Web applications attacks/Cross site scripting

From aldeid
Jump to navigation Jump to search

Description

Openquotes.gif
Closedquotes.gif
Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications. It's pretty much inevitable when you combine the stateless nature of HTTP, the mixture of data and script in HTML, lots of data passing between web sites, diverse encoding schemes, and feature-rich web browsers. If you're not careful, attackers can inject Javascript or other browser-executable content into a web page that your application generates. Your web page is then accessed by other users, whose browsers execute that malicious script as if it came from you (because, after all, it *did* come from you). Suddenly, your web site is serving code that you didn't write. The attacker can use a variety of techniques to get the input directly into your server, or use an unwitting victim as the middle man in a technical version of the "why do you keep hitting yourself?" game.

XSS attacks consists of modifying the normal behavior of a web application by injecting malicious code in it. Most of the time, it consists of JavaScript code that leads to transparent redirections, session theft, ...

Non-persistent XSS

An XSS attack will be considered as non persistent if it is not saved in the application (e.g. a mail containing a malicious script is sent).

Persistent XSS

As opposed to non-persistent attacks, attacks that are saved in the application (e.g. in the database, in files) are considered as persistent. Indeed, a user who connects to the application is likely to be impacted by the attack by displaying pages of the applications. An example of a persistent attack could be a message in a forum, containing an image which source is a remote malicious script.

Examples

Non persistent attacks

Persistent attacks

Protection

  • Never trust data in the database. Data must be purified before being processed by the scripts.
  • Never directly use data provided by the browser ($_GET, $_POST). Always purfiy these data before processing them.

Tools

Comments

Talk:Web applications attacks/Cross site scripting