User: Password:
Subscribe / Log in / New account


Cross-site scripting attacks

April 12, 2006

This article was contributed by Jake Edge.

Two weeks ago, this page examined SQL injection attacks on web applications. Another well-known attack is cross-site scripting, often abbreviated as "XSS." Cross-site scripting is, perhaps, a more subtle way of breaking web applications, but its effects can be just as damaging as SQL Injection.

The basic vector for XSS is user input into a website that is not filtered to remove dangerous content. One of the more obvious ways this can occur is with sites that allow users to add comments to stories, without removing or altering HTML tags that they enter. For example, if one adds a comment that contains:

and someone else, when looking at that comment, gets the alert, the site is vulnerable to XSS. Obviously, a javascript popup is not particularly dangerous and would be a clear sign that something odd is going on. This kind of 'attack' is only used as a proof of concept. The key thing to note is that one user can run javascript in the context of another user's browser, with all of the information and privileges of the targeted user (or, at least, the subset granted to javascript).

There are other mechanisms to inject this kind of malicious content, either as HTML links or by causing error messages that display the content. Essentially any place that a web application displays user input can be exploited if the input or output is not filtered correctly. When XSS attacks appear in links, they are often encoded in hex using the '%xx' or '&#xx;' so that it is not immediately apparent that the link contains malicious content.

A wide variety of actions can be triggered by an XSS exploit, including cookie theft, account hijacking, and denial of service. A clever attacker could make a page that looks exactly like the login page of a popular website (Google for example) and an unwary user could be fooled into entering their username and password into this page after following a link. By exploiting an XSS hole recently reported and discussed on the Bugtraq mailing list, the link would not obviously be malicious and could start with

Another common attack is to hijack a session by using an XSS exploit to capture a cookie value that stores a session ID. An attacker can then use that session ID to take over a currently logged-in session at the web site and for all intents and purposes, become that user. This attack is especially nasty if that user happens to be an administrative user - or is logged into, say, a financial site.

Avoiding XSS in a web application requires diligence in filtering user input (a common theme in nearly all web application vulnerabilities). Any user input that is sent back to browser for any reason needs to have certain characters converted to strings that will display properly, but not be interpreted as HTML by the browser. An XSS FAQ recommends replacing the following characters: < > ( ) & and # with &lt;, &gt;, &#40, etc.

XSS vulnerabilities are one of the most commonly reported security issues with web applications today. New XSS techniques are discovered regularly that find new ways to evade various security measures implemented by the browser scripting languages and new ways to fool users into falling into an XSS trap. Any technique that allows attackers to run code in your browser with your permissions is obviously cause for worry. Website users can only take some fairly drastic measures to avoid XSS (turning off javascript, not following links, etc.). This is clearly something that website owners must handle to protect their users.

Comments (9 posted)

Brief items

Anti-virus to protect against anti-virus vulnerabilities

Users of the ClamAV free anti-virus system should be aware of the recent vulnerabilities in that package. No need to fear, however: SonicWALL has announced that its (proprietary) anti-virus system is now equipped to shield your network from attempts to exploit one of those vulnerabilities. So ClamAV users need not actually apply the update - just layer another anti-virus package on top of it instead.

Comments (35 posted)

New vulnerabilities

clamav: multiple vulnerabilities

Package(s):clamav CVE #(s):CVE-2006-1614 CVE-2006-1615 CVE-2006-1630
Created:April 6, 2006 Updated:April 12, 2006
Description: The ClamAV anti-virus toolkit has three vulnerabilities. the PE header parser has an integer overflow problem, the logging code has format string vulnerabilities that may lead to the execution of arbitrary code, and the cli_bitset_set() function can be used to create a denial of service.
SuSE SUSE-SA:2006:020 clamav 2006-04-11
Mandriva MDKSA-2006:067 clamav 2006-04-07
Gentoo 200604-06 clamav 2006-04-07
Trustix TSLSA-2006-0020 multi 2006-04-07
Debian DSA-1024-1 clamav 2006-04-05

Comments (1 posted)

doomsday: format string vulnerability

Package(s):doomsday CVE #(s):CVE-2006-1618
Created:April 6, 2006 Updated:April 12, 2006
Description: The doomsday gaming engine has a format string vulnerability that may be utilized by a remote attacker for the execution of arbitrary code.
Gentoo 200604-05 doomsday 2006-04-06

Comments (none posted)

libimager-perl: denial of service

Package(s):libimager-perl CVE #(s):CVE-2006-0053
Created:April 10, 2006 Updated:April 12, 2006
Description: The libimager-perl Perl extension has a vulnerability in which maliciously created 4-channel JPEG images can cause a segmentation fault and cause a denial of service.
Debian DSA-1028-1 libimager-perl 2006-03-07

Comments (none posted)

mplayer: integer overflows

Package(s):mplayer CVE #(s):CVE-2006-1502
Created:April 10, 2006 Updated:May 1, 2006
Description: MPlayer 1.0pre7try2 has multiple integer overflow vulnerabilities. Remote attackers can maliciously craft an ASF file or an AVI file in order to cause a denial of service.
Gentoo 200605-01 mplayer 2006-05-01
Mandriva MDKSA-2006:068 mplayer 2006-04-07

Comments (none posted)

openvpn: arbitrary code execution

Package(s):openvpn CVE #(s):CVE-2006-1629
Created:April 11, 2006 Updated:April 27, 2006
Description: OpenVPN 2.0 through 2.0.5 allows remote malicious servers to execute arbitrary code on the client by using setenv with the LD_PRELOAD environment variable.
Debian DSA-1045-1 openvpn 2006-04-27
Mandriva MDKSA-2006:069 openvpn 2006-04-10

Comments (none posted)

plone: unauthorized access

Package(s):plone CVE #(s):CVE-2006-1711
Created:April 12, 2006 Updated:April 12, 2006
Description: From the Debian advisory: "It was discovered that the Plone content management system lacks security declarations for three internal classes. This allows manipulation of user portraits by unprivileged users."
Debian DSA-1032-1 zope-cmfplone 2006-04-12

Comments (none posted)

xscreensaver: possible password exposure

Package(s):xscreensaver CVE #(s):CVE-2004-2655
Created:April 11, 2006 Updated:May 24, 2006
Description: In some cases, xscreensaver did not properly grab the keyboard when reading the password for unlocking the screen, so that the password was typed into the currently active application window. The only known vulnerable case was when xscreensaver activated while an rdesktop session was currently active.
Red Hat RHSA-2006:0498-01 xscreensaver 2006-05-23
Ubuntu USN-269-1 xscreensaver 2006-04-11

Comments (none posted)


Slides: open standards and security

David A. Wheeler has posted the slides from his "open standards and security" talk [PDF]. When viewing, skip immediately to the middle, where you can find a second set of slides with added commentary. "In contrast, open standards make security possible. They enable continuous competition between suppliers, so you can now choose the supplier who provides adequate security. Suppliers now compete on security, so they will have to improve. The key is using open standards appropriately to enable competition."

Comments (2 posted)

Page editor: Jonathan Corbet
Next page: Kernel development>>

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds