Secure coding | XSS Attacks on current Web Applications

Cross-Site Scripting Attacks on Current Web Applications Shubham


Shubham Sharma

Transcript of Secure coding | XSS Attacks on current Web Applications

Page 1: Secure coding | XSS Attacks on current Web Applications

Cross-Site Scripting Attacks on Current Web Applications

Shubham

Page 2: Secure coding | XSS Attacks on current Web Applications

Introduction

An attacker gets control of the user’s browser in order to execute a malicious script within the trust context of the web application’s site.

As a result, if the embedded code is successfully executed, the attacker might then be able to access, passively or actively, any sensitive browser resource associated with the web application (e.g., cookies, session IDs, etc.).

Page 3: Secure coding | XSS Attacks on current Web Applications

THREATS!!!

Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible.

Steal cookies, which can then be used to impersonate the customer and access their data and privileges. This is also known as session hijacking.

Redirect the user to another website of the attacker's choosing, perhaps one that is quite offensive, or one that attempts to install malware onto the user's computer.

Display alternate content on your own website.

Page 4: Secure coding | XSS Attacks on current Web Applications

History of Attacks

October 2001, Hotmail: a remote attacker was allowed to steal the .NET Passport identifiers of Hotmail’s users by collecting their cookies.

October 2005, MySpace: used by the Samy worm to propagate itself across MySpace’s user profiles.

November 2006, Orkut: was vulnerable to cookie stealing by simply posting the stealing script into the attacker’s profile.

Page 5: Secure coding | XSS Attacks on current Web Applications

NEXT COULD BE YOU !!!

Page 6: Secure coding | XSS Attacks on current Web Applications

Non-Persistent XSS Attack

Page 7: Secure coding | XSS Attacks on current Web Applications

User input is reflected immediately on the page by server-side scripts without proper sanitization.

To exploit, the attacker has to provide the victim with a modified URL, passing the code to be inserted as a parameter.

This attack is done by encoding data in the URL, thus disguising the injected code from the user.

Page 8: Secure coding | XSS Attacks on current Web Applications
Page 9: Secure coding | XSS Attacks on current Web Applications

Persistent XSS Attacks

Page 10: Secure coding | XSS Attacks on current Web Applications

Persistent XSS Attacks

When the data entered by the user are stored on the server for a certain length of time, the attack is called "persistent".

All of the website's users have access to the page where the harmful code was introduced.

Commonly found in: Contact/Feedback pages, Log viewers, Exception handlers, Chat applications/Forums, etc.

Page 11: Secure coding | XSS Attacks on current Web Applications
Page 12: Secure coding | XSS Attacks on current Web Applications

PROTECTION !!!

Page 13: Secure coding | XSS Attacks on current Web Applications

Actual Demonstration


Page 14: Secure coding | XSS Attacks on current Web Applications

No Protection


Page 15: Secure coding | XSS Attacks on current Web Applications

Data Validation

Application accepts correct data.

User data must be validated to ensure it is of the correct type, and discarded if it doesn’t pass the validation process.

Allow a limited set of special characters.

Page 16: Secure coding | XSS Attacks on current Web Applications

preg_match

Performs a regular expression match.
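As an added example (not part of the deck), allow-list validation with preg_match() in the spirit of the Data Validation slide: each field has a pattern describing the only acceptable shape, and anything else is discarded rather than "cleaned up". The field names and rules are hypothetical.

```php
<?php
// Added example (not from the slides): allow-list validation with preg_match().
// Each field has a pattern describing the only acceptable shape; anything else is
// discarded rather than "cleaned up". The field names and rules are hypothetical.

const FIELD_RULES = [
    // 2-40 letters, spaces, hyphens or apostrophes (Unicode-aware via /u)
    'name'     => '/^[\p{L} \'-]{2,40}\z/u',
    // 3-20 ASCII letters, digits or underscores
    'username' => '/^[A-Za-z0-9_]{3,20}\z/',
    // 4-6 digits; \z (not $) so a trailing newline is not accepted
    'zip'      => '/^[0-9]{4,6}\z/',
];

/** True only if $value matches the allow-list pattern for $field. */
function is_valid_field(string $field, string $value): bool
{
    if (!isset(FIELD_RULES[$field])) {
        return false;                 // unknown field: fail closed
    }
    // preg_match() returns 1 on match, 0 on no match, false on error
    return preg_match(FIELD_RULES[$field], $value) === 1;
}

/** Validates a whole submission; returns the names of the fields that failed. */
function validate_form(array $form): array
{
    $failed = [];
    foreach (array_keys(FIELD_RULES) as $field) {
        if (!is_valid_field($field, (string) ($form[$field] ?? ''))) {
            $failed[] = $field;
        }
    }
    return $failed;
}

// Constructed submissions: the second one carries markup, a space and a newline.
var_dump(validate_form(['name' => "Mary O'Neil", 'username' => 'mary_42', 'zip' => '400001']));
// array(0) {}
var_dump(validate_form(['name' => '<b>Mary</b>', 'username' => 'mary 42', 'zip' => "4000\n"]));
// array(3) { [0]=> "name" [1]=> "username" [2]=> "zip" }
```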

Page 17: Secure coding | XSS Attacks on current Web Applications

Output Escaping

Protects the integrity of displayed/output data.

Should escape the data when presenting it to the user.

Prevents the browser from applying any unintended meaning to any special sequence of characters that may be found.

Page 18: Secure coding | XSS Attacks on current Web Applications

htmlspecialchars
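As an added example (not the deck's own code), one htmlspecialchars() helper applied at output time for both the reflected case from the Non-Persistent slide and the stored case from the Persistent slide. The function names (h, render_search, render_comments) are hypothetical.

```php
<?php
// Added example (not from the slides): one escaping helper applied at output
// time for both the reflected ("non-persistent") and the stored ("persistent")
// case. Function names are hypothetical.

/** Escape a string for use as HTML text or inside a quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable reflected page: the "q" parameter is echoed back untouched.
function render_search_unsafe(string $q): string
{
    return '<p>Results for: ' . $q . '</p>';
}

// Hardened: the browser can only ever interpret the input as text.
function render_search(string $q): string
{
    return '<p>Results for: ' . h($q) . '</p>';
}

// Stored case: comments are kept as submitted and escaped every time they
// are rendered, so every visitor is protected, not only the one who posted.
function render_comments(array $comments): string
{
    $out = '<ul>';
    foreach ($comments as $c) {
        $out .= '<li><b>' . h($c['author']) . '</b>: ' . h($c['text']) . '</li>';
    }
    return $out . '</ul>';
}

// Constructed input: the classic harmless test string for a reflected parameter.
$q = '<script>alert(1)</script>';
echo render_search_unsafe($q), "\n";
// <p>Results for: <script>alert(1)</script></p>   (the browser runs it)
echo render_search($q), "\n";
// <p>Results for: &lt;script&gt;alert(1)&lt;/script&gt;</p>   (shown as text)

// Constructed stored comments, one of them carrying markup.
$stored = [
    ['author' => 'alice',   'text' => 'Nice post'],
    ['author' => 'mallory', 'text' => '<script>alert(2)</script>'],
];
echo render_comments($stored), "\n";
// <ul><li><b>alice</b>: Nice post</li><li><b>mallory</b>: &lt;script&gt;alert(2)&lt;/script&gt;</li></ul>
```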

Page 19: Secure coding | XSS Attacks on current Web Applications
Page 20: Secure coding | XSS Attacks on current Web Applications

Data Sanitization

Manipulating the data to make sure it is safe.

Removing any unwanted bits from the data and normalizing it to the correct form.

Page 21: Secure coding | XSS Attacks on current Web Applications
Page 22: Secure coding | XSS Attacks on current Web Applications
Page 23: Secure coding | XSS Attacks on current Web Applications

htmlentities 

Converts all applicable characters to HTML entities.

The default value of the encoding argument is ISO-8859-1 in versions of PHP prior to 5.4.0, and UTF-8 from PHP 5.4.0 onwards.

** http://coderstoolbox.net/

Page 24: Secure coding | XSS Attacks on current Web Applications

Usage of ENT_IGNORE

Page 25: Secure coding | XSS Attacks on current Web Applications

Available flag constants

ID Description

ENT_COMPAT Will convert double-quotes and leave single-quotes alone.

ENT_QUOTES Will convert both double and single quotes.

ENT_NOQUOTES Will leave both double and single quotes unconverted.
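As an added example (not from the deck), how the three quote flags above change what htmlentities() emits inside an attribute, and why the ENT_IGNORE usage from the previous slide is the wrong answer to invalid UTF-8. The helper names and the lone 0xC3 byte are constructed for the example.

```php
<?php
// Added example (not from the slides): the effect of the quote flags on an
// attribute value, and ENT_IGNORE versus ENT_SUBSTITUTE on invalid UTF-8.

// Attribute value built with each quote flag. Only ENT_QUOTES is safe inside
// a single-quoted attribute, because it encodes both quote styles.
function attr_with_flag(string $value, int $flag): string
{
    return "<input value='" . htmlentities($value, $flag, 'UTF-8') . "'>";
}

$v = "it's \"quoted\"";
echo attr_with_flag($v, ENT_COMPAT),   "\n";  // ' left alone: value breaks out of the attribute
echo attr_with_flag($v, ENT_QUOTES),   "\n";  // &#039; and &quot;: value stays inside
echo attr_with_flag($v, ENT_NOQUOTES), "\n";  // neither quote encoded

// Invalid UTF-8 (constructed: a lone 0xC3 lead byte). Without a substitution
// flag htmlentities() returns "" and the whole value silently disappears.
$bad = "caf\xC3";
var_dump(htmlentities($bad, ENT_QUOTES, 'UTF-8'));                  // string(0) ""
// ENT_IGNORE drops the bad bytes, so the output no longer corresponds to the
// input; this is why the PHP manual discourages the flag.
var_dump(htmlentities($bad, ENT_QUOTES | ENT_IGNORE, 'UTF-8'));     // string(3) "caf"
// ENT_SUBSTITUTE keeps the damage visible by inserting U+FFFD instead.
var_dump(htmlentities($bad, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')); // string(6) "caf" + U+FFFD

/** Defensive wrapper: reject invalid input instead of quietly altering it. */
function encode_or_reject(string $value): ?string
{
    if (!mb_check_encoding($value, 'UTF-8')) {
        return null;   // caller treats this as a validation failure
    }
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

var_dump(encode_or_reject($bad));   // NULL
var_dump(encode_or_reject($v));     // string(33) "it&apos;s &quot;quoted&quot;"
```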

Page 26: Secure coding | XSS Attacks on current Web Applications

ID Flags Description

FILTER_SANITIZE_EMAIL

Remove all characters except letters, digits and !#$%&'*+-/=?^_`{|}~@.[].

FILTER_SANITIZE_ENCODED

FILTER_FLAG_STRIP_LOW,FILTER_FLAG_STRIP_HIGH,FILTER_FLAG_ENCODE_LOW,FILTER_FLAG_ENCODE_HIGH

URL-encode string, optionally strip or encode special characters.

FILTER_SANITIZE_MAGIC_QUOTES

Apply addslashes().

FILTER_SANITIZE_NUMBER_FLOAT

FILTER_FLAG_ALLOW_FRACTION,FILTER_FLAG_ALLOW_THOUSAND,FILTER_FLAG_ALLOW_SCIENTIFIC

Remove all characters except digits, +- and optionally .,eE.

Page 27: Secure coding | XSS Attacks on current Web Applications

ID Flags Description

FILTER_SANITIZE_NUMBER_INT

Remove all characters except digits, plus and minus sign.

FILTER_SANITIZE_SPECIAL_CHARS

FILTER_FLAG_STRIP_LOW,FILTER_FLAG_STRIP_HIGH,FILTER_FLAG_ENCODE_HIGH

HTML-escape '"<>& and characters with ASCII value less than 32, optionally strip or encode other special characters.

FILTER_SANITIZE_STRING

FILTER_FLAG_NO_ENCODE_QUOTES,FILTER_FLAG_STRIP_LOW,FILTER_FLAG_STRIP_HIGH,FILTER_FLAG_ENCODE_LOW,FILTER_FLAG_ENCODE_HIGH,FILTER_FLAG_ENCODE_AMP

Strip tags, optionally strip or encode special characters.

FILTER_SANITIZE_STRIPPED

Alias of "string" filter.

Page 28: Secure coding | XSS Attacks on current Web Applications

ID Flags Description

FILTER_SANITIZE_URL

Remove all characters except letters, digits and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.

FILTER_UNSAFE_RAW

FILTER_FLAG_STRIP_LOW,FILTER_FLAG_STRIP_HIGH,FILTER_FLAG_ENCODE_LOW,FILTER_FLAG_ENCODE_HIGH,FILTER_FLAG_ENCODE_AMP

Do nothing, optionally strip or encode special characters.

FILTER_SANITIZE_FULL_SPECIAL_CHARS

FILTER_FLAG_NO_ENCODE_QUOTES

Equivalent to calling htmlspecialchars() with ENT_QUOTES set. Encoding quotes can be disabled by setting FILTER_FLAG_NO_ENCODE_QUOTES.
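As an added example (not from the deck), a few of the sanitize filters listed in the tables above placed next to their FILTER_VALIDATE_* counterparts: sanitizing rewrites a value silently, validating rejects it, which is usually what a form handler wants. The inputs are constructed.

```php
<?php
// Added example (not from the slides): sanitize filters from the tables above
// beside the matching validate filters, on constructed form inputs.

/** Runs one raw value through several filters and returns every result. */
function inspect(string $raw): array
{
    return [
        // keeps only digits, + and -, so "12abc34" quietly becomes "1234"
        'sanitize_number_int' => filter_var($raw, FILTER_SANITIZE_NUMBER_INT),
        // false unless the whole string is an integer
        'validate_int'        => filter_var($raw, FILTER_VALIDATE_INT),
        // equivalent to htmlspecialchars($raw, ENT_QUOTES)
        'full_special_chars'  => filter_var($raw, FILTER_SANITIZE_FULL_SPECIAL_CHARS),
        // strips characters not allowed in an address, but never checks its shape
        'sanitize_email'      => filter_var($raw, FILTER_SANITIZE_EMAIL),
        // false unless the address is syntactically valid
        'validate_email'      => filter_var($raw, FILTER_VALIDATE_EMAIL),
    ];
}

/** Accepts an integer field only when validation, not sanitization, says so. */
function accept_int(string $raw): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT);
    return $n === false ? null : $n;
}

// Constructed inputs a contact form might receive.
foreach (['12abc34', '<b>hi</b>', 'bob<>@example.com'] as $raw) {
    echo "== ", $raw, "\n";
    var_dump(inspect($raw));
}
// '12abc34':          sanitize_number_int "1234", validate_int false
// '<b>hi</b>':        full_special_chars "&lt;b&gt;hi&lt;/b&gt;", sanitize_email "bhi/b"
// 'bob<>@example.com': sanitize_email "bob@example.com" (looks valid now),
//                      validate_email false (the original was not an address)

var_dump(accept_int('12abc34'));   // NULL
var_dump(accept_int('42'));        // int(42)
```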

Page 29: Secure coding | XSS Attacks on current Web Applications

Mod Security(Web Application Firewall)

Protects against attacks that target websites: csrf_protection, session_hijacking, comment_spam, authentication_tracking, protocol_violations, sql_injection_attacks, xss_attacks, brute_force, and many more.

Page 30: Secure coding | XSS Attacks on current Web Applications

DEFAULT INFORMATION DISCLOSURE

Page 31: Secure coding | XSS Attacks on current Web Applications

Default Information Disclosure

Page 32: Secure coding | XSS Attacks on current Web Applications

Original Contact Information / Original Code

Page 33: Secure coding | XSS Attacks on current Web Applications

How to change Contact info

Go to :

• \binaries\apache\error

• Open contact.html.var

Page 34: Secure coding | XSS Attacks on current Web Applications

Change contact information / Modified Code

Page 35: Secure coding | XSS Attacks on current Web Applications

Disable Apache Signature and/or Apache Banner

Add in Apache's httpd.conf to remove Apache version disclosure:

ServerTokens ProductOnly

ServerTokens takes 1 argument: 'Prod', 'Major', 'Minor', 'Min', 'OS', or 'Full'.

Page 36: Secure coding | XSS Attacks on current Web Applications

Before After

Page 37: Secure coding | XSS Attacks on current Web Applications

Add/replace/change in php.ini to remove PHP version disclosure:

expose_php = Off

display_errors = Off

register_globals = Off

Page 38: Secure coding | XSS Attacks on current Web Applications
Page 39: Secure coding | XSS Attacks on current Web Applications

Disable Version Disclosure

Go to :

• \binaries\apache\error\include

• Open bottom.html

By Default we see this

Page 40: Secure coding | XSS Attacks on current Web Applications

Original Bottom.html file

Page 41: Secure coding | XSS Attacks on current Web Applications

Change Bottom.html

Page 42: Secure coding | XSS Attacks on current Web Applications

My customized error page !!

Page 43: Secure coding | XSS Attacks on current Web Applications

Stopping Sensitive file disclosure

Turn off automatic indexing. Instruct Apache to reject all requests for files matching a series of regular expressions given below.

Go to the httpd.conf file to deny access to .htaccess files.

Page 44: Secure coding | XSS Attacks on current Web Applications

Protecting backup files

Add in httpd.conf. The FilesMatch directive only looks at the last part of the full filename.
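An added httpd.conf fragment (not the deck's own, which is in the screenshot) covering what this slide and the previous one describe: denying .ht* files, denying backup copies, and turning off automatic indexing. It assumes Apache 2.4 syntax and a document root of /var/www/html.

```apache
# Added example; assumes Apache 2.4 ("Require" syntax). Not the deck's own config.

# Deny every file whose name starts with ".ht" (.htaccess, .htpasswd, ...).
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Deny editor and backup copies that often sit beside live scripts.
# FilesMatch tests only the last path component, so the pattern anchors
# on how the file name ends.
<FilesMatch "(\.(bak|old|orig|save|swp|tmp)|~)$">
    Require all denied
</FilesMatch>

# Turn off automatic directory indexes for the document root (path assumed).
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
```

After a reload, a request for /config.php.bak or /.htaccess should return 403 rather than the file contents.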

Page 45: Secure coding | XSS Attacks on current Web Applications

Disable Directory Indexing

A listing of files, as seen in Windows Explorer, is shown instead of a web page.

An attacker can gain valuable information about your site.

Files may include sensitive information, such as backup script files, .htaccess files, or text files with notes.

Can allow access to files outside the web root directory, leading to the theft of system files.

Page 46: Secure coding | XSS Attacks on current Web Applications

How to Disable Directory Listings in Apache

Navigate to your Apache config file (httpd.conf)

Find: “Options FollowSymLinks Indexes”

Replace by: “Options FollowSymLinks”

Done

Page 47: Secure coding | XSS Attacks on current Web Applications

FollowSymLinks makes Apache follow system symbolic links (shortcuts, if you would) in your file system.

Indexes allows Apache to list the contents of a directory that has no index file.

Page 48: Secure coding | XSS Attacks on current Web Applications
Page 49: Secure coding | XSS Attacks on current Web Applications

Disable powerful functions in PHP

Disable functions that may be useful to an attacker but not necessary to the application.

Disable execution of OS commands: open php.ini and search for “disable_functions”. Write “shell_exec” (without the comma in front of disable_functions).

Page 50: Secure coding | XSS Attacks on current Web Applications
Page 51: Secure coding | XSS Attacks on current Web Applications

Other functions

exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, pcntl_exec, dl.

If the application needs to execute OS commands, it should use "pcntl_exec", because it provides better abstraction of parameters than the others.

Page 53: Secure coding | XSS Attacks on current Web Applications

Thank You !!

Email- [email protected]

Phone- +91-99300-53215