A Quick Note on Cross Site Scripting (XSS)

Date Published: 24/05/2009 13:27

Recently I checked through my server logs and came across some rather strange requests originating from a variety of IP addresses. The requests came through with either an innocuous or a non-existent user agent and had very strange variables in the query string. I immediately recognised these as attempts to perform a cross site scripting (XSS) attack on my site. It just so happens that I was well aware of this sort of technique whilst building the site, and therefore I have many facilities in place to protect my server, my data and, most importantly, my users. Here is a quick overview of cross site scripting and what you need to be doing to make sure there isn't a successful attack on you.

How do XSS Attacks Work?

Cross site scripting attacks work by making your site or server execute scripts which were supplied by a malicious user. XSS attacks vary greatly in both what they target and how they target it. Some attempt to insert Javascript into your site, whilst others attempt to execute their own server-side scripts or SQL queries. The problem arises when the script supplied during the attack is not caught by validation and therefore makes its way further into the system.

Some time ago a website which had been built by my agency years before became subject to an SQL injection attack. The problem stemmed from two weaknesses in the setup of the site. The first was that the web user account used to access the database server had INSERT, UPDATE and DELETE permissions on the database when it only needed SELECT. Combined with poor query string validation in the code itself, this meant a hacker was able to append an SQL query to the URL, which was then executed when it reached the database server. The query was written to append a small piece of Javascript onto the end of every data item in the database with the data type varchar. The result was every page inadvertently outputting malicious Javascript which redirected users to an external site prompting them to download a virus.

How Do I Know if I am Being Subjected to XSS Attacks?

The first thing to consider is whether you can detect when XSS attacks are being made against your server. Most Apache installations log to an access_log file by default, so you may want to start by browsing through that to see if you can spot anything suspicious. Look for request URLs containing query string values you would not usually expect, which may indicate malicious intent. I find the easiest method of tracking requests is to log each request that is made to a database. What you put in the database is up to you, but including information such as user agent, IP address, script requested, query string and referer can be very useful for future reference. Using a database, as opposed to relying only on Apache's access log, also allows you to quickly search your records for similar incidents.

You should be looking for query string values which either contain large amounts of seemingly nonsensical data or obvious signs of script. A lot of the attacks I have seen have attempted to overwrite the "DOCUMENT_ROOT" entry of the $_SERVER array in PHP, so that any includes made using this variable are re-routed, for that script call, to an external server. If someone is trying to do this to you, there will be something like the following in your query string (_SERVER["DOCUMENT_ROOT"]=www.example.com/scripts/hi.txt). Another easily noticeable attempt is where there are script tags containing Javascript in the query string.
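The checks described above can be automated. The following Python script is an added example, not code from the original article: it parses Apache combined-format log lines and flags requests whose query string tries to set a PHP superglobal (the _SERVER["DOCUMENT_ROOT"] trick, generalised here to the other superglobals), contains a script tag, or carries an unusually long value. The log lines are constructed for the example, and the list of superglobals and the 200-character length threshold are assumptions of mine rather than anything the article specifies.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format:
#   ip ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators from the article: a script tag in a parameter, and an attempt to
# overwrite a PHP superglobal such as _SERVER[DOCUMENT_ROOT]. The superglobal
# list and the length threshold are assumptions made for this example.
SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)
SUPERGLOBAL_RE = re.compile(r"^_(SERVER|GET|POST|COOKIE|REQUEST|SESSION|ENV|FILES)\b",
                            re.IGNORECASE)
MAX_VALUE_LEN = 200


def suspicious_query(target: str) -> list[str]:
    """Return the reasons (if any) why the query string of a request target looks hostile."""
    reasons = []
    query = urlsplit(target).query
    for key, value in parse_qsl(query, keep_blank_values=True):  # values are URL-decoded here
        if SUPERGLOBAL_RE.match(key):
            reasons.append(f"attempt to set PHP superglobal via parameter {key!r}")
        if SCRIPT_TAG_RE.search(key) or SCRIPT_TAG_RE.search(value):
            reasons.append(f"script tag in parameter {key!r}")
        if len(value) > MAX_VALUE_LEN:
            reasons.append(f"unusually long value in parameter {key!r} ({len(value)} chars)")
    return reasons


def scan_log(log_text: str) -> list[dict]:
    """Parse combined-format log lines and return the requests that trip an indicator."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        reasons = suspicious_query(match["target"])
        if reasons and match["ua"] == "-":
            # A missing user agent is only worth noting alongside another indicator
            reasons.append("no user agent supplied")
        if reasons:
            hits.append({"ip": match["ip"], "time": match["time"], "target": match["target"],
                         "user_agent": match["ua"], "reasons": reasons})
    return hits


# Constructed log lines for this example; the addresses, paths and agents are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [24/May/2009:13:01:02 +0100] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [24/May/2009:13:02:10 +0100] "GET /index.php?_SERVER[DOCUMENT_ROOT]=www.example.com/scripts/hi.txt HTTP/1.1" 200 5120 "-" "-"
10.0.0.7 - - [24/May/2009:13:03:44 +0100] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812 "-" "libwww-perl/5.805"
10.0.0.8 - - [24/May/2009:13:04:01 +0100] "GET /news.php?id=3 HTTP/1.1" 200 2048 "http://example.org/" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["time"], hit["target"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run against a real access_log by reading the file into scan_log; the second and third constructed lines are the ones flagged, the first and fourth pass. The dictionaries it returns carry exactly the fields the article suggests storing (IP, time, script and query string, user agent), so they can be inserted into a table for later searching.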

How Can I Prevent a Cross Site Scripting Attack?

There are a few measures you can take to ensure these attacks are not a problem for you. Preventing hackers from making the attempts is very difficult, but validating input so that the attempts are not successful is quite simple. Here is a list of things to consider; if you feel your site may be vulnerable in any of these areas, look into fixing it right away.

  1. Register Globals OFF (PHP and Apache Only) - One of the easiest ways to prevent a large number of attacks is to ensure register globals is switched off. By having it switched on you are giving hackers easy access to your variables. If your code requires globals, change it so that it doesn't.
  2. Validate ALL User Input - This may seem an obvious one, but people don't realise that user input is NOT only form input. Just because your users never actively change the query string themselves doesn't mean nobody will try. Validate all input pessimistically and don't take it for granted that what's in there is what you are expecting. Cookies are also something that are not often validated. There are ways to change cookie values maliciously, so take extra care with these too.
  3. Parameterise Your SQL - Pass data to your database server using parameters and not just plain SQL; this way your queries can't be hijacked.
  4. Strip Tags from User Input - If you are passing a value from the user straight into the page, make sure you strip out any HTML tags which could interfere with execution. This could include Javascript allowing hackers to read or modify cookies from your domain.
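Items 2 to 4 above, and the SQL injection story earlier in the article, can be shown side by side in a few lines. The following Python script is an added example written for this page, not the article's own code (the article's site is PHP; sqlite3 stands in for the database server, so the account-permission problem from the story is not reproduced here). It puts the vulnerable string-built query next to its parameterised form, adds a pessimistic validator in front of it, and shows both stripping tags and escaping them before user text reaches the page. The table and its rows are constructed for the example, and the "positive integer of at most ten digits" rule is an assumption of mine.

```python
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with constructed rows standing in for a news table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news (id, title, body) VALUES (?, ?, ?)",
        [(1, "Site launched", "Welcome."),
         (2, "Maintenance", "Down for an hour on Sunday."),
         (3, "Private draft", "Not published yet.")],
    )
    return conn


# The mistake: a query string value pasted straight into the SQL text.
def find_news_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list[tuple]:
    sql = "SELECT id, title FROM news WHERE id = " + raw_id   # injection point
    return conn.execute(sql).fetchall()


# Item 3: parameterise the query, so the value is data and can never become SQL.
def find_news_parameterised(conn: sqlite3.Connection, raw_id) -> list[tuple]:
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (raw_id,)).fetchall()


# Item 2: validate pessimistically before the value goes anywhere near the database.
ID_RE = re.compile(r"[1-9][0-9]{0,9}")   # positive integer, at most ten digits (assumed rule)


def validate_id(raw_id: str) -> int:
    if not ID_RE.fullmatch(raw_id):
        raise ValueError(f"rejected id parameter: {raw_id!r}")
    return int(raw_id)


def find_news(conn: sqlite3.Connection, raw_id: str) -> list[tuple]:
    """Validate first, then query with a parameter: both defences together."""
    return find_news_parameterised(conn, validate_id(raw_id))


# Item 4: never let user text reach the page as markup.
TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(text: str) -> str:
    """Remove anything that looks like a tag, as the article suggests."""
    return TAG_RE.sub("", text)


def render_comment(text: str) -> str:
    """Escape rather than strip: the text survives intact but cannot execute."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    payload = "1 OR 1=1"   # classic tautology supplied in place of a numeric id
    print("vulnerable   :", find_news_vulnerable(conn, payload))      # every row, draft included
    print("parameterised:", find_news_parameterised(conn, payload))   # nothing matches a literal string
    try:
        find_news(conn, payload)
    except ValueError as err:
        print("validated    :", err)                                   # rejected before the query runs
    print(strip_tags("<script>alert(1)</script>"))
    print(render_comment("<script>alert(1)</script>"))
```

Escaping is shown alongside stripping because a regex tag stripper is easy to get wrong, whereas html.escape makes the characters inert without losing the user's text. Validation and parameterisation are kept as separate functions so that each can be seen doing its job on its own; in real code you want both, plus a database account that has only the SELECT permission the page needs.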

Conclusion

You may feel that the likelihood of someone attempting to hack your site is very slim, but don't take that for granted. XSS attacks are usually carried out by bots searching the web for potential targets rather than by a human being. These bots are regularly based on machines infected with a virus, so chances are the owner of the computer has no idea what is happening. A bot will not hold back from hacking your site just because it only has a handful of visitors, as it only takes one of those visitors to be infected from the results of the hack for it to be worthwhile. As webmasters it is our responsibility not to expose our visitors to potential viruses, so however big or small your site, you should take prevention of these kinds of attacks very seriously.
