ZD

SWE210 Software Security Week 5

Script Injection Attacks
  • Definition: A class of vulnerability in which attacker-supplied input is copied into code or markup that the application, or the victim's browser, then interprets, so the attacker's script runs in a context it should never control.

  • Consequences: Can lead to sensitive data theft, user session hijacking, website defacement, or malware distribution.

Static vs. Dynamic Website Architecture
  • Static Website:

    • Comprised of pre-created files such as HTML, CSS, and JavaScript.

    • An HTTP request from the browser is answered with the same pre-built file for every user; no code runs per request, so there is nothing for user input to be injected into.

  • Dynamic Website:

    • Server-side code builds each response at request time, typically from database content.

    • Data from HTTP GET/POST requests (query parameters, form fields, cookies, headers) flows into that code and into the generated page; wherever it is copied into a response without encoding, injection becomes possible.

Same-Origin Policy (SOP)
  • Definition: A security mechanism that restricts how documents or scripts can interact from different origins.

  • Components of an origin:

    1. Protocol: e.g., http:// or https://

    2. Domain: Hostname such as example.com

    3. Port Number: e.g., :80, :443. The port counts even when it is the scheme's default, so https://example.com and https://example.com:443 are the same origin, while https://example.com:8443 is not.

  • Example: The same-origin policy treats the following two URLs as the same origin (only the path differs), so a script on one may read and modify the other:

    • https://example.com/page1.html

    • https://example.com/page2.html

  • Cross-Origin: Any difference in protocol, domain, or port makes two URLs cross-origin (path, query and fragment are not part of the origin). By default a script from one origin cannot read another origin's DOM or responses; XSS matters precisely because it places the attacker's script inside the victim site's origin, where that restriction no longer helps.

Cross-Site Scripting (XSS)
  • Definition: A type of script injection attack that allows an attacker to run malicious JavaScript in a user's browser.

  • Mechanism: The vulnerable site itself delivers the script: it copies attacker-controlled input into a page without encoding, so the browser cannot tell the injected script from the site's own and runs it in the site's origin. The victim only has to load the affected page or follow a crafted link to it.

  • Example: User comments section where malicious scripts are injected.

Actors Involved in XSS Attack
  1. Website: Serves HTML pages to users.

  2. Victim: Unwitting user of the website.

  3. Attacker: Malicious user targeting the victim via an XSS vulnerability.

Types of XSS Attacks
  1. Reflected XSS:

    • Malicious scripts come from the current HTTP request.

    • The website reflects back the malicious string immediately in the response.

  2. Stored XSS:

    • Malicious scripts are stored in the website's database and served to users when they visit the webpage.

  3. DOM-based XSS:

    • The flaw is in client-side JavaScript that copies data from an attacker-controllable source (such as location.hash or location.search) into a dangerous sink (such as innerHTML or eval). The payload may never reach the server.

Reflected XSS Detailed
  • Mechanism:

    1. Attacker crafts URL with a malicious string.

    2. Victim is tricked into clicking the URL.

    3. Server includes the malicious string in the response.

    4. The victim's browser executes it inside the site's origin, where it can read the page, read cookies not marked HttpOnly, and send requests as the victim.

  • Impact: The attacker's script runs with the victim's session and privileges on that site; anything the victim can do there, the script can do.

Testing for Reflected XSS Vulnerabilities
  • Test Every Entry Point: URL parameters, form fields, headers and cookies that end up in a response, not just the visible form inputs.

  • Submit Random Values: Send a unique alphanumeric canary in each input and search the response for it; note the context of every reflection (HTML text, tag attribute, JavaScript string), since the context decides which characters a payload needs in order to break out.

  • Test XSS Payloads: Send a payload suited to that context, such as <script>alert(1)</script> in HTML text, and check whether it comes back unencoded; a reflected canary whose payload is encoded on the way out is not exploitable in that context.

Stored XSS Detailed
  • Mechanism:

    • Attackers inject JavaScript code through input fields that store data, like review comments.

    • Every user who views the stored content receives the script and their browser runs it, potentially sending their session cookie to the attacker.

  • Danger: No per-victim interaction is required; every visitor to the affected page is hit until the content is removed, including higher-privileged users such as moderators and administrators who review it.

DOM-based XSS

  • Definition: A type of Cross-Site Scripting where the attack is executed entirely on the client side, manipulating the Document Object Model (DOM) in the victim's browser.

  • Mechanism: Client-side JavaScript reads data from a source the attacker can influence (URL fragment, query string, document.referrer, postMessage data) and passes it to a sink that interprets it as markup or code (innerHTML, document.write, eval, setTimeout with a string argument). The browser then executes the injected script.

  • Example: A page that reads a name from the URL fragment and writes it into the page with innerHTML; a crafted link with a fragment such as #name=<img src=x onerror=...> executes script without that fragment ever being sent to the server.

  • Prevention: Treat those sources as untrusted; write data through safe sinks (textContent, setAttribute on non-event attributes) rather than innerHTML, document.write or eval; allow-list the values accepted; and remember that server-side filtering cannot see data that stays in the browser, such as the fragment.

Prevention Strategies Against XSS
  • WAF (Web Application Firewall): Filters requests for known payload patterns. Useful as an extra layer, but pattern matching is routinely bypassed, so it does not replace fixing the application.

  • Input validation (allow-listing): Accept only the characters or patterns a field legitimately needs. Validation alone cannot cover every place the data is later written, so also encode data for its output context (HTML text, attribute, JavaScript, URL) at the point it is inserted into the page.

  • Content Security Policy (CSP): A response header telling the browser which script sources may execute. A policy without 'unsafe-inline' that allows scripts only by nonce or hash means an injected inline script is not run even when the injection itself succeeds; it contains the bug rather than fixing it.

  • DOM-based XSS Mitigation: Validate and allow-list data from client-side sources and write it only through safe sinks, avoiding innerHTML, document.write and eval.

Cross-Site Request Forgery (CSRF)
  • Definition: A vulnerability in which a request to a web app, triggered by a site the attacker controls, is executed with the victim's authenticated session because the browser attaches the session cookie automatically.

  • Mechanism: The user logs in and receives a session cookie; later, while still logged in, a malicious page (via an auto-submitting form, an image tag or a script) makes the browser send a state-changing request to the legitimate app, which cannot distinguish it from one the user intended.

Mitigation Strategies Against CSRF
  • CSRF Tokens: Unpredictable secret values tied to the user's session (or generated per request) and embedded in the site's own forms; a page on another origin cannot read them, so the server rejects any state-changing request that does not carry the correct token.

  • SameSite Cookies: SameSite=Strict or SameSite=Lax on the session cookie stops the browser attaching it to most cross-site requests. Lax still sends the cookie on top-level GET navigations, so state-changing actions must not be reachable with GET.

  • Origin/Referer checks: The server compares the request's Origin (or Referer) header with its own origin and rejects mismatches. Referrer-Policy settings and privacy tools can strip these headers, so treat this as a secondary check rather than the only one.

  • Validation of Token in Critical Actions: Enforce the token check on every state-changing request, and add re-authentication or an explicit confirmation step for sensitive operations such as fund transfers or password changes.