El Blog de Seguridad
A place to keep a record of my journey through IT security
  • Home
  • About Me
  • Security Tools

XSS: Cross Site Scripting

OWASP Top 10 Add comments

To better understand what scanning tools are looking for I’ve been doing some research on Cross Site Scripting (XSS) and Injection exploits (SQL and Command to be covered in a future post). The types of XSS I’ve run across are reflected and stored – with numerous variations of each.

Reflected XSS

According to OWASP.org:

Reflected attacks are those where the injected code is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other web server. When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a “trusted” server.

Stored XSS

From the same article, OWASP.org:

Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.

Countermeasures

One of the most important countermeasures for XSS and many other vulnerabilities is data validation.  If you let users enter whatever they want to in your web app, they will, and you and your users will be adversely affected by it.  I won’t copy down all the countermeasures, but here are some sites with useful info:

  • OWASP XSS Prevention Cheat Sheet

Hands-on Practice

I used IronGeek’s Mutillidae and OWASP’s WebGoat to gain a better understanding of what XSS is and how to safeguard against it.  Mutillidae is a lot simpler and straight forward (though you’ll need something like XAMPP to get it started), I’d suggest using it first and then WebGoat (downloads with Tomcat and Java – all you have to do is launch a .bat file) won’t be as perplexing.

RSnake provides a quite comprehensive list of the numerous ways XSS can be executed in his XSS Cheat Sheet (all examples use the generic alert(XSS!); example, but you can easily exercise your imagination a little bit).

Tags: owasp, web application security, XSS


November 10th, 2009 |

Tags: owasp, web application security, XSS


Leave a Reply

CAPTCHA Image CAPTCHA Audio
Refresh Image

  • Recent Posts

    • Opening Ports in Windows 7 Firewall
    • Setting up Netbook to Dual Boot to Backtrack 4
    • XSS: Cross Site Scripting
    • nessusrc
    • Installing Nessus 2.2.11

  • Security Blogs

    • Craig Security
    • DarkNet.org
    • DarkReading.com
    • GNU Citizen
    • Iron Geek
    • Matasano
    • RootSecure.net

  • RSS Security Articles

    • March 2010 Patch Tuesday Security Briefing March 10, 2010 Paul Henry
    • A day of IDS (Snort) event data March 10, 2010 paulh
    • Moving Again (Visible Risk) March 10, 2010 rocky@decurity.com
    • HM Revenue & Customs Refund Portal - Ten Phish in One March 10, 2010 UAB's Director of Research in Computer Forensics
    • Log review Checklist for Security Incidents March 10, 2010 spinman
    • Monoprice.com Shuttered After Fraud Complaints March 10, 2010 spinman
    • SDL的故事: IE8和Office 2007 March 10, 2010 secway
    • Cryptanalysis of the Sasfis Registry Key March 10, 2010 DMacDonald
    • The converse of the Nagell-Lutz theorem March 10, 2010 Luther Martin
    • Is your social media message in-tune? March 10, 2010 SecBarbie

  • Categories

    • linux
    • Nessus
    • network
    • OWASP Top 10
    • Security Tools
    • Tutorial
    • Uncategorized
    • Windows Command Line

  • Archives

    • March 2010
    • January 2010
    • November 2009
    • January 2009
    • November 2008
    • October 2008
Copyright © 2010 El Blog de Seguridad All Rights Reserved
RSS XHTML CSS Log in
Wp Theme by n Graphic Design
Powered by Wordpress