
Cross Site Scripting (XSS): The Complete Documentation

  • This category contains 52 Papers
  • The last paper was added on 2007-03-26 (YYYY-MM-DD)

80/20 Rule for Web Application Security (The)

Published on 2005-01-31, by Jeremiah Grossman, ©Web Application Security Consortium.

After performing hundreds of web security assessments you're bound to encounter many frighteningly insecure websites. Websites so badly protected you could literally make off with the credit card numbers in a way reminiscent of the movie Gone in Sixty Seconds. On the other hand there are many websites frustratingly impervious to attack. What I'll describe below are the subtle variations between the security "haves" and "have-nots". Using the age old "80/20 rule", we'll look at a few techniques anyone can use to decrease the risk of their website being hacked. And to make it really easy you won't have to alter a single line of code! But before jumping too far ahead let's first discuss the 80/20 rule.

File infos:

Anatomy of Cross Site Scripting

Published on November 5, 2003, by Gavin Zuchlinski, ©Gavin Zuchlinski.

Cross site scripting (XSS) flaws are a relatively common issue in web application security, but they are still extremely lethal. They are unique in that, rather than attacking a server directly, they use a vulnerable server as a vector to attack a client. This can lead to extreme difficulty in tracing attackers, especially when requests are not fully logged (such as POST requests). Many documents discuss the actual insertion of HTML into a vulnerable script, but stop short of explaining the full ramifications of what can be done with a successful XSS attack. While this is adequate for prevention, the exact impact of cross site scripting attacks has not been fully appreciated. This paper will explore those possibilities.

File infos:

Application Security Assessments

Published on 2002, by Gunter Ollmann, ©Gunter Ollmann.

For many organisations, their internal security professionals are adept at finding and responding to information about the latest vulnerabilities and threats to the software employed within business critical systems under their supervision. There are a great many security resources available, online and printed, ready to help explain and address potential vulnerabilities with the most common commercial software products. However, there exist two problems for those responsible for the security and integrity of your systems. Firstly, the "hit or miss" disclosure of vulnerabilities in commercial software, and secondly, how do you identify or address potential vulnerabilities in the custom (in-house developed) application that connects and runs atop the commercial software?

File infos:

Best practices for input validation with Active Server Pages

Published on , by Jerry Connolly, Jerry Connolly.

An NT-based web site can be administrated very well, up to date with security hot fixes, well hardened (see the recent ORA book by Stefan Norberg for a good resource on this), on a properly secured network, but your site can still be easily cracked if the ASP code does not properly handle input. As a former ASP developer and now a "security guy" who does a lot of code reviews, I see many common coding errors over and over which can diminish the security of a site very easily. Unfortunately, these problems are not widely discussed and it is very common for developers to be unaware of them, so I will attempt to cover them here. If anyone has any suggestions, feels I have omitted anything important, or spots any errors, then I would love to hear from you at the address below.

File infos:

  • L0T3K ID: docs-319
  • status: online

Brief introduction to secure scripting (A)

Published on , by dcode, .

These days there are a lot of people that release scripts and programs on to the Internet which people will then download and use without a second thought that they may contain the simplest of security holes which can allow malicious people to attack their servers. In this paper I intend to address some of the common mistakes that are made by the programmers releasing these programs, and how they should be written properly. The paper will mainly focus on Common Gateway Interface (CGI) scripts with examples written in Perl (in my opinion the most common language used to write CGI scripts). The paper is, however, relevant to all languages, not just Perl. The main way in which CGI scripts are exploited is by a user presenting it with values that the script does not expect, and therefore does not know how to handle properly.

File infos:

Browser Identification for web applications

Published on 2005, by Shreeraj Shah, ©Shreeraj Shah.

Browser Identification is not a new concept. With the focus having shifted to desktops from networks and servers, a topic such as remote browser identification needs to be revisited.

Browsers identify themselves to web servers in the USER_AGENT header field that is contained in requests sent to the server. Almost every release of browsers contains sloppy code that allows malicious servers or attackers to compromise user privacy and security.

The header that normally identifies a user's web browser tells such servers exactly which attacks to use. Obfuscating the information contained in the USER_AGENT header field reduces the likelihood of browser-related attacks.

