Preventing XSS attacks

Discussion in 'other security issues & news' started by Rmus, May 12, 2007.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    In this thread elio discusses various scenarios that can carry out an XSS attack, and he posts code to demonstrate this.

    I would like to consider just one scenario: your login page on a secure site has been compromised.
    As soon as you enter your user ID and password, this information is sent to the hacker.

    The weakness in this attack is at the point when the information is sent out via the browser.
    Here lies one method of prevention.

    It requires that you have three browser rules in your firewall ruleset:
    • 1) HTTP Port 80 any address: this is your normal surfing rule - all traffic permitted

    • 2) HTTP Port 80 custom addresses: here, you enter any HTTP address that your transaction sites use

    • 3) HTTPS Port 443 custom addresses: same as rule 2) but HTTPS
    Here is my rule set:

    http://www.urs2.net/rsj/computing/imgs/xss_ruleset.gif

    The second two rules have created a White List (custom addresses) of permitted IPs.
    You would enter all of the URLs for your secure sites into the Custom Addresses.

    Then, before going to your secure site, you disable the first browser rule, which then passes
    the check down to the next rules and nothing can connect out that is not on this White List (Custom Addresses).

    Here is the demo script, modified to attempt to connect out to send the information.
    The Wikipedia link substitutes for a hacker's IP.

    http://www.urs2.net/rsj/computing/imgs/xss_script.gif

    In addition, you can see that his demo script loads a test page to indicate that the attack
    would have been successful.

    However, my test shows that it can be blocked: since the Wikipedia link is not on the White List,
    the request to connect out is not successful:

    http://www.urs2.net/rsj/computing/imgs/xss_kerio-2.gif
    ____________________________________________________________________

    At this point, an alert user would know that something is amiss.

    Several mentioned that this method is cumbersome, so I'm hoping that others
    can suggest ways of preventing this type of attack.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
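To make the rule ordering in the post concrete, here is an added example (not code from the thread or from any firewall product) that models the three browser rules as a first-match ruleset with an implicit final deny, and runs the two requests a compromised login page would cause through it: the real login submission and the injected script's attempt to send the credentials elsewhere. The host names, rule labels and URLs are constructed assumptions; the Wikipedia host stands in for the attacker's address exactly as in the post's demo.

```python
"""Model of the three-rule egress allowlist described in the post.

Constructed example: rule names, host names and URLs are assumptions,
not values taken from the thread or from any real firewall product.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist ("Custom Addresses"): the hosts of the secure sites
# the user actually logs in to. These names are assumptions.
SECURE_SITES: FrozenSet[str] = frozenset({"bank.example", "webmail.example"})


@dataclass
class Rule:
    name: str
    port: int
    hosts: Optional[FrozenSet[str]]  # None means "any address"
    enabled: bool = True


def build_ruleset(surfing_rule_enabled: bool) -> List[Rule]:
    """The three browser rules from the post, in the order they are checked.

    Rule 1 is the one the user disables before visiting a secure site.
    """
    return [
        Rule("1) HTTP any address", 80, None, enabled=surfing_rule_enabled),
        Rule("2) HTTP custom addresses", 80, SECURE_SITES),
        Rule("3) HTTPS custom addresses", 443, SECURE_SITES),
    ]


def _host_and_port(url: str) -> Tuple[str, int]:
    """Host and effective port of a URL (default 80 for http, 443 for https)."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.hostname or "", port)


def decide(rules: List[Rule], url: str) -> Tuple[str, str]:
    """First-match evaluation with an implicit final deny.

    With rule 1 disabled the check passes down to rules 2 and 3, so any
    host not on the allowlist cannot connect out.
    """
    host, port = _host_and_port(url)
    for rule in rules:
        if not rule.enabled or rule.port != port:
            continue
        if rule.hosts is None or host in rule.hosts:
            return ("allow", rule.name)
    return ("block", "no matching rule")


def simulate_compromised_login(surfing_rule_enabled: bool) -> dict:
    """Outcome for the two outbound requests a compromised login page causes:
    the legitimate login submission and the injected script's attempt to
    send the credentials to another host (Wikipedia stands in for the
    attacker's address, as in the post's demo).
    """
    rules = build_ruleset(surfing_rule_enabled)
    return {
        "login": decide(rules, "https://bank.example/login"),
        "exfiltration": decide(rules, "http://en.wikipedia.org/wiki/Main_Page"),
    }


if __name__ == "__main__":
    for mode, enabled in (("normal surfing", True), ("secure-site mode", False)):
        print(f"{mode}: {simulate_compromised_login(enabled)}")
```

Running it shows the point of the post: with rule 1 enabled the script's request is allowed by the general surfing rule, and with rule 1 disabled it falls through to rules 2 and 3 and is blocked, while the login itself still matches rule 3. The practical cost is the allowlist itself: every host the login page legitimately loads from (including any content-delivery hosts the site uses) has to be on it, or the secure site breaks in this mode, which is the "cumbersome" part mentioned in the post.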
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Subscribed to this thread :thumb: