Mumbai University > Information Technology > Sem6 > System and Web Security

Marks: 10M

Year: May 2015

XSS stands for Cross Site Scripting.

• XSS is very similar to SQL-Injection. In SQL-Injection we exploited the vulnerability by injecting SQL Queries as user inputs.
• In XSS, we inject code (basically client side scripting) to the remote server.
• Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites.
• XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
• Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
• An attacker can use XSS to send a malicious script to an unsuspecting user.
• The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.
• These scripts can even rewrite the content of the HTML page.

Types of Cross Site Scripting XSS attacks are broadly classified into following types:

Reflective XSS

• There are many ways in which an attacker can entice a victim into initiating a reflective XSS request.

• For example, the attacker could send the victim a misleading email with a link containing malicious JavaScript. If the victim clicks on the link, the HTTP request is initiated from the victim's browser and sent to the vulnerable web application.

• The malicious JavaScript is then reflected back to the victim's browser, where it is executed in the context of the victim user's session.

Persistent XSS

• Consider a web application that allows users to enter a username that is displayed on each user’s profile page.

• The application stores each username in a local database. A malicious user notices that the web application fails to sanitize the username field and inputs malicious JavaScript code as part of their username.

• When other users view the attacker’s profile page, the malicious code automatically executes in the context of their session.

Impact of Cross-Site Scripting

• When attackers succeed in exploiting XSS vulnerabilities, they can gain access to account credentials. They can also spread web worms or access the user’s computer and view the user’s browser history or control the browser remotely.
• After gaining control to the victim’s system, attackers can also analyze and use other intranet applications.

• By exploiting XSS vulnerabilities, an attacker can perform malicious actions, such as:

  • Hijack an account.
  • Spread web worms.
  • Access browser history and clipboard contents.
  • Control the browser remotely.
  • Scan and exploit intranet appliances and applications

XSS vulnerabilities may occur if:

• Input coming into web applications is not validated
• Output to the browser is not HTML encoded

SQL Injection

• SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application’s database server (also commonly referred to as a Relational Database Management System – RDBMS).
• Since an SQL injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.
• By leveraging SQL injection vulnerability, given the right circumstances, an attacker can use it to bypass a web application’s authentication and authorization mechanisms and retrieve the contents of an entire database.
• SQL injection can also be used to add, modify and delete records in a database, affecting data integrity.
• To such an extent, SQL injection can provide an attacker with unauthorized access to sensitive data including, customer data, personally identifiable information (PII), trade secrets, intellectual property and other sensitive information.

How does SQL Injection works?

• In order to run malicious SQL queries against a database server, an attacker must first find an input within the web application that is included inside of an SQL query.
• In order for an SQL injection attack to take place, the vulnerable website needs to directly include user input within an SQL statement.
• An attacker can then insert a payload that will be included as part of the SQL query and run against the database server.

• The following server-side pseudo-code is used to authenticate users to the web application.

    # Define POST variables
    uname = request.POST['username']
    passwd = request.POST['password']
  
    # SQL query vulnerable to SQLi
    sql = “SELECT id FROM users WHERE username=’” + uname + “’ AND password=’” + passwd + “’”
  
    # Execute the SQL statement
    database.execute(sql)
  

• The above script is a simple example of authenticating a user with a username and a password against a database with a table named users, and a username and password column.

• The above script is vulnerable to SQL injection because an attacker could submit malicious input in such a way that would alter the SQL statement being executed by the database server.
• A simple example of an SQL injection payload could be something as simple as setting the password field to password’ OR 1=1.
• This would result in the following SQL query being run against the database server. SELECT id FROM users WHERE username=’username’ AND password=’password’