There are other methods of analysis and evaluation that help in accurately identifying browsers. Knowing about these methods is necessary for two reasons:

  • Increase awareness of browser-related attacks among desktop users.
  • Assist security consultants to factor in browser-related information when working on web application security testing assignments.

This paper outlines techniques that allow users to determine client browser types remotely.

File infos:

Bypassing content filtering whitepaper

Published on 2004-08-06, by 3APA3A, .

There are common methods that allow bypassing almost any content filtering software (antiviral products, CVP firewalls, mail attachment filters, etc). I believe multiple products are vulnerable.

File infos:

Bypassing JavaScript Filters — the Flash! Attack

Published on 2002-08-25, by Obscure, ©Obscure.

In this document we will be describing a loophole, with security implications, found in many websites that allow Flash documents to be inserted within HTML, or uploaded to the server. This paper relies on the fact that a huge number of web surfers have installed the Macromedia Flash plugin/ActiveX control, for an attacker to launch a Cross-site scripting attack. We will not go into a lot of detail in describing Cross-site scripting attacks in general; however, we hope that this paper will explain how Flash documents can be used to inject JavaScript into otherwise well filtered Web Applications.

File infos:

Comparison between Java and ActiveX Security (A)

Published on 10th October 1997, by David Hopwood, ©David Hopwood.

ActiveX and Java have both been the subject of press reports describing security bugs in their implementations, but there has been less consideration of the security impact of their different designs. This paper asks the questions: Would ActiveX or Java be secure if all implementation bugs were fixed?, and if not, How difficult are the remaining problems to overcome?.

File infos:

  • L0T3K ID: docs-272
  • status: online

Crawling Ajax-driven Web 2.0 Applications

Published on 2007-01-19, by Shreeraj Shah, ©Shreeraj Shah.

Crawling web applications is one of the key phases of automated web application scanning. The objective of crawling is to collect all possible resources from the server in order to automate vulnerability detection on each of these resources. A resource that is overlooked during this discovery phase can mean a failure to detect some vulnerabilities. The introduction of Ajax throws up new challenges for the crawling engine. New ways of handling the crawling process are required as a result of these challenges. The objective of this paper is to use a practical approach to address this issue using rbNarcissus, Watir and Ruby.

File infos:

Cross Site Scripting FAQ

Published on May 2002, by , ©cgisecurity.com.

Websites today are more complex than ever, containing a lot of dynamic content making the experience for the user more enjoyable. Dynamic content is achieved through the use of web applications which can deliver different output to a user depending on their settings and needs. Dynamic websites have a threat that static websites don't, called "Cross Site Scripting" (or XSS dubbed by other security professionals). Currently small informational tidbits about Cross Site Scripting holes exist but none really explain them to an average person or administrator. This FAQ was written to provide a better understanding of this emerging threat, and to give guidance on detection and prevention.

File infos:

  • L0T3K ID: docs-358
  • status: online

CROSS-SITE TRACING (XST)

Published on 2003-01-20, by Jeremiah Grossman, ©Jeremiah Grossman.

On October 23, 2002, Microsoft issued a press release describing a new browser/server based protective security measure within Internet Explorer 6 SP1. This new feature, dubbed HttpOnly, helps guard HTTP cookies against XSS (cross-site scripting) attacks. WhiteHat Security, heavily focused on web application security research and technology, began to investigate the feature in order to determine what it meant to web security. First of all, anything that attempts to help prevent the XSS plague on the web is a good thing. Most of us in the web application security field already know the great pains required to prevent the ever-present existence of XSS issues.

File infos:

Custom HTML Authentication

Published on 2002, by Gunter Ollmann, ©Gunter Ollmann.

Interactive web-based applications now form an important part of the e-business world. There is great pressure on organisations to make available many of their services through the Internet to their end clients, business partners, and own employees. Many of these new online services require end users to positively identify themselves to the application and actively work to ensure the information and level of access is appropriate for the authenticated user. While many methods are available to an organisation seeking to implement an authentication method for their Internet service, the majority have chosen to do so through HTML form submission over HTTP. Although they tend to understand the threats to their hosting environment from attackers, and actively test and patch the hosts against publicly disclosed vulnerabilities, very often the security fails at the implementation of their custom authentication procedure. Organisations must now ensure that adequate secure procedures are implemented within the custom application, particularly the authentication process and the associated management of session state.

