XSS Attack Techniques

XSS attacks can be performed in two different ways: non-persistent and persistent. Non-persistent attacks require a user to visit a specially crafted link laced with malicious code. Upon visiting the link, the code embedded in the URL is echoed back by the site and executed within the user’s web browser. Persistent attacks occur when the malicious code is submitted to a web site, where it is stored for a period of time. An attacker’s favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to click on any link, but simply to view the web page containing the code.

Here’s how:

Persistent Attack
Most web sites host bulletin boards where registered users may post messages. A registered user is commonly tracked using a session ID cookie that authorizes them to post. If an attacker were to post a message containing specially crafted JavaScript, a user reading that message could have their cookies, and with them their account, compromised.
Cookie Stealing Code Snippet:

Non-Persistent Attack
Most web portals offer a personalized view of a web site and greet a logged-in user with “Welcome,” followed by their name. Sometimes the data identifying the logged-in user is stored within the query string of the URL and echoed to the screen.
Portal URL example:

In the example above, the username “Joe” is stored in the URL and the resulting web page displays a “Welcome, Joe” message. If an attacker were to modify the username field in the URL, inserting cookie-stealing JavaScript, it would be possible to gain control of the user’s account.

A large percentage of people will be suspicious if they see JavaScript embedded in a URL, so most of the time an attacker will URL-encode the malicious payload, similar to the example below.

URL Encoded example of Cookie Stealing URL:

Decoded example of Cookie Stealing URL:

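As an added example (not code from the original article), the reflected “Welcome, …” case above in Python: the username parameter is decoded from a URL-encoded link the way the server sees it, echoed once unsafely and once HTML-escaped, with a log-side check that flags markup in a field that should only ever hold a name. The host portal.example, the page welcome.php and the parameter name are assumptions, and the script-tag value is a constructed test string.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs for a hypothetical portal (host, page and the
# "name" parameter are assumptions, not taken from the original article).
BENIGN_URL = "http://portal.example/welcome.php?name=Joe"
# The same parameter carrying a URL-encoded script tag: the encoding only
# hides the markup from a person reading the link, not from the server.
ENCODED_URL = ("http://portal.example/welcome.php"
               "?name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E")


def extract_name(url):
    """Return the 'name' query parameter, percent-decoded the way the
    server (and therefore the page that echoes it) sees it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("name", [""])[0]


def render_vulnerable(name):
    """Echo the value straight into the page: the browser parses and
    executes any markup the parameter contains."""
    return "<p>Welcome, " + name + "</p>"


def render_safe(name):
    """HTML-escape the value before echoing it, so <, >, & and quotes
    become entities and a script tag is displayed as text, not run."""
    return "<p>Welcome, " + escape(name, quote=True) + "</p>"


def flag_suspicious(url):
    """Defender-side check for a request log: a username never contains
    markup, so angle brackets or a javascript: scheme in the decoded
    value mark a reflected-XSS attempt worth alerting on."""
    decoded = extract_name(url).lower()
    return any(marker in decoded for marker in ("<", ">", "javascript:"))


if __name__ == "__main__":
    for url in (BENIGN_URL, ENCODED_URL):
        name = extract_name(url)
        print("decoded name:", name)
        print("vulnerable  :", render_vulnerable(name))
        print("escaped     :", render_safe(name))
        print("suspicious  :", flag_suspicious(url))
```

Note that the check runs on the decoded value: matching on the raw, still-encoded query string would miss the `%3C` form the page describes.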