Saturday, June 18, 2011

Cross Site Scripting Attack Vulnerability

INTRODUCTION

Cross-site scripting attacks are those in which attackers inject malicious code,
usually client-side scripts, into web applications from outside sources. Because
of the number of possible injection locations and techniques, many applications
are vulnerable to this attack method. Scripting attacks differ from other web
application vulnerabilities because they attack an application’s users, not an
application’s infrastructure, but they can still cause a great deal of damage.

WHAT IS AN XSS ATTACK

Scripting attacks inject code, usually a client-side script, into a web application's output. Although several client-side scripting languages exist, JavaScript is the most common, best known, and best supported.

Hackers can inject JavaScript (a routinely used scripting solution that is executed in the user's web browser). JavaScript is normally used for legitimate functionality on websites, but in the hands of a hacker it can be used for malicious purposes. Here are but a few examples:
  •  steal cookies, which can then be used to impersonate your customer and gain access to their data and privileges. This is also known as Session Hijacking;
  •  redirect the user to another website of the attacker's choosing, perhaps one that is quite offensive, or one that attempts to install malware onto the user's computer;
  •  display alternate content on your own website;
  •  port-scan the customer's internal network, which may lead to a full intrusion attempt.

In order to accomplish a Cross-Site Scripting attack, the attacker needs a Reflection Point. A Reflection Point is any point where user input is reflected back by the website in any way. There are two primary classes of Reflection Points:
  1. Immediate / Non-Persistent: input from a customer is displayed immediately on the page.
  2. Persistent: user content is stored and displayed at some later point to themselves and possibly to others.
PERSISTENT XSS

A hacker is required to commit a bit of effort to perform a successful attack against a Non-Persistent Reflection Point that is vulnerable to Cross-Site Scripting. It requires them to deliver the attack by way of a 3rd party such as e-mail (spam or targeted), chat, or a link from another website. The persistent case usually occurs where a 3rd party is asked to comment on a particular product or topic: the hacker posts his comment along with malicious code, and that code runs in the customer's browser each time the customer visits that page.

Persistent Reflection Point

On some websites, customer content is stored in a database and then shown to themselves and possibly other customers at a later point. These are known as Persistent Reflection Points. The attacker's code gets saved in the database of the target site, and whenever a customer makes the particular query that displays it, it gets executed again and again. Consider the situation where a hacker leaves a comment along with malicious code: any customer visiting your site who views the product and the associated comments will be attacked. There is no e-mail needed and no link from any other site; just visiting your site can cause your customers to have their accounts hijacked, potentially have malware installed on their computers, or suffer any of the various other scenarios a hacker can come up with. A user has an implicit sense of trust when using a website (as opposed to e-mails, where they at least have a chance to avoid an attack by being cautious about unsolicited e-mails).
Some persistent XSS attacks will attempt to upload malware to user systems, which will often create warning alerts.

DETECTION OF PERSISTENT XSS ATTACKS

Testing for persistent cross-site scripting attacks using an automated scanner involves very significant technical challenges. Testing for non-persistent attacks is fairly simple: you perform an attack and check the resulting page to see whether the injected code is present and whether it creates a popup.

Persistent cross-site scripting is far more difficult to detect because the attack will only appear on a page where user-generated content appears. Because user-generated content can appear in a variety of ways and places, it is very difficult to locate the reflection points, yet finding the reflection point is the only way to tell whether the attack has succeeded. All other web application scanners are only capable of testing for Non-Persistent and immediate Reflection Points, which means they would entirely miss the most dangerous potential problems on your website.

NTOSpider is the only web application scanner on the market that includes a Pre-Attacking Reflection
Analysis engine capable of properly detecting Persistent Reflection Points.

NON-PERSISTENT XSS

The non-persistent vulnerability is by far the most common type. These holes show up when data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user, without properly sanitizing the request.

A classic example of a potential vector is a site search engine: if one searches for a string, the search string will typically be redisplayed verbatim on the result page to indicate what was searched for. If this response does not properly escape or reject HTML control characters, a cross-site scripting flaw will ensue. This is a non-persistent reflection point. Any data that lands on your web page from an external source has the potential to carry malicious scripts. A website basically contains two types of pages, STATIC and DYNAMIC; untrusted content can be introduced into the dynamic pages.

It is very easy to detect. Just type a simple piece of JavaScript like <script>alert(/XSS/)</script> into the website's search engine or any other user-input field and press Enter. If the page contains a non-persistent XSS reflection point, an alert box will pop up, thereby confirming the presence of a Non-Persistent XSS vulnerability.
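To make the two reflection points and the detection problem above concrete, here is an added example (it is not code from the original post and does not model any particular site): a toy Node.js site with a non-persistent search echo and a persistent comment list, each rendered either unsafely by string concatenation or with HTML output escaping, plus a defender-side reflection check. The check submits a harmless canary that contains HTML metacharacters but no script, then looks at every page the site can produce and reports whether the canary came back raw, escaped, or not at all. All function names, the canary value and the sample comments are this example's own constructions.

```javascript
// Added example, not code from the original post: a toy site with the two
// reflection points the post describes, a non-persistent search echo and a
// persistent comment list, each rendered either unsafely or with HTML output
// escaping, plus a defender-side reflection check that probes both with a
// harmless canary. All function names here are this example's own.

// Escape the characters that matter in HTML text and quoted-attribute contexts.
// (This is output encoding for the HTML body context; JavaScript or URL
// contexts need their own encoders, which this example does not cover.)
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Non-persistent reflection point: the search term is echoed straight back on
// the result page. With escape=false this is the search-engine flaw the post
// describes; with escape=true the same input is rendered as inert text.
function renderSearch(query, { escape }) {
  const shown = escape ? escapeHtml(query) : query;
  return `<p>You searched for: ${shown}</p>`;
}

// Persistent reflection point: comments are stored and rendered later, on a
// different page, to whoever views the product.
function makeCommentStore() {
  const comments = [];
  return {
    add(author, text) {
      comments.push({ author, text });
    },
    render({ escape }) {
      const enc = escape ? escapeHtml : (s) => String(s);
      const items = comments.map(
        (c) => `<li><b>${enc(c.author)}</b>: ${enc(c.text)}</li>`
      );
      return `<ul>${items.join("")}</ul>`;
    },
  };
}

// Reflection analysis: the canary is inert (no script, no event handler) but
// carries the '<' and '>' that a real payload would need, so a page that returns
// it with those characters intact is a live reflection point.
const CANARY = "<zz-canary-7f3a-zz>"; // constructed marker with no real meaning

function classifyReflection(pageHtml, canary) {
  if (pageHtml.includes(canary)) return "raw"; // reaches the page unescaped
  if (pageHtml.includes(escapeHtml(canary))) return "escaped"; // encoded on output
  return "absent"; // not reflected on this page
}

// Probe both reflection points and report how each one handles the canary.
// The persistent check has to revisit the comments page after the submission,
// which is the step the post says scanners tuned to immediate echoes miss.
function analyzeSite({ escape }) {
  const searchPage = renderSearch(CANARY, { escape });

  const store = makeCommentStore();
  store.add("alice", "Great product"); // ordinary constructed content
  store.add("probe", CANARY); // the submitted probe
  const commentsPage = store.render({ escape });

  return {
    search: classifyReflection(searchPage, CANARY),
    comments: classifyReflection(commentsPage, CANARY),
  };
}

// Stand-alone run: the unsafe renderer reflects the canary raw on both pages,
// the escaping renderer reflects only the encoded form.
console.log("unsafe: ", analyzeSite({ escape: false }));
console.log("escaped:", analyzeSite({ escape: true }));
```

The canary deliberately does nothing when it lands in a browser; the classification is made on the server-side output alone, so the same check can be run against the rendered HTML of every page a site can produce without ever executing a payload. The escaping renderer also turns the post's manual probe, <script>alert(/XSS/)</script>, into &lt;script&gt;alert(/XSS/)&lt;/script&gt;, which the browser displays as text rather than running.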

When I tested for XSS vulnerabilities, I frequently found many well-known sites to have such security vulnerabilities.

Screenshots for certain sites are made available here:

Various session information can be exposed by XSS using JavaScript.

Will update more about XSS in my next post... till then, enjoy...
THANK YOU