File infos:

  • L0T3K ID: docs-361
  • status: online

Developing Secure Web Applications

Published on June 2002, by Izhar Bar-Gad and Amit Klein, ©Sanctum, Inc.

Web applications are complex entities. Technically speaking, an application is a program designed to perform a specific function directly for the user or for another application program. Web applications include code that resides on the Web servers, application servers, databases, and backend systems of an organization. In short, they are any application that will be accessed in some way, shape, or form through the Web.

File infos:

Evolution of Cross-Site Scripting Attacks (The)

Published on 2002-05-20, by David Endler, ©iDEFENSE Inc.

It seems today that Cross-Site Scripting (XSS) holes in popular web applications are being discovered and disclosed at an ever-increasing rate. Just glancing at the Bugtraq security mailing list archives at http://online.securityfocus.com/archive/1 over the first half of 2002 shows countless postings of XSS holes in widely used websites and applications.

File infos:

Extended HTML Form Attack

Published on 2002, by Obscure, ©eyeonsecurity Inc.

This paper will talk about a new way to inject HTML scripts, which makes use of the same method described in the paper by Jochen Topf called "The HTML Form Protocol Attack". This novel method of injecting Active Scripts allows a person, who has knowledge of the services running on a network, to steal cookies, which can possibly mean hijacking of Web Application authentication as well as other sensitive information stored in cookies.

File infos:

  • L0T3K ID: docs-397
  • status: online

Feed Injection in Web 2.0

Published on 2006-08-13, by Robert Auger, ©SPI Dynamics.

One new feature of "Web 2.0", the movement to build a more responsive Web, is the utilization of XML content feeds which use the RSS and Atom standards. These feeds allow both users and Web sites to obtain content headlines and body text without needing to visit the site in question, basically providing users with a summary of that site's content. Unfortunately, many of the applications that receive this data do not consider the security implications of using content from third parties and unknowingly make themselves and their attached systems susceptible to various forms of attack.

This white paper discusses various forms of attacks based on Web feeds that follow the RSS, Atom and XML standards. This paper does not extensively cover each XML element and its usage within Web-based feeds, nor does it address other vulnerability scenarios such as buffer overflows and other XML-specific risks. The goal of this paper is to outline the risks of lesser-known threats which are currently emerging on the Web utilizing Cross-Site Scripting.

File infos:

Frequently Asked Questions on Web Application Security

Published on 2004, by owasp, ©OWASP.

This FAQ answers some of the questions that developers have about Web Application Security. This FAQ is not specific to a particular platform or language. It addresses the common threats to web applications and is applicable to any platform.

File infos:

Hackproofing MySQL

Published on 2004-07-05, by Chris Anley, ©Next Generation Security Software Ltd.

MySQL claims to be the world's most popular open source database, and with good reason. It is free, runs on a wide variety of platforms, is relatively simple, easy to configure and performs well even under significant load. By comparison to some other popular database management systems, configuring it is quite simple, but there are still a sufficiently wide variety of security-relevant configuration issues to make securing it a challenge.

This document is a brief outline of common attacks on MySQL and the steps that a MySQL administrator can take to defend against them.

File infos:

Header Based Exploitation: Web Statistical Software Threats

Published on January 2002, by admin, ©Cgisecurity.com.

When people visit your website, certain information is passed from the user's web browser to your web server/script. This information contains data such as what browser they are using, the last site visited, the file they requested, and other information. This paper was written to help you understand how an attacker can use these information fields to exploit your web statistics software.

File infos:

Host Naming & URL Conventions

Published on 2005, by Gunter Ollmann, ©Next Generation Security Software Ltd.

A consideration often neglected by many organisations when rolling out new servers or developing web-based applications that will be accessible by Internet clients and customers is that of host and URL naming conventions. There are a number of simple steps that can be taken to strengthen the security of an environment or application making it more resilient to several popular attack vectors. By understanding how an attacker can abuse poorly thought out naming conventions, and by instigating a few minor changes, it is possible to positively increase the defence-in-depth stature of an environment.

File infos:

HTML Code Injection and Cross-site scripting

Published on 2003, by Gunter Ollmann, ©Gunter Ollmann.

