OWASP Top 10 Threats and Mitigations Exam - Single Select - OWASP
Cross-site scripting (XSS) is a code injection attack that allows an This means that it is treated like any other script from that website: it has. In other words, cross-site scripting is a huge threat. The exploit didn't even require a click—simply a mouseover—to redirect users to a pornographic website . should be supplemented with additional safeguards like validation. If input fails to meet the criteria of a whitelist or blacklist, it is simply not. Cross-site scripting Correct; Cross-site request forgery; Insecure direct To increase security in this scenario, an authentication token should meet which of logins to a well-known location instead of automatic redirection.
Keylogging The attacker can register a keyboard event listener using addEventListener and then send all of the user's keystrokes to his own server, potentially recording sensitive information such as passwords and credit card numbers. Phishing The attacker can insert a fake login form into the page using DOM manipulation, set the form's action attribute to target his own server, and then trick the user into submitting sensitive information.
This indicates that the mere presence of a script injected by the attacker is the problem, regardless of which specific code the script actually executes. In general, an XSS attack involves three actors: The website serves HTML pages to users who request them. In our examples, it is located at http: The website's database is a database that stores some of the user input included in the website's pages.
The victim is a normal user of the website who requests pages from it using his browser. The attacker is a malicious user of the website who intends to launch an attack on the victim by exploiting an XSS vulnerability in the website. The attacker's server is a web server controlled by the attacker for the sole purpose of stealing the victim's sensitive information. An example attack scenario In this example, we will assume that the attacker's ultimate goal is to steal the victim's cookies by exploiting an XSS vulnerability in the website.
This can be done by having the victim's browser parse the following HTML code: The URL includes the victim's cookies as a query parameter, which the attacker can extract from the request when it arrives to his server. Once the attacker has acquired the cookies, he can use them to impersonate the victim and launch further attacks. Injection Insecure direct object reference Correct Cross-site request forgery 36 Which of the following objects is most susceptible to an insecure direct object reference attack?
Executing commands on the server. Impersonating any user on the system.
Cross-site scripting attacks: A cheat sheet - TechRepublic
Modifying SQL data pointed to by the query. Accessing a resource without authorization. Correct 38 Which of the following is the best way to mitigate the threat of an insecure direct object reference attack? Use a regular expression. Send successful logins to a well-known location instead of automatic redirection. True Correct False 40 Your Web application stores information about many accounts. We are motivated by the application of fuzzy logic for detection of web security issues by Mankad [ 17 ] and phishing website detection by Alberto et al.
They applied a fuzzy inference system to assess risks due to code injection vulnerabilities, based on a set of linguistic terms for vulnerability and severity levels. The work of Mankad [ 21 ] develops a rule-based security assurance system. It relies on extracting the exploitation paths of an application and then represents each path as a finite-state automaton (FSA) that can be used as a rule-based signature to detect exploitation.
The work of Abbass and Nasser [ 28 ] proposes a fuzzy logic-based approach for detecting buffer overflow vulnerability in C programs. The work done by Hossain and Hisham [ 11 ] was a fuzzy logic-based system to assess risks due to different types of code injection vulnerabilities.
They proposed code-level metrics that were used to establish the linguistic terms relating the subjective magnitude of a vulnerability to the impact of its actual exploitation. The fuzzy system obtained information about webpages using web services; this information determined the fuzzy inputs, each of which was given a rating between one and three. Also, to assess vulnerability risks in web applications, Hossain and Hisham [ 30 ] developed a fuzzy logic-based system (FLS) framework to assess the code injection vulnerabilities present in an application.
They also developed a set of rule bases to assess the risk level. The FLS could be a useful tool to aid application developers and industry practitioners in assessing risk and planning ahead by employing the necessary mitigation approaches. The authors evaluated their proposed approach using three real-world web applications implemented in PHP.
The initial results indicate that the proposed FLS approach can effectively discover vulnerabilities in high-risk applications. Alakeel [ 31 ] presented a novel software testing metric technique for assertion-based software testing based on fuzzy logic. The main goal of the proposed approach was to enhance the performance of assertion-based software testing in the presence of a large number of assertions. The results of this experiment are very encouraging: applying the proposed approach enhanced the performance of assertion-based testing, as shown by the increase in the number of assertions violated in the programs considered in the experiment.
Kanchan and Harmanpreet [ 7 ] proposed a learning algorithm that selects a set of attributes from a given data set, weighted by the SVM technique, and then classifies them into fuzzy rules using the Apriori algorithm and a fuzzy inference engine to detect anomalies in the software development process.
It selects the relevant attributes by outlier analysis and computes association rules with the Apriori algorithm. It then generates fuzzy association rules by min-max derivation, and the inputs are analysed with the Mamdani fuzzy inference system. This paper is motivated by the observation that XSS vulnerability detection can be modeled as a fuzzy inference system.
Also, other approaches in the literature lack the capability to estimate the overall risk due to diverse severity levels for a given vulnerability, as also corroborated by Mankad et al. Thus, a suitable framework to detect XSS by introducing a decision-making inference system is hereby introduced. Proposed Approach XSS is one of the most exploited weaknesses in web applications and one of the most studied. Full protection is not possible, as full protection against any programming error or bug is difficult to achieve.
Good programming practices, intelligence in libraries, and browsers have been developed to protect against XSS, and many tools have been proposed to detect XSS risks, as detailed in the previous two sections (Introduction and Related Works). In this section, we present our approach for detecting XSS in web applications, together with the fuzzy inference procedure applied in the detection phase. Detecting XSS Attacks We prepare a background to identify any XSS or redirection vulnerabilities that could be initiated by using a maliciously crafted URL to introduce malicious data into the DOM of the input webpages, both statically and dynamically generated.
If the data, or a manipulated form of them, are passed to one of the following application programming interfaces (APIs), the application may be vulnerable to XSS. As listed by Krishnaveni and Sathiyakumari [ 33 ], the seven sources through which XSS vulnerabilities could be introduced into web applications are the following: HTTP Referrer Header The HTTP referrer is a header field that identifies the address of the webpage that linked to the resource being requested, so that the new webpage can see where the request originated.
More generally, a referrer is the URL of the previous item which led to the present request. Because of the sensitive information the referrer header carries, it can easily be used to violate privacy and introduce vulnerabilities. We created a module that checks for referrer header injection vulnerabilities by tagging all referrer headers and checking whether requests have been altered. In this alteration check, the module tests whether the referrer is subject to XSS payload injection.
Window Location Test This property returns a Location object with information about the current location of the document. Although window location is a read-only object, it can be assigned a DOM string, which means that location can be used as if it were a string in most cases. This introduces possible manipulation which needs to be checked, as it can be an entry point for malicious code injection.
We trace the relevant data through the code to identify what actions are performed with it. If the data or a manipulated form of them are passed to one of the window location APIs, the application may be vulnerable to XSS.
The Document Referrer This points to the page that linked to the current page inside the Iframe. If the content contains links that allow users to navigate through a few pages, then only the first page loaded inside the Iframe will have a parent frame URI as document.
However, many developers do not pay adequate attention to this restriction. Each page loaded by clicking a link inside the Iframe will have the URI of the page containing the link as its document referrer.
Because the user controls every aspect of every request, including the HTTP headers, this control can easily be circumvented by using an intercepting proxy to change the value of the document referrer to the value that the application requires. Part of the DOM testing module checks the URL of the webpage being visited and returns true or false according to whether the document referrer object is disabled.
Releasing information about sensitive documents that may be contained on a webpage gives attackers an opening to manipulate unguarded web applications.
Applications frequently transmit data via the client using preset URL parameters. Cookies Cookies are often used in web applications to identify users and their authenticated session. The cookie value string must not contain commas, semicolons, or whitespace, which are disallowed in cookie values.
Some user agent implementations support cookie prefixes that signal to the browser that the cookie must be transmitted over a secure channel. Cookies must be restricted and traced to a secure origin, which prevents the cookie from being sent to other domains.
Headers These are used to provide information about the HTML document in a Meta tag or to gather information about another document. They can be used to describe the size of the data or to check another document that the server should return i.
Headers could easily be redirected, and the information they contain could easily be made available to attackers, so headers are considered possible entry points for input-based attacks. Many important categories of vulnerabilities are triggered by unexpected user input and can appear anywhere within the application.
Any XSS or redirection vulnerabilities are identified by the injection module, which detects where a crafted URL would introduce malicious data into the DOM of the relevant page. This is achieved by visiting every node in the webpage and subjecting each node to the various DOM tests outlined in the algorithm.
The algorithm returns a vulnerability summary for the content of each node visited; this summary indicates the possibility of XSS in the web application. The developed system scans websites recursively, building an internal representation of the site in a tree-like data structure called path state nodes, because in addition to analyzing page content, the crawling engine performs several tests on each potential path to determine whether it is a file or a directory.
System Architecture The input to the detection system is obtained by extracting suspected malicious features from web application pages. Then, we develop a script that connects to the URL entered and outputs the attributes associated with the elements, which are then forwarded to the fuzzy inference system to identify possible vulnerability occurrences. Figure 4 presents the system architecture. The Fuzzy Logic Component This component describes the design strategy for generation of the fuzzy inference procedure.
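As an added example, not the paper's own module, the per-node source-to-sink check described in this section over a constructed page: inline scripts and on* handler attributes are the DOM nodes, the taint sources are those listed above (referrer, window location, URL parameters, cookies), and the sink set, the regexes, the one-variable taint tracking and the sample page are assumptions made here.

```python
import re
from html.parser import HTMLParser

# Taint sources from the paper's list; the regexes and sink set are assumptions made here.
SOURCES = {"document.referrer": r"document\.referrer",
           "window.location": r"\blocation\.(?:href|hash|pathname)\b|\bwindow\.location\b",
           "URL parameter": r"URLSearchParams|location\.search",
           "document.cookie": r"document\.cookie"}
SINKS = r"innerHTML|outerHTML|document\.write|insertAdjacentHTML|\beval\("
ASSIGN = re.compile(r"^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=[^=]")

class ScriptCollector(HTMLParser):
    # Each inline <script> body and each on* handler attribute becomes one DOM node to test.
    def __init__(self):
        super().__init__()
        self.buf, self.nodes = None, []   # script text being read; (node, js) pairs
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.buf = []
        self.nodes += [(f"<{tag} {n}>", v) for n, v in attrs if n.startswith("on") and v]
    def handle_data(self, data):
        if self.buf is not None:
            self.buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self.buf is not None:
            self.nodes.append(("<script>", "".join(self.buf)))
            self.buf = None

def scan_page(html):
    # Vulnerability summary: statements where a source, or a variable assigned from one, reaches a sink.
    c = ScriptCollector()
    c.feed(html)
    summary = []
    for node, code in c.nodes:
        tainted = {}                       # identifier -> sources it was assigned from
        for stmt in re.split(r"[;\n]", code):
            srcs = [n for n, p in SOURCES.items() if re.search(p, stmt)]
            srcs += [s for v, o in tainted.items() if re.search(rf"\b{re.escape(v)}\b", stmt) for s in o]
            m = ASSIGN.match(stmt)
            if m and srcs:
                tainted[m.group(1)] = sorted(set(srcs))
            sink = re.search(SINKS, stmt)
            if sink and srcs:
                summary.append({"node": node, "sink": sink.group(0), "sources": sorted(set(srcs))})
    return summary

# Constructed sample page: reflected search term, referrer shown safely, cookie in a handler.
SAMPLE_PAGE = """<html><body><script>
  var q = new URLSearchParams(location.search).get('q');
  document.getElementById('out').innerHTML = 'Results for ' + q;
  var back = document.referrer;
  document.getElementById('back').textContent = back;
</script><div id="out"></div><a id="back"></a>
<img src="x" onerror="document.write(document.cookie)"></body></html>"""
```

The referrer flow into textContent is not reported because that sink does not interpret markup; counts of flagged flows per source are the kind of crisp feature the fuzzy stage consumes.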
The fuzzy inference system employs the Fuzzy IF-THEN rules which can model the qualitative aspect of human knowledge without employing precise qualitative analysis [ 17 ]. Due to their concise form, Fuzzy IF-THEN rules are often employed to capture the imprecise modes of reasoning that play an essential role in the human ability to make decisions in an environment of uncertainty and imprecision.
Here, each input fuzzy set defined in the fuzzy system includes three membership functions, and the output fuzzy set also contains three membership functions. Each membership function uses a triangular function for the fuzzification strategy. Defining Linguistic Variables and Terms We consider each of the parameters defined in Figure 3 as crisp inputs for the fuzzy inference system. Each crisp input is mapped to three linguistic terms (fuzzy variables): Low, Medium, and High.
Table 1 shows the crisp input characteristics X1—X7 and the corresponding linguistic variables Low, Medium, and High. Crisp input and linguistic variables. Assignment of Membership Functions We define membership functions for each of the linguistic variables as follows. Fuzzy sets can have a variety of shapes; however, a triangle-shaped or trapezoid-shaped membership function often provides a suitable representation.
To define the membership function for each linguistic variable, we apply the triangular membership function (TMF) for easy and clear representation. The membership function was obtained by dividing the input space into equal partitions in a triangular format, as in Table 2, with three rules each for High, Low, and Medium. Linguistic variables and membership function.
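An added example, not the paper's implementation, of the fuzzification and inference described above: triangular membership functions over an input space divided into equal partitions for Low, Medium and High, one "IF Xi is T THEN Risk is T" rule per input and term, Mamdani min/max combination and centroid defuzzification. The 0..10 input range, the rule set and the sample feature vectors are assumptions made here.

```python
def tri(x, a, b, c):
    """Triangular membership function (TMF): 1 at b, falling to 0 at a and c."""
    if x == b:
        return 1.0
    if x < b:
        return (x - a) / (b - a) if x > a else 0.0
    return (c - x) / (c - b) if x < c else 0.0

def partitions(lo, hi):
    """Divide the input space [lo, hi] into three equal triangular partitions."""
    mid = (lo + hi) / 2
    return {"Low": (lo, lo, mid), "Medium": (lo, mid, hi), "High": (mid, hi, hi)}

def fuzzify(crisp, lo=0.0, hi=10.0):
    """Map each crisp input X1..X7 to its Low/Medium/High membership degrees."""
    sets = partitions(lo, hi)
    return [{t: tri(x, *sets[t]) for t in sets} for x in crisp]

def infer(crisp, lo=0.0, hi=10.0, steps=200):
    """Mamdani inference with the assumed rules 'IF Xi is T THEN Risk is T'.
    Rule strengths per term combine by max, each output term is clipped at its
    strength, and the aggregated set is defuzzified by the centroid method."""
    sets = partitions(lo, hi)
    degrees = fuzzify(crisp, lo, hi)
    strength = {t: max(d[t] for d in degrees) for t in sets}
    num = den = 0.0
    for k in range(steps + 1):
        y = lo + (hi - lo) * k / steps
        mu = max(min(strength[t], tri(y, *sets[t])) for t in sets)
        num, den = num + y * mu, den + mu
    risk = num / den if den else lo
    label = max(sets, key=lambda t: tri(risk, *sets[t]))
    return strength, risk, label

# Constructed feature vectors X1..X7 on a 0..10 scale (for instance, counts of
# tainted referrer/location/cookie/parameter/header flows found by a scanner).
SAFE_PAGE = [0, 0, 0, 0, 0, 0, 0]
MIXED_PAGE = [2, 9, 5, 0, 0, 0, 0]
```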