Exploiting Clients Using XSS and CSRF Flaws

  • Over the years, the cross-site scripting attack has used JavaScript to perform malicious activities such as malvertising, port scanning and key logging. (The XSS attack can also be used to inject VBScript, ActiveX, or Flash into a vulnerable web page.)
  • Some of the ways in which JavaScript can be embedded in HTML code are shown here:

    • Script tag: <script>alert("XSSed");</script>
    • Body tag: <body onload=alert("XSSed")>
    • Image tag: <img src="javascript:alert('XSS');">
  • When JavaScript is loaded in the browser, it can access the cookies assigned to the user session and the URL history. Cookies are often used as session identifiers; if the attacker can steal them, they can gain control over the session. JavaScript also has access to the entire DOM of the web page and can modify the HTML page.

  • The DOM is a logical structure that defines the attributes of the objects (text, images, headers, or links) in a web page and the ways in which they are represented. It also defines rules to manipulate them.

  • The alert method is often used for demonstration purposes and to test whether the application is vulnerable.

  • Major categories of XSS:

    • Persistent XSS (stored XSS)
    • Reflected XSS (nonpersistent XSS)
    • DOM XSS
  • Defence against DOM-based XSS:

    • One of the key defence methods is to avoid building the HTML page using client-side data.

    • Avoid using risky HTML and JavaScript methods:

      • document.write(): document.write('City name='+userinput);
      • element.innerHTML: element.innerHTML='<div>'+userinput+'</div>';
      • eval(): var txtUserInput = "'Mumbai';alert(x);"; eval("document.forms[0]." + "Cityname=" + txtUserInput); (the quote in the input closes the string and the trailing alert(x) is executed)
    • The user input can also be encoded before it is used in the client-side code, for example by using string delimiters and wrapping the user data in a custom function.
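The three risky sinks listed above, rewritten the way the defence bullets recommend, as an added example that is not part of the original notes. encodeForHtml, buildCityMarkup and setCityName are assumed helper names, and the form object is a constructed stand-in for document.forms[0] so the code runs in Node without a browser DOM.

```javascript
// Added example (not from the original notes): the DOM-based XSS sinks
// listed above, rewritten so client-side data never becomes HTML or code.
// Helper names are assumptions; "form" below is a constructed stand-in for
// document.forms[0] so this runs in Node without a browser DOM.

// Encode the five characters that let data break out of an HTML text or
// attribute context. Apply this before the value is placed in markup.
function encodeForHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Risky form from the notes: element.innerHTML = '<div>' + userinput + '</div>';
// Safe form: the user-controlled part is encoded, so a <script> payload is
// rendered as visible text instead of being parsed as a tag.
function buildCityMarkup(userinput) {
  return '<div>City name=' + encodeForHtml(userinput) + '</div>';
}

// Risky form from the notes:
//   eval("document.forms[0]." + "Cityname=" + txtUserInput);
// With txtUserInput = "'Mumbai';alert(x);" the eval runs alert(x).
// Safe form: assign the property directly; the input is stored as a string
// value and is never interpreted as JavaScript.
function setCityName(form, txtUserInput) {
  form.Cityname = txtUserInput; // plain data assignment, no code evaluation
  return form.Cityname;
}

// Constructed inputs: the payloads used as examples in the notes.
const scriptPayload = "<script>alert('XSSed');</script>";
const evalPayload = "'Mumbai';alert(x);";
const form = { Cityname: '' }; // stand-in for document.forms[0]

console.log(buildCityMarkup(scriptPayload));
// → <div>City name=&lt;script&gt;alert(&#39;XSSed&#39;);&lt;/script&gt;</div>
console.log(setCityName(form, evalPayload));
// → 'Mumbai';alert(x);   (stored as text, nothing executed)
```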

  • XSS combined with JavaScript can be used for:

    • Account hijacking
    • Altering contents
    • Defacing complete website
    • Running a port scan from the victim’s machine
    • Logging keystrokes
    • Stealing browser information
  • If the HttpOnly flag, which is an optional cookie flag, is set, JavaScript will not be able to access the cookie.

  • Scanning for XSS flaws

    • OWASP Zed Attack Proxy (ZAP)
    • XSSer
    • w3af
  • Cross-site request forgery (CSRF) can be used for:

    • Changing user details such as e-mail address and date of birth in a web application.

    • Making fraudulent banking transactions

    • Fraudulent upvoting and downvoting on websites

    • Adding items in the cart without the user’s knowledge on an e-commerce website

    • Attack dependencies:

      • The victim must have an active authenticated session with the target web application. The application should also allow transactions within a session without asking for reauthentication.
      • CSRF is a blind attack: the response from the target web application is sent to the victim, not to the attacker. The attacker must know the parameters on the website that trigger the intended action.
      • The attacker needs to trick the user into clicking a preconstructed URL or, if the target application uses the POST method, into visiting an attacker-controlled website.
    • Attack methodology

      • Image tag
      • Script tag
      • Using the POST method
    • The best way to analyze an application for CSRF flaws is first to gain a complete understanding of the functionality of the web application. Fire up a proxy such as Burp or ZAP and capture traffic to analyze the requests and responses.