An Introduction to XSS (Cross Site Scripting)

Blossom—Hands-on exercises for computer forensics and security

Copyright: The development of this document is funded by the Higher Education Academy. Permission is granted to copy, distribute and/or modify this document under a license compliant with the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/.

An Introduction to XSS (Cross Site Scripting) BLOSSOM Manchester Metropolitan University (Funded by Higher Education Academy) [email protected]  


1. Learning Objectives

This lab aims to understand Cross Site Scripting (XSS).

2. Preparation

1) Under Linux environment
2) Some files that you will need from /home/user/BlossomFiles/XSS:
   • 'nonPer.php', 'per.php'
   • 'iframe.php', 'victims.txt'
3) Some documents that you may need to refer to:
   • 'Virtual-MachineGuide.pdf'
   • 'Linux-Guide.pdf'
   • 'BLOSSOM-UserGuide.pdf'

3. Tasks

Setup & Installation:

• Start a single virtual machine as you have done with previous exercises (see Virtual Machine Guide):

  # kvm -cdrom /var/tmp/BlossomFiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:57 -net vde -name node-one

• Use the following set of commands to set up the php examples:

  # mkdir /var/www/XSS
  # cp nonPer.php per.php /var/www/XSS
  # mkdir /var/www/XSS/attackerCode
  # cp iframe.php victims.txt /var/www/XSS/attackerCode

Task 1 Persistent XSS

1.1 Cross Site Scripting (XSS) is simply a technique employed to execute malicious code inside the victim's browser. The techniques employed can be broken into three categories: Framework, Non-Persistent and Persistent. We will be focussing upon the latter two.

Persistent XSS is the most dangerous form of XSS; it involves an embedded malicious script located on the server. As the script appears to originate from the website, it has full access to session and other types of cookies. This can be used to allow attackers to impersonate other users. The following is an example of Persistent XSS:

1) Dave hosts a guest book as part of his website; users can post items to it and a list of other people's comments is displayed.
2) Nisa doesn't like Dave. She writes a php page on her server that saves cookies to the hard disk.
3) Dave is stupid. He hasn't sanitised the inputs of his comments, so HTML formatting is allowed.
4) Nisa posts a snide comment on Dave's guest book, with an iframe included to her php page.
5) Users come and go, and every time Nisa's comment is viewed, the script is executed with the same permissions as Dave's website. Nisa obtains Dave's session cookie and impersonates him on his website.

1.2 Here is a code example of what a php page with the vulnerability might look like:

Here is a code example of what a php page on the attacker's server might look like:

Here is a code example of the code the attacker might deposit on the server:

...

When a user views the code, they will see an iframe containing only "frangus non-flectus". Their session cookie has been stolen.

1.3 Now we will take a look at Persistent XSS in action. Open up a browser and navigate to 'http://localhost/XSS', where we will see various php files and a directory called 'attackerCode'.

First of all, we will navigate to the URL 'http://localhost/XSS/per.php?ID=123&name=321'. In this example, we instantly see an alert box appear, showing us that we've been subjected to an XSS attack.

Check the source code of the page 'per.php' using the following command:

  # gedit /var/www/XSS/per.php

Upon reading through the code, you should notice that there is no reference to an alert box anywhere, so where did that alert come from? Check the source code of the iframe using the following command:

  # gedit /var/www/XSS/attackerCode/iframe.php

We can see from the source code for the iframe that a hidden script has been executed to display the alert box, and because of this, anyone who now enters the website will be confronted with an alert box. Even though this example is only a minor irritation to each user, it should show the potential power of an XSS attack.
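The lab's own listings for Dave's guest book are not reproduced here. The following is an added example, not the lab's per.php and not code from BLOSSOM, showing what the guest book from 1.1 looks like once the missing step is put in: every stored comment is HTML-encoded when it is rendered, the session cookie is marked HttpOnly so script in the page cannot read it, and a Content-Security-Policy forbids framing other origins. The storage file name, the comment length limit and the PHP version (7.4 or later, for the setcookie options array and arrow functions) are assumptions of this example.

```php
<?php
// Added example (not the lab's per.php): a guest book like Dave's from Task 1.1,
// written so that a stored comment is rendered as text, not as markup.
// Assumptions: comments live in a flat file beside this script; PHP >= 7.4.
declare(strict_types=1);

const GUESTBOOK_FILE = __DIR__ . '/guestbook.txt';   // assumed storage location
const MAX_COMMENT_LENGTH = 500;                      // assumed limit

// Encode a string for an HTML text or attribute context. This is the single
// step the vulnerable guest book lacks: '<' becomes '&lt;', so an <iframe> or
// <script> tag inside a comment is displayed rather than executed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Store one comment per line. Storage is deliberately raw: encoding belongs at
// output time, because the same text may later be shown in another context.
function saveComment(string $comment): void
{
    $comment = str_replace(["\r", "\n"], ' ', $comment);
    $comment = mb_substr(trim($comment), 0, MAX_COMMENT_LENGTH);
    if ($comment === '') {
        return;
    }
    file_put_contents(GUESTBOOK_FILE, $comment . "\n", FILE_APPEND | LOCK_EX);
}

function loadComments(): array
{
    if (!is_file(GUESTBOOK_FILE)) {
        return [];
    }
    return file(GUESTBOOK_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
}

// Render the comment list. Every comment passes through h() exactly once.
function renderComments(array $comments): string
{
    $items = array_map(fn(string $c): string => '<li>' . h($c) . '</li>', $comments);
    return "<ul>\n" . implode("\n", $items) . "\n</ul>";
}

// --- request handling ---------------------------------------------------

// Session cookie hardening: HttpOnly keeps document.cookie from exposing the
// session id (the value Nisa's iframe was after), SameSite=Strict stops it
// being sent on cross-site requests, Secure restricts it to HTTPS. The lab VM
// serves plain HTTP, so Secure is only set when HTTPS is actually in use.
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Strict',
    'secure'   => !empty($_SERVER['HTTPS']),
    'path'     => '/',
]);
session_start();

// A restrictive Content-Security-Policy is a second layer: even if untrusted
// markup slipped through, the browser would refuse to frame another origin or
// run inline script.
header("Content-Security-Policy: default-src 'self'; frame-src 'none'; script-src 'self'");
header('X-Content-Type-Options: nosniff');

if ($_SERVER['REQUEST_METHOD'] === 'POST' && is_string($_POST['comment'] ?? null)) {
    saveComment($_POST['comment']);
    header('Location: ' . $_SERVER['PHP_SELF'], true, 303);  // post/redirect/get
    exit;
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Guest book</title></head>
<body>
<h1>Guest book</h1>
<form method="post">
  <textarea name="comment" maxlength="<?= MAX_COMMENT_LENGTH ?>"></textarea>
  <button type="submit">Post</button>
</form>
<?= renderComments(loadComments()) ?>
</body>
</html>
```

Drop the file into /var/www/XSS and post a comment containing HTML tags: the tags appear literally in the list instead of being interpreted. The encoding is applied at output rather than on the way in so that a comment such as "x < y" is stored faithfully and still rendered safely; the cookie flags and the CSP do not replace encoding, they limit the damage if an encoding step is ever missed.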

Task 2 Non-Persistent XSS

2.1 Non-Persistent XSS involves a technique not dissimilar to SQL injection, but it is far less dangerous because it relies on the user's trust of the attacker. An example of Non-Persistent XSS would be as follows:

1) Dave hasn't learnt his lesson; one of his php pages features a reflected input.
2) Steve, realising this, creates a malicious script and embeds it in the URL.
3) Steve entices users to visit the malformed URL.
4) Steve's script runs every time someone visits his URL.

2.2 An example of a php page with this vulnerability might look like:

The above page may be addressed as follows:

  index.php?name='Nisa'&age='27'

An example of an attack URL may look like:

  index.php?name='Nisaalert('SPAM!');'&age='27'

Anyone who is enticed into visiting the above URL will be faced with an alert box.

2.3 Now we will take a look at Non-Persistent XSS in action. View the source file for the website 'http://localhost/XSS/nonPer.php' by using the following command:

  # gedit /var/www/XSS/nonPer.php

Take a look at the code used and note down the vulnerabilities within the code.

NOTE: The code is very similar to the aforementioned code examples.

2.4 Using the knowledge gained from tasks 2.2 & 2.3, input a URL into a browser that will output an alert box with a message of your choice.

HINT: http://localhost/XSS/nonPer.php? is the start of the URL.

Summary Questions:

1) What are the three types of XSS?
2) Which is the most dangerous XSS technique and why?
3) In both cases, how can administrators protect against XSS?
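For the reflected page of Task 2.2 and the third summary question, here is an added example, not the lab's nonPer.php and not BLOSSOM code, of the same name/age page written so that neither parameter reaches the response unchecked. The two parameter names come from the lab's URL; the validation rules (what counts as a name, the age range) and the self-check inputs are assumptions constructed for this example. Run it with `php index.php` on the command line to execute the self-check, or serve it to see the page.

```php
<?php
// Added example (not the lab's nonPer.php): the reflected name/age page from
// Task 2.2 with validation of each query parameter followed by HTML encoding.
// Assumptions: validation rules and test inputs below are made up for the example.
declare(strict_types=1);

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Read a query parameter as a string, or null if absent or not a string
// (name[]=... would otherwise arrive as an array).
function param(string $key): ?string
{
    $v = $_GET[$key] ?? null;
    return is_string($v) ? $v : null;
}

// Validation rejects what cannot be a name rather than trying to strip "bad"
// characters: letters in any script, spaces, hyphens, apostrophes; 1-40 chars.
function validName(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $raw = trim($raw);
    return preg_match('/^[\p{L} \'-]{1,40}\z/u', $raw) === 1 ? $raw : null;
}

// An age is an integer in a plausible range; anything else is rejected.
function validAge(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $age = filter_var(trim($raw), FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    return $age === false ? null : $age;
}

// Even a validated name is encoded: validation is a business rule, encoding is
// what makes text inert in an HTML context. O'Brien passes validation and
// still needs its apostrophe encoded.
function renderGreeting(?string $name, ?int $age): string
{
    if ($name === null || $age === null) {
        return '<p>Please supply a name and an age.</p>';
    }
    return '<p>Hello ' . h($name) . ', you are ' . $age . ' years old.</p>';
}

// Self-check with constructed inputs; returns the names of any failing checks.
function selfCheck(): array
{
    $checks = [
        'plain name accepted'       => validName('Nisa') === 'Nisa',
        'apostrophe name accepted'  => validName("O'Brien") === "O'Brien",
        'markup rejected as a name' => validName('<b>Nisa</b>') === null,
        'numeric age accepted'      => validAge('27') === 27,
        'non-numeric age rejected'  => validAge('27a') === null,
        'out-of-range age rejected' => validAge('-5') === null,
        'encoding neutralises <'    => h('<b>x</b>') === '&lt;b&gt;x&lt;/b&gt;',
        'apostrophe encoded'        => strpos(renderGreeting("O'Brien", 27), '&apos;') !== false,
    ];
    return array_keys(array_filter($checks, fn(bool $ok): bool => !$ok));
}

if (PHP_SAPI === 'cli') {
    $failed = selfCheck();
    echo $failed ? 'FAILED: ' . implode(', ', $failed) . "\n" : "all checks passed\n";
    exit($failed ? 1 : 0);
}

header("Content-Security-Policy: default-src 'self'");
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Greeting</title></head>
<body>
<?= renderGreeting(validName(param('name')), validAge(param('age'))) ?>
</body>
</html>
```

The answer this gives to the third summary question is the same for both tasks: decide what each input is allowed to be and reject the rest, then encode every value for the context it is written into, whether it came from the query string (Task 2) or from stored comments (Task 1). A request like the lab's attack URL fails validation here because angle brackets and parentheses are not letters; a request that somehow got past validation would still be encoded, so the browser never sees a tag.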