As web-based applications have become more sophisticated, the types of vulnerabilities are capable of exploiting has rapidly increased. A particular class of attacks commonly referred to as code insertion and often Cross-Site Scripting has become increasingly popular. Unfortunately, the number of applications vulnerable to these attacks is staggering, and the varieties of ways attackers are finding to successfully exploit them is on the increase. Analysis of many sites has indicated that not only are the majority of sites vulnerable, but they are vulnerable to many different methods and much of their content is affected.

File infos:

HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics

Published on 2004, by Amit Klein, .

description

File infos:

IIS Security and Programming Countermeasures

Published on , by Yann Berthier, ©Jason Coombs.

This is a book about how to secure Microsoft Internet Information Services for administrators and programmers whose work includes a requirement for information security, a computer industry specialty field commonly referred to as infosec. In this book the terms information security and infosec are used interchangeably with the more friendly term data security. This is not a book about hacking, cracking, and the tools and techniques of the bad guys, the so-called black hat hackers. This book teaches computer professionals and infosec specialists how to build secure solutions using IIS. It is your duty to secure and defend networked information systems for the benefit of the good guys who are your end users, clients, or less technical coworkers.

File infos:

  • L0T3K ID: docs-456
  • status: online

Improving Web Application Security: Threats and Countermeasures

Published on 2004, by J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan, ©Microsoft Corporation.

This guide helps you build hack-resilient applications. A hack-resilient application is one that reduces the likelihood of a successful attack and mitigates the extent of damage if an attack occurs. A hack-resilient application resides on a secure host (server) in a secure network and is developed using secure design and development guidelines.

File infos:

Insecure Indexing Vulnerability (The)

Published on 2005-02-28, by Amit Klein, ©Web Application Security Consortium.

This paper describes several techniques (many of them new) for exposing file contents using the site search functionality. It is assumed that a site contains documents which are not visible/accessible to external users. Such documents are typically future PR items, or future security advisories, uploaded to the website beforehand. However, the site is also searchable via an internal search facility, which does have access to those documents, and as such, they are indexed by it not via web crawling, but rather, via direct access to the files (and therein lies the security breach).

Several attack techniques are described, some very simple and quick, while others require an enormous amount of traffic; not all attacks are relevant to a particular site, as they depend on the richness of syntax supported by the site's search engine.

The paper concludes with methods to detect insecure indexing vulnerability and suggested solutions.

File infos:

Introducing mod_security

Published on 2003-11-26, by Ivan Ristic, ©O'Reilly Media, Inc.

Running public web applications may seem like playing Russian roulette. Although achieving robust security on the Web is possible in theory, there's always a weak link in real life. It only takes one slip of the code to allow attackers unrestricted access to your data. If you have a public web application of modest complexity running, chances are good that it has some kind of security problem.

File infos:

One-way Web Hacking

Published on date, by Saumil Shah, ©net-square.

One-way web hacking is a technique which relies purely on HTTP traffic to attack and penetrate web servers and application servers. This technique was formulated to demonstrate that having tight firewalls or SSL does not really matter when it comes to web application attacks. The premise of the one-way technique is that only valid HTTP requests are allowed in and only valid HTTP responses are allowed out of the firewall. My research on one-way web hacking began as early as April 2000, when I was faced with the need to upload an arbitrary file on a compromised web server which had a restrictive firewall. Since then, many other techniques were developed and the collection of all these techniques resulted in the creation of the one-way web hacking methodology.

File infos:

OWASP Guide to Building Secure Web Applications and Web Service

Published on , by owasp, ©OWASP.

The original OWASP Guide to Building Secure Web Applications and Web Services has been downloaded over 2 million times over the last year and forms the basis of the web security policy for several Fortune 500 companies. This project is heading for a complete re-write for version 2.0 which will be published by No Starch Press. The re-write is a major undertaking which has no real date for completion (having failed to keep to any we have set in the past).

File infos:

OWASP Top Ten for 2004

Published on 2004-01-27, by owasp, ©OWASP.

The OWASP Top Ten is modeled in the SANS Top 20 and written for managers as well as technicians. It highlights the most important and most frequently found web application security issues today. It has become recommended reading by the Federal Trade Commission and has received a great deal of publicity.

File infos:

Preventing Cross-site Scripting Attacks

Published on February 20, 2002, by Paul Lindner, ©O'Reilly & Associates, Inc.

