Cisco Applied Mitigation Bulletin: Understanding Cross-Site Scripting (XSS) Threat Vectors

Advisory ID: cisco-amb-20060922-understanding-xss

http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20060922-understanding-xss

Revision 1.0

For Public Release 2006 September 22 16:00 UTC (GMT)

Contents

Cisco Response
Device-Specific Mitigation and Identification
Additional Information
Revision History
Cisco Security Procedures
Related Information

Cisco Response

Vulnerability Characteristics

XSS exploits have become one of the most common web application vulnerabilities and are achieved through three standard attack vectors: reflected, stored, and advanced. The results of XSS attacks are the same regardless of the vector; these results can consist of installation or execution of malicious code, account compromise, session cookie hijacking, revelation or modification of local files, and site redirection (which could be to a vulnerable server or malicious website).

XSS attacks use obfuscation: tags or malicious portions of the script are encoded using the Unicode method so that the link or HTML content is disguised from the end user browsing to the site. The origins of XSS attacks are difficult to identify using traceback methods because the vulnerable server is what injects the malicious code into users' browsers, thus concealing the identity of the malicious user.

Reflected Attack Vector

A reflected attack, also known as nonpersistent, takes place when malicious code or scripts are injected by a vulnerable web server via any method that produces a response as part of a valid HTTP request. Some common examples of responses are error messages, search engine results, or submitted web forms. An example of a reflected XSS attack is a case in which an unsuspecting user is enticed to follow a malicious link to a vulnerable server that injects (reflects) the malicious code back to the user's browser. The browser then executes the code or script because the vulnerable server is usually a known or trusted site. Standard methods of delivery for XSS exploits are e-mail, instant messenger applications, and search engines.
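The reflected vector described above, combined with the encoded link mentioned under Vulnerability Characteristics, as an added example that is not part of the Cisco bulletin: a hypothetical search handler that echoes its q parameter into a "no results" message, first unchanged and then with output encoding. The host www.example.com, the parameter name, and the function names are assumptions made for illustration.

```python
from html import escape
from urllib.parse import urlsplit, parse_qs

# Constructed sample link: the "q" parameter carries a percent-encoded
# script tag, so the markup is not obvious to someone reading the URL.
SAMPLE_LINK = (
    "http://www.example.com/search"
    "?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)


def query_param(url, name):
    """Return the decoded value of a query parameter, as a web framework would."""
    values = parse_qs(urlsplit(url).query).get(name, [""])
    return values[0]


def render_results_vulnerable(url):
    """Reflect the decoded parameter into the HTML response unchanged (the flaw)."""
    term = query_param(url, "q")
    return "<p>No results found for " + term + "</p>"


def render_results_hardened(url):
    """Encode the parameter for the HTML context before reflecting it."""
    term = query_param(url, "q")
    # escape() turns <, >, & and quotes into entities, so the browser
    # displays the text instead of parsing it as markup.
    return "<p>No results found for " + escape(term, quote=True) + "</p>"


if __name__ == "__main__":
    # The server decodes the disguised link before building the page.
    print("decoded   :", query_param(SAMPLE_LINK, "q"))
    print("vulnerable:", render_results_vulnerable(SAMPLE_LINK))
    print("hardened  :", render_results_hardened(SAMPLE_LINK))
```

The same output encoding applies wherever the server places request data into a response, including the error messages and submitted forms named above.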

Stored Attack Vector

A stored attack, also known as persistent, takes place when the malicious code or script is permanently stored on a vulnerable or malicious server using a database, blog entries, newsgroup or web forum posts, or any other permanent storage method. An example of a stored XSS attack is a case in which a user requests the stored information from the vulnerable or malicious server, which then injects the requested malicious script into the user's browser. The browser then executes the code or script because the vulnerable server is usually a known or trusted site.

Advanced Attack Vectors

Advanced attack vectors use HTML img and frame constructs (, ,