subject: vulnerability types Author: neodean dean
Types of Cross Site Scripting vulnerabilities:
Non-Persistent XSS Vulnerabilities
Persistent XSS Vulnerabilities
DOM based XSS Vulnerabilities
Non-Persistent Cross Site Scripting vulnerabilities
The attack is based on exploiting the lack of proper input and output validation on dynamic websites. When a certain input string (containing HTML characters) is regenerated or printed on screen by the server-side scripts without any filtering (or encoding), an attacker is able to inject her own code into the dynamic web page. The attacker can then use the trusted server to forward the code to the victim's browser, which executes it, assuming it comes from a trusted server. Let's look at an example with a link that has embedded JavaScript code. The target website searchengine.com has a vulnerable variable vul on the s.php page, which does not employ any sort of input validation. This vulnerability can be exploited by embedding the alert([removed]) JavaScript function, which displays the current cookie in a dialog box:
http://searchengine.com/s.php?vul=
Persistent Cross Site Scripting vulnerabilities
Persistent XSS vulnerabilities, also known as saved or second order vulnerabilities, are generally targeted at websites that allow users to input permanent data, such as forums, message boards, guest books, etc. Suppose we have an online message board that allows users to post messages in HTML format.
When unsuspecting users visit the page with the code mentioned above, instead of getting an image on their screens they are redirected to the attacker's web site (badguy.com), where a page named cookiecatcher.php is set up to retrieve the victims' cookies. The greatest danger in a persistent XSS attack is the large number of victims that can be targeted in one shot.
Document Object Model based XSS Vulnerabilities
The DOM is the standard structural layout used to represent HTML and XML documents in the browser. A DOM based vulnerability is also known as a local vulnerability, since it occurs due to active content in the client-side script of a web page. Document components such as forms, fields, and cookies can be referenced through JavaScript in the DOM. In a DOM based attack, the attacker uses the DOM environment to modify the original client-side JavaScript, which causes the victim's browser to execute the resulting abusive JavaScript code. Let us look at the following script:
Choose your Country:
This script can be used in any HTML page; to select 'US' as the country, the following link is used:
http://www.victim.site/vul.html?country=US
But if the link is injected with the following JS code:
http://www.victim.site/vul.html?country=
When a victim visits this link, the browser creates a DOM object in which the document.location object contains the cross site scripting string. As the original script on the page does not anticipate this input, it simply reflects the JavaScript into the DOM environment. The browser executes the JavaScript function alert() and renders the resulting page.
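As an added example (not code from the original post), the following models the "Choose your Country" page above and the message-board case from the persistent section: the vulnerable version reflects the country parameter straight into markup, the hardened version allowlists and HTML-encodes it, and the same encoder is what a server-side script must apply before printing a stored post. The parameter extraction, the allowlist and the test URL are assumptions constructed for this example.

```javascript
// Added example, not the original page's script. getCountryParam() extracts
// the `country` query value from a URL the way the page's client-side script
// is assumed to (an assumption); buildOptionVulnerable() is the DOM sink,
// buildOptionSafe() the hardened form, renderPostSafe() the stored-post case.

const COUNTRIES = ['US', 'UK', 'DE', 'IN']; // constructed allowlist

// Return everything after "country=" in the URL, percent-decoded, or null.
function getCountryParam(href) {
  const marker = 'country=';
  const idx = href.indexOf(marker);
  if (idx === -1) return null;
  const raw = href.substring(idx + marker.length);
  try { return decodeURIComponent(raw); } catch (e) { return raw; }
}

// Vulnerable: untrusted input concatenated straight into HTML, as the
// original script does when it writes the option into the document.
function buildOptionVulnerable(href) {
  const country = getCountryParam(href);
  return '<option selected value="' + country + '">' + country + '</option>';
}

// Encode the HTML metacharacters so a value is inert in text and attributes.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened: only allowlisted values are accepted (anything else falls back
// to a default), and the value is still encoded as defence in depth.
function buildOptionSafe(href) {
  const raw = getCountryParam(href);
  const country = COUNTRIES.includes(raw) ? raw : 'US';
  const enc = htmlEncode(country);
  return '<option selected value="' + enc + '">' + enc + '</option>';
}

// Message-board post rendered as text: tags in the post become literal
// characters instead of markup, so an injected <img> or <script> never runs.
function renderPostSafe(post) {
  return '<p>' + htmlEncode(post) + '</p>';
}

// Constructed injected URL, using the alert() call the page itself describes.
const INJECTED_URL = 'http://www.victim.site/vul.html?country=<script>alert()</script>';
```

Running `buildOptionVulnerable(INJECTED_URL)` returns markup containing the script tag, while `buildOptionSafe(INJECTED_URL)` returns the default option only.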