Cross Site Scripting
• XSS
• Cascading Style Sheets (CSS) are something else entirely
• Originally called cross-site because of browser security flaws
• Information from one site could be shared with another
• One of the most common web application development errors
• Takes advantage of the trust a user has for a site
• Complex and varied
• Malware that uses JavaScript
• Do you allow scripts? Me too.

Non-persistent (reflected) XSS attack
Website allows scripts to run in user input
- Search box is a common source
Attacker emails a link that takes advantage of this vulnerability
- Runs a script that sends credentials/session IDs/cookies to the attacker
Script embedded in URL executes in the victim's browser
Attacker uses credentials/session IDs/cookies to steal the victim's information without their knowledge

Persistent (stored) XSS attack
• Attacker posts a message to a social network
- Includes the malicious payload
• It's now "persistent" - Everyone gets the payload
• No specific target - All viewers of the page
• For social networking, this can spread quickly
- Everyone who views the message can have it posted to their page
- Where someone else can view it and propagate it further...

Hacking a Subaru
June 2017, Aaron Guzman
- Security researcher
When authenticating with Subaru, users get a token
- This token never expires (bad!)
A valid token allowed any service request
- Even adding your email address to someone else's account
- Now you have full access to someone else's car
Web front-end included an XSS vulnerability
- A user clicks a malicious link, and you have their token

Protecting against XSS
- Be careful when clicking untrusted links
- Consider disabling JavaScript, or control with an extension
- Keep your browser and applications updated
- Keep your web server applications updated