Cross-site scripting attacks use known vulnerabilities in web-based applications, their servers, or the plug-in systems on which they rely. Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site. When the resulting combined content arrives at the client-side web browser it has all been delivered from the trusted source, and thus operates under the permissions granted to that system. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, to session cookies, and to a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are a case of code injection.
TYPES OF XSS:
There are currently three major categories of cross-site scripting. Others may be discovered in the future, however, so don’t think this sort of misuse of Web page vulnerability is necessarily limited to these three types.
- Non-persistent/Reflected XSS Attack
- Persistent/Stored XSS attack
- DOM based XSS attack
- Impact of XSS attack
  - 4.1 Cookie stealing and account hijacking
  - 4.3 Denial of Service
  - 4.4 Browser exploitation
Next, we describe the methodology for our experiments to detect DOM XSS vulnerabilities on the Internet. In we describe how we crawled websites and which web pages we visited. In we discuss the specifics of the taint-tracking engine we developed. In we describe how we confirmed vulnerabilities. Finally, we detail the methodology for testing static-analysis tools.
- Crawling for DOM XSS vulnerabilities
- Dynamic taint analysis
- Attack confirmation
- Static analysis
Method A: injection at end of URL
Observed URL: example.url.com/path?param=test&a=b
Generated injection

Method B: injection into parameter
Observed URL: example.url.com/path?param=test&a=b
Observed eval-ed string: var a = 'test';
Observed taint location: the 9th through 13th bytes of the string, starting with the first 't' in test and ending with the last 't' in test.
Generated injection URL: example.url.com/path?a=b#&param=INJECT
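As an added example (not code from the paper or its taint-tracking engine), the following JavaScript models how a byte-range taint engine arrives at the "observed taint location" above: the class Tainted and the functions taintedParams, reportEvalSink and observeExample are hypothetical names, and the page logic eval("var a = '" + param + "';") is constructed to match Method B.

```javascript
// Added example, not code from the paper: a minimal byte-range taint model that
// shows how a taint-tracking engine can record which bytes of a string handed
// to eval() originated in a URL parameter (the "observed taint location").
// The page-side code that builds `var a = '<param>';` is constructed here.

class Tainted {
  // value: the string; ranges: [{start, end, source}], 0-indexed, end exclusive
  constructor(value, ranges = []) { this.value = value; this.ranges = ranges; }
  static fromSource(value, source) {
    return new Tainted(value, [{ start: 0, end: value.length, source }]);
  }
  static clean(value) { return new Tainted(value, []); }
  // Concatenation shifts the right-hand taint ranges past the left-hand value.
  concat(other) {
    const off = this.value.length;
    const shifted = other.ranges.map(r => ({ start: r.start + off, end: r.end + off, source: r.source }));
    return new Tainted(this.value + other.value, this.ranges.concat(shifted));
  }
}

// Source: a page that parses document.location.href naively (everything after
// '?', fragment included, split on '&') makes every parameter value tainted.
// Assumption: no percent-decoding, which a real engine would also track.
function taintedParams(url) {
  const q = url.indexOf('?');
  const params = {};
  for (const pair of q < 0 ? [] : url.slice(q + 1).split('&')) {
    if (!pair) continue;
    const [k, v = ''] = pair.split('=');
    params[k] = Tainted.fromSource(v, `url.param.${k}`);
  }
  return params;
}

// Sink monitor: list the tainted byte ranges of the string reaching eval().
function reportEvalSink(code) {
  return code.ranges.map(r => ({
    start: r.start, end: r.end, source: r.source, bytes: code.value.slice(r.start, r.end),
  }));
}

// Constructed page logic: eval("var a = '" + param + "';"), as in Method B.
function observeExample(url) {
  const param = taintedParams(url).param || Tainted.clean('');
  const code = Tainted.clean("var a = '").concat(param).concat(Tainted.clean("';"));
  return { evaled: code.value, taint: reportEvalSink(code) };
}
```

Because the modelled page reads the parameter out of the full href, a parameter placed after '#' reaches eval() just as one in the query does, which is why Method B can move the parameter into the fragment that the server never sees.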
We used the taint-tracking and crawling methodology described in to collect a dataset of tainted flows. We visited 44,722 web pages, which had in total 319,481 frames. One would expect that, trying to visit five subpages on each domain, we would have visited 60,000 web pages: 10,000 top-level pages and 50,000 subpages. However, we skipped loading 1,761 web pages due to robots.txt directives; and we were unable to load 4,094 web pages after three attempts due to timeouts, 462 because Chromium would not load the page (most often due to SSL warnings), and 26 because Chromium crashed when rendering them. Some of the pages that could not be loaded were top-level pages; in that case we also did not visit other pages on that domain.
We describe how we detected DOM XSS vulnerabilities using our dynamic analysis. We then use the results from our dynamic analysis to evaluate different static-analysis tools for detecting DOM XSS vulnerabilities. Finally, we describe the qualitative trends that we observed from manually analyzing a sample of our dataset.