Cross site scripting / XSS - How to find & fix it with a web scanner

http://www.acunetix.com/websitesecurity/cross-site-scripting.htm

HOME (http://www.acunetix.com/index.htm) WEB VULNERABILITY SCANNER (http://www.acunetix.com/vulnerability-scanner/) DOWNLOAD TRIAL (http://www.acunetix.com/vulnerability-scanner/download.htm) FREE EDITION (http://www.acunetix.com/cross-site-scripting/scanner.htm) Testimonials (../vulnerability-scanner/customer_testimonials.htm) WEB APPLICATION SECURITY BLOG (http://www.acunetix.com/blog/) ORDERING (http://www.acunetix.com/ordering/index.php)

1 of 6

3/22/2011 12:18 AM

Cross site scripting / XSS - How to find & fix it with a web scanner

http://www.acunetix.com/websitesecurity/cross-site-scripting.htm

Cross Site Scripting Attack

What is Cross Site Scripting? Hackers are constantly experimenting with a wide repertoire of hacking techniques to compromise websites and web applications and make off with a treasure trove of sensitive data including credit card numbers, social security numbers and even medical records. Cross Site Scripting (also known as XSS (xss.htm) or CSS) is generally believed to be one of the most common application layer hacking techniques. In the pie-chart below, created by the Web Hacking Incident Database for 2011 (WHID) clearly shows that whilst many different attack methods exist, SQL injection and XSS are the most popular. To add to this, many other attack methods, such as Information Disclosures, Content Spoofing and Stolen Credentials could all be side-effects of an XSS attack. In general, cross-site scripting refers to that hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content from an end-user and collect some type of data from the victim. Today, websites rely heavily on complex web applications to deliver different output or content to a wide variety of users according to set preferences and specific needs. This arms organizations with the ability to provide better value to their customers and prospects. However, dynamic websites suffer from serious vulnerabilities rendering organizations helpless and prone to cross site scripting attacks on their data. "A web page contains both text and HTML markup that is generated by the server and interpreted by the client browser. Web sites that generate only static pages are able to have full control over how the browser interprets these pages. Web sites that generate dynamic pages do not have complete control over how their outputs are interpreted by the client. The heart of the issue is that if mistrusted content can be introduced into a dynamic page, neither the web site nor the client has enough information to recognize that this has happened and take protective actions." (CERT Coordination Center). Cross Site Scripting allows an attacker to embed malicious JavaScript (javascript.htm) , VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems. The data is usually formatted as a hyperlink containing malicious content and which is distributed over any possible means on the internet. As a hacking tool, the attacker can formulate and distribute a custom-crafted CSS URL just by using a browser to test the dynamic website response. The attacker also needs to know some HTML, JavaScript and a dynamic language, to produce a URL which is not too suspiciouslooking, in order to attack a XSS vulnerable website. Any web page which passes parameters to a database can be vulnerable to this hacking technique. Usually these are present in Login forms, Forgot Password forms, etc N.B. Often people refer to Cross Site Scripting as CSS or XSS, which is can be confused with Cascading Style Sheets (CSS). The Theory of XSS In a typical XSS attack the hacker infects a legitimate web page with his malicious client-side script. When a user visits this web page the script is downloaded to his browser and executed. There are many slight variations to this theme, however all XSS attacks follow this pattern, which is depicted in the diagram below. As a web developer you are putting measures in place to secure the first step of the attack. You want to prevent the hacker from infecting your innocent web page with his malicious script. There are various ways to do that, and this article goes into some technical detail on the most important techniques that you must use to disable this sort of attack against your users. XSS Attack Vectors So how does a hacker infect your web page in the first place? You might think, that for an

2 of 6

3/22/2011 12:18 AM

Cross site scripting / XSS - How to find & fix it with a web scanner

http://www.acunetix.com/websitesecurity/cross-site-scripting.htm

attacker to make changes to your web page he must first break the security of the web server and be able to upload and modify files on that server. Unfortunately for you an XSS attack is much easier than that. Internet applications today are not static HTML pages. They are dynamic and filled with ever changing content. Modern web pages pull data from many different sources. This data is amalgamated with your own web page and can contain simple text, or images, and can also contain HTML tags such as <p> for paragraph, <img> for image and <script> for scripts. Many times the hacker will use the comments feature of your web page to insert a comment that contains a script. Every user who views that comment will download the script which will execute on his browser, causing undesirable behaviour. Something as simple as a Facebook post on your wall can contain a malicious script, which if not filtered by the Facebook servers will be injected into your Wall and execute on the browser of every person who visits your Facebook profile. By now you should be aware that any sort of data that can land on your web page from an external source has the potential of being infected with a malicious script, but in what form does the data come? <SCRIPT> The <SCRIPT> tag is the most popular way and sometimes easiest to detect. It can arrive to your page in the following forms: External script:

Embedded script:

<BODY> The <BODY> tag can contain an embedded script by using the ONLOAD event, as shown below:

The BACKGROUND attribute can be similarly exploited:

<IMG> Some browsers will execute a script when found in the <IMG> tag as shown here:

There are some variations of this that work in some browsers:

<IFRAME> The <IFRAME> tag allows you to import HTML into a page. This important HTML can contain a script.

