July 16, 2008
The What, Who, When, Where, Why and How of XSS – By Brian Monthie
Irvine, CA – July 16, 2008 – Tevora Security Consultant, Brian Monthie, contributed the following article to NETWORKWORLD, a premier provider of information, intelligence and insight for Network and IT Executives. This article can also be viewed by clicking here.
In 2005, a MySpace user named Samy discovered a unique way to expand his buddy list. Within 24 hours, the number of friends on his page grew from 73 to more than 1 million. He achieved this instant popularity by creating the first self-propagating cross-site scripting (XSS) worm and by exploiting the lax security in many Web browsers.
Most Web sites today use MySpace-like dynamic content features to connect communities of users, enhance users’ site experiences and extract detailed user information. However, the applications that generate dynamic content are vulnerable to infiltration by XSS, which can be employed for far more nefarious aims than instant popularity. A better understanding of this threat is critical to detection and prevention.
• Stored or Persistent XSS attacks are the easiest to carry out and most expansive. Similar to an e-mail worm, Stored XSS gets created once and is then injected into a vulnerable site where it is stored in files, databases or forums to be executed by any unsuspecting visitor. When visitors log into a Web page that has been infected their authentication information is duplicated and routed to the attacker’s credential collection server. After that the attacker can use the collected information on that Web site and possibly on other sites where the victim has used the same credentials.
• Reflected or Non-Persistent XSS attacks are similar to phishing scams. Reflected XSS uses the skeleton of a trusted Web site — the same look, feel and information passes back and forth from the visitor to the site — only the attacker has created a tunnel to a different site to capture the traffic.
An XSS attack is successful if an attacker can get site visitors to divulge login credentials and hijack their accounts, steal or manipulate a victim’s cookies, read a history of sites the victim visited, or even grab the local IP address from the victim’s computer. The attacker develops a profile on visitors much like a trusted Web site would, only for malicious purposes.
Many Web sites remain unprotected against XSS, which means these sites have either unwisely chosen to ignore the risks or, like many users on the Web, are simply unaware of XSS’ destructive capabilities.
Internet Explorer, Mozilla and Safari all have XSS-associated vulnerabilities. Mozilla hopes to eliminate XSS vulnerabilities in version 3, while IE6.1 SP1 has included the HTTP-Only cookies variable to reduce XSS impact. But XSS is becoming a cat and mouse game with attack vectors and payloads outpacing the browser patches.
With the growing popularity of customer-driven content sites such as Youtube, Myspace and Ebay, XSS has gained momentum. In fact, searching for XSS on Youtube.com will return numerous tutorials explaining just how easily and frequently this attack can be executed.
How can XSS be alleviated?
Even though it is proving difficult for vendors to eliminate XSS risk entirely, these steps can help Web site operators reduce the risks for visitors:
1. Reduce the Impact. Decide which Web applications must be safeguarded to ensure business continuity and eliminate other programs that are no longer used. It is very common for companies to have unused applications on their sites, and Google still indexes those applications so they represent unwarranted risks.
3. Work back to the Source. Apply input sanitation and validation checks to site development methodologies. OWASP, an application security community, runs a comprehensive knowledge repository on cross-site scripting rich with information on how to alleviate XSS. One such suggestion from the community is to define alpha and numeric characters that are acceptable in the application input data and filter out everything else that doesn’t fit the schema. Resolving to write cleaner code will not only help simplify development efforts, but will also ensure better secured Web sites.
4. Be Proactive. Take a more active approach to mitigating XSS risk. Although relatively cutting-edge, web application firewalls (WAFs) are designed to specifically handle layer 7 requests and can be effective countermeasures when used in conjunction with other defensive measures for stopping XSS attacks. A company that makes itself accountable for its visitors’ experience can reaffirm its trustworthiness or even gain new trust in the process.
Each company and its associated Web sites will have a different approach to alleviating XSS vulnerabilities because each company values customer information differently. A company interested in generating increased traffic, maintaining its ties with its current customers, and differentiating its security domain from its competitors would do well to consider these XSS mitigation strategies.
Brian Monthie is a security consultant with Tevora Business Solutions, an enterprise solutions provider focused on security and compliance. For more information, please visit www.tevora.com, or contact Brian at firstname.lastname@example.org.
About Tevora Business Solutions Tevora Business Solutions Inc. is an enterprise solutions provider focused on security and compliance. With a distinctive combination of proven products and services, Tevora aids enterprises in protecting their most important assets from external and internal threats. Tevora’s practice is based on the need for clarity, objectivity and expertise in the design, implementation and validation of network security solutions. Headquartered in Irvine, CA, Tevora’s areas of practice include risk management, compliance and business continuity.
For more information, visit: www.tevora.com
of Tevora Business Solutions