XSS is really quite simple. XSS occurs when dynamically created pages reflect back things such as input submitted by the user (forms, bbs, etc) without the proper validation occuring in the application. Meaning, if you have a search field and you type in "Apple"....the application takes the data, does not properly validate that data and echos the phrase "Apple" back out to you in the page. The problem allows for users to be able to submit data such as scripting languages (HTML, JavaScript and VBScript) into the application and that code is then executed by the browser. In addition to the improper validation of the data, the outbound response data to the browser is not properly HTMLEncoded.
How to apply this attack
Now ... it would be reinventing the wheel to try and place all types of sample code on the page so i'll direct you to a nice list for your review. If you are interested in seeing a bit of code, I recommend the XSS Cheat Sheet.... a very nice list from RSnake. Typically, these attacks come in the following locations:
- Search forms
- Bulletin Boards
- Error Messages
- Forms
With XSS, we can look at a couple of simple attack scenarios that might be utilized against a site.
- Simple Script Tag
What I refer to as a simple script tag is basically the "hello world" of XSS. In some component of the application, perhaps a form field input area, a parameter in the URL, an error code in the URL (for example, mypage.aspx?error=xss_script_here) may all be points for injection. A sample would be:
/index.aspx?error=<>alert("XSS")< /script>
Additionally, we might also discuss what is referred to as Appended URL XSS which would look like:
index.aspx?a=1&b=<>alert("XSS")< /script>
- Remote Script Call
Calling a remote script is also a nice option with XSS. The opportunity to create your own script and place it on some server and then perform the injection is also very effective. If we were to have created a script and placed it on server "x.com", we might inject the following:
< src="x.com/xss.js">
- JS Events
JS Events are often overlooked when discussing points of attack for XSS, but do provide a very nice injection point. Javascript provides numerous events for the language ... one might include:
< onload="“javascript:malicious">
Keep in mind that there are numerous other attack vectors ... I am only listing a couple here.
Remediation
Fortunately, (as with most things in this world) the fix is not terribly difficult. There are two things that we need to be concerned about:
- Input Validation
- Outbound Encoding
So let's tackle the Input Validation issue first. With any type of input validation discussion, we can quickly get off on the subject of "White vs. Black" lists and here is my thought -- USE WHITE LISTS. If you're not familiar with White vs. Black lists, the answer is simple. White lists tell your application what you will accept and Black lists tell your application what to look for and to not accept. If I were going to have a party at my house and wanted to invite my friends over -- I would much rather give the door-man a list of my friends and who could come in rather than handing him a list of everyone else in the world (minus my friends) to look for and deny. Not terribly difficult.
So once we have figured out what data we are going to let in to my application, we want to make sure that we HTMLencode data before it is returned to the user. Now....there are a number of ways to use HTMLEncode (each language handles this in their own way; however, here I will show you a nice, clean example in C#.
public string HtmlEncode(
string s
);
+++++EOF+++++