Chapter 6. Exploiting Clients Using XSS and CSRF Flaws

In this era of Web 2.0, more organizations are developing rich online applications. These applications are designed for e-commerce, banking transactions, stock trading, storing medical records, and more. To provide a rich user experience, the application interacts with the user and also stores the sensitive personal information of the people using it. From a security perspective, the developers of these applications need to take the necessary measures to secure the application and maintain the confidentiality and integrity of that sensitive data.

The major concern when an application relies on user input is that it cannot trust the end user to provide non-malicious data. A user may submit a script in place of a username, and it is the application's responsibility to decide what constitutes legitimate input for that parameter. When it fails to validate the input and to encode it before writing it back into a page, an attacker can exploit this condition and execute a scripting attack.

In this chapter, we are going to discuss the cross-site scripting (XSS) attack and the cross-site request forgery (CSRF) attack. In both cases, the attacker does not target the end user's machine directly; instead, they exploit a weakness in a website that the victim visits. With XSS, once the website has been injected with a malicious script, the website inadvertently delivers that script to every user who views the affected page. With CSRF, no script need be injected into the site at all: the attacker abuses the trust the website places in the victim's browser and the credentials (such as session cookies) that the browser attaches to requests automatically.

We will cover the following topics in this chapter:

  • The origin of cross-site scripting
  • An overview of the cross-site scripting attack
  • Types of cross-site scripting
  • XSS and JavaScript
  • Tools for XSS
  • Cross-site request forgery

The origin of cross-site scripting

You will often hear the terms cross-site scripting and JavaScript used together. JavaScript is a client-side scripting language introduced by Netscape in 1995. Its main purpose was to let the web browser perform tasks on the client side. Although JavaScript can be used for other purposes too, it is most commonly used in web browsers to implement client-side scripts that alter the web page displayed in the browser, for example, showing a pop-up error dialog when the user enters a wrong value, or displaying ads on the page.

Some hackers soon found that, using JavaScript, they could read data from web pages loaded in adjacent windows or frames. A malicious website could thus cross the boundary and interact with content loaded from an entirely different site, unrelated to its own domain. This trick was named the cross-site scripting attack. To block it, Netscape introduced the same-origin policy, under which the browser permits JavaScript loaded in one page to access the contents of another page only if both come from the same origin (the same scheme, host, and port). In other words, a malicious user could no longer use JavaScript to read data from an arbitrary web page.

In the early 2000s, the cross-site scripting attack became better known for making a web page load malicious scripts in the victim's browser rather than for reading content from pages loaded in adjacent frames. Although the aim of the attack has changed over the years, the name has remained the same, which is why some people are confused about why it is called cross-site scripting. Over the years, cross-site scripting has used JavaScript to perform malicious activities such as malvertising, port scanning of the victim's internal network, and key logging.

An XSS attack can also be used to inject VBScript, ActiveX, or Flash into a vulnerable web page, although these technologies are obsolete and no longer supported by current browsers. Since JavaScript is so widely used, we will use only JavaScript to demonstrate the examples in this chapter.

Introduction to JavaScript

To make things clear upfront, JavaScript is different from the Java programming language. Netscape named it JavaScript purely for marketing reasons, as Java was gaining popularity at the time. In dynamic web applications, JavaScript is used for a wide variety of tasks and can be embedded in HTML pages to retrieve data from several sources to build the web page. A simple example would be a social networking website using JavaScript to build a profile page by loading the profile image, user details, and old posts from several locations. Some of the ways in which JavaScript can be embedded in HTML code are shown here:

  • Script tag: JavaScript can be embedded directly in the web page using the <script> tag. The command is as follows:
    <script> alert("XSSed"); </script>
  • Body tag: The script can also be embedded using the onload event in the <body> tag. The command is as follows:
    <body onload=alert("XSSed")>
  • Image tag: This tag can also be made to execute JavaScript and is often used in malicious payloads. The form shown here relies on the browser following a javascript: URL in the src attribute, which legacy browsers did but current browsers refuse; modern payloads instead attach an event handler such as onerror to the same tag. The command is as follows:
    <img src="javascript:alert('XSS')">

Other tags such as <iframe>, <div>, and <link> are also used to embed scripts in the HTML page.
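The following is an added example, not code from the chapter, showing how the injection vectors listed above turn into a reflected XSS when a server-rendered page concatenates untrusted input into HTML, and how HTML output encoding stops it. The /greet endpoint and the name parameter are hypothetical, and the fourth payload (the onerror form) is added here because javascript: URLs in src no longer execute in current browsers.

```javascript
// Added example (not from the chapter): a reflected XSS in a server-rendered page,
// using the injection vectors listed above, and the output encoding that stops it.
// The /greet endpoint and the "name" parameter are hypothetical.

// Injection vectors from the chapter's list, plus the onerror form that works in
// modern browsers (added here; javascript: URLs in src no longer execute).
const PAYLOADS = [
  '<script> alert("XSSed"); </script>',
  '<body onload=alert("XSSed")>',
  '<img src="javascript:alert(\'XSS\')">',
  '<img src=x onerror=alert("XSSed")>',
];

// Vulnerable: the handler trusts the name parameter and concatenates it into HTML.
function renderGreetingVulnerable(name) {
  return `<html><body><h1>Welcome, ${name}</h1></body></html>`;
}

// Encode the characters that can terminate an HTML text node or attribute value.
// This is the right encoding for a text-node or quoted-attribute context only;
// values placed inside a URL, a style, or a <script> block need their own encoding.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: identical template, but the untrusted value is encoded on output.
function renderGreetingSafe(name) {
  return `<html><body><h1>Welcome, ${escapeHtml(name)}</h1></body></html>`;
}

// Did the rendered page end up with a script element, an inline event handler, or a
// javascript: URL inside a real tag? The "<" must be literal; an encoded &lt; is inert.
const INJECTED_SCRIPT = /<script\b|<\w+[^>]*\s(on\w+\s*=|src\s*=\s*["']?javascript:)/i;

function containsInjectedScript(html) {
  return INJECTED_SCRIPT.test(html);
}

// The link an attacker would send the victim to trigger the reflected payload.
function buildLureUrl(payload) {
  return '/greet?name=' + encodeURIComponent(payload);
}

// Run every payload through both renderers and report whether script survived.
function evaluate(payloads) {
  return payloads.map((p) => ({
    lure: buildLureUrl(p),
    vulnerableExploitable: containsInjectedScript(renderGreetingVulnerable(p)),
    safeExploitable: containsInjectedScript(renderGreetingSafe(p)),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const result of evaluate(PAYLOADS)) console.log(result);
}
```

Every payload survives the vulnerable renderer and none survives the hardened one, even though the two templates are identical apart from the call to escapeHtml. The check is deliberately crude (a regex, not an HTML parser) and exists only to make the difference visible; the real lesson is that the encoding must match the context the value lands in.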

JavaScript can be used not only to retrieve information from the server but also to perform Document Object Model (DOM) scripting, and it has access to a limited set of browser and platform properties (for example, the user agent and screen size exposed through the navigator and screen objects). JavaScript was designed to run in a very restricted environment, the browser sandbox, with no direct access to the underlying operating system, but even with that limited access, JavaScript loaded in the web browser can do real damage.

When JavaScript is loaded in the browser, it can read the cookies set for the current origin through document.cookie (unless a cookie has been marked HttpOnly) and can navigate the browser's history. Cookies are often used as session identifiers; if an attacker can steal them, they can hijack the session. JavaScript also has access to the entire DOM of the web page and can rewrite the HTML, which allows an attacker to deface the page. With obfuscated JavaScript, it becomes even more difficult for a casual viewer to understand what the script is actually doing.

Note

The DOM is a logical structure that defines the attributes of the objects in a web page (text, images, headers, links) and the ways in which they are represented. It also defines the rules for manipulating them.
