Friday, March 2, 2012

Web application attack: XSS


1.     Introduction:
The web has grown exponentially in the last few years, serving as the foremost platform for e-commerce, social networking, banking, online shopping, entertainment and much more. Web servers and web applications are deployed to provide services and carry out operations wherever the World Wide Web is the medium. Naturally, web application security issues have surfaced and have become a major cause of concern for organizations that depend on the web to function. The field of web application security has grown at a great pace, with new vulnerabilities and security flaws coming to light all the time. Hardly anyone reading this article will not have heard news about website compromises, user account hacking or ethical hacking. OWASP lists the top 10 web application security risks. OWASP stands for Open Web Application Security Project; it is a worldwide charitable organization focused on improving the security of application software. XSS is a common vulnerability found in web applications and ranks 2nd in OWASP’s top 10. Nearly 39% of web application security flaws are related to XSS. In this article, I will try to explain how XSS works, its dangers and how these attacks can be prevented.

2.     What is XSS:
XSS stands for Cross-Site Scripting. (Do not confuse XSS with CSS, which stands for ‘Cascading Style Sheets’ and is unrelated.) XSS is, basically, injecting malicious scripts into web pages or web applications through an HTTP request, which tampers with the expected output of the web application. The malicious script (JavaScript, to be precise) exploits the way the web browser interprets scripts: the browser is fooled into executing a script that appears to come from a trusted website. XSS attacks occur when a web application sends user-supplied input to the browser without proper sanitization. The idea of XSS will become clearer when we discuss the first example in the section ‘Finding XSS vulnerabilities’.

3.     Risks of XSS flaws:
Okay, so, what’s the big deal if my web browser executes some strange script? What damage can it possibly do? Well, if the website you’re accessing has an XSS vulnerability, a knowledgeable attacker can hijack your session with the server, steal cookies from your PC, deface web pages, redirect you to unintended web pages and introduce malware scripts into your browser. XSS also aids phishing, a common way of hacking social networking and bank accounts. OWASP classifies XSS vulnerabilities as very widespread and the most prevalent web application security vulnerability, and their impact as ‘moderate’. Risks arising from XSS range from constantly popping annoying pop-ups to total user account compromise and installing malware or viruses on the victim’s PC.

4.     Types of XSS:
Reading theory about security stuff like this is always boring. I promise I’ll quickly introduce you to the 3 types of XSS and then we’ll move on to the next topics, which I hope you’ll find interesting. Anyway, the 3 types of XSS attacks are called stored, reflected and DOM-based.
1)     Stored:
Stored XSS attacks are those where the malicious script gets permanently stored in the web pages or databases of the victim website. Think of it like this: there is a news website which allows you to enter comments on its news articles, and the comments stay on the page forever. Now, instead of writing a comment, you enter a piece of JavaScript and submit it. That JavaScript will stay there forever and execute every time the page is accessed. You have just performed a stored XSS attack. It is found in chatrooms, shoutboxes, bulletin boards, blogs etc.
2)     Reflected:
In my opinion, reflected XSS vulnerabilities are the most common of all. For example, consider a website that asks you to enter your name and then greets you by name, like “Good Morning !”. Now, instead of your name, if you enter a piece of JavaScript, it will be echoed back by the server and your browser will execute the script. This is a reflected XSS attack. It is called ‘reflected’ because the name you entered doesn’t get stored on the website. Error messages, search results, or any other response from the server that includes at least some of the user-supplied data may be vulnerable to reflected XSS.
3)     DOM based:
Very rare. DOM-based XSS is quite similar to reflected XSS, except that the script doesn’t need to be echoed by the server. The script is injected into the browser’s own DOM environment: the malicious code is passed as a parameter to a script residing on the web page, which unknowingly executes it.

5.     Finding XSS vulnerabilities:
In this section, we’re actually going to find an XSS vulnerability. XSS is basically injection of scripts into web pages. Consider the following simple PHP code, which is vulnerable to XSS.

<?php
// Vulnerable on purpose: the query is echoed back into the page without any
// escaping, so whatever the user typed is parsed by the browser as HTML.
if (isset($_GET['query'])) {
    $query = $_GET['query'];
    echo "You searched for " . $query . "!";
}

// The form submits with GET, so the query shows up in the URL as shown below.
echo '<form method="get" action="search.php">
Please type your search query below:
<input type="text" name="query">
<input type="submit" value="Search">
</form>';
?>
If you have a web server installed, try running this PHP file. It asks you to enter a search query and simply prints “You searched for ”. Suppose you type ‘PICT’; it will print “You searched for PICT!”. The URL in this case will be:
http://www.example.com/search.php?query=PICT
Now, what if we replace “PICT” with the following snippet of code?
The URL will become:
http://www.example.com/search.php?query=
Here, the page will print up to “You searched for “ and then it will parse the tag like any other HTML tag and execute the JavaScript code in between. The alert function is just used for demonstration and can be replaced with any other JavaScript code, as we explore in the next section. This is a reflected type of XSS attack. Detecting an XSS vulnerability is very easy, by testing the input fields or by manual analysis of the web application code. If a web page stores user-supplied input as an attribute of an HTML tag, putting “> before the script tag will terminate the previous tag, so the browser will interpret the script smoothly. Not only JavaScript; it is even possible to inject HTML code into an XSS-vulnerable web page as follows:
http://www.example.com/search.php?query=

Great website!


As you can guess, this will print “You searched for “ and then ‘Great website!’ in a bigger font size. Similarly, all other HTML tags can be used here. Some mechanisms to thwart XSS attempts, like magic quotes, can be bypassed with the String.fromCharCode() JavaScript function, URL obfuscation, hex encoding etc., but that is out of scope for this article.
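As an added example (not the original post’s code), here is the search page’s output logic side by side with a hardened version that encodes the query with htmlspecialchars() before printing it, run over a few constructed inputs including the “> attribute break-out mentioned above. The names html_escape, render_vulnerable, render_hardened and search_form are chosen for this example.

```php
<?php
// Added example, not the post's own code. The vulnerable and the hardened
// render functions are kept together so the same input can be compared.

// Vulnerable form from the post: the query is concatenated into HTML as-is.
function render_vulnerable(string $query): string
{
    return "You searched for " . $query . "!";
}

// Hardened form: htmlspecialchars() turns < > & " ' into entities, so a
// string carrying a tag is displayed as text and never parsed as markup.
// ENT_QUOTES also encodes single quotes, which matters when the value lands
// inside a single-quoted attribute; ENT_SUBSTITUTE avoids an empty result
// on invalid UTF-8 instead of silently dropping the whole string.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_hardened(string $query): string
{
    return "You searched for " . html_escape($query) . "!";
}

// Constructed sample inputs: the ordinary query from the post, an input that
// carries a tag, and the "> sequence used to close an attribute value early.
$samples = [
    'PICT',
    '<b>PICT</b>',
    '"><b>x</b>',
];
foreach ($samples as $q) {
    echo "input:      " . $q . "\n";
    echo "vulnerable: " . render_vulnerable($q) . "\n";
    echo "hardened:   " . render_hardened($q) . "\n\n";
}

// The same rule applies when the previous query is placed back into the
// form: always quote the attribute and encode the value, so the "> sample
// stays inside the value instead of terminating the <input> tag.
function search_form(string $previous): string
{
    return '<form method="get" action="search.php">'
         . '<input type="text" name="query" value="' . html_escape($previous) . '">'
         . '<input type="submit" value="Search">'
         . '</form>';
}
echo search_form('"><b>x</b>') . "\n";
```

Run it with php from the command line: the vulnerable lines reproduce the markup verbatim, while the hardened lines show it as &lt;b&gt; entities that a browser renders as literal text.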

6.     Exploiting XSS flaws:
1)     Injecting phishing page:
Phishing is, basically, making the victim log in to a fake login page where the credentials entered are recorded by the attacker. The username and password are recorded in some database and the victim is redirected back to the original website. This is a very common hack these days, and lots of people are attempting to ‘phish’ each other’s Facebook accounts! If a web page has an XSS vulnerability, the contents of the entire web page can be modified to make it look like a login page where the user can enter his credentials. The following example URL will demonstrate this:
http://www.example.com/search.php?query=
Username:
Password:

The above code is self-explanatory; write.php is a PHP file which records the username and password sent to it through an HTTP GET request.
2)     Iframe phishing:
This is similar to the previous one. Instead of putting long HTML tags like
, etc., the attacker injects an iframe into the target web page as follows:
http://www.example.com/search.php?query=
Notice that the 100% height and 100% width occupy the whole window, so the victim won’t notice the difference if they’re foolish enough!
3)     Redirect phishing:
The injected JavaScript could be coded to redirect the user to another web page where the attacker’s phishing page is hosted.
http://www.example.com/search.php?query=
where fakepage.htm is the page the attacker wants the victim to visit.
4)     Cookie stealing:
A user’s session with the server can be hijacked once the attacker gets hold of his cookie. The website must have an XSS vulnerability for this attack to succeed. The attacker can craft his link as follows:
http://www.example.com/search.php?query=
When the user opens such a link, the cookie stored for the current session (i.e. by example.com) is passed as the ‘cookie’ parameter to ‘write.php’, a PHP file hosted by the attacker on his own domain. This PHP file records the cookie into a database.
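A defender-side addition, not from the original post: PHP session settings that mark the session cookie HttpOnly (and Secure), so document.cookie no longer exposes it to an injected script. This limits the damage of the cookie-stealing attack described above; it does not remove the XSS itself, which still needs output encoding.

```php
<?php
// Added example, not the post's own code. These ini directives must be set
// before session_start(), because that is when PHP emits the cookie.

// HttpOnly: the browser withholds the cookie from JavaScript entirely, so
// document.cookie returns nothing for it even on a page with an XSS flaw.
ini_set('session.cookie_httponly', '1');
// Secure: send the cookie over HTTPS only, never on plain HTTP.
ini_set('session.cookie_secure', '1');
// Refuse session ids passed in the URL; only the cookie is accepted.
ini_set('session.use_only_cookies', '1');

session_start();

// The same flags on a cookie set by hand: the sixth and seventh arguments
// of setcookie() are $secure and $httponly. The value is a placeholder.
setcookie('remember_me', 'TOKEN-PLACEHOLDER', time() + 3600, '/', '', true, true);
```

After deploying this, confirm in the browser’s developer tools that the Set-Cookie header for PHPSESSID carries both HttpOnly and Secure.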
5)     Website defacement:
A website is prone to defacement if it has a stored XSS vulnerability. The attacker can inject a script which entirely modifies the way a web page looks; the injected script can make any change to the page that JavaScript is capable of. I’m sure you must have seen websites which say they’re ‘hacked’, along with some message from the hackers!
6)     Javascript events:
JavaScript event triggers can be cleverly used to perform XSS on websites which allow HTML tags but ban the usage of
When the error page is loaded, the browser will parse

Hacking FAQ


Hello all, I’m writing this post with no background research. I am simply jumping into it because I’ve been planning to write about this for a long time but my heavy schedule has never permitted me to do it. Being a hacker, I come across a lot of people and friends who are interested to know what this hacking stuff is all about. Many times it turns out that whatever I explain to them goes completely over their heads. They don’t really seem to understand the terms and jargon. It may even be that I’m terrible at explaining stuff. In this post I’ll try to elaborate on the answers to the questions people generally ask about hacking. This post is meant for a complete layman from a non-technical background, and I’ll try to keep things as simple as possible, just for the purpose of understanding.
So, what exactly is hacking?
Probably you’ve heard this term used as analogous to robbery or taking over control of something. That’s not wrong at all. According to me, hacking, you can say, is:
Breaking into or gaining access to computers, networks, systems or accounts, which allows the hacker to perform something he’s not supposed to do, or gain access to sensitive information he’s not supposed to have.
One more important thing: hacking is NOT magic. Actual hacking is much more complicated; it needs research about your target and about exactly what your purpose behind hacking is. If you think you can just write some C++ or Java program, run some software and hack anybody’s Facebook or email account within minutes, I’m afraid you’re terribly wrong.
This was all in a nutshell.
Isn’t it illegal to do so?
Yes, it is illegal to break into someone’s computer or web server or steal their passwords. But there are two sides to the coin. There is malicious hacking, where a person illegally gains access to somebody’s PC or bank accounts, transfers money, steals passwords and does anything else which can land him in jail. On the other hand, there is something called ethical hacking. Ethical hacking uses the same techniques and attacks as malicious hacking; what makes the difference is the intent behind it. Ethical hacking is hacking for the sake of gaining knowledge. Learning ethical hacking lets you step into the shoes of hackers and perform hacking, but in such a way that it does not break the law. Ethical hacking is performed in a lab environment or on your own computers, where you have permission from the owner of the systems you are trying to hack. So, ethical hacking is all about gaining knowledge and skills in hacking, and utilizing them for good purposes, like improving the security of an organization.
Can hackers be called criminals?
No, no. This is a big public misunderstanding, courtesy of the media and movies. Hackers are not at all like the way they’re depicted in movies. Hackers are actually good people who are curious about the workings of technology. They enjoy exploring software and hardware to understand the nitty-gritty details of security and operation, and to see whether they could fix something or employ a better alternative. This leads us to the discussion of types of hackers.
There are broadly three types of hackers.
1.      Black hat hackers – Black hat hackers, or crackers, are the actual criminals you see in movies. They do malicious hacking for fun, profit, challenge or whatever. They try to break into web servers and computers in what we call an illegal way. They generally misuse the sensitive information obtained from hacks. At some point in their lives they may get arrested for doing wrong things and tried in court.
2.      White hat hackers – These are the good guys. They’re ethical hackers. They perform hacking with permission from the owner. This ethical hacking is performed to test the security of computer networks. Ethical hackers need to stay updated with the latest threats and security flaws that hit the web. Ethical Hacker is actually a job role in the IT sector. Ethical hackers are paid to carry out penetration testing and vulnerability assessment on computer networks and servers. They need to be aware of the latest emerging technologies, as crackers may quickly employ them to target their organization. With knowledge of the methodology and principles used by crackers, these people can improve security and mitigate the risk of hacking and theft of sensitive data.
3.      Gray hat hackers – This is the fine line between white hat and black hat. Gray hat hackers have something from both worlds. They may be sharply skilled black hats who help a company analyze and mitigate security threats, or who help a government agency track down a criminal black hat. Gray hats may also include some good white hat fellows who took the wrong path at some point and did some sort of malicious hacking they were not supposed to do.

What is the difference between legal hacking and illegal hacking?
The difference is all about the intent behind it. If someone allows you to break into their computers purely so you can gain knowledge and acquire skills, it is legal. If an organization hires you to perform penetration testing (basically, finding security flaws and risks within an organization and fixing them), it is legal as well. If you happen to hack into the web servers of some reputed e-commerce website, steal all their usernames, passwords and credit card numbers and start using them with bad intentions, that is illegal hacking. Hope you get my point.
What do I need to have to be a hacker?
One thing I’d like to clarify here: the way hacking is depicted in movies and the media is totally false. There is this hacker guy who opens up his laptop, types in some strange-looking commands, his screen shows some ‘connecting to target’ dialogue box and poof! Within minutes, a whole government agency is under his control! :P
Hacking is never like that. Hacking is never that simple. There is no single piece of software which can do all kinds of hacking automatically for you. You see, there are lots of different techniques, tools and methods used in hacking. It is a vast field and it is expanding every day. The tools and techniques vary depending upon your target and exactly what your purpose of hacking is. There are different methods for hacking a social network account, a web server, a company’s internal network, a website, a Windows password, Linux, viruses, Trojans, and the list goes on… There are numerous different tools and exploits available depending upon the platform or OS your target is running, as well as the software running on it.
To start off in hacking, you need to be fluent in at least a couple of programming languages. C, C++, Java, Python, Ruby and many more are out there. I’d recommend that you at least be able to program in C and Python, if not any other language. HTML and JavaScript are also must-knows. Although it’s not mandatory, learning a server-side scripting language like PHP is always beneficial. Then, you should have a good understanding of networking, the OSI layers and TCP/IP. Without knowledge of these, you won’t really have the fun of understanding what goes on inside during a hack.
Last but not least, your interest, patience, and ability to deal with challenges are what matter the most. If you’re not really curious about hacking, but just want to learn it to hack someone’s Facebook account or impress your girlfriend, better back off right now; otherwise you’ll end up going around in circles or will get scammed. If hacking fascinates you and you’re really eager to learn these things with enthusiasm, the world of hacking is waiting for you! The second most important thing to have is patience. It takes a lot of time to get to know your target from a hacker’s perspective: analyzing its software and services, identifying its weaknesses, figuring out how the exploitation can be done, how to gain more and deeper access to the systems, and covering your tracks.
How do I learn hacking?
The internet is indeed a rich source of information. You can learn almost anything on the internet for free. Lots of hacking and security ebooks are available on the net; one Google search might reveal them. There are many different hacking forums where hackers from different parts of the world interact. You should definitely join a few of them and keep visiting and posting on them often. Many hard-copy books have been written on hacking and security; you can purchase them from Amazon or eBay if not from your local bookstore. The internet is full of resources: the more you dig in, the more you get. If, at any point, you have a question about how to learn hacking, you can always use Google. Google is always there to help you out in any situation you come across. You can also post on any hacking forum. Spend some time learning different tools; that practice helps a lot when you come across real-world scenarios. If you’re ready to take up hacking and security as your profession, there are certifications like Certified Ethical Hacker you can take up. One last thing: don’t expect everything to be spoon-fed and don’t give up early.

Comments and suggestions are welcome!