Cross Site Scripting as a method of Phishing

  • CERT Admin
  • Fri Oct 14 2016
  • Cyber Guardian Blog

VOLUME 63 


Cross site scripting (XSS) 

Cross site scripting is regarded as one of the most dangerous types of cyber-attacks in the current world. Things that can be done through cross site scripting include session hijacking, extracting the user's credentials (username, password), site redirection, or anything else that is possible with client-side executable code (JavaScript).

Here the attacker uses basic vulnerabilities of the system, together with his knowledge of client-side scripting (JavaScript), to build a link which, when clicked by the victim, extracts data from the victim. The extracted data is then sent to the attacker's server. The attacker then uses this data to masquerade as the victim and log in to the victim's system. 

There are 3 types of XSS attacks:
   1. Stored XSS
   2. Reflected XSS
   3. DOM based XSS 


Stored XSS 

The malicious link or script is usually attached to the web page via comment boxes or via a server-side injection. A script stored within a database is also considered under this category. 



Reflected XSS 

A web page that immediately echoes the submitted input back, for example in an error message, can be considered under reflected XSS. 


DOM based XSS 

DOM Based XSS is a form of XSS where the entire tainted data flow from source to sink takes place in the browser. 

Most sites on the web turn stateless HTTP into a stateful protocol with the use of cookies or sessions. Using these sessions, the state of a user at a given point in time is maintained. Sessions or cookies are used to keep records of the things the user has done over a past period of time, and so they hold a certain amount of private data belonging to the user's profile for a given amount of time. In a session hijacking attempt, this session ID is used by the attacker with the victim's privileges.

Through XSS, cookies can be hijacked too, following the same scenario as session extraction. But unlike sessions, cookies carry raw data as a whole, unless they are separately encrypted. Therefore, there is a possibility that raw data such as the username or privilege level can be extracted from them as well, and by combining this with another attack method, such as a brute force attempt, passwords can be retrieved as well.

Therefore, XSS can be more than harmful once such sensitive data is extracted.  

Apart from session and cookie hijacking, XSS is used for redirecting users to phishing sites or other links. Most phishing sites appear identical to some popular sites; however, they can usually be identified by examining the URL in the address bar. 


Rather than blaming the user's unawareness, XSS vulnerabilities are faults of developers. Proper validation checks should be done on both the client side and the server side, so that injection of JavaScript code is prevented even when the client-side checks are bypassed by intercepting the request. Validation has to be on the client's side as well as on the database side, so that improper manipulation of code can be prevented. 
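The server-side part of that defence, as an added example that is not from the original post: the same stored comment rendered unsafely and then with HTML output encoding (which complements input validation), plus a session cookie flagged `HttpOnly` so an injected script cannot read it. All function names here are hypothetical and the sample comment is constructed.

```javascript
// Added example (not from the original post): rendering a user-supplied
// comment two ways, the unsafe concatenation that creates a stored XSS and
// the hardened version that HTML-encodes the value, plus a session cookie
// marked HttpOnly so document.cookie cannot expose it to injected script.

// Encode the five characters that let untrusted text break out of an
// HTML text node or a double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the comment is concatenated into the page as raw markup.
function renderCommentUnsafe(comment) {
  return '<li class="comment">' + comment + '</li>';
}

// Hardened: the comment is encoded, so a <script> tag reaches the browser
// as literal text and is never parsed as an element.
function renderCommentSafe(comment) {
  return '<li class="comment">' + escapeHtml(comment) + '</li>';
}

// Crude check used only to show whether live markup survived encoding.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Set-Cookie header for the session id: HttpOnly keeps it out of
// document.cookie, Secure keeps it off plaintext HTTP, SameSite=Lax limits
// cross-site sending.
function sessionCookieHeader(sessionId) {
  return 'sid=' + encodeURIComponent(sessionId) + '; HttpOnly; Secure; SameSite=Lax; Path=/';
}

// Constructed sample comment: a harmless script tag standing in for
// whatever might be submitted through the comment box.
const sampleComment = 'Nice post! <script>alert("xss")</script>';

console.log(renderCommentUnsafe(sampleComment)); // tag survives, page is exploitable
console.log(renderCommentSafe(sampleComment));   // tag is encoded, shown as text
console.log(sessionCookieHeader('abc123'));
```

The encoded output is what the comment should look like in the stored-XSS case described above; the cookie flags limit what a script that does get through can steal.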


However, as regular users, it would be better for everyone to verify links before clicking anything; otherwise you may lose control of details ranging from your personal life to your bank account.


Pasan Chamikara

Pasan is an undergraduate of the Sri Lanka Institute of Information Technology following a Bachelor of Science specializing in Cyber Security, and is currently working as an Intern - Information Security at Sri Lanka CERT|CC.

Last updated: Fri Oct 14 2016