This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "XSS Attacks"

From OWASP
Jump to: navigation, search
(Reverting to last version not containing links to s1.shard.jp)
Line 1: Line 1:
[http://s1.shard.jp/galeach/new10.html asian holidays tour ] [http://s1.shard.jp/losaul/lions-club-australia.html airline australian charter flight international ] [http://s1.shard.jp/bireba/nortonantivirus.html mac afee antivirus ] [http://s1.shard.jp/galeach/new92.html umuc de asia ] [http://s1.shard.jp/losaul/online-clothing.html chemsearch australia ] [http://s1.shard.jp/olharder/cheat-sheets.html halfords auto store ] [http://s1.shard.jp/frhorton/ufkvsduv1.html africa plains pictures ] [http://s1.shard.jp/losaul/centacare-australia.html masonic lodge in australia ] [http://s1.shard.jp/olharder/seiko-titanium-kinetic.html autocollimator tutorial ] [http://s1.shard.jp/galeach/new35.html central asian nomads] [http://s1.shard.jp/olharder/autoimmune-hashimotos.html auction auto capital ] [http://s1.shard.jp/frhorton/3k3nxdd3j.html africa aids in southern ] [http://s1.shard.jp/frhorton/qwl7aihru.html africa aids child fund grant hiv in orphan vulnerable ] [http://s1.shard.jp/galeach/new141.html broadcast asia 2004 ] [http://s1.shard.jp/frhorton/po4uhk6ve.html african tick bird giraffe ] [http://s1.shard.jp/frhorton/rlw3nqlyf.html train trips in south africa] [http://s1.shard.jp/olharder/ontario-auto-insurance.html summit automotive catalog ] [http://s1.shard.jp/olharder/automobile-accident.html automobile dealer dodge part ] [http://s1.shard.jp/galeach/new47.html asian caricature ] [http://s1.shard.jp/olharder/autoroll-654.html map] [http://s1.shard.jp/olharder/automobile-chart.html auto indulgence ] [http://s1.shard.jp/olharder/autoritatea-nationala.html alberta auto trader ] [http://s1.shard.jp/losaul/australia-phone.html car gps systems australia ] [http://s1.shard.jp/losaul/australia-installation.html leichhardt council australia ] [http://s1.shard.jp/losaul/lawn-bowls-clubs.html dating sites in australia ] [http://s1.shard.jp/galeach/new48.html asia online times ] [http://s1.shard.jp/olharder/jl-french-automotive.html auto gps receiver reviews ] [http://s1.shard.jp/bireba/macintosh-antivirus.html avast antivirus pro serial ] [http://s1.shard.jp/losaul/planting-guide.html australian superannuation rules ] [http://s1.shard.jp/galeach/new45.html little asian boy ] [http://s1.shard.jp/galeach/new127.html quality asian page ] [http://s1.shard.jp/losaul/i-still-call-australia.html calling london from australia ] [http://s1.shard.jp/bireba/antivirus-cleanup.html norton antivirus corporate edition 7.5 ] [http://s1.shard.jp/galeach/new190.html asia women ] [http://s1.shard.jp/losaul/informed-sources.html australia drop letterbox ] [http://s1.shard.jp/olharder/auto-club-country.html browning automatic pistols ] [http://s1.shard.jp/galeach/new178.html salt lakes of asia ] [http://s1.shard.jp/losaul/western-plains.html mtrain australia ] [http://s1.shard.jp/frhorton/2u1ol1yan.html climate map of africa ] [http://s1.shard.jp/frhorton/o5mgjok5p.html corruption in africa ] [http://s1.shard.jp/frhorton/gicyohdlg.html african american history photo ] [http://s1.shard.jp/olharder/wheels-and-deals.html autograph pittsburgh session steelers ] [http://s1.shard.jp/olharder/pyles-auto-sales.html epinephrine auto injector ] [http://s1.shard.jp/galeach/new104.html asiatic cheetah pictures ] [http://s1.shard.jp/olharder/autoroll-654.html links] [http://s1.shard.jp/bireba/download-norton.html mcafee free antivirus downloads ] [http://s1.shard.jp/galeach/new101.html history of caucasian race ] [http://s1.shard.jp/olharder/autofill-slush.html auto consulting dealership firm ] [http://s1.shard.jp/bireba/eztrust-antivirus.html abg antivirus free download ] 
 
 
[[OWASP Code Review Guide Table of Contents]]
 
[[OWASP Code Review Guide Table of Contents]]
  
Line 52: Line 51:
 
  {
 
  {
 
  ActionErrors errors = new ActionErrors();  
 