The cross-site scripting attack is one of the most common, yet overlooked, security problems facing web developers today. A web site is vulnerable if it displays user-submitted content without checking for malicious script tags.

File infos:

PREVENTION OF THE OWASP TOP 10 IN PERL

Published on , by Daniel Goscomb, .

This paper aims to take the OWASP (The Open Web Application Security Project) Top 10 and discuss these vulnerabilities/flaws in relation to the Perl programming language. From reading this paper people should become more aware of these flaws and also have at least a basic understanding of how they can be prevented from entering their Perl applications. To do this each of the OWASP Top 10 list will be taken and the potential problems applicable to Perl will be discussed, and then a proposed solution to the problem will be given, using examples where appropriate.

File infos:

  • L0T3K ID: docs-569
  • status: online

Protecting Web-Based Applications

Published on 2002, by META Security Group, ©META Security Group.

Despite the dot bomb stock market debacle, most organizations continue to roll out new web-based business applications at a feverish pace. This phenomenon is not tied to a single vertical market. In fact, the trend toward web-based or true network computing spans both governmental and commercial organizations, and is evident in industries as diverse as insurance, banking, and finance to manufacturing, health care, pharmaceutical, and computers. Unfortunately, while there has been real progress in protecting corporate network infrastructure over the last few years, many organizations' web-based applications remain at very high risk.

File infos:

Real World XSS

Published on 2003-11-04, by David Zimmer, ©David Zimmer.

So what is all the media fuss about XSS? For those of you who don’t know the acronym, XSS stands for Cross-Site Scripting. It is the term that has been given to web pages that can be tricked into displaying web surfer supplied data capable of altering the page for the viewer.

File infos:

Scanning Ajax for XSS entry points

Published on 2007-02-19, by Shreeraj Shah, ©HNS Consulting LTD.

The continuous adoption of Web 2.0 architecture for web applications is instrumental in Ajax, Web services and Flash, emerging as key components. Ajax is a combination of technologies such as JavaScript with the XMLHttpRequest object, DOM and XML streams. Cross site scripting (XSS) can make browsers vulnerable to critical information hijacking if exploited with malicious intent. XSS is already categorized as persistent, non-persistent and DOM-based. Ajax code loaded in browser can have entry points to XSS and it is the job of the security analyst to identify these entry points. It is difficult to decisively conclude that possible entry points to an application can be exploited. One may need to do a trace or debug to measure the risk of these entry points. This paper introduces you to a quick way to identify XSS entry points in an application.

File infos:

Search Engines: The Ignored Threat

Published on February 5, 2001, by Paul Heely, Paul Heely.

Search engines simplify the process of locating information in cyberspace. They allow simple queries against massive databases of information, allowing users to find information on any topic. The same mechanism that provides this great searchability also presents a threat to many organizations. This paper will explore how the innocuous search engine can, in fact, be quite dangerous. We begin with a look at the basic operation of a search engine. We then look at how the contents of a search engine's database can be used by a malicious user to locate web sites vulnerable to attack. In addition to sites vulnerable to direct attack, we also look at how sites may be leaking sensitive information to the world through an entry in a search engine's database. We conclude with a discussion of controls that can be deployed to help limit what parts of a site are searched and cataloged by a search engine robot.

File infos:

  • L0T3K ID: docs-591
  • status: online

Secure Scripting

Published on , by Dan Goscomb, Dan Goscomb.

These days there are a lot of people that release scripts and programs on to the internet which people will then download and use without a second thought that they may contain the simplest of security holes which can allow malicious people to attack their servers. In this paper I intend to address some of the common mistakes that are made by the programmers releasing these programs, and how they should be written properly. The paper will mainly focus on Common Gateway Interface (CGI) scripts with examples written in Perl (in my opinion the most common CGI language). The paper is, however, relevant to all languages, not just Perl. The main way in which CGI scripts are exploited is by a user presenting it with values that the script does not expect, and therefore does not know how to handle properly.

File infos:

  • L0T3K ID: docs-601
  • status: online

Securing Apache: Step By Step

Published on 2001, by Ryan C. Barnett, ©SANS.

