00:04
Hello and welcome to the Cybrary secure coding course. My name is Sonny Wear and this is OWASP Top 10 for 2013
00:13
A3, cross-site scripting.
00:15
So first, our definition
00:18
cross-site scripting, which you should know is
00:22
abbreviated as XSS.
00:25
XSS flaws occur whenever an application takes untrusted data
00:30
and sends it to a Web browser without proper validation and escaping.
00:37
Now, these two terms I've highlighted here: validation, of course, refers back to our input validation. We spoke a lot about that in regards to injection attacks in A1.
00:50
Now, escaping has to do with something called output encoding. We're gonna spend some time talking about that and
00:58
understanding what that means.
01:00
Cross-site scripting allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface websites or redirect the user to malicious sites.
01:15
Now, I do want to caveat that this definition tends to be biased towards reflected cross site scripting. And there are other types which we're going to talk about in just a moment
01:26
Now here is the OWASP chart. We can see from the attack vectors that the exploitability is, on average,
01:36
the impact is moderate
01:41
which is good news as defensive coders, is easy
01:46
Now, it says, under the security weakness, that cross-site scripting is the most prevalent Web application security flaw. Cross-site scripting flaws occur when applications include user-supplied data in a page sent to the browser without properly validating or escaping that content.
02:06
Now here they name two different types: stored and reflected.
02:10
I'm actually going to refer to a third type, which is sometimes a part of the attack of the other two types. Let's go ahead and talk about this now. So the types of cross-site scripting are reflected, otherwise known as reflective.
02:29
And that basically targets one victim at a time where the actual script is either reflected back
02:38
in the victim's browser so that they can see something. Or it's being executed in the victim's browser and they are unaware
02:49
the next type is stored
02:51
can also be called permanent, can also be called persistent. You'll see it described with any of these titles.
02:58
Now, for a stored cross-site scripting vulnerability, that means an actual trusted page has been infected,
03:06
and so all of the users that browse to that page
03:10
will be poisoned by that stored cross-site scripting attack.
03:16
DOM-based cross-site scripting
03:20
is something that occurs on the client side in the browser.
03:23
However, the DOM, which is a document object model, can be the target of either reflective or stored cross site scripting. And we're gonna talk about that and see that in the demos.
03:37
So first, let's talk about cross-site scripting reflected. One of the vehicles that can be used to carry a reflected cross-site scripting attack is a phishing attack,
03:51
is pretty familiar with phishing attacks. Usually they come in the form of an email, and in that email will be some sort of link.
04:00
Now, part of the link may be legitimate or look very legitimate, and then appended at the end could be a malicious script.
04:08
When the victim clicks that link, it will be sent to the Web server of the site. However, there's some sort of vulnerability within the Web pages, and so there's no output encoding, which neutralizes the response. And so when that HTTP response
04:27
actually gets sent back to our victim,
04:30
there's an execution of malicious JavaScript that occurs in the victim's browser. It could very well execute without the user's knowledge of it even occurring
04:41
Now for stored cross-site scripting. This is where we have a trusted website where some portion of it has been compromised.
04:49
Generally, it could be the replacement of images. It could be the injecting of iframes that have malicious JavaScript within them. There was a vulnerability that existed, and so an attacker took advantage of that. That could have been a reflected cross-site scripting attack or maybe a SQL injection vulnerability.
05:09
And so the attacker was able to insert their malicious JavaScript code into a database or into a file, and then that gets reflected back and served back up
05:25
And so when the victim visits the site,
05:28
if it's something, for example, like an image, then upon loading, upon viewing the page, there's an onload where the image, or in this case the
05:41
replaced image with a malicious script would get executed.
05:45
And then we have our victim. So everyone that browses to the website would then be affected.
05:50
Now for DOM-based cross-site scripting: the DOM is an acronym for Document Object Model. And this is something that your browser does behind the scenes for you. It's an actual tree representation of every single HTML page in every single session
06:12
that you may have inside of your browser. I'm showing an example of one in the screenshot.
06:19
This gets attacked. It could be the target of either
06:25
the reflected or stored cross-site scripting attacks. What is usually of interest is the cookie, which is what I have highlighted there. So the cookie is going to
06:38
credential information and, of course, by capturing the cookie, the attacker could then follow up with subsequent types of attacks: brute force attacks, session fixation attacks and things that we talked about in A2, broken authentication and session management.
06:59
So the DOM-based cross-site scripting usually goes hand in hand with one of the other main types. So now let's take a look at some sample cross-site scripting vulnerable code.
07:11
So here we have a simple
07:14
variable called first name, which has gotten out of the request object.
07:19
It's being cast to a string and then it's assigned to a local variable called first name parameter.
07:27
Now the problem with the use of the local variable first name parameter is that
07:32
there's been no sanitation or no cleansing or no input validation of the value that was placed inside of the first name variable.
07:45
And as we're going to see in the demos, this can cause a lot of problems. It allows an attacker to basically place any value that they like, including JavaScript code,
07:58
uh, into that variable's value instead.
08:01
And so because the value is immediately stored in a local variable and then used throughout the rest of the program and more than likely probably sent back out to the browser or back out to the Web page without any output encoding. This makes for a cross site scripting vulnerability.
08:20
Now, if we take a look at the way some of these cross-site scripting attacks are done, we can see that there's a legitimate URL. In this example, it's my bank dot com with a submit form,
08:35
but appended to that is usually some sort of location redirect that will send the request or send the cookie to the attacker's website.
08:50
And, of course, that can lead to the session fixation and other types of attacks that we talked about before. Now for stored cross-site scripting: an example of this attack would be the sample HTML code below,
09:03
where we have an image and the source image has been replaced. Instead of having the image file named there, we instead have the location of an evil hacker's website.
09:16
And, of course, they're grabbing that document cookie, the cookie that's stored in the DOM.
09:24
Now our case study is on Samy Kamkar.
09:28
He is famous for writing some JavaScript code, which he actually inserted into a cascading style sheet
09:35
to get friends to like him in MySpace. What he was able to do is propagate his JavaScript code so that anyone that clicked on his friend's page actually had this same JavaScript code inserted into their page.
09:56
And over a 24 hour period, he was able to have over 1,000,000 friends like him, and the display that would occur on everybody's page that was affected is "Samy is my hero."
10:09
So this has become a very well known
10:13
um, cross-site scripting attack, vulnerability and attack that was done in the past.
10:18
Now we're gonna go ahead and move into the demo section of our module.