<INPUT> If the TYPE attribute of the <INPUT> tag is set to IMAGE, it can be manipulated to embed a script:

<LINK> The <LINK> tag, which is often used to link to external style sheets could contain a script:

<TABLE> The BACKGROUND attribute of the TABLE tag can be exploited to refer to a script instead of an image:

The same applies to the <TD> tag, used to separate cells inside a table:

<DIV>

3 of 6

3/22/2011 12:18 AM

Cross site scripting / XSS - How to find & fix it with a web scanner

http://www.acunetix.com/websitesecurity/cross-site-scripting.htm

The <DIV> tag, similar to the <TABLE> and <TD> tags can also specify a background and therefore embed a script:

The <DIV> STYLE attribute can also be manipulated in the following way:

<OBJECT> The <OBJECT> tag can be used to pull in a script from an external site in the following way:

<EMBED> If the hacker places a malicious script inside a flash file, it can be injected in the following way:

Is your site vulnerable to Cross Site Scripting? Our experience leads us to conclude that the cross-site scripting vulnerability is one of the most highly widespread flaw on the Internet and will occur anywhere a web application uses input from a user in the output it generates without validating it. Our own research shows that over a third of the organizations applying for our free audit service are vulnerable to Cross Site Scripting. And the trend is upward. Example of a Cross Site Scripting Attack As a simple example, imagine a search engine site which is open to an XSS attack. The query screen of the search engine is a simple single field form with a submit button. Whereas the results page, displays both the matched results and the text you are looking for. Search Results for "XSS Vulnerability" To be able to bookmark pages, search engines generally leave the entered variables in the URL address. In this case the URL would look like: http://test.searchengine.com/search.php?q=XSS%20 Vulnerability Next we try to send the following query to the search engine: <script type="text/javascript"> alert ('This is an XSS Vulnerability') </script> By submitting the query to search.php, it is encoded and the resulting URL would be something like: http://test.searchengine.com/search.php?q=%3Cscript%3 Ealert%28%91This%20is%20an%20XSS%20Vulnerability%92%2 9%3C%2Fscript%3E Upon loading the results page, the test search engine would probably display no results for the search but it will display a JavaScript alert which was injected into the page by using the XSS vulnerability. How to Check for Cross Site Scripting Vulnerabilities To check for Cross site scripting vulnerabilities, use a Web Vulnerability Scanner. A Web Vulnerability Scanner crawls your entire website and automatically checks for Cross Site Scripting vulnerabilities. It will indicate which URLs/scripts are vulnerable to these attacks so that you can fix the vulnerability easily. Besides Cross site scripting vulnerabilities a web application scanner will also check for SQL injection (sql-injection.htm) & other web vulnerabilities. Acunetix Web Vulnerability Scanner (http://www.acunetix.com/vulnerability-scanner/) scans for SQL injection (sql-injection.htm) , Cross site scripting, Google hacking (google-hacking.htm) and many more vulnerabilities. Preventing Cross Site Scripting Attacks The purpose of this article is define Cross Site Scripting attacks and give some practical examples. Preventing XSS attacks requires diligence from the part of the programmers and the necessary security testing. You have already begun your journey to prevention by reading this article and understanding how XSS works and what mechanisms it uses. Now might be a good time to learn how to stop these threats. Scanning for XSS Vulnerabilities with Acunetix Web Vulnerability Scanner Free Edition! To check whether your website has cross site scripting vulnerabilities, download the Free Edition from http://www.acunetix.com/crosssite-scripting/scanner.htm (http://www.acunetix.com/cross-site-scripting/scanner.htm) . This version will scan any website / web application for XSS (xss.htm) vulnerabilities and it will also reveal all the essential information related to it, such as the vulnerability location and remediation techniques. Scanning for XSS is normally a quick exercise (depending on the size of the web-site). Web Application Security Blog (http://feeds.acunetix.com/acunetixwebapplicationsecurityblog)

4 of 6

3/22/2011 12:18 AM

Cross site scripting / XSS - How to find & fix it with a web scanner

http://www.acunetix.com/websitesecurity/cross-site-scripting.htm

15 Mar 11 Cross Site Scripting Attacks (http://www.acunetix.com/blog/web-security-zone/articles/cross-site-scripting-attacks/) 10 Mar 11 You cant change what you tolerate (http://www.acunetix.com/blog/web-security-zone/articles/cant-change-what-youtolerate/)

16 Feb 11 Testing for weak passwords: a common oversight without a great solution (http://www.acunetix.com/blog/websecurity-zone/articles/testing-weak-passwords/)

03 Feb 11 I wouldnt want to be a developer these days (http://www.acunetix.com/blog/web-security-zone/articles/want-developer/) 19 Jan 11 How often should you test your web applications? (http://www.acunetix.com/blog/web-security-zone/articles/testweb-applications/)

04 Jan 11 How to choose a web vulnerability scanner (http://www.acunetix.com/blog/docs/how-to-choose-web-vulnerability-scanner/) 29 Dec 10 10 great ways to get hacked in the New Year (http://www.acunetix.com/blog/web-security-zone/articles/greatways-hacked-new-year/)