This document defines security configuration standards for the Apache 1.3.xx versions of the web server, since it has the predominant market share over the new Apache 2 platform. There will be a future release of a document which will cover the security benchmarks of the 2.0 versions due to a number of dramatic changes to the overall API structure. At the time of this document, Apache V.1.3.24 is the current stable version. The platform used for the examples in this document is a Solaris 8 operating system with the Apache 1.3.24 version installed.

File infos:

  • L0T3K ID: docs-605
  • status: online

Securing Apache: Step-by-Step

Published on May 14, 2003, by Artur Maj, ©SecurityFocus.

This article shows in a step-by-step fashion, how to install and configure the Apache 1.3.x Web server in order to mitigate or avoid successful break-in when new vulnerabilities in this software are found.

File infos:

Securing Web Application Code by Static Analysis and Runtime Protection

Published on 2005, by Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, D. T. Lee, Sy-Yen Kuo, ©Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, D. T. Lee, Sy-Yen Kuo.

Security remains a major roadblock to universal acceptance of the Web for many kinds of transactions, especially since the recent sharp increase in remotely exploitable vulnerabilities has been attributed to Web application bugs. Many verification tools are discovering previously unknown vulnerabilities in legacy C programs, raising hopes that the same success can be achieved with Web applications. In this paper, we describe a sound and holistic approach to ensuring Web application security. Viewing Web application vulnerabilities as a secure information flow problem, we created a lattice-based static analysis algorithm derived from type systems and typestate, and addressed its soundness. During the analysis, sections of code considered vulnerable are instrumented with runtime guards, thus securing Web applications in the absence of user intervention. With sufficient annotations, runtime overhead can be reduced to zero. We also created a tool named WebSSARI (Web application Security by Static Analysis and Runtime Inspection) to test our algorithm, and used it to verify 230 open-source Web application projects on SourceForge.net, which were selected to represent projects of different maturity, popularity, and scale. 69 contained vulnerabilities and their developers were notified. 38 projects acknowledged our findings and stated their plans to provide patches. Our statistics also show that static analysis reduced potential runtime overhead by 98.4%.

File infos:

Static Detection of Security Vulnerabilities in Scripting Languages

Published on 2006, by Yichen Xie, Alex Aiken, ©Yichen Xie, Alex Aiken.

We present a static analysis algorithm for detecting security vulnerabilities in PHP, a popular server-side scripting language for building web applications. Our analysis employs a novel three-tier architecture to capture information at decreasing levels of granularity at the intrablock, intraprocedural, and interprocedural level. This architecture enables us to handle dynamic features unique to scripting languages such as dynamic typing and code inclusion, which have not been adequately addressed by previous techniques.

We demonstrate the effectiveness of our approach by running our tool on six popular open source PHP code bases and finding 105 previously unknown security vulnerabilities, most of which we believe are remotely exploitable.

File infos:

TCP Port 80 - HyperText Transfer Protocol (HTTP) Header Exploitation

Published on September 11, 2002, by William Bellamy Jr., .

This paper will focus on the Transport Control Protocol (TCP) port 80, commonly used by web servers to form the foundation for the World Wide Web. While Web clients do not use a commonly agreed upon port, web servers can be expected to use TCP 80 to provide general public access. The general public thinks of the World Wide Web (WWW or the web) as somehow being the Internet, when in fact the web is simply one of many ways the Internet is used. The Internet is similar to a phone system. A phone system is a collection of hardware and software that creates an infrastructure that supports several seemingly different activities.

File infos:

  • L0T3K ID: docs-639
  • status: online

Understanding Malicious Content Mitigation for Web Developers

Published on 2000, by CERT Coordination Center, ©Carnegie Mellon University.

Web pages contain both text and HTML markup that is generated by the server and interpreted by the client browser. Servers that generate static pages have full control over how the client will interpret the pages sent by the server. However, servers that generate dynamic pages do not have complete control over how their output is interpreted by the client. The heart of the issue is that if untrusted content can be introduced into a dynamic page, neither the server nor the client has enough information to recognize that this has happened and take protective actions.

In HTML, to distinguish text from markup, some characters are treated specially. The grammar of HTML determines the significance of "special" characters -- different characters are special at different points in the document. For example, the less-than sign "<" typically indicates the beginning of an HTML tag. Tags can either affect the formatting of the page or introduce a program that the browser executes (e.g., the