Computer

profilekoby8855

    

Cross-site scripting (XSS) Attacks

Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability makes it possible for attackers to inject malicious code (e.g. JavaScript programs) into victim’s web browser.

Using this malicious code, the attackers can steal the victim’s credentials, such as cookies. The access control policies (i.e., the same origin policy) employed by the browser to protect those credentials can be bypassed by exploiting the XSS vulnerability. Vulnerabilities of this kind can potentially lead to large-scale attacks.

To demonstrate what attackers can do by exploiting XSS vulnerabilities, we have set up a web application named Elgg in our pre-built Ubuntu VM image. Elgg is an open-source web application for social networking, and it has implemented a number of countermeasures to remedy the XSS threat. To demonstrate how XSS attacks work, we have commented out these countermeasures in Elgg in our installation, intentionally making Elgg vulnerable to XSS attacks. Without the countermeasures, users can post any arbitrary message, including JavaScript programs, to the user profiles. In this lab, students need to exploit this vulnerability to launch an XSS attack on the modified Elgg, in a way that is similar to what Samy Kamkar did to MySpace in 2005 through the notorious Samy worm. The ultimate goal of this attack is to spread an XSS worm among the users, such that whoever views an infected user profile will be infected, and whoever is infected will add you (i.e., the attacker) to his/her friend list.

Environment setup for the problem:

For this problem, we will assume that you have set up the Ubuntu virtual machine environment based on the instructions in the Syllabus under “Special Software Installation Requirements”.

We will need the following: 

  • Firefox web browser 
  • Apache web server
  • Elgg web application

For the Firefox browser, we need to use the LiveHTTPHeaders extension for Firefox to inspect the HTTP requests and responses (available under the “Tools” menu in Firefox). The pre-built Ubuntu VM image provided to you has already installed the Firefox web browser with the required extension. 

The Apache web server is also included in the pre-built Ubuntu image. However, the web server is not started by default. You have to first start the web server using one of the following two commands:

% sudo apache2ctl start 

or 

% sudo service apache2 start

The Elgg web application is already set up in the pre-built Ubuntu VM image. We have also created several user accounts on the Elgg server and the credentials are given below (username, password):

admin, seedelgg

alice, seedalice

boby, seedboby

charlie, seedcharlie

samy, seedsamy

You can access the Elgg server using the following URL (the Apache server needs to be started first):

http://www.xsslabelgg.com

(this URL is only accessible from inside of the virtual machine, because we have modified the /etc/hosts file to map the domain name (www.xsslabelgg.com) to the virtual machine’s local IP address 127.0.0.1).

Once you log in as a user in Elgg, you can access your Profile and list of Friends by clicking on icons in the upper left part of the browser window.

Note: Some of the project tasks require some basic familiarity with JavaScript. Wherever necessary,

we provide a sample JavaScript program to help you get started.


Writing a Self-Propagating XSS Worm

To become a real worm, the malicious JavaScript program should be able to propagate itself. Namely, whenever some people view an infected profile, not only will their profiles be modified, the worm will also be propagated to their profiles, further affecting others who view these newly infected profiles. This way, the more people view the infected profiles, the faster the worm can propagate. This is exactly the same mechanism used by the Samy Worm: within just 20 hours of its October 4, 2005 release, over one million users were affected, making Samy one of the fastest spreading viruses of all time. The JavaScript code that can achieve this is called a self-propagating cross-site scripting worm. In this task, you need to implement such a worm, which infects the victim’s profile.

To achieve self-propagation, when the malicious JavaScript modifies the victim’s profile, it should copy itself to the victim’s profile. If the entire JavaScript program (i.e., the worm) is embedded in the infected profile, to propagate the worm to another profile, the worm code can use DOM APIs to retrieve a copy of itself from the