Manish Pansiniya's Blog

.NET, C#, Javascript, ASP.NET and lots more…:)

Cross-site scripting


Cross-site scripting, abbreviated XSS, is a type of security hole in a web application that is exploited by injecting code into a web page. This can be used to take personal information (which is known as phishing) or to harm the user's machine. For more information see http://en.wikipedia.org/wiki/Cross-site_scripting

Anti-Cross Site Scripting Library V1.5

The Microsoft Anti-Cross Site Scripting Library V1.5 is an encoding library, provided by the ASP.NET and Application Consulting & Engineering (ACE) teams at Microsoft, designed to help developers protect their Web-based applications from XSS attacks. This library differs from most encoding libraries in that it uses the principle-of-inclusions technique to provide protection against XSS attacks. This approach works by defining a valid or allowable set of characters, and encoding anything outside this set (invalid characters or potential attacks). It offers several advantages over other encoding schemes.
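The principle-of-inclusions approach described above, as an added example written for this post (it is not the Anti-XSS library's own code, and the allowlist it uses is an assumption chosen for illustration): characters in the allowed set pass through unchanged and every other UTF-16 code unit, or surrogate pair, is emitted as a numeric entity, so no list of "dangerous" characters ever has to be maintained.

```csharp
using System;
using System.Text;

// Added example, not the Anti-XSS library's code: a minimal
// principle-of-inclusions HTML encoder for element content.
public static class InclusionEncoder
{
    // Allowlist: ASCII letters, digits and a few punctuation characters
    // that are harmless in HTML text. This set is an assumption for the
    // example, not the library's exact set.
    private const string SafePunctuation = " ,.-_";

    private static bool IsAllowed(char c)
    {
        return (c >= 'a' && c <= 'z')
            || (c >= 'A' && c <= 'Z')
            || (c >= '0' && c <= '9')
            || SafePunctuation.IndexOf(c) >= 0;
    }

    // Encode everything outside the allowlist as &#NNN;. Surrogate pairs
    // are combined first so a non-BMP character becomes one valid entity
    // instead of two lone-surrogate entities.
    public static string HtmlEncode(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;
        var sb = new StringBuilder(input.Length * 2);
        for (int i = 0; i < input.Length; i++)
        {
            char c = input[i];
            if (IsAllowed(c)) { sb.Append(c); continue; }
            int codePoint = c;
            if (char.IsHighSurrogate(c) && i + 1 < input.Length
                && char.IsLowSurrogate(input[i + 1]))
            {
                codePoint = char.ConvertToUtf32(c, input[i + 1]);
                i++;
            }
            sb.Append("&#").Append(codePoint).Append(';');
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample: a user-supplied message of the kind a forum
        // would render back to other visitors.
        string post = "Hi <b>all</b> & \"friends\" <script>alert('x')</script>";
        Console.WriteLine(HtmlEncode(post));
    }
}
```

Note that this encoder is only correct for HTML element content; attribute values, URLs and JavaScript contexts each need their own allowlist and encoding rules, which is why the library ships separate encoders for them.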

You can download the Microsoft Anti-Cross Site Scripting Library V1.5 at http://www.microsoft.com/downloads/details.aspx?FamilyId=EFB9C819-53FF-4F82-BFAF-E11625130C25&displaylang=en

Exploit scenarios

Attackers intending to exploit cross-site scripting vulnerabilities must approach each class of vulnerability differently. For each class, a specific attack vector is described here. (The names below come from the cast of characters commonly used in computer security.)

Type-0 attack

  1. Mallory sends a URL to Alice (via email or another mechanism) of a maliciously constructed web page.
  2. Alice clicks on the link.
  3. The malicious web page’s JavaScript opens a vulnerable HTML page installed locally on Alice’s computer.
  4. The vulnerable HTML page contains JavaScript which executes in Alice’s computer’s local zone.
  5. Mallory’s malicious script now may run commands with the privileges Alice holds on her own computer.

Type-1 attack

  1. Alice often visits a particular website, which is hosted by Bob. Bob’s website allows Alice to log in with a username/password pair and store sensitive information, such as billing information.
  2. Mallory observes that Bob’s website contains a reflected XSS vulnerability.
  3. Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, making it look as if it came from Bob (i.e., the email is spoofed).
  4. Alice visits the URL provided by Mallory while logged into Bob’s website.
  5. The malicious script embedded in the URL executes in Alice’s browser, as if it came directly from Bob’s server. The script steals sensitive information (authentication credentials, billing info, etc) and sends this to Mallory’s web server without Alice’s knowledge.

Type-2 attack

  1. Bob hosts a web site which allows users to post messages and other content to the site for later viewing by other members.
  2. Mallory notices that Bob’s website is vulnerable to a type 2 XSS attack.
  3. Mallory posts a message, controversial in nature, which may encourage many other users of the site to view it.
  4. Upon merely viewing the posted message, site users’ session cookies or other credentials could be taken and sent to Mallory’s webserver without their knowledge.
  5. Later, Mallory logs in as other site users and posts messages on their behalf…

Please note, the preceding examples are merely a representation of common methods of exploitation and are not meant to encompass all vectors of attack.


Written by Manish

August 27, 2007 at 3:36 am

Posted in Uncategorized
