
White Paper

Web Application Security

Managing Cross-Site Scripting, The Number One Item on OWASP’s Top Ten List


Introduction: What is OWASP?

The Open Web Application Security Project (OWASP) is, by its own definition, “a worldwide free and open community focused on improving the security of application software. Its mission is to make application security ‘visible,’ so that people and organizations can make informed decisions about application security risks.”1

The global OWASP community includes corporations, educational institutions, and individuals. The project is not affiliated with any technology company, although it supports the informed use of security technology. Anyone may participate, and all materials are available under a free and open software license.

The OWASP Top Ten List

One of OWASP’s key projects is its Top Ten List, compiled by network security experts from around the world. The list, currently available in English, French, Japanese, Korean, and Turkish, catalogs what this group views as the Top Ten Most Critical Web Application Vulnerabilities. It is described by OWASP as a “powerful awareness document for web application security … that represents a broad consensus about what the most critical web application security flaws are.”2 OWASP’s goal is to urge all companies to adopt this list and begin the process of ensuring that their web applications do not contain these vulnerabilities.

The top item on the OWASP list is Cross-Site Scripting, or XSS. Cross-Site Scripting is a type of computer security vulnerability, typically found in web applications, that lets malicious users inject code into the web pages viewed by other users. Any page that renders HTML and/or client-side scripts from user-supplied input is a candidate for this vulnerability.

The Danger of XSS

XSS works in the following way: the attacker inserts code or scripts into a web page, thereby altering its function. This can happen to any page that requests any type of information or input from the user, even through script code embedded in a URL placed in an email or a blog posting somewhere unrelated to the altered web page. This means, of course, that there are many potential avenues for an XSS attack, and a key concern in the network security community is that XSS is becoming increasingly prevalent as trends in website design move toward greater interactivity for the user.

As of 2007, XSS attacks, which can bypass access controls, constituted about 80 percent of all documented security vulnerabilities. During such attacks, the end user, who typically notices nothing unusual, may be subject to unauthorized access, theft of sensitive data, and/or financial loss.

Symantec Corporation, whose anti-spam and antivirus protection products offer security for inbound and outbound computer messaging, issues periodic Internet Security Threat Reports to help organizations implement effective security measures so as to better protect and manage their information. One recent Threat Report noted that there were 11,253 XSS vulnerabilities during the second half of 2007, as opposed to only 2,134 non-XSS vulnerabilities. The vast majority of these XSS vulnerabilities were site-specific, in that they were custom built for a particular target. CVE® (Common Vulnerabilities and Exposures) is a dictionary of publicly known information security vulnerabilities and exposures. CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services. The CVE Initiative’s May 2007 Report on Vulnerability Type Distributions ranked XSS number one overall, a finding that OWASP endorsed in its Top Ten 2007 list.


Some very large websites that have been hit by XSS include Google, Yahoo, MySpace, Facebook, PayPal, SourceForge, and Microsoft. In his December 20, 2008 article in The Register, reporter Dan Goodin described two recent XSS attacks against financial giant American Express. “The website for American Express has once again been bitten by security bugs that could expose its considerable base of customers to attacks that steal their login credentials,” he wrote. “The notice comes days after The Register reported Amex unnecessarily put its users at risk by failing to fix a glaring vulnerability more than two weeks after a security researcher first alerted company employees to the problem. An Amex spokesman later said the hole had been plugged.”

Goodin continued, “It turns out that’s not the case. The XSS error that makes it trivial for attackers to steal www.americanexpress.com users’ authentication cookies is alive and kicking. The confusion stems from a mistake made by many application developers who incorrectly assume that the root cause of a vulnerability is closed as soon as a particular exploit no longer works.”3

Joshua Abraham, Rapid7 Security Consultant, commented on Amex’s attempted fix. “They did not address the problem,” he said. “They addressed an instance of the problem. You want to look at the whole application and say, ‘Where could similar issues exist?’”4

The XSS threat has become so widespread that there is now a website – www.xssed.com – dedicated to providing the latest information on XSS vulnerabilities. It includes news articles and tutorials, as well as an archive of known XSS vulnerable websites.

Reflective and Persistent Cross-Site Scripting Attacks

There are three main types of XSS: Reflective, Persistent, and DOM-based. The primary difference between the first two is whether or not the altered page is viewable by anyone other than the attacker. If the intrusion is made through a login screen or a search box, the result is visible only to the user who submitted the input, so that, in order to complete the attack, the hacker must trick other people into visiting the altered page. This is Reflective XSS.

Persistent XSS is similar to Reflective XSS, but its effects are far more pervasive in that the altered page may be viewed by many people with no further effort on the hacker’s part. A common example of Persistent XSS is a bulletin board system or a forum where many people can chat and/or post messages. If the forum software does not properly escape the content of posted messages, then a hacker can easily slip an XSS tag into a message. Anyone who subsequently views the posted message will be affected by the XSS tag, which is like a worm that can propagate itself and affect anyone who views the infected object.

Another type of Persistent XSS attack is accomplished through SQL injection. In these cases, the hacker creates a massive program that can sweep the entire Internet and insert script tags randomly, with the intent of actually modifying the data within a database. When these script tags are served up, anyone accessing the affected page runs the script, which in turn tries to exploit a local browser vulnerability in the client. There are three levels in this type of attack: (1) the initial SQL injection attack against the server and the database, (2) the XSS attack based on the first attack having stored the script tags somewhere within a table, and (3) the attack against the unsuspecting user visiting the site in the attempt to do something such as Internet shopping.

With both Reflective and Persistent XSS, attacks are generally limited in scope to the open browser session. However, they still enable the hacker to steal cookies, session IDs, and account information.
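The escaping failure behind the forum example above, shown as an added illustration that is not code from the white paper or from Rapid7: a stored post and a reflected search term rendered first without escaping and then with output encoding. The render functions and the sample posts are constructed for this demonstration.

```javascript
// Added example, not code from the white paper: the "forum software does not
// properly escape" failure beside its hardened form. Sample posts are constructed.

// Escape the characters that change meaning inside HTML text or a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable (persistent XSS): the stored post body is concatenated into the
// page unchanged, so markup in it runs for every later reader of the thread.
function renderPostVulnerable(post) {
  return `<li><b>${post.author}</b>: ${post.body}</li>`;
}

// Hardened: each untrusted field is escaped at output time, so the browser
// displays the post's text instead of interpreting it as HTML.
function renderPostSafe(post) {
  return `<li><b>${escapeHtml(post.author)}</b>: ${escapeHtml(post.body)}</li>`;
}

// Reflected XSS has the same root cause: a search term echoed back to the one
// user who submitted it (for example through a crafted link).
function renderSearchVulnerable(term) {
  return `<p>Results for: ${term}</p>`;
}
function renderSearchSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Renders a whole thread with the hardened per-post function.
function renderThreadSafe(posts) {
  return `<ul>${posts.map(renderPostSafe).join("")}</ul>`;
}

// Constructed sample data: an ordinary post and one carrying a script tag.
const posts = [
  { author: "alice", body: "Great tip, thanks!" },
  { author: "mallory", body: "<script>alert(1)</script>" },
];
```

Escaping is context-specific: this encoder covers HTML text and quoted attribute values, while data placed inside a script block, a URL, or an unquoted attribute needs the encoder for that context.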

3 American Express bitten by XSS bugs (again), by Dan Goodin, The Register, 20th December 2008.


DOM-Based Cross-Site Scripting Attacks

DOM-based attacks use pages written against the Document Object Model, a popular coding technique. Many websites include not only HTML code and images, but also a lot of JavaScript code. In fact, the functionality in many Web 2.0 sites is driven by thousands or even tens of thousands of lines of highly architected JavaScript code.

Netflix is a good example. On this website, there are many thumbnails that enable the user to zoom in and out, to hover, or to give a film a star rating. This is all possible through JavaScript code, which can write directly into the contents of the web page. A hacker can use JavaScript code to dynamically modify the tags that one’s browser is interpreting so as to produce an XSS vulnerability with many of the same effects as the others. The difference is that this type of attack is much harder to detect. One must model the JavaScript code and the flow of data through that code in order to understand how everything works and ties together, a method called static code analysis.
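The data-flow modelling described above, as an added example that is not code from the white paper or from any Rapid7 product: a deliberately small static check that follows values from DOM sources (`location.hash`, `document.referrer`, and so on) through local variables into DOM sinks such as `innerHTML`. The source, sink and sanitizer lists, and the sample page script it scans, are assumptions constructed for the demonstration.

```javascript
// Added example, not from the white paper: a small static data-flow check of the
// kind the paper describes, over constructed JavaScript source lines. The
// source/sink/sanitizer lists are assumptions for the demo, not a full catalogue.
const DOM_SOURCES = ["location.hash", "location.search", "document.referrer", "document.URL"];
const DOM_SINKS = [".innerHTML", ".outerHTML", "document.write(", "eval("];
const SANITIZERS = ["escapeHtml(", "encodeURIComponent("]; // assumed safe wrappers
// Origin of attacker-controlled data reaching an expression, or null if none.
function taintOf(expr, tainted) {
  if (SANITIZERS.some(s => expr.includes(s))) return null;
  const direct = DOM_SOURCES.find(s => expr.includes(s));
  if (direct) return direct;
  for (const [name, origin] of tainted) {
    const re = new RegExp("\\b" + name.replace(/\$/g, "\\$") + "\\b");
    if (re.test(expr)) return origin + " via " + name;
  }
  return null;
}
// Walks the program line by line, tracking which variables hold data from a
// DOM source, and reports every sink fed by such data.
function findDomXss(source) {
  const tainted = new Map(); // variable name -> how it became tainted
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    const sink = DOM_SINKS.find(s => text.includes(s));
    if (sink) {
      // For property sinks only the right-hand side is attacker-controlled.
      const rhs = sink.endsWith("(") ? text : text.slice(text.indexOf("=") + 1);
      const origin = taintOf(rhs, tainted);
      if (origin) findings.push({ line: idx + 1, sink, origin });
      return;
    }
    // Plain assignment to a local: propagate or clear taint for that name.
    const m = text.match(/^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*(.+?);?\s*$/);
    if (m) {
      const origin = taintOf(m[2], tainted);
      if (origin) tainted.set(m[1], origin); else tainted.delete(m[1]);
    }
  });
  return findings;
}
// Constructed sample page script (scanned as text, never executed):
// lines 3 and 7 are DOM XSS; line 4 uses a safe sink, line 6 sanitized data.
const SAMPLE = [
  'const name = decodeURIComponent(location.hash.slice(1));',
  'const greeting = "Hello, " + name;',
  'document.getElementById("out").innerHTML = greeting;',
  'document.getElementById("raw").textContent = name;',
  'const cleaned = escapeHtml(name);',
  'document.getElementById("r").innerHTML = cleaned;',
  'document.write(document.referrer);',
].join("\n");
```

A real analyser works on a parsed syntax tree rather than lines and regexes, but the core idea is the same: mark what comes from the URL or another attacker-influenced source, follow it through assignments, and flag any sink it reaches without passing through an encoder.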

The Difficulty of Preventing XSS

As has been mentioned, the vast majority of XSS attacks are targeted at specific sites and specific vulnerabilities, unlike the attacks of previous viruses that were designed once and then released to hit any possible targets. Because there are so many possible ways for XSS attacks to break into a system, it is nearly impossible to anticipate and thereby prevent them. Even Google, with one of the world’s best teams of web engineers, has caught multiple XSS vulnerabilities only in its post-production websites. In these cases, Google’s white-hat hackers, along with their own QA teams, identified the vulnerabilities, fixed them, and then announced the already-patched hole.

Because of the difficulty of preventing XSS attacks, OWASP has issued a series of Best Practice recommendations. Their overarching suggestion is that organizations adopt an architectural approach to coding that is predicated on a secure development life cycle. This approach demands extensive forethought and planning before any actual coding is done on a particular page.

Rapid7 Nexpose – The Only Product That Addresses ALL Types of Cross-Site Scripting Attacks

Rapid7 Nexpose software utilizes the synergy between two of its proprietary technologies in order to locate XSS vulnerabilities in both pre- and post-production web applications.

With its Browser Emulation Scanning Technology (BEST), Rapid7 Nexpose runs the code in an emulated browser. In this way, all tests are taken from the perspective of the hacker, and, in XSS cases, the target.

By attempting to exploit found vulnerabilities, the Rapid7 Nexpose Expert System, licensed from Sandia National Laboratories, uses rules-based procedures to integrate a lot of information about a particular web application. The Expert System essentially reverse engineers the application, determines how it was constructed, how it communicates with a database, how it sits on top of its stack – the web server, the operating system server, and the database server – and uses all that information to determine how a hacker might try to penetrate the application. The Rapid7 Nexpose vulnerability library is the industry leader, and the Rapid7 vulnerability development team maintains it on a weekly basis to keep it current regarding any newly discovered vulnerabilities. This continual monitoring goes a long way to address the huge volume of new and different XSS vulnerabilities.


Next Steps

As the owner or manager of a website, you need to determine whether or not that site is currently vulnerable to XSS attacks. Rapid7 allows potential customers to download the trial version of Rapid7 Nexpose from www.rapid7.com and try the product for 20 days at no cost. A Rapid7 product specialist will even help to configure the software so that you can identify any potential vulnerabilities in your web applications.

There are also many security shops, including Rapid7’s Professional Services Organization (PSO), that offer manual penetration testing and web application auditing to help find other OWASP vulnerabilities and to perform services such as pen tests.

Of course, the most important next step is to employ secure OWASP-approved development practices for all future web applications.

About Rapid7

Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and penetration testing products, Nexpose and Metasploit, and mobile risk management solution, Mobilisafe, enable defenders to gain contextual visibility and manage the risk associated with the IT environment, users and threats relevant to their organization. Rapid7’s simple and innovative solutions are used by more than 2,000 enterprises and government agencies in more than 65 countries, while the Company’s free products are downloaded more than one million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7 has been recognized as one of the fastest growing security companies by Inc. Magazine and as a “Top Place to Work” by the Boston Globe. Its products are top rated by Gartner®, Forrester® and SC Magazine. The Company is backed by Bain Capital and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.com.
