El Blog de Seguridad
A place to keep a record of my journey through IT security
  • Home
  • About Me
  • Security Tools

Posts Tagged ‘web application security’

XSS: Cross Site Scripting

OWASP Top 10 No Comments »

To better understand what scanning tools are looking for I’ve been doing some research on Cross Site Scripting (XSS) and Injection exploits (SQL and Command to be covered in a future post). The types of XSS I’ve run across are reflected and stored – with numerous variations of each.

Reflected XSS

According to OWASP.org:

Reflected attacks are those where the injected code is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other web server. When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a “trusted” server.

Stored XSS

From the same article, OWASP.org:

Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.

Countermeasures

One of the most important countermeasures for XSS and many other vulnerabilities is data validation.  If you let users enter whatever they want to in your web app, they will, and you and your users will be adversely affected by it.  I won’t copy down all the countermeasures, but here are some sites with useful info:

  • OWASP XSS Prevention Cheat Sheet

Hands-on Practice

I used IronGeek’s Mutillidae and OWASP’s WebGoat to gain a better understanding of what XSS is and how to safeguard against it.  Mutillidae is a lot simpler and straight forward (though you’ll need something like XAMPP to get it started), I’d suggest using it first and then WebGoat (downloads with Tomcat and Java – all you have to do is launch a .bat file) won’t be as perplexing.

RSnake provides a quite comprehensive list of the numerous ways XSS can be executed in his XSS Cheat Sheet (all examples use the generic alert(XSS!); example, but you can easily exercise your imagination a little bit).


November 10th, 2009 |

Tags: owasp, web application security, XSS




  • Recent Posts

    • Opening Ports in Windows 7 Firewall
    • Setting up Netbook to Dual Boot to Backtrack 4
    • XSS: Cross Site Scripting
    • nessusrc
    • Installing Nessus 2.2.11

  • Security Blogs

    • Craig Security
    • DarkNet.org
    • DarkReading.com
    • GNU Citizen
    • Iron Geek
    • Matasano
    • RootSecure.net

  • RSS Security Articles

    • Wikibooks Cryptography Textbook March 11, 2010 schneier
    • Good bye securityfocus March 11, 2010 http://sucuri.net
    • Steve Kelly: Prius March 11, 2010 Marc Handelman
    • Astounding: Ford ’s Sync Collects In-Vehicle Utterances… March 11, 2010 Marc Handelman
    • 2010 MTIA March 11, 2010 Jennifer Rudrow, ICSA Labs
    • Information Security D-List Interview: Jackie Arlen March 11, 2010 Andrew Hay
    • Security Comes in All Different Shapes and Sizes March 11, 2010 dlandoll
    • InterOp March 11, 2010 Jennifer Rudrow, ICSA Labs
    • Infosecurity Europe 2010 March 11, 2010 Jennifer Rudrow, ICSA Labs
    • Voice Con 2010 March 11, 2010 Jennifer Rudrow, ICSA Labs

  • Categories

    • linux
    • Nessus
    • network
    • OWASP Top 10
    • Security Tools
    • Tutorial
    • Uncategorized
    • Windows Command Line

  • Archives

    • March 2010
    • January 2010
    • November 2009
    • January 2009
    • November 2008
    • October 2008
Copyright © 2010 El Blog de Seguridad All Rights Reserved
RSS XHTML CSS Log in
Wp Theme by n Graphic Design
Powered by Wordpress