14 Dec 10 A complete guide to securing a website (http://www.acunetix.com/blog/web-security-zone/whitepapers/complete-guidesecuring-website/)

13 Dec 10 Which scan policy should you use to find everything that matters? (http://www.acunetix.com/blog/web-securityzone/articles/scan-policy/)

09 Dec 10 Google XSS Flaw in Website Optimizer Scripts explained (http://www.acunetix.com/blog/web-security-zone/articles

/google-xss-website-optimizer-scripts/)

06 Dec 10 DOM based Cross-site Scripting vulnerabilities (http://www.acunetix.com/blog/web-security-zone/articles/dom-xss/) 30 Nov 10 Statistics from a phishers list (http://www.acunetix.com/blog/web-security-zone/articles/statistics-phishing-attacks/) 22 Nov 10 HTTP Post Denial Of Service: more dangerous than initially thought (http://www.acunetix.com/blog/web-securityzone/articles/http-post-denial-service/)

18 Nov 10 Notable changes in PCI DSS 2.0 affecting Web application security (http://www.acunetix.com/blog/news/changespci-dss-2/)

09 Nov 10 Application Security; Dont get caught off guard with dangerous assumptions (http://www.acunetix.com/blog/websecurity-zone/articles/application-security-off-guard-dangerous-assumptions/)

Articles on Web Security Exploiting a cross-site scripting vulnerability on Facebook ( xss-facebook.htm) CRLF Injection attacks and HTTP Response Splitting ( crlf-injection.htm) Apache Web Server Security ( apache-security.htm) IIS Web Server Security ( iis-security.htm) Web Server Security and Database Server Security ( webserver-security.htm) More Articles (../websitesecurity/articles.htm) White Papers on Web Security A complete guide to securing a website (website-auditing-wp.htm) Why File Upload Forms are a major security threat (upload-forms-threat.htm) Finding the right web application scanner; why black box scanning is not enough (rightwvs.htm) The Payment Card Industry Compliance - Securing both Merchant and Customer data. (pci-compliance-wp.htm) Web Services - The Technology and its Security Concerns (web-services-wp.htm) More White Papers (../websitesecurity/whitepapers.htm)

Acunetix Web Application Security Blog

15 Mar | Cross Site Scripting Attacks (http://www.acunetix.com/blog/web-security-zone/articles/cross-site-scripting-attacks/) 10 Mar | You cant change what you tolerate (http://www.acunetix.com/blog/web-security-zone/articles/cant-change-what-you-tolerate/) 08 Mar | Acunetix Web Vulnerability Scanner Version 7 build 20110308 released (http://www.acunetix.com/blog/releases/acunetixweb-vulnerability-scanner-7-2011030/) 01 Mar | Acunetix Web Vulnerability Scanner Version 7 Reviewed by Darknet.org.uk (http://www.acunetix.com/blog/news/web-vulnerability-scanner-7-darknet-review/) 23 Feb | Acunetix WVS voted Windowsecurity.com Readers Choice Award Winner.. (http://www.acunetix.com/blog/news/web-vulnerability-scanner-wins-award/) 16 Feb | Testing for weak passwords: a common oversight without a great solution (http://www.acunetix.com/blog/web-securityzone/articles/testing-weak-passwords/) 09 Feb | Acunetix WVS Version 7 build 20110209 released (http://www.acunetix.com /blog/releases/acunetix-wvs-7-20110209/) 03 Feb | I wouldnt want to be a developer these days (http://www.acunetix.com /blog/web-security-zone/articles/want-developer/) 26 Jan | Acunetix Web Vulnerability Scanner 7 reviewed by Net Security.org
(http://www.acunetix.com/blog/news/wvs7-review-net-security/)

Latest Article
DOM based XSS (http://www.acunetix.com/blog/web-security-zone/articles/dom-xss/) While a traditional XSS vulnerability occurs on the server-side code, DOM based XSS is a type of vulnerability which affects the script code in the clients browser. Continue Reading (http://www.acunetix.com/blog/web-security-zone/articles/dom-xss/) | More Articles (http://www.acunetix.com
/blog/category/web-security-zone/articles/)

5 of 6

3/22/2011 12:18 AM

Cross site scripting / XSS - How to find & fix it with a web scanner

http://www.acunetix.com/websitesecurity/cross-site-scripting.htm

Latest Whitepaper
A complete guide to securing a website (website-auditing-wp.htm) In this whitepaper we explain in detail how to do a complete website security audit and focus on using the right approach and tools in step by step format. Continue Reading (website-auditing-wp.htm) | More White Papers (http://www.acunetix.com/blog/category/web-securityzone/whitepapers/)

Testimonials
" As a Penetration tester, Acunetix Web Vulnerability Scanner makes the most tedious and recurring tasks a breeze, cutting down on time requirement and raising the quality of the test. " Thierry Zoller , TELiNDUS PSF, Luxembourg More Testimonials (../vulnerability-scanner/customer_testimonials.htm)

6 of 6

3/22/2011 12:18 AM