Cross-site scripting has been at the top of both the OWASP Top Ten list and the CWE/SANS Top 25 repeatedly. Some reports show cross-site scripting, or XSS, vulnerabilities to be present in 7 out of 10 web sites while others report that up to 90 percent of all web sites are vulnerable to this type of attack. Why are so many sites at risk? Because cross-site scripting attacks are so easy to perform.
Basically, an attacker inputs a malicious script into a web site. This can be in a forum, comment section, or any other input area. When victims visit that web site, they only need to click on that script to start the exploit.
A few facts about cross-site scripting attacks that you should be aware of are:
* Every month roughly 10-25 XSS holes are found in commercial products and advisories are published explaining the threat.
* Websites that use SSL (https) are in no way more protected than websites that are not encrypted. The web applications work the same way as before, except the attack is taking place in an encrypted connection.
* XSS attacks are generally invisible to the victim.
* All Web servers, application servers, and Web application environments are susceptible to cross-site scripting.
Risks Associated with Cross-Site Scripting
Attackers are lured to XSS exploits because of how easy they are to perform, but they also know to follow the money. Attacking a web site through a cross-site scripting vulnerability can be quite profitable for the attacker who knows how to harness this type of exploit.
Without proactive Web application security in place to stop XSS attacks, you leave your site vulnerable to:
* User accounts being stolen through session hijacking (stealing cookies) or through the theft of username and password combinations
* The ability for attackers to track your visitors' web browsing behavior, infringing on their privacy
* Abuse of credentials and trust
* Keystroke logging of your site’s visitors
* Misuse of server and bandwidth resources
* The ability for attackers to exploit your visitors' browsers
* Data theft
* Web site defacement and vandalism
* Link injections
* Content theft
Web sites that have been exploited using XSS attacks have also been used to:
* Probe the rest of the intranet for other vulnerabilities
* Launch Denial of Service attacks
* Launch Brute Force attacks
Preventing Cross-Site Scripting Attacks
With the dotDefender web application firewall you can avoid XSS attacks, because dotDefender inspects your HTTP traffic and determines whether your web site suffers from cross-site scripting vulnerabilities or other attacks, in order to stop web applications from being exploited.
Architected as plug & play software, dotDefender provides optimal out-of-the-box protection against cross-site scripting, SQL Injection attacks, path traversal and many other web attack techniques.
The reasons dotDefender offers such a comprehensive solution to your web application security needs are:
* Easy installation on Apache and IIS servers
* Strong security against known and emerging hacking attacks
* Best-of-breed predefined security rules for instant protection
* Interface and API for managing multiple servers with ease
* Requires no additional hardware, and easily scales with your business
How does an attacker exploit a cross-site scripting vulnerability?
Before a web site can be compromised, an attacker needs to find applications that are vulnerable to XSS. Unfortunately, most web applications, both Free/Open Source Software and commercial software, are susceptible. Attackers simply perform a Google search for terms that are often found in the software. Using search bots to automate this process means an attacker can find thousands of vulnerable web sites in minutes.
Once a vulnerable web site is discovered, the attacker then examines the HTML to find where the exploit code can be injected.
Coding the exploit
After this has been determined, the attacker then begins to code the exploit. There are three types of attacks that can be used:
1. Stored (persistent) attacks: Injected malicious code is stored on a target server such as a bulletin board, a visitor log, or a comment field. When interacting with the target server, an end-user inadvertently retrieves and executes the malicious code from the server.
2. Reflected attacks: The end-user is tricked into clicking a malicious link or submitting a manipulated form. The injected code is sent to a vulnerable web server that directs the cross-site attack back to the user’s browser. The browser then executes the malicious code, assuming it comes from a trusted server.
3. DOM-based attacks: The attack script is based on the same page's DOM (Document Object Model), enabling it to manipulate and interrogate it. In this type of exploit, remote execution is enabled, allowing the attacker to execute malicious code on the victim's computer.
After the code has been written, it is then injected into the target site.
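The stored and reflected cases above both come down to untrusted text being concatenated into HTML. The following added example (not from the original article; function names and sample inputs are constructed) shows that rendering next to a version that encodes output, for element content and for an attribute value.

```javascript
// Added example, not from the original article. Names and inputs are constructed.

// Encode the characters that let text break out of HTML element content
// or out of a quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Stored case: a saved comment is rendered for every later visitor.
function renderCommentUnsafe(comment) {
  return '<li class="comment">' + comment.body + '</li>'; // raw concatenation
}
function renderCommentSafe(comment) {
  return '<li class="comment">' + escapeHtml(comment.body) + '</li>';
}

// Reflected case: a query parameter is echoed back in the same response,
// once as element content and once inside an attribute value.
function renderSearchUnsafe(query) {
  return '<p>Results for ' + query + '</p><input name="q" value="' + query + '">';
}
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return '<p>Results for ' + q + '</p><input name="q" value="' + q + '">';
}

// Constructed, harmless inputs that stand in for attacker-supplied text.
const storedComment = { author: 'visitor', body: 'Nice post <script>alert(1)</script>' };
const reflectedQuery = new URLSearchParams('q=%22%3E%3Cb%3Einjected%3C%2Fb%3E').get('q');

// True when the output contains an element the template never intended.
function containsInjectedMarkup(html) {
  return /<script\b|<b>/i.test(html);
}

console.log(renderCommentUnsafe(storedComment));
console.log(renderCommentSafe(storedComment));
console.log(renderSearchUnsafe(reflectedQuery));
console.log(renderSearchSafe(reflectedQuery));
```

For the DOM-based case the equivalent fix lives in client-side code: assign untrusted values with `textContent` rather than `innerHTML`.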
Reap the rewards
Now that the script has been injected into the vulnerable site, the attacker can begin to reap the rewards. If the intent of the XSS attack was to steal user authentication credentials, usernames and passwords are now collected. For attacks that center around keystroke logging, the attacker will begin to receive the logged results from the victims. If the intent was to inject spam links into a well-trusted site, then the attacker will begin to see increased activity on their sites due to higher traffic and higher search engine results.
If the attack was successful, the attacker will often replicate it on other sites to increase the potential reward.
The Need to Avoid Cross-Site Scripting Attacks
Cross-site scripting costs businesses not only in stolen data, but also in harm to their reputation. Owners who work hard to establish themselves as a trusted site to deliver content, services, or products often find themselves hurt when loyal visitors lose trust in them after an attack. Visitors whose data is stolen, or who find their computers infected as the result of an innocent visit to your web site, are hesitant to return even if assurances are made that the site is now clean.
Even if a vulnerable site is fixed, sites that contained malicious code from an XSS exploit are usually flagged by Google and other search engines as a result. The time and effort spent restoring a solid reputation with the search engines are an added cost that most web site owners never figure on.
The threat posed by cross-site scripting attacks is not solitary. Combined with other vulnerabilities like SQL injections, path traversal, denial of service attacks, and buffer overflows, the need for web site owners and administrators to be vigilant is not only important but overwhelming.
Protect Yourself from Cross-Site Scripting Attacks
dotDefender's unique security approach eliminates the need to learn the specific threats that exist on each web application. The software that runs dotDefender focuses on analyzing the request and the impact it has on the application. Effective web application security is based on three powerful web application security engines: Pattern Recognition, Session Protection and Signature Knowledgebase.
The Pattern Recognition web application security engine employed by dotDefender effectively protects against malicious behavior such as SQL Injection and Cross Site Scripting. The patterns are regular expression-based and designed to efficiently and accurately identify a wide array of application-level attack methods. As a result, dotDefender is characterized by an extremely low false positive rate.
What sets dotDefender apart is that it offers comprehensive protection against cross-site scripting and other attacks while being one of the easiest solutions to use.
In just 10 clicks, a web administrator with no security training can have dotDefender up and running. Its predefined rule set offers out-of-the-box protection that can be easily managed through a browser-based interface with virtually no impact on your server or web site’s performance.