Transcript slides

XSS (Client-side)
CSCE 548 Building Secure Software (07/20/2016)
RAMA KRISHNA CHAITANYA SOMAVAJHALA
What is Cross-Site Scripting? (CSS/XSS)

An attacker is able to inject his own JavaScript code into a web application in
such a way that the code is executed within a victim's browser in the context
of the application.

Types:


Persistent XSS (Stored XSS)

Reflected XSS (Non-Persistent XSS)

DOM-based XSS (Local XSS)
Players include:

An attacker

Web application (server side)

Client (client side)
The Sin Explained

DOM XSS is a bug that allows an attacker to manipulate the DOM through
untrusted input.

// Walk every anchor in the current page and retarget it. The page is
// rewritten from script, which is where untrusted input becomes a DOM sink.
// document.getElementsByTagName is the standard API; the original used the
// IE-only document.body.all.tags('A').
var lists = document.getElementsByTagName('a');
for (var i = 0; i < lists.length; i++) {
    lists[i].href = "http://www.example.com";
}

The code walks through the DOM of the current web page or gadget and changes
every anchor tag <a> to point to http://www.example.com.

Studies have shown that one in ten websites is vulnerable to XSS attacks.
Cross-Site Scripting: Problem statement

Main problem: the attacker's content ends up in the document and is not properly
filtered/encoded.

Flow of data: from attacker-controllable source to security-sensitive sink

Sources: e.g. the URL

Sinks: e.g. document.write

The XMLHttpRequest object, often used in gadgets and AJAX applications, can
read from files, not just make HTTP requests.
Examples of XSS Vulnerabilities
<script>alert("Hacked..!!")</script>
<img src=x onerror="alert('Pop-up window via stored XSS');">
DOM XSS will appear when a source that can be
controlled by the user is used in a dangerous sink.
Popular Sources

document.URL

document.documentURI

location.href

location.search

location.*

window.name

document.referrer
Popular Sinks


HTML Modification sinks

document.write

(element).innerHTML
HTML modification to behavior change


(element).src (in certain elements)
Execution Related sinks

eval

setTimeout / setInterval

execScript
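The source-to-sink flow described above, as an added example that is not code from the slides: the query string stands in for location.search, a string of markup stands in for what document.write or innerHTML would parse, and the page URL, the parameter name "q" and the template are constructed for the demo. The unsafe and the fixed renderer differ only in whether the untrusted value is HTML-encoded before it reaches the sink.

```javascript
// Added example, not code from the slides: the source-to-sink flow of a DOM XSS
// bug and its fix. The page URL, the "q" parameter and the markup are constructed.

// Encode the five characters that matter when text is placed in HTML.
function encodeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Source: the query string, the same data location.search gives in a browser.
function readSearchTerm(pageUrl) {
  return new URL(pageUrl).searchParams.get("q") || "";
}

// Sink, unsafe: untrusted text is concatenated into markup that document.write
// or innerHTML would parse, so the attacker's string becomes live HTML.
function renderUnsafe(pageUrl) {
  return "<p>Results for " + readSearchTerm(pageUrl) + "</p>";
}

// Sink, fixed: the value is encoded first, so the parser sees data, not markup.
function renderSafe(pageUrl) {
  return "<p>Results for " + encodeHtml(readSearchTerm(pageUrl)) + "</p>";
}

// Constructed request: the query parameter carries the slide's <script> example.
const DEMO_URL = "https://example.test/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E";

console.log(renderUnsafe(DEMO_URL)); // a <script> element reaches the page
console.log(renderSafe(DEMO_URL));   // the same characters, shown as text
```

encodeHtml is the right encoder only for text placed between tags; a value that lands inside an attribute, a URL or a script block needs the encoding for that context, which is why the safest construct is one that never parses the value as markup at all (innerText rather than innerHTML).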
Spotting the Sin during Code Review


At a minimum, you should look for the following constructs.

document.URL

document.location

Web.Network.createRequest

XMLHttpRequest
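One way to make the code-review checklist above mechanical, as an added example that is not code from the slides: scan JavaScript source text for the sources and sinks listed on the previous slides and flag any line where a source and a sink meet, since that is the shortest possible untrusted flow. The pattern lists are taken from the slides (location.hash is added under "location.*"), matching is case-insensitive so that document.url and document.URL are both caught, and the sample source at the bottom is constructed for the demo.

```javascript
// Added example, not code from the slides: a small code-review helper that
// scans JavaScript source text for the sources and sinks listed on the slides.

// Attacker-controllable sources named on the slides (location.hash covers "location.*").
const SOURCES = [
  "document.URL", "document.documentURI", "document.location", "document.referrer",
  "location.href", "location.search", "location.hash", "window.name",
  "XMLHttpRequest", "Web.Network.createRequest",
];

// Security-sensitive sinks named on the slides.
const SINKS = [
  "document.write", ".innerHTML", ".outerHTML", ".src",
  "eval(", "setTimeout(", "setInterval(", "execScript(",
];

// Return one finding per line that mentions a source or a sink. Comparison is
// case-insensitive so that the slide's "document.url" and the real "document.URL"
// are both reported.
function findConstructs(source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    const lower = text.toLowerCase();
    const sources = SOURCES.filter((s) => lower.includes(s.toLowerCase()));
    const sinks = SINKS.filter((k) => lower.includes(k.toLowerCase()));
    if (sources.length || sinks.length) {
      findings.push({
        line: idx + 1,
        text: text.trim(),
        sources,
        sinks,
        // A source and a sink in the same statement is the shortest possible flow.
        severity: sources.length && sinks.length ? "high" : "review",
      });
    }
  });
  return findings;
}

// Constructed gadget code with a few of the constructs the slides tell us to look for.
const SAMPLE = [
  "var q = location.search.substring(1);",
  "document.write('<p>' + q + '</p>');",
  "document.getElementById('out').innerHTML = document.referrer;",
  "var n = parseInt(window.name, 10);",
  "setTimeout(render, 100);",
].join("\n");

for (const f of findConstructs(SAMPLE)) {
  console.log(`${f.severity.padEnd(6)} line ${f.line}: ${f.text}`);
}
```

A textual scan like this is a triage aid, not a proof: a value read from a source on one line and written to a sink ten lines later is still a flow, so every "review" finding on a source needs its uses traced by hand.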
Testing Techniques

Use a proxy that injects random XSS snippets into the incoming data stream and
see if the results are rendered by the gadget.
Redemption Techniques: Don't trust the input
var MAX_TICKER_LEN = 6;
var MAX_RESPONSE_LEN = 64;
...
function getStockInfo(ticker) {
    // Reject over-long input before it reaches the network request.
    if (ticker.length > MAX_TICKER_LEN)
        return "Invalid";
    var xhr = new XMLHttpRequest();   // declared locally rather than leaked as a global
    // Synchronous request (third argument false), as in the original, so readyState is 4 on return.
    xhr.open("GET", "http://download.finance.yahoo.com/d/?s=" + encodeURIComponent(ticker) + "&f=sl1", false);
    xhr.send();
    if (xhr.readyState == 4) {
        if (xhr.status == 200) {   // check the numeric status; statusText is not reliable
            var response = xhr.responseText;
            // Also bound the size of what comes back before it is displayed.
            if (response.length <= MAX_RESPONSE_LEN) {
                return response;
            }
        }
    }
    return "Invalid!";
}

Consider using a regular expression to validate the data before displaying it.
function isValidStockInfo(stock) {
    // Allowlist: letters, digits, '.', ',', '"' and whitespace, 1 to 18 characters.
    // The regex is created on every call, so the /g flag carries no state between calls.
    var re = /^[A-Z0-9\.\,\"\s]{1,18}$/ig;
    return re.test(stock);
}
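The allowlist regex above, as an added example that is not code from the slides, used as on the slide and in two hoisted variants. It shows a pitfall a reviewer should know when this validator is refactored: RegExp.prototype.test on a regex with the /g flag resumes from re.lastIndex, so a shared global regex alternately accepts and rejects the same valid input. The sample response line follows the symbol,last-price shape the slide's getStockInfo requests but is a constructed value.

```javascript
// Added example, not code from the slides: the slide's allowlist regex used as
// on the slide and in two hoisted variants, to show why the /g flag must not be
// kept on a shared validation regex. Inputs are constructed.

// As on the slide: a fresh RegExp on every call, so lastIndex always starts at 0
// and the /g flag does no harm.
function isValidStockInfo(stock) {
  var re = /^[A-Z0-9\.\,\"\s]{1,18}$/ig;
  return re.test(stock);
}

// Hoisted with /g kept: test() resumes from RE_STATEFUL.lastIndex, so the second
// call on the same valid input starts past the end, fails and resets; the
// validator alternates true/false on identical input.
const RE_STATEFUL = /^[A-Z0-9\.\,\"\s]{1,18}$/ig;
function isValidStockInfoStatefulBug(stock) {
  return RE_STATEFUL.test(stock);
}

// Hoisted correctly: an anchored allowlist needs a single match, so drop /g.
const RE_ANCHORED = /^[A-Z0-9.,"\s]{1,18}$/i;
function isValidStockInfoHoisted(stock) {
  return RE_ANCHORED.test(stock);
}

// Run a validator twice on the same input; a sound validator answers the same both times.
function validateTwice(validator, input) {
  return [validator(input), validator(input)];
}

const STOCK_LINE = '"IBM",147.23';    // constructed line in the s,l1 shape the slide requests
const BAD_LINE = '"IBM",<b>147</b>';  // markup is outside the allowlist and must be rejected

console.log(validateTwice(isValidStockInfo, STOCK_LINE));            // [ true, true ]
console.log(validateTwice(isValidStockInfoStatefulBug, STOCK_LINE)); // [ true, false ]
console.log(validateTwice(isValidStockInfoHoisted, STOCK_LINE));     // [ true, true ]
console.log(isValidStockInfo(BAD_LINE));                             // false
```

Note that the allowlist still admits the double quote, so a value that passes this check is safe to display only in a context where a quote cannot close an attribute; validation narrows the input, encoding at the sink is what makes it inert.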

Using SSL/TLS correctly for your network requests (for example by using HTTPS rather
than HTTP) can mitigate man-in-the-middle attacks.

Replace Insecure Constructs with More Secure Constructs

Do not use innerHTML; use innerText instead, which is much safer.
Conclusion

Do validate all external network data.

Do validate all external URL-based data.

Do not trust any data coming into your web page or gadget.

Do not use eval() unless there is no other way to write your application.

Consider using SSL/TLS for web server connections.
References

Ben Stock, Stephan Pfistner, Bernd Kaiser, Sebastian Lekies and Martin
Johns, "From Facepalm to Brain Bender: Exploring Client-Side Cross-Site
Scripting," in 22nd ACM Conference on Computer and Communications Security
(ACM CCS '15), October 2015.

M. Howard, D. LeBlanc, and J. Viega, 24 Deadly Sins of Software Security:
Programming Flaws and How to Fix Them. New York: McGraw-Hill, 2010.