To understand XSS, we first need to understand the Same Origin Policy.
The Same Origin Policy is a web security rule implemented by web browsers (i.e. on the client side). It allows scripts running on pages that belong to the same website to access each other's DOM, but not the DOM of pages that belong to other websites. This also means that all scripts that come from the same website are trusted alike and granted the same permissions, in general: access to the cookies, etc.
So, is it possible that you host a website and, when a client is viewing it, certain scripts run without you knowing about it?
YES, and this is what XSS is. What actually happens is that the attacker causes additional scripts to run on the client's machine in order to access the authorization cookies for that website. The website was not designed with URL sanitization in mind. Say, for example, you have an online account on a website. The website is vulnerable to XSS, so the attacker provides the client with malicious URLs of the form http://www.mysite.com?q=mysearch<script>//access user cookie for this particular site and mail it to me</script>. This URL could be delivered in various forms, like an advertising mail in your inbox, or the recently popular form seen on Facebook, where people convince you that pasting some "magical" URL into your console will tell you who has visited your profile.
Now, what happens is that the part after the ? is searched for on the website. If the input is not sanitized, i.e. you output the input as it is, you are also outputting the script. Now you see that the same origin policy is not violated, because the script has (ultimately) been delivered by www.mysite.com. So the script has the same access as the other scripts. It accesses the authorization cookies and mails them off to the attacker. The attacker then imports that cookie into his own browser, and to mysite.com the client and the attacker are now one and the same. This access can lead to undesirable consequences (you could go from a millionaire to bankrupt in one day).
This is only one form of XSS attack. Proper sanitization should be performed before processing inputs to help avoid XSS attacks.
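The reflected search page described above, as an added example that is not part of the original post: a vulnerable render function that echoes the q parameter as-is, next to a hardened version that HTML-encodes it before it lands in the page, a small check that a defender could use to confirm the difference, and a session cookie header built with HttpOnly so that even a script that does run cannot read the cookie. All function names and the sample URL are hypothetical; the script body in the sample is a placeholder.

```javascript
// Added example (not from the original post). Names and sample values are hypothetical.

// Minimal HTML entity encoding for text placed inside element content.
// Every character that can start a tag or attribute is replaced.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the user-controlled search term is written into the page as-is,
// so a <script> element in q becomes a script element in the response.
function renderSearchVulnerable(q) {
  return `<p>Results for: ${q}</p>`;
}

// Hardened: the search term is encoded before it is placed in HTML element
// content, so the browser shows the text "<script>" instead of executing it.
function renderSearchSafe(q) {
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Defender's check: does the rendered HTML contain a live script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Pull the q parameter out of a URL of the shape used in the post.
function queryParam(url, name) {
  return new URL(url).searchParams.get(name) ?? "";
}

// Session cookie header with HttpOnly: the cookie is still sent with requests,
// but document.cookie cannot read it, which blocks the theft step described above.
function sessionCookieHeader(value) {
  return `session=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample URL, same shape as the one in the post, with a placeholder script body.
const sampleUrl = "http://www.mysite.com?q=mysearch<script>/* placeholder */</script>";

if (typeof require !== "undefined" && require.main === module) {
  const q = queryParam(sampleUrl, "q");
  console.log("vulnerable:", renderSearchVulnerable(q), containsScriptTag(renderSearchVulnerable(q)));
  console.log("hardened:  ", renderSearchSafe(q), containsScriptTag(renderSearchSafe(q)));
  console.log(sessionCookieHeader("abc123"));
}
```

Output encoding at the point where the value is inserted into HTML is what makes the second version safe; validating or "sanitizing" the input on the way in is a useful second layer but not a substitute, since the same value may be rendered in several contexts.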