Cross Site Scripting or a XSS attack is an attack commonly used by attackers to execute a malicious script or payload through the use of a website that has legitimate purposes (Kallin and Lobo Valbuena, 2016). Malicious script or malicious payload being defined as the altercation of any code in a part of a software that has the intention to cause a negative effect such as a security breach or to cause damage (DuPaul, 2017). Cross Site Scripting does not directly target an individual, instead it exploits a vulnerability that a website may have. Some of these vulnerabilities become apparent when a web application uses unvalidated or unencoded user input within the output. A XSS attack can be run on VBScript, Flash, ActiveX and JavaScript. As JavaScript is one of the more widely used programs to browse the web, it is targeted the most in a XSS attack (Acunetix, 2018). The general thought of a JavaScript attack may not seem as daunting as JavaScript is used largely as a program to browse the web, but it can easily become malicious when you look at a number of factors that may take place when JavaScript is run and how those factors could be detrimental if a malicious attack were to occur. These factors being: JavaScript has access to cookies, it can send HyperText Transfer Protocol (HTTP) requests by using XMLHttpRequest, can make arbitrary modifications to the HyperText Markup Language (HTML) by using Document Object Model (DOM) manipulation. This report will divided into two sections: one section describing how a Cross Site Scripting attack works and the second investigating the XSS attack ‘Samy’ (or JS.Spacehero) that occurred in 2005 (Francheschi-Bicchierai, 2015).
Part One: How A Cross Site Scripting Attack works (30)
In this report, an example of an attack using JavaScript will be investigated as it is one of the more commonly targeted web browser programs.
Firstly, the attacker needs to find a way or a vulnerability within a website that individuals are known to frequently visit or downloads one of their pages from to inject malicious payload (Acunetix, 2018). This use of a known website will help with finding people to visit the particular webpage that has been tampered with as the more popular it is the more victims the attacker will have. For a website to be vulnerable to a XSS attack it needs to include direct user input. Direct input is an input device that is a part of a computer. These input devices are used to provide data to the computer, such devices being: keyboards, mouse, scanners, cameras and joysticks (Khanal, 2017). Anything that requires an individual to click on something or type something in on the website creates a vulnerability within the website as it uses user input.
(Acunetix, 2013)
The reason in which user input is a vulnerability within a XSS attack is because a string of code can be inserted into the original code by the attacker which will be process as code by the browser. An example in which user input would be used is through the use of a logon.
By logging on to a website, this ensures that an individual is inputting into the web browser and that the code in which they create by logging in can be modified. In the diagram above it illustrates the use of a XSS attack that took place using this method.
Here are some simplified steps as to how this attack took place in this diagram:
1) The attacker injects malicious software script into a vulnerable website, which is the stored or saved into a database.
2) The victim then logs into the vulnerable website.
3) The saved malicious script that the attacker injected then goes from the database to the vulnerable website through downloaded data.
4) The malicious script is then downloaded onto the victim’s computer which then may result in the script getting executed and goes back to the attacker.
These steps are a general idea of what happens when an individual gets targeted by malicious script, in particular a XSS attack. This particular attack being a blind XSS attack which can be defined as an attack that takes place that injects malicious payload onto a number of different vulnerable website and then saves this to a database. The attacker then without knowing what webpages they have targeted or when the payloads will be executed they then wait for the payloads to come out of the database and rendered by a loaded webpage. The blind XSS is an example of a different variation of the XSS attack and this attack varies in the sense that a XSS attack relies on a quick response from the input by the attacker (through webpage or HTTP), whereas blind XSS is injected into the code of the website inserted into the web controls and does not rely on a quick response. (Accunetix, 2013)
Real Life Situations
Samy Worm
There are countless examples of real life situations in which a large scale of people have been effected by the XSS attack, but one case that caused great interest was the “Samy” worm. This worm was deployed on the social networking website MySpace in 2005 and became more large scale then it was ever intended to be. On the 4th of October 2005, a teen by the name of Samy Kamkar created a worm that could be considered to have been one of the most- large scale, fast spreading computer virus in modern history.
Through the use of XSS, Kamkar was able to unintentionally receive millions of friends on the social networking site in the space of a day by programming the worm to automatically send a friend request to his profile of people that had visited his page. This caused the site to be shut down for a couple of hours and Kamkar’s account to be deleted. This particular case did not particularly cause anything damaging, but it did spark the realization of the threat of a XSS attack and the potential that an individual could have if they had negative intensions. This caused the Open Web Application Security project to launch an API for websites that allowed users to use code on their websites without the risk of a XSS attack, this was called the AntiSamy Project. This attack also caused websites to increase their security to help decrease the opportunity for an attack similar to Samy to occur.
Kamkar received a criminal charge for this particular attack and received a 3- year probation order seizing all of his computers, denying him access to the internet and only being able to use a court ordered computer that was monitored that did not access the internet. (Francheschi-Bicchierai, 2015)
Summary
To conclude, a XSS attack is an attack that changes the code within a vulnerable website’s original code to cause a negative impact. An attack is not one that targets an individual, it targets a website that has vulnerabilities and the users of that website. User input is essential to a XSS attack as this helps to change the code within the website’s output. There are a number of different variations of XSS attacks, one being a blind XSS attack. A blind attack does not rely on an immediate response from the attacker and stores the attack on a data base to deploy the attack off of. The Samy worm in 2004 was an attack that took place on the social media website, MySpace. Although this attack did not cause any destruction, it created an example of why cyber security is so important if he were to have negative intensions and created awareness for this type of attack.
References
Acunetix, 2013. Blind XSS: The Ticking Time Bomb of XSS Attacks. Acunetix.
https://www.acunetix.com/blog/articles/blind-xss/
Acunetix, 2018. Types of XSS: Stored XSS, Reflected XSS and DOM-based XSS. Acunetix. https://www.acunetix.com/websitesecurity/xss/
Franceschi-Bicchierai, 2015. The MySpace Worm that Changed the Internet Forever. Motherboard. https://motherboard.vice.com/en_us/article/wnjwb4/the-myspace-worm-that-changed-the-internet-forever
Kallin and Lobo Valbuena, 2016. Excess XSS: A comprehensive tutorial on cross-site scripting. Excess XSS. https://excess-xss.com
N. DuPaul, 2917. Malicious Code: What is Malicious Code? Veracode. Burlington, MA. https://www.veracode.com/security/malicious-code
S Khanal, 2017. Direct and Indirect Input Device- Examples, Advantages and Disadvantages. ICT trends. https://icttrends.com/direct-input-device-examples-advantages-disadvantages/