Defensive Java Programming Notes (02 of 11) Cross Site Scripting

By Leeland

Cross-site scripting got wide attention with the Samy worm on MySpace in 2005. Before that the XSS class of vulnerability was known but not really considered a big deal.

Using XSS an attacker can:

  • Hijack your account
  • Spread web worms
  • Access your browser history and clipboard contents
  • Remotely control your browser
  • Scan and exploit your intranet appliances and applications
  • Alter your router's DNS settings and control every webpage you visit thereafter

The attack works when a site takes attacker-supplied content and sends it to another user's browser without neutralizing it, so the browser runs it as part of the site's own page, with the site's origin and cookies. The injected content can be:

  • JavaScript
  • VBScript
  • ActiveX
  • HTML
  • Flash
  • really anything that gets rendered by a browser

There are two main forms, reflected and persistent (also called stored):

  • Reflected is where the malicious content is sent as part of an HTTP request and is immediately returned in the response (like in an error message that echoes the input). It works on others if an attacker can trick a victim into making that HTTP request, for example:
    • Post the link on a forum
    • Send the victim the link in an email
    • Have the link indexed by a search engine
  • Persistent is similar to reflected except that the content is stored on the server and later displayed back unsanitized to whoever views the results page. Naturally this is a LOT worse than reflected (which is bad enough): every visitor is a victim and no link has to be delivered.

The problem lies mostly in needing to validate all inputs on the way in and, separately, encode everything on the way out for the context it lands in (HTML body, attribute value, JavaScript string, URL). Essentially, if some input is not neutralized before being output back to the user, or worse, saved and shown to other users later, there is an XSS vulnerability. Scrubbing at storage time alone is not enough, because data also reaches the page from other sources (databases, feeds, other applications), so the output side has to defend itself.

The most common test is to try to get the browser to execute the JavaScript <script>alert("xss")</script>. For example:


It is harder than you think to stop this. A filter that looks for the literal string <script> will miss the same payload in an encoded form: URL-encoded (%3C for <, %3E for >) in a query string, which the server decodes before the application sees it, or written as HTML character references inside an attribute value, which the browser decodes before it interprets the attribute. Here it is in legal hex that might slip past a validation / sanitization pass:


(I can't tell you how happy I am that my own site is not actually executing the above elements!! Not that I am 100% trusting of my own site yet, but still, this is heartening.)

If you see a GET request to a web site with parameters in the URL, try replacing one of the parameter values with the script <script>alert("xss")</script>. For example take:


and change it to


If you get a dialog... uh oh.

Blacklisting and whitelisting are the two basic methods. The problem with blacklisting is that you have to understand every way the bad thing can be written. For example, say you want to prevent script tags, so you blacklist <SCRIPT> tags. But what if someone sends <SC<Script>ript>? If your blacklist filter makes one pass stripping bad elements, it removes the inner script tag and leaves you with <SCript>, a script tag still in play. Repeating the pass a fixed number of times is not solid either: malicious users will simply figure out how many times you do it, nest one level deeper, and you are compromised. Even a filter that loops until nothing changes is still a blacklist, and it only knows about the vectors you listed; an event handler attribute such as onerror on an <img> tag, or a javascript: URL, contains no script tag at all. Whitelisting the markup you allow, or better, encoding untrusted data on output so the browser never treats it as markup, does not have this problem.
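The failure modes above (a single stripping pass, a fixed number of passes, a blacklist that knows only one vector, and the URL-encoded variant from the hex discussion earlier) next to the encode-on-output fix from the sanitization section, as an added example in plain Java. This is not code from the original post; the class name, method names and all inputs are constructed for the demo, and it needs Java 10 or later for URLDecoder.decode(String, Charset).

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/**
 * Added example, not from the original post: why stripping <script> tags
 * (a blacklist) fails and why encoding on output does not.
 * Plain Java, no servlet container; every input below is constructed for the demo.
 */
public class XssBlacklistDemo {

    // Blacklist rule: remove any <script ...> or </script> tag, ignoring case.
    private static final Pattern SCRIPT_TAG =
            Pattern.compile("</?script[^>]*>", Pattern.CASE_INSENSITIVE);

    /** One stripping pass, the way a naive filter does it. */
    static String stripOnce(String input) {
        return SCRIPT_TAG.matcher(input).replaceAll("");
    }

    /** A fixed number of passes; the attacker only has to nest one level deeper. */
    static String stripTimes(String input, int passes) {
        String out = input;
        for (int i = 0; i < passes; i++) {
            out = stripOnce(out);
        }
        return out;
    }

    /** Loop to a fixed point; still a blacklist, so it only knows about <script>. */
    static String stripUntilStable(String input) {
        String previous;
        String current = input;
        do {
            previous = current;
            current = stripOnce(current);
        } while (!current.equals(previous));
        return current;
    }

    /**
     * Builds a payload that needs exactly `depth` passes to remove: each level wraps
     * the previous one so that deleting the inner tag reassembles a new one. Depth 2
     * gives <S<Script>Cript>, the same trick as <SC<Script>ript> with a different split.
     */
    static String nestedScript(int depth) {
        String open = "<Script>";
        String close = "</Script>";
        for (int i = 1; i < depth; i++) {
            open = "<S" + open + "Cript>";
            close = "</S" + close + "Cript>";
        }
        return open + "alert(\"xss\")" + close;
    }

    /** Output encoding for an HTML text context: markup characters become character references. */
    static String encodeForHtml(String input) {
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // 1. The split-tag example from the text: one pass removes only the inner tag.
        String split = "<SC<Script>ript>alert(\"xss\")</SC</Script>ript>";
        System.out.println("one pass     : " + stripOnce(split));

        // 2. A filter that repeats twice against a payload nested three deep.
        String deep = nestedScript(3);
        System.out.println("two passes   : " + stripTimes(deep, 2));

        // 3. Looping to a fixed point beats nesting, but misses a vector with no script tag.
        String handler = "<img src=x onerror=alert(\"xss\")>";
        System.out.println("until stable : " + stripUntilStable(handler));

        // 4. URL-encoded payload (constructed): a check on the raw query text sees no "<script",
        //    but the server decodes it before the application uses the value.
        String rawQuery = "q=%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E";
        String decoded = URLDecoder.decode(rawQuery, StandardCharsets.UTF_8);
        System.out.println("raw has tag  : " + rawQuery.contains("<script"));
        System.out.println("decoded has  : " + decoded.contains("<script"));

        // 5. Output encoding neutralises all of them, however they were obfuscated.
        System.out.println(encodeForHtml(split));
        System.out.println(encodeForHtml(handler));
        System.out.println(encodeForHtml(decoded));
    }
}
```

Running it, the single pass on the split payload and the two-pass filter on the three-deep payload both leave <SCript>alert("xss")</SCript> in the output, a tag the browser will happily run; the fixed-point loop returns the <img> payload unchanged, since nothing in it matches the blacklist; and the raw query string fails the contains("<script") check while its decoded form passes it. Only the encoded output contains no < or > at all, which is why the defence belongs at the point where the data is written into the page, not in a list of forbidden strings. The encoder here is for an HTML text context only; attribute values, JavaScript strings and URLs each need their own encoding rules.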

For video on how bad this can be see:

To test for this you use a local intercepting proxy like Paros, Burp Suite or WebScarab. These catch the traffic and let you edit the content before it goes to the server, as it comes back, and so on. The FoxyProxy plug-in for Firefox lets you switch the proxy on or off.

An amazing list of ways to get around blacklist filters for XSS
