Monday, May 10, 2021

How to Detect Cross-Site Scripting (XSS)

Cross Site Scripting (XSS) Attacks

Cross-Site Scripting (XSS) attacks are a type of injection attack in which malicious code is injected into a website that otherwise looks benign and trusted. Hackers have discovered numerous ingenious methods for injecting malicious code into websites via Common Gateway Interface (CGI) scripts, web server software vulnerabilities, SQL injection attacks, frame exploitation, DNS redirects, cookie hijacks, and many other forms of attack.

In an XSS attack, the attacker delivers malicious code through a web application to an unsuspecting user, generally in the form of a specially crafted link. The crafted code executes when the user visits the link, and the harm is done. A change in the behavior or appearance of the website, an action performed on behalf of the user, or the theft of personal information are simple examples of a successful XSS attack.
XSS can thus be thought of as a security bug or flaw affecting websites, one that can occur anywhere a web application accepts input from a user and generates output without proper validation.

A successful XSS attack can result in identity theft, credential theft, data theft, financial losses, or the planting of remote-control software on visiting clients.

Thus, 
  • XSS attacks enable an attacker to inject their malicious code (in client-side scripting languages, such as JavaScript) into vulnerable web pages. 
  • When an unsuspecting user visits the infected page, the malicious code executes on the victim’s browser and may lead to stolen cookies, hijacked sessions, malware execution, or bypassed access control, or aid in exploiting browser vulnerabilities. 
There are three different types of XSS vulnerability:
  1. Nonpersistent (reflected) XSS vulnerabilities: The attacker tricks the victim into processing a URL that carries a rogue script in order to steal the victim’s sensitive information (cookie, session ID, etc.). The principle behind this attack lies in exploiting the lack of proper input or output validation on dynamic websites.
  2. Persistent (stored or second-order) XSS vulnerabilities: These target websites that allow users to input data that is stored in a database or a similar location, e.g., forums, message boards, guest books, etc. The attacker posts some text containing malicious JavaScript, and when other users later view the post, their browsers render the page and execute the attacker’s JavaScript.
  3. DOM-based (Document Object Model, or local) XSS vulnerabilities: The DOM is the standard structure used to represent HTML and XML documents in the browser. In such attacks, document components such as form fields and cookies are referenced through JavaScript. The attacker uses the DOM environment to modify the original client-side JavaScript, which causes the victim’s browser to execute the resulting abusive JavaScript code.
Where should you collect logs from?
Web server, web application firewall, and IDS/IPS logs.
How to detect using a SIEM?
Certain common code has to be injected for the attack to succeed. A <script> tag is present in the URL field of the log whenever an XSS attack is carried through the URL.

The URL field can contain any of the values in this list (URL-encoded forms included):

[*<script>*, *%3c%73%63%72%69%70%74%3e*, *%3cscript%3e*]
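The following is an added example (not from the original post) of the detection logic above applied to web server logs. It generalizes the three patterns in the list by percent-decoding the URL repeatedly and matching <script case-insensitively, so double-encoded and upper-case variants are caught too; the log lines are constructed samples in combined log format, and the 203.0.113.x addresses are documentation-range placeholders.

```python
import re
from urllib.parse import unquote

# Constructed web-server log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2021:12:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 512
203.0.113.11 - - [10/May/2021:12:00:02 +0000] "GET /search?q=<script>alert(1)</script> HTTP/1.1" 200 512
203.0.113.12 - - [10/May/2021:12:00:03 +0000] "GET /search?q=%3cscript%3ealert(1)%3c/script%3e HTTP/1.1" 200 512
203.0.113.13 - - [10/May/2021:12:00:04 +0000] "GET /search?q=%3c%73%63%72%69%70%74%3e HTTP/1.1" 200 512
203.0.113.14 - - [10/May/2021:12:00:05 +0000] "GET /search?q=%253Cscript%253E HTTP/1.1" 200 512
203.0.113.15 - - [10/May/2021:12:00:06 +0000] "GET /docs/javascript-tutorial HTTP/1.1" 200 512
"""

# The request line sits between quotes: method, URL, protocol.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/')

def normalize_url(url, max_rounds=3):
    """Percent-decode until stable so double-encoded payloads are caught too."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def is_xss_candidate(url):
    """True when the decoded URL contains a <script tag in any letter case."""
    return "<script" in normalize_url(url).lower()

def scan_log(text):
    """Return (line_number, url) for every request whose URL matches."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match and is_xss_candidate(match.group(1)):
            hits.append((lineno, match.group(1)))
    return hits

if __name__ == "__main__":
    for lineno, url in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {url}")
```

Lines 2 to 5 of the sample are flagged; the plain-text match in the list above would have missed the double-encoded one on line 5 and an upper-case %3C variant.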

How to defend against XSS?

As an administrator you can do the following:
  • maintain a patched web server, 
  • use web application firewalls, 
  • operate a host-based intrusion detection system (HIDS), 
  • audit for suspicious activity, and, 
  • most important, perform server-side input validation for length, malicious content, and metacharacter filtering. 
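As an added illustration of the last point (example code written for this post, not taken from any product), the snippet below places a page-listing renderer that pastes stored titles into HTML beside one that escapes the HTML metacharacters on output, together with a length check. The titles are constructed samples; MAX_TITLE_LEN is an assumed limit.

```python
from html import escape

MAX_TITLE_LEN = 64  # assumed limit for this example

# Constructed page titles, as a user might submit them to a "create page" form.
SAFE_TITLE = "Just for Fun"
XSS_TITLE = "XSS Test<script>alert(1);</script>"

def validate_title(title, max_len=MAX_TITLE_LEN):
    """Server-side input validation: enforce length and reject control characters.
    Returns None when the title is acceptable, otherwise a reason string."""
    if not title.strip():
        return "title is empty"
    if len(title) > max_len:
        return f"title longer than {max_len} characters"
    if any(ord(ch) < 32 for ch in title):
        return "title contains control characters"
    return None

def render_index_vulnerable(titles):
    """Pastes stored titles straight into the HTML: stored XSS."""
    items = "".join(f"<li>{t}</li>" for t in titles)
    return f"<ul>{items}</ul>"

def render_index_hardened(titles):
    """Escapes the HTML metacharacters (<, >, &, quotes) on output, so a stored
    title is shown as text and never parsed as markup."""
    items = "".join(f"<li>{escape(t, quote=True)}</li>" for t in titles)
    return f"<ul>{items}</ul>"

def contains_script_tag(html):
    """Used below only to compare the two renderers' output."""
    return "<script" in html.lower()

if __name__ == "__main__":
    titles = [SAFE_TITLE, XSS_TITLE]
    print("vulnerable renders live script:", contains_script_tag(render_index_vulnerable(titles)))
    print("hardened renders live script:  ", contains_script_tag(render_index_hardened(titles)))
```

Note that the malicious title passes the length check; it is the escaping of metacharacters at output time that renders it inert, which is why the bullet lists both.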
As a web user you can do the following:
  • keep your system patched, 
  • run antivirus software, and 
  • avoid non-mainstream websites. 
There are add-ons for some web browsers, such as NoScript for Firefox and uBlock Origin for Chrome, that allow only scripts of your choosing to be executed.
 
For web application security testing and penetration testing, there are different vendors that provide such services. Security for Everyone (S4E) is one such vendor, providing various professional services.

CYBER501x Cybersecurity Fundamentals Quiz 1


UNIT 1: Question 1
True or False: Information Security is a subset of cybersecurity.

  • True
  • False

UNIT 1: Question 2

Indicate the color of "hat" worn by each type of hacker by typing the appropriate letter next to the definition.

W = White, G = Gray, B = Black

Hacks into systems with malicious intent

Hacks into systems, without permission, and requests payment to fix vulnerabilities

Hacks into systems, with permission, to uncover vulnerabilities so they can be fixed



UNIT 1: Question 3

What is always going to be the weakest link of any cybersecurity system?

  • Firewalls
  • Malware
  • Humans
  • Encryption

Which type of hacking does not involve any technology?

  • DDoS
  • Penetration Testing
  • Social Engineering
  • White Hat Hacking


UNIT 1: Question 5
How do the growth rates of attack sophistication and intruder technical knowledge compare?

  • Attack sophistication is growing more quickly
  • Intruder technical knowledge is growing more quickly
  • They are growing at the same rate
  • They are both declining


UNIT 1: Question 6

Why is the MySpace hack still relevant today?

  • Existing pages will be defaced
  • People reuse passwords
  • Credit card information might still be the same


UNIT 1: Question 7

True or False: Cybersecurity involves protecting data while it is in transit, while it is being processed, and when it is at rest.

  • True
  • False

UNIT 1: Question 8


Which two breaches started when a third-party’s credentials were compromised? (Select two)
  • Home Depot
  • Chase
  • Target
  • Houston Astros

UNIT 1: Question 9

The first hack of the Ukraine Power Grid started when an employee:
  • Clicked on a link from PayPal
  • Opened a Microsoft Word document (correct)
  • Responded to spam
  • Got fooled by a phone call and gave out confidential information verbally


UNIT 1: Question 10

If integrity hacks become prevalent, a direct result could be an increase in:
  • The amount of malware
  • The amount of Internet of Things devices affected
  • The amount of time hackers can lurk on a network undetected (correct)
  • The number of ransomware attacks (incorrect)

If you would like to learn more about cybersecurity fundamentals and gain more insight, then Security for Everyone (S4E) provides excellent services in different areas. With S4E: Education you get to understand different scenarios with quizzes and real-world attack situations.

Sunday, June 14, 2020

Hacker101 CTF: Micro-CMS v2 - Part 3

I didn't know what to do here. So I looked at a hint, which was:
Credentials are secret, flags are secret. Coincidence?

I have no idea what it is, but my guess is that secret credentials need to be obtained to get this last flag. What options do I have? SQL injection to dump the database. The thing that we know by now is that there is a table called admins. I did a hit-and-trial with multiple cases.

Trial 1
username: admin' OR '1' = '1
password: random
result: invalid password

Trial 2
username: user
password: random
result: invalid user

Conclusion at this point: There is a table admins with username and password columns. Also, admin is one of the users in that username column.

Trial 3
username: admin' OR 1=1--
password: random
result:

Traceback (most recent call last):
File "./main.py", line 145, in do_login
if cur.execute('SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%')) == 0:
File "/usr/local/lib/python2.7/site-packages/MySQLdb/cursors.py", line 255, in execute
self.errorhandler(self, exc, value)
File "/usr/local/lib/python2.7/site-packages/MySQLdb/connections.py", line 50, in defaulterrorhandler
raise errorvalue
ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1")
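The traceback shows the query being built with Python string formatting. As an added example (not part of the write-up, and not the CTF's code), the block below puts that query shape next to the parameterized version that fixes it, using an in-memory SQLite table as a constructed stand-in for the admins table, and feeds both the inputs from Trial 1 and the bare trailing quote that produced the 1064 error.

```python
import sqlite3

# Constructed in-memory stand-in for the CTF's "admins" table (SQLite, not MariaDB).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'constructed-secret')")
    return conn

def lookup_vulnerable(conn, username):
    """Same shape as the query in the traceback: the username is spliced into
    the SQL text, so quotes in the input change the statement's meaning."""
    sql = "SELECT password FROM admins WHERE username='%s'" % username
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    """The fix: the driver binds the value; quotes stay part of the data."""
    sql = "SELECT password FROM admins WHERE username=?"
    return conn.execute(sql, (username,)).fetchall()

def classify(conn, lookup, username):
    """Report how a lookup treats a given input: 'rows', 'no rows' or 'error'."""
    try:
        return "rows" if lookup(conn, username) else "no rows"
    except sqlite3.OperationalError:
        # SQLite's counterpart of the MariaDB 1064 syntax error in the traceback.
        return "error"

if __name__ == "__main__":
    db = make_db()
    for name in ["admin", "admin' OR '1' = '1", "admin'"]:
        print(repr(name), "vulnerable:", classify(db, lookup_vulnerable, name),
              "| parameterized:", classify(db, lookup_parameterized, name))
```

One caveat when comparing with Trial 3: SQLite treats "--" as a comment even without a following space, whereas MariaDB requires one, which is why the author's input left a dangling quote and raised the syntax error shown above.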

Hacker101 CTF: A little something to get you started

Hacker101 is one of the best when it comes to bug bounty. With the intent to brush up my skills to become a good bug bounty hunter, I have started the Capture the Flag (CTF) challenges from Hacker101. In its learning path, the very first challenge we get is:

  • A little something to get you started

When you click Go, you get to the following page

At first, it feels like there is nothing to do here. Trust me, I felt the same. No buttons to click and nothing to do. Just the text "Welcome to level 0. Enjoy your stay."


So, I began to play around, honestly! I started with manipulating the given URL: http://35.190.155.168/bf06d4167c
i.e. changing the bf06d4167c value to random numbers, and then adding some stuff to this URL, like bf06d4167c/abc etc. I know this was not a smart move. I just gave it a try.


Since nothing seemed to work, I then opened the Developer Tools.

Even here nothing is obvious at first look. Again, some playing around. I saw a background-image mentioned in the body section, but nothing could be seen there. So, I searched for background.png in the URL itself: http://35.190.155.168/bf06d4167c/background.png

Voila! There is the flag.



Hacker101 CTF: Micro-CMS v1 Part 2

Now moving on to the next challenge.


Here we have something to click on :D. The first thing I did was click on all of them.


Testing had some static text, while Markdown Test included one button, but nothing was working there. Next, in Create Page there was a form we could fill out. This looks exciting, because a form means we can inject some XSS script. But this needed to be tested, so what I did was create a page with the title "Just for Fun" and the description "This text is written just for fun." And the effect? My text was stored there, and the home page had indexed my title as well.


This indicates that stored XSS could be possible. So let's create a new page and include an XSS payload in the title:
XSS Test<script>alert(1);</script>

The page will be created. Now if you go to your home page, voila! There is a flag.


To get the flag you can also edit the page you created last time to include a script like the one above.