Cross-Site Scripting (XSS)

The incidence of attacks on and exploitation of Web application vulnerabilities is steadily rising. As organizations secure their networks and operating systems, hackers are looking for alternative methods of executing malicious and criminal attacks.

Cross-Site Scripting (XSS) vulnerabilities are client-side attacks that rely on vulnerable CGI programs. A CGI program that does not adequately filter or encode its dynamic output allows a malicious user to abuse another user's trust in your Web server by injecting script tags into the pages it serves.

The Danger of Cross-Site Scripting

XSS works in the following way. An attacker inserts code or scripts into a web page, thereby altering its function. This can happen to any page that requests any type of information or input from the user, and the injected script can arrive indirectly, for example embedded in a URL within an email or a blog posting that has nothing to do with the altered web page. This means, of course, that there are many potential avenues for an XSS attack, and a key concern in the network security community is that XSS is becoming increasingly prevalent as trends in Web site design move toward greater interactivity for the user.

According to the Open Web Application Security Project (OWASP), as of 2007, XSS attacks, which can bypass access controls, constituted a significant percentage of all documented security vulnerabilities. During such attacks, the end user, who typically notices nothing unusual, may be subject to unauthorized access, theft of sensitive data, and/or financial loss. A recent Threat Report noted that there were 11,253 XSS vulnerabilities during the second half of 2007, as opposed to only 2,134 non-XSS vulnerabilities. The vast majority of these XSS vulnerabilities were site-specific, in that they were custom built for a particular target.

CVE® (Common Vulnerabilities and Exposures) is a dictionary of publicly known information security vulnerabilities and exposures. CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services. The CVE Initiative’s May 2007 Report on Vulnerability Type Distributions listed XSS as the number one vulnerability type overall, a finding that OWASP endorsed in its Top Ten 2007 list.

What are the implications of Cross-Site Scripting?

An exploit can be made to:

  • Access other sites inside another client's private intranet;
  • Steal another client's cookie(s);
  • Modify another client's cookie(s);
  • Steal another client's submitted form data;
  • Modify another client's submitted form data before it reaches the server.

Note that SSL connectivity does not protect against cross-site scripting.
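The flaw described above (a CGI program reflecting user input into its dynamic output without encoding it) and the cookie-theft implication from the list are illustrated together in the following added example. It is not code from this page or from Rapid7; the search page, the `q` parameter and the session cookie name are constructed for the illustration. The hardened version HTML-encodes every dynamic value before it reaches the browser and marks the session cookie `HttpOnly` so that page scripts cannot read it, which is the standard mitigation for the cookie-stealing case.

```python
import html
from urllib.parse import parse_qs

# Constructed scenario (not from the original page): a CGI-style search page
# that echoes the user's "q" parameter back into the HTML it returns.

SESSION_COOKIE = "SESSIONID"  # assumed cookie name for the illustration


def render_vulnerable(query_string: str) -> str:
    """The flaw the text describes: dynamic output is written into the page
    exactly as received, so any markup in the input becomes part of the page."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for: {q}</p>"


def render_hardened(query_string: str) -> str:
    """Same page, but every dynamic value is HTML-encoded before output.
    quote=True also encodes quotes, so the value is safe inside attributes too."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def session_cookie_header(session_id: str, hardened: bool) -> str:
    """Set-Cookie header for the session. The hardened form adds HttpOnly so the
    cookie is not exposed to document.cookie, and Secure so it travels only over
    TLS (SSL alone does not stop XSS, but it keeps the cookie off the wire)."""
    header = f"Set-Cookie: {SESSION_COOKIE}={session_id}; Path=/"
    if hardened:
        header += "; HttpOnly; Secure"
    return header


def reflects_raw_markup(query_string: str, page: str) -> bool:
    """Defender's check: did a '<' or '>' supplied by the client reach the
    page unencoded? Encoded output never contains the raw characters."""
    q = parse_qs(query_string).get("q", [""])[0]
    if "<" not in q and ">" not in q:
        return False
    return q in page


if __name__ == "__main__":
    # Constructed input containing a script tag, the kind of value a scanner
    # would submit to see whether the page reflects it unchanged.
    probe = "q=<script>alert(1)</script>"
    print(render_vulnerable(probe))
    print(render_hardened(probe))
    print(session_cookie_header("abc123", hardened=True))
```

Running the block shows the vulnerable page containing a live `<script>` element while the hardened page contains only `&lt;script&gt;`, which the browser displays as text. The `reflects_raw_markup` check is the kind of comparison a scanner makes: it submits a value containing markup characters and looks for the same characters in the response.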

Finding and Remediating Cross-Site Scripting Vulnerabilities with Rapid7 Nexpose

Rapid7 Nexpose software utilizes the synergy between two of its proprietary technologies in order to locate cross-site scripting vulnerabilities in both pre- and post-production web applications.

With its Browser Emulation Scanning Technology (BEST), Rapid7 Nexpose runs the code in an emulated browser. In this way, all tests are taken from the perspective of the hacker, and, in XSS cases, the target.

By attempting to exploit found vulnerabilities, the Rapid7 Nexpose Expert System, licensed from Sandia National Laboratories, uses rules-based procedures to integrate a large amount of information about a particular web application. The Expert System essentially reverse engineers the application, determines how it was constructed, how it communicates with a database, how it sits on top of its stack – the web server, the operating system, and the database server – and uses all that information to determine how a hacker might try to penetrate the application.

The Rapid7 Nexpose vulnerability library is the industry leader, and the Rapid7 vulnerability development team maintains it on a weekly basis to keep it current regarding any newly discovered vulnerabilities. This continual monitoring goes a long way to address the huge volume of new and different XSS vulnerabilities.

As the owner or manager of a Web site, you need to determine whether or not that site is currently vulnerable to XSS attacks. Rapid7 enables potential customers to download the trial version of Rapid7 Nexpose and try the product for 14 days at no cost. A Rapid7 product specialist will even help to configure the software so that you can identify any potential vulnerabilities in your web applications. Rapid7’s Professional Services Organization (PSO) can also provide manual penetration testing and web application auditing to help find other OWASP vulnerabilities.