Of all Web application security vulnerabilities, the most widespread and harmful is Cross-Site Scripting (XSS).
Examples of malicious code
- Modification of the Document Object Model - DOM (change some links, add some buttons)
- DOM injection
- The easiest exploit.
- A page will reflect user supplied data directly back to the user
So when the user types:
He receives an alert in his browser
Danger
- If the URL (containing GET parameters) is delivered by a third party to the victim
- The Victim will access a modified page
- The SSL certificate is valid and no security warning is shown!
Hostile data is taken and stored
- In a file
- In a Database
- In any other backend system
Then the data is sent back to any visitor of the web site
Risk when a large number of users can see unfiltered content
- Very dangerous for Content Management Systems (CMS)
DOM Based XSS
- Document Object Model
- The document is represented using a tree
- The tree is rooted with the document node
- Each tag and text is part of the tree
- XSS modifies the Document Object Model (DOM)
- It can create new nodes,
- Remove existing nodes
- Change the content of some nodes
Reducing the threat
- Encoding/escaping of string input
- Safely validating untrusted HTML inputs.
- Cookie Security.
- Disabling Scripts
- Defensive Technologies. (Mozilla Content Security Technologies, JS Sandbox tools, Auto Escaping tools etc)
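
The encoding, cookie security and defensive-technology items in the list above, combined in one response, as an added example that is not code from the original page. The function names, the cookie value and the Content Security Policy string are assumptions chosen for illustration.

```javascript
// Added example: output encoding for a page that reflects user input.
// All names (escapeHtml, renderUnsafe, renderSearchPage) are hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode for HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unencoded form: reflects the GET parameter straight into the markup.
function renderUnsafe(query) {
  return `<p>Results for ${query}</p>`;
}

// Hardened form: encoded output plus header-level defences.
function renderSearchPage(query) {
  return {
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      // Assumed policy: same-origin scripts only, so inline script is blocked.
      'Content-Security-Policy':
        "default-src 'self'; script-src 'self'; object-src 'none'",
      // Cookie security: not readable from script, sent over HTTPS only.
      'Set-Cookie': 'session=CONSTRUCTED_VALUE; HttpOnly; Secure; SameSite=Lax',
    },
    // HTML context gets escapeHtml, URL parameter context gets
    // encodeURIComponent: the encoder must match the output context.
    body: `<p>Results for ${escapeHtml(query)}</p>` +
          `<a href="/search?q=${encodeURIComponent(query)}">permalink</a>`,
  };
}

// Constructed sample input: markup where plain text was expected.
const sample = '<b onmouseover="x">Tom & "Jerry"</b>';
const page = renderSearchPage(sample);
console.log(renderUnsafe(sample)); // input becomes live elements in the DOM
console.log(page.body);            // same input rendered as inert text
```

Encoding is the primary control here; the CSP and cookie flags limit the damage if an unencoded output path is missed elsewhere in the application.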
Recent XSS Attacks:
GoDaddy recently went down in a DoS attack by an Anonymous hacker. After GoDaddy's CEO denied any such hack by Anonymous, they penetrated it again with XSS hacks.