Blossom—Hands-on exercises for computer forensics and security
Copyright: The development of this document is funded by the Higher Education Academy. Permission is granted to copy, distribute and/or modify this document under a license compliant with the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/.
An Introduction to XSS (Cross Site Scripting) BLOSSOM Manchester Metropolitan University (Funded by Higher Education Academy)
1. Learning Objectives
This lab aims to understand Cross Site Scripting (XSS).

2. Preparation
1) Under Linux environment
2) Some files that you will need from /home/user/BlossomFiles/XSS:
• 'nonPer.php'
• 'per.php'
• 'iframe.php'
• 'victims.txt'
3) Some documents that you may need to refer to:
• 'Virtual-MachineGuide.pdf'
• 'Linux-Guide.pdf'
• 'BLOSSOM-UserGuide.pdf'

3. Tasks
Setup & Installation:
• Start a single virtual machine as you have done with previous exercises (see Virtual Machine Guide):
# kvm -cdrom /var/tmp/BlossomFiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:57 -net vde -name node-one
• Use the following set of commands to set up the php examples:
# mkdir /var/www/XSS
# cp nonPer.php per.php /var/www/XSS
# mkdir /var/www/XSS/attackerCode
# cp iframe.php victims.txt /var/www/XSS/attackerCode
Task 1 Persistent XSS
1.1 Cross Site Scripting (XSS) is simply a technique employed to execute malicious code inside the victims' browser. The techniques employed can be broken into three categories: Framework, Non-Persistent and Persistent. We will be focusing upon the latter two. Persistent XSS is the most dangerous form of XSS; it involves an embedded malicious script located on the server. As the script appears to originate from the website, it has full access to session and other types of cookies. This can be used to allow attackers to impersonate other users. The following is an example of Persistent XSS:
1) Dave hosts a guest book as part of his website; users can post items to it and a list of other people's comments is displayed.
2) Nisa doesn't like Dave. She writes a php page on her server that saves cookies to the hard disk.
3) Dave is stupid. He hasn't sanitised the inputs of his comments, so HTML formatting is allowed.
4) Nisa posts a snide comment on Dave's guest book, with an iframe included to her php page.
5) Users come and go, and every time Nisa's comment is viewed the script is executed with the same permissions as Dave's website. Nisa obtains Dave's session cookie and impersonates him on his website.
1.2 Here is a code example of what a php page with the vulnerability might look like:
Here is a code example of what a php page on the attacker's server might look like:
Here is a code example of the code the attacker might deposit on the server: ... ...
When a user views the code, they will see an iframe containing only "frangus non-flectus". Their session cookie has been stolen.
1.3 Now we will take a look at Persistent XSS in action. Open up a browser and navigate to 'http://localhost/XSS', where we will see various php files and a directory called 'attackerCode'. First of all, we will navigate to the URL 'http://localhost/XSS/per.php?ID=123&name=321'. In this example, we instantly see an alert box appear, showing us that we've been subjected to an XSS attack. Check the source code of the page 'per.php' using the following command:
# gedit /var/www/XSS/per.php
Upon reading through the code, you should notice that there is no reference to an alert box anywhere, so where did that alert come from? Check the source code of the iframe using the following command:
# gedit /var/www/XSS/attackerCode/iframe.php
We can see from the source code for the iframe that a hidden script has been executed to display the alert box, and because of this, anyone who now enters the website will be confronted with an alert box. Even though this example is only a minor irritation to each user, it should show the potential power of an XSS attack.
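The following is an added example and not one of the lab's files (per.php and iframe.php are not reproduced here): a guest-book page of the kind Dave runs in 1.1, written so that a posted comment is stored and displayed but never interpreted as HTML or script. It assumes PHP 7.3 or later with the mbstring extension, runs under a web server, and keeps comments in a file named comments.txt next to the script (my choice of storage). The session-cookie flags and the Content-Security-Policy header are the parts aimed at the cookie-stealing iframe in the scenario: HttpOnly keeps the session cookie out of reach of document.cookie, and the CSP refuses inline scripts and third-party frames.

```php
<?php
// Added example (not one of the lab's files): a guest-book page that stores
// comments and renders them without letting posted HTML or script execute.
// Assumptions: PHP 7.3+, mbstring, a writable comments.txt beside this script.

declare(strict_types=1);

const COMMENT_FILE = __DIR__ . '/comments.txt';   // assumed storage location

// HttpOnly: script in the page cannot read the session cookie, which is what
// the cookie-saving iframe in 1.1 depends on. SameSite=Lax and Secure limit
// where the cookie is sent at all.
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',
    'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
]);
session_start();

// No inline script, no frames, no plugins: even if an encoding bug slipped
// through, an injected <script> or <iframe> would not be honoured.
header("Content-Security-Policy: default-src 'self'; frame-src 'none'; object-src 'none'");
header('X-Content-Type-Options: nosniff');

// Encode a string for placement inside HTML text or a quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Store a comment as raw text (length-limited, one JSON object per line).
// Encoding is deliberately done at output time, not here, so the stored data
// stays usable in other contexts (plain-text export, JSON API, ...).
function saveComment(string $author, string $text): void
{
    $author = mb_substr(trim($author), 0, 40);
    $text   = mb_substr(trim($text), 0, 500);
    if ($author === '' || $text === '') {
        return;
    }
    $line = json_encode(['author' => $author, 'text' => $text], JSON_UNESCAPED_UNICODE) . "\n";
    file_put_contents(COMMENT_FILE, $line, FILE_APPEND | LOCK_EX);
}

// Read the stored comments back; malformed lines are skipped rather than shown.
function loadComments(): array
{
    if (!is_file(COMMENT_FILE)) {
        return [];
    }
    $out = [];
    foreach (file(COMMENT_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $c = json_decode($line, true);
        if (is_array($c) && isset($c['author'], $c['text'])) {
            $out[] = $c;
        }
    }
    return $out;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    saveComment((string)($_POST['author'] ?? ''), (string)($_POST['text'] ?? ''));
    header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);   // avoid re-POST on refresh
    exit;
}
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Guest book</title></head>
<body>
<form method="post">
  <input name="author" maxlength="40" placeholder="Name">
  <textarea name="text" maxlength="500"></textarea>
  <button type="submit">Post</button>
</form>
<ul>
<?php foreach (loadComments() as $c): ?>
  <li><strong><?= h($c['author']) ?></strong>: <?= h($c['text']) ?></li>
<?php endforeach; ?>
</ul>
</body>
</html>
```

A comment containing an iframe tag is displayed as the literal characters "&lt;iframe ...&gt;" rather than parsed as markup, so nothing is fetched from the attacker's server. The CSP and cookie flags are defence in depth: they do not replace output encoding, but they mean that a single missed h() call no longer hands over the session cookie.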
Task 2 Non-Persistent XSS
2.1 Non-Persistent XSS involves a technique not dissimilar to SQL injection, but it is far less dangerous because it relies on the user's trust of the attacker. An example of Non-Persistent XSS would be as follows:
1) Dave hasn't learnt his lesson; one of his php pages features a reflected input.
2) Steve, realising this, creates a malicious script and embeds it in the URL.
3) Steve entices users to visit the malformed URL.
4) Steve's script runs every time someone visits his URL.
2.2 An example of a php page with this vulnerability might look like:
The above page may be addressed as follows: index.php?name='Nisa'&age='27'
An example of an attack URL may look like: index.php?name='Nisaalert('SPAM!');'&age='27'
Anyone who is enticed into visiting the above URL will be faced with an alert box.
2.3 Now we will take a look at Non-Persistent XSS in action. View the source file for the website 'http://localhost/XSS/nonPer.php' by using the following command:
# gedit /var/www/XSS/nonPer.php
Take a look at the code used and note down the vulnerabilities within the code.
NOTE: The code is very similar to the aforementioned code examples.
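As an added example (not the lab's nonPer.php), here is a reflected name/age page of the kind shown in 2.2, with both query values validated and HTML-encoded before they are echoed back. It assumes PHP 7.1 or later with the mbstring extension; the file name greet.php, the helper names and the constructed sample inputs in the command-line branch are mine. The second sample reuses the alert('SPAM!') payload from the attack URL above, and comes out as literal text because the tag and quote characters are turned into entities.

```php
<?php
// Added example, not the lab's nonPer.php: a reflected name/age page in the
// style of index.php?name=...&age=... from 2.2, with both query values
// validated and HTML-encoded before they are echoed back.
// Assumptions: PHP 7.1+, mbstring; served as UTF-8 HTML; file name greet.php.

declare(strict_types=1);

// Fetch a query parameter only if it is a plain string (name[]=x gives an array).
function queryString(array $query, string $key): ?string
{
    return isset($query[$key]) && is_string($query[$key]) ? $query[$key] : null;
}

// Name: trimmed and length-limited. No character whitelist, because names
// legitimately contain apostrophes and non-Latin letters; the encoding step
// below is what keeps any metacharacter from being parsed as markup.
function cleanName(?string $raw): string
{
    $name = trim((string)$raw);
    if ($name === '') {
        return 'guest';
    }
    return mb_substr($name, 0, 60);
}

// Age: must be an integer in a plausible range, otherwise treated as absent.
function cleanAge(?string $raw): ?int
{
    $age = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    return $age === false ? null : $age;
}

// Encode for HTML text or a quoted attribute: <, >, &, " and ' become entities.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The line that nonPer.php-style code builds by concatenating the raw query
// values into the HTML; here every dynamic piece passes through h() first.
function greeting(?string $name, ?string $age): string
{
    $n = cleanName($name);
    $a = cleanAge($age);
    $ageText = $a === null ? 'an undisclosed age' : 'age ' . $a;
    return '<p>Hello, ' . h($n) . ' (' . h($ageText) . ').</p>';
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs for a quick check from the command line: php greet.php
    // The second has the shape of the attack URL in 2.2 and is printed as
    // literal text; the third shows over-long and non-numeric values.
    $samples = [
        ['Nisa', '27'],
        ["Nisa<script>alert('SPAM!');</script>", '27'],
        [str_repeat('A', 200), 'twenty'],
    ];
    foreach ($samples as [$name, $age]) {
        echo greeting($name, $age), "\n";
    }
} else {
    header('Content-Type: text/html; charset=UTF-8');
    // Without 'unsafe-inline', an injected <script> block would not run even
    // if an encoding mistake let it into the page.
    header("Content-Security-Policy: default-src 'self'");
    echo "<!DOCTYPE html><html lang=\"en\"><head><meta charset=\"utf-8\">",
         "<title>Greeting</title></head><body>\n";
    echo greeting(queryString($_GET, 'name'), queryString($_GET, 'age')), "\n";
    echo "</body></html>\n";
}
```

The two controls are independent: validation rejects values that make no sense for the field (a non-numeric age, an absurd length), and encoding guarantees that whatever survives validation is shown, not executed. Dropping the h() calls is exactly the defect you are asked to find in nonPer.php in 2.3.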
2.4 Using the knowledge gained from tasks 2.2 & 2.3, input a URL into a browser that will output an alert box with a message of your choice.
HINT: http://localhost/XSS/nonPer.php? is the start of the URL.

Summary Questions:
1) What are the three types of XSS?
2) Which is the most dangerous XSS technique and why?
3) In both cases, how can administrators protect against XSS?