same way in either case; SSL protects the connection, not the application's handling of user input.

Additional reading can be found at:

http://www.sitepoint.com/blogs/2005/07/18/cross-site-scripting-could-make-you-lose-your-cookies/

http://www.cert.org/advisories/CA-2000-02.html

http://msdn.microsoft.com/en-us/library/ms533046.aspx

http://en.wikipedia.org/wiki/Cross-site_scripting

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947

http://www.cgisecurity.com/articles/xss-faq.shtml
