Understanding Cross-Site Scripting (XSS)
This article is Part 1 in a 11-Part series about the Owasp Top 10.
- Part 1 - This Article
- Part 2 - Injection Flaws
- Part 3 - Malicious File Execution
- Part 4 - Insecure Direct Object Reference
- Part 5 - Cross Site Request Forgery (CSRF)
- Part 6 - Information Leakage and Improper Error Handling
- Part 7 - Broken Authentication and Session Management
- Part 8 - Insecure Cryptographic Storage
- Part 9 - Insecure Communications
- Part 10 - OWASP 2007 Top 10 Presentation
- Part 11 - Failure to Restrict URL Access
If it hasn’t already, Cross-Site Scripting (XSS) will soon be replacing SQL injection as the new buzzword in the security sector. XSS will continually be a topic on this blog as well as others 1, 2, 3.
Due to this fact, I think a primer would be a good idea for those who don’t know or understand this problem.
Many articles have been written about Cross-Site Scripting and if you want to have a better understanding of the problem, I suggest you read those documents (Links at the bottom of the post).
Basically, There are 3 types of Cross-Site Scripting:
- Stored/Non-Reflective/Persistent Cross Site Scripting (User visits the XSS’ed page)
- Non-Stored/Reflective/Reflected Cross Sited Scripting (User clicks a link that embeds the script into the loaded page)
- DOM Based Cross Site Scripting
All of these names make it confusing for a first timer to understand XSS. There really should be a better web application security standards organization. Here is a breakdown of Persistent XSS and Reflective XSS. These are the big two that most people talk about when they are referring to Cross Site Scripting. If you understand these well, you will be able to participate in 90% of XSS conversations.
Persistent Cross-Site Scripting
Persistent XSS is arguably more dangerous than reflective XSS. This attack embeds the malicious script permanently into the web application. The script will then wait until people access the page it is located on.
Here is an attack using Persistent Cross-Site Scripting:
- The victim visits a website they trust, amazon.com.
- A script has been inserted by an attacker on a page they happen to visit while on amazon.com.
- The script executes in the context of amazon.com.
- The victim is then compromised.
Note: Obviously, someone can increase the chances of the victim visiting this page (step 2) through social engineering, phishing, etc.
Reflective Cross-Site Scripting
These are the ones the media usually reports on. In this attack, some type of social engineering is involved for the attack to be successful.
Here is an attack, using Reflective Cross-Site Scripting:
- The victim gets an email/Instant Message that contains a link.
- The victim clicks the link. (Requires User Intervention)
- A script has been inserted by an attacker on the page they then visit.
- The script executes in the context of that site.
- The victim is then compromised.
Note: I want to reiterate that this attack requires some type of user intervention (step 2).
Why is Cross-Site Scripting Bad?
Cross-Site Scripting can lead to all sorts of different exploits, including system compromise. For an attacker to do this, they need to break out of the browser’s context. We have seen examples that breaking out of the browser is not that hard to do.
In addition, an attacker can also establish a bi-directional channel using iframes. This creates a man-in-the-middle attack. The attacker can then intercept key strokes, use the victim as an intranet port scanner, and even stealing credentials. The attacker is only limited by their knowledge of scripting.
Hopefully, this gives you a better understanding of Cross-Site Scripting. Feel free to leave comments if you don’t understand something and I will address it in the article.