
Don’t Let XSS Fake Out your Traffic and Damage your Good Name

Posted: August 9th, 2010 | Filed under: Web Security Tools

A Cross-Site Scripting (XSS) Overview

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. It enables attackers to inject client-side script into Web pages viewed by other users, and in doing so it compromises the trust relationship between a user and the Web site. As of 2007, XSS carried out on Web sites accounted for roughly 80% of all security vulnerabilities documented by Symantec.

The potential impact of a successful XSS attack may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site’s owner.

Since XSS is merely a tactic, it can be used for a wide variety of malicious purposes, for example it can be used to:

  • Steal cookies and hijack sessions
  • Execute unintended Web site functionality
  • Harass users with malicious code
  • Alter any portion of the Web page
  • Deface or DoS the website
  • Violate the same-origin policy
  • Aid in phishing scams

XSS is an indirect way for an attacker to fool your Web site’s visitors into revealing personal information, or to exploit a secondary vulnerability in their browser or in your Web site’s server. For example, XSS can let malicious users hijack your users’ Web-based e-mail accounts, manipulate customer settings on your Web site, or steal information sent in cookies, which may include a visitor’s bank account, credit card or social security number.

The Web Application Security Consortium provides some very good examples of XSS attack types, including a useful classification of them into persistent, non-persistent and DOM-based attacks.

Assuming you cannot force your users to turn off client-side scripting (and that you would probably like to continue making use of it yourself), you need to be aware of the countermeasures for combating XSS. Here are the most common ones:

Input Validation

Input validation is a standard way of reducing XSS vulnerabilities (HTML sanitization, which rewrites submitted markup down to a safe subset, is a related technique and is often lumped in with it). The idea is to trust no user input until it has been tested to make sure it does not contain a possible XSS payload. Requests with undesirable characters in input fields may be rejected outright, or the offending characters may be stripped and/or replaced with alternative representations that cannot result in a successful XSS attack. Such validation may use either a blacklist or a whitelist approach, or some combination of both.

A blacklist (or negative security model) is a mechanism that accepts every submitted character as valid user input except those singled out (blacklisted) as dangerous to the application. Very simple anti-XSS blacklists often contain only a small set of characters and strings thought essential to carrying out XSS attacks, such as <, >, ", ' and the string "script". The blacklist approach has the advantage of being relatively easy to set up and maintain (often one list is used for all input fields). By the same token, it is also relatively easy to evade with more sophisticated forms of XSS: an attacker who finds one tag, attribute or encoding the list did not anticipate gets straight through.

The whitelist (or positive security model) approach to input validation takes the opposite tack. Rather than specifying which characters are not allowed, it allows no characters by default, except those known to be safe for the application (whitelisted). An example would be a form field meant to receive U.S. social security numbers that accepts only nine digits in the NNN-NN-NNNN pattern, with dashes in the two fixed positions. The benefit of a whitelist approach is that it is far harder to evade than a blacklist. The trade-off is that implementing and maintaining a strict whitelist is generally far more difficult, since the appropriate list of allowed characters varies with the type of field, and matching the correct list to the correct field requires up-to-date knowledge of the application’s details.
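The two models side by side, as an added example that is not code from the original post. The blacklist strips opening and closing script tags in a single pass; the whitelist is the social security number field just described. The two payloads are constructed for the demonstration: the first reassembles a script tag out of the pieces the filter leaves behind, the second never contains the word "script" at all.

```javascript
// Added example, not code from the original post: a naive XSS blacklist
// beside a whitelist validator, exercised on constructed inputs.

// Negative model: strip anything that looks like an opening or closing
// <script> tag and pass everything else through. One list, one pass.
const SCRIPT_TAG = /<\/?script[^>]*>/gi;

function blacklistFilter(input) {
  return input.replace(SCRIPT_TAG, "");
}

// Positive model: a field meant to hold a U.S. social security number
// accepts nothing but nine digits in the NNN-NN-NNNN pattern.
const SSN_PATTERN = /^\d{3}-\d{2}-\d{4}$/;

function isValidSsn(input) {
  return SSN_PATTERN.test(input);
}

// Constructed payloads. The first evades the blacklist because removing
// the inner tags in a single pass reassembles the outer ones; the second
// uses an event handler attribute and never mentions "script".
const NESTED_TAGS = "<scr<script>ipt>alert(1)</scr</script>ipt>";
const EVENT_HANDLER = "<img src=x onerror=alert(1)>";

function demo() {
  return {
    nested: blacklistFilter(NESTED_TAGS),          // "<script>alert(1)</script>"
    handler: blacklistFilter(EVENT_HANDLER),       // passes through unchanged
    ssnGood: isValidSsn("123-45-6789"),            // true
    ssnBad: isValidSsn("123-45-6789<img src=x>"),  // false: anything outside the pattern is rejected
  };
}

console.log(demo());
```

The whitelist needs no knowledge of attack syntax at all; it rejects the trailing tag simply because it is not part of the pattern. The blacklist, by contrast, is only as good as the last evasion its author thought of.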

Output Escaping / Encoding

"Escaping" is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter’s parser. Escaping is the primary means of making sure that untrusted data cannot be used to convey an injection attack. There is no harm in escaping data properly: it will still render correctly in the browser. Escaping simply lets the interpreter know that the data is not intended to be executed, and therefore prevents attacks from working. The one catch is that the escaping must match the context the data lands in, since the HTML parser, a JavaScript string literal and a URL each treat different characters as special.
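An added example (not code from the original post) of context-matched output escaping. The same untrusted display name is written into a quoted attribute, into body text and into an inline script variable, and each slot gets the encoder for its own parser. The payload is constructed for the demonstration and tries to break out of the attribute and to close the script block.

```javascript
// Added example, not code from the original post: output escaping that
// matches the context the untrusted value is written into.

// HTML body and quoted-attribute context: the characters that can change
// how the HTML parser reads the surrounding markup.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// JavaScript string context: HTML entities are NOT decoded inside a
// <script> block, so the value is emitted as a JSON string literal and
// every "<" is escaped so the sequence "</script>" can never appear.
function escapeForScriptString(untrusted) {
  return JSON.stringify(String(untrusted)).replace(/</g, "\\u003c");
}

// Untrusted display name placed in three slots: attribute value, body
// text and an inline script variable.
function renderProfile(displayName) {
  const html = escapeHtml(displayName);
  const js = escapeForScriptString(displayName);
  return [
    `<p title="${html}">Hello, ${html}!</p>`,
    `<script>var displayName = ${js};</script>`,
  ].join("\n");
}

// Constructed payload aimed at breaking out of the attribute and closing
// the script block early.
const PAYLOAD = '"><img src=x onerror=alert(1)></script><script>alert(2)</script>';

console.log(renderProfile(PAYLOAD));
```

Had the script slot been fed the HTML-escaped value instead, the browser would have shown `&quot;` and `&lt;` literally inside the string, because the script parser does not undo HTML entities; the JSON form is both safe and faithful. Both encoders leave ordinary names untouched in what the user sees.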

Cookie security

Many web applications rely on session cookies for authentication between individual HTTP requests, and because client-side scripts generally have access to these cookies, even simple XSS exploits can steal them. To mitigate this particular threat (though not the XSS problem in general), many web applications tie session cookies to the IP address of the user who originally logged in, and only permit that IP to use that cookie. This approach has serious drawbacks, however: legitimate users’ addresses change mid-session when their traffic passes through proxy servers and load balancers, and an attacker sitting behind the same proxy or NAT as the victim shares the victim’s address anyway. Another tactic is to expire unused session cookies. Marking the session cookie HttpOnly, so that it is never exposed to client-side script in the first place, addresses the theft itself rather than its aftermath.

Software

Web Application Firewalls (WAFs) provide a valuable means of supplementing your Web security efforts. Along with well-written code and input validation/sanitization, a WAF is another line of defense that helps ensure your Web server is not the victim of a malicious attack, and it can help your company demonstrate PCI DSS compliance as well.

Port80’s ServerDefender VP Web Application Firewall software blocks the XSS attacks often used in conjunction with phishing, social engineering and other browser exploits, preventing malicious HTML or client-side scripts from being injected into Web pages viewed by others.

In Conclusion

Protecting your Web site, and by extension your visitors, against XSS and other Internet-based attacks is important not only for securing your valuable database information, but also for making sure that your organization is seen as a trusted and responsible player in the Internet market.

/ P80