  ActionErrors errors = new ActionErrors();  
  ActionError error = new ActionError("error.employee.databaseException" + “Payload: “+payload);
+
  ActionError error = new ActionError("error.employee.databaseException" + “Payload: +payload);
 
  errors.add( ActionErrors.GLOBAL_ERROR, error );  
 
  errors.add( ActionErrors.GLOBAL_ERROR, error );  
 
  saveErrors( request, errors ); return (mapping.findForward("error: "+ searchQuery));  
 
  saveErrors( request, errors ); return (mapping.findForward("error: "+ searchQuery));  
Line 75: Line 74:
 
  {  
 
  {  
 
   
 
   
  String input = req.getHeader(“USERINPUT”);
+
  String input = req.getHeader(“USERINPUT”);
 
   
 
   
 
  PrintWriter out = res.getWriter();  
 
  PrintWriter out = res.getWriter();  
Line 107: Line 106:
 
  Sub cmdSearch _Click(Source As Object, _ e As EventArgs)  
 
  Sub cmdSearch _Click(Source As Object, _ e As EventArgs)  
 
 
 
 
  // Do Search…..
+
  // Do Search…..
  // …………
+
  // …………
 
   
 
   
 
  lblResult.Text="You Searched for: " & txtInput.Text  
 
  lblResult.Text="You Searched for: " & txtInput.Text  
 
   
 
   
  // Display Search Results…..
+
  // Display Search Results…..
  // …………
+
  // …………
 
   
 
   
 
  End Sub  
 
  End Sub  
Line 181: Line 180:
 
The approach to mitigate against this si to ensure the data sent to the browser is not going to be interpreted by the browser as mark-up and should be treated as user data.
 
The approach to mitigate against this si to ensure the data sent to the browser is not going to be interpreted by the browser as mark-up and should be treated as user data.
  
We encode known bad to mitigate against this “enemy within”. This in effect assures the browser interprets any special characters as data and markup.  
+
We encode known bad to mitigate against this “enemy within”. This in effect assures the browser interprets any special characters as data and markup.  
 
How is this done?
 
How is this done?
 
HTML encoding usually means '''<''' becomes '''<''', '''>''' becomes '''>''', '''&''' becomes '''&''', and '''"''' becomes '''"'''.
 
HTML encoding usually means '''<''' becomes '''<''', '''>''' becomes '''>''', '''&''' becomes '''&''', and '''"''' becomes '''"'''.

Revision as of 18:00, 29 May 2009

OWASP Code Review Guide Table of Contents

Contact author: Eoin Keary



NOTICE: PLEASE GO TO
https://www.owasp.org/index.php/Reviewing_code_for_XSS_issues as this page may not be up to date.


XSS attacks Bad code example: If the text inputted by the user is reflected back and has not been data validated the browser shall interpret the inputted script as part of the mark up and execute the code accordingly. To mitigate this type of vulnerability we need to perform a number of security tasks in our code:

  1. Validate data
  2. Encode unsafe output
import org.apache.struts.action.*; 
import org.apache.commons.beanutils.BeanUtils; 
import javax.servlet.http.HttpServletRequest; 
import javax.servlet.http.HttpServletResponse; 

public final class InsertEmployeeAction extends Action { 

public ActionForward execute(ActionMapping mapping, ActionForm form,
    HttpServletRequest request, HttpServletResponse response) throws Exception{ 

// Setting up objects and vairables.

Obj1 service = new Obj1(); 
ObjForm objForm = (ObjForm) form; 
InfoADT adt = new InfoADT (); 
BeanUtils.copyProperties(adt, objForm); 

	String searchQuery = objForm.getqueryString();
	String payload = objForm.getPayLoad();
try { 
service.doWork(adt);  / /do something with the data
ActionMessages messages = new ActionMessages(); 
ActionMessage message = new ActionMessage("success", adt.getName() ); 
messages.add( ActionMessages.GLOBAL_MESSAGE, message ); 
saveMessages( request, messages ); 
request.setAttribute("Record", adt); 
return (mapping.findForward("success"));
}
catch( DatabaseException de ) 
{
ActionErrors errors = new ActionErrors(); 
ActionError error = new ActionError("error.employee.databaseException" + “Payload: “+payload);
errors.add( ActionErrors.GLOBAL_ERROR, error ); 
saveErrors( request, errors ); return (mapping.findForward("error: "+ searchQuery)); 
} 
} 
}


The red text above shows some common mistakes in the development of this struts action class. Firstly the data passed in the HttpServletRequest is placed into a parameter without being data validated.

Focusing on XSS we can see that this action class returns either a message, ActionMessage in the case of the function being successful. In the case of an error the code in the Try/Catch block is executed and we can see here that the data inputted by the user, the data contained in the HttpServletRequest is returned to the user, unvalidated and exactly in the format in which the user inputted it.

import java.io.*; 
import javax.servlet.http.*; 
import javax.servlet.*; 

public class HelloServlet extends HttpServlet 
{ 
public void doGet (HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException 
{ 

String input = req.getHeader(“USERINPUT”);

PrintWriter out = res.getWriter(); 
out.println(input);  // echo User input.
out.close(); 	
} 
} 


A second example of an XSS vulnerable function. Echoing un-validated user input back to the browser would give a nice large vulnerability footprint.



.NET Example (ASP.NET version 1.1 ASP.NET version 2.0):

The server side code for a VB.NET application may have similar functionality

' SearchResult.aspx.vb 
Imports System 
Imports System.Web 
Imports System.Web.UI 
Imports System.Web.UI.WebControls 

Public Class SearchPage Inherits System.Web.UI.Page 

Protected txtInput As TextBox 
Protected cmdSearch As Button 
Protected lblResult As Label Protected 

Sub cmdSearch _Click(Source As Object, _ e As EventArgs) 
	
// Do Search…..
	// …………

lblResult.Text="You Searched for: " & txtInput.Text 

// Display Search Results…..
// …………

End Sub 
End Class


This is a VB.NET example of a Cross Site Script vulnerable piece of search functionality which echoes back the data inputted by the user. To mitigate against this we need proper data validation and in the case of stored XSS attacks we need to encode known bad (as mentioned before).

In the .NET framework there are some in-built security functions which can assist in data validation and HTML encoding, namley, ASP.NET 1.1 request validation feature and HttpUtility.HtmlEncode.

Microsoft in their wisdom state that you should not rely solely on ASP.NET request validation and that it should be used in conjunction with your own data validation, such as regular expressions (mentioned below).

The request validation feature is disabled on an individual page by specifying in the page directive

 <%@ Page validateRequest="false" %>

or by setting ValidateRequest="false" on the @ Pages element.

or in the web.config file:

You can disable request validation by adding a

 <pages> element with validateRequest="false"

So when reviewing code make sure the validateRequest directive is enabled an if not, investigate what method of DV is being used, if any. Check that ASP.NET Request validation Is enabled in Machine.config Request validation is enabled by ASP.NET by default. You can see the following default setting in the Machine.config file.

 <pages validateRequest="true" ... /> 

HTML Encoding:

Content to be displayed can easily be encoded using the HtmlEncode function. This is done by calling:

 Server.HtmlEncode(string)

Using the html encoder example for a form:

Text Box: <%@ Page Language="C#" ValidateRequest="false" %>

<script runat="server"> 
void searchBtn _Click(object sender, EventArgs e) { 
Response.Write(HttpUtility.HtmlEncode(inputTxt.Text)); } 
</script> 
<html> 
<body> 
<form id="form1" runat="server"> 
<asp:TextBox ID="inputTxt" Runat="server" TextMode="MultiLine" Width="382px" Height="152px"> 
</asp:TextBox> 
<asp:Button ID="searchBtn" Runat="server" Text="Submit" OnClick=" searchBtn _Click" /> 
</form> 
</body> 
</html>

Stored Cross Site Script: Using Html encoding to encode potentially unsafe output.:

Malicious script can be stored/persisted in a database and shall not execute until retrieved by a user. This can also be the case in bulletin boards and some early web email clients. This incubated attack can sit dormant for a long period of time until a user decides to view the page where the injected script is present. At this point the script shall execute on the users browser:

The original source of input for the injected script may be from another vulnerable application, which is common in enterprise architectures. Therefore the application at hand may have good input data validation but the data persisted may not have been entered via this application per se, but via another application.

In this case we cannot be 100% sure the data to be displayed to the user is 100% safe (as it could of found its way in via another path in the enterprise). The approach to mitigate against this si to ensure the data sent to the browser is not going to be interpreted by the browser as mark-up and should be treated as user data.

We encode known bad to mitigate against this “enemy within”. This in effect assures the browser interprets any special characters as data and markup. How is this done? HTML encoding usually means < becomes &lt;, > becomes &gt;, & becomes &amp;, and " becomes &quot;.

From To

<      &lt;

>      &gt;

(      &#40;

)      &#41;

#      &#35;

&      &amp;

"      &quot;

So for example the text <script> would be displayed as <script> but on viewing the markup it would be represented by &lt;script&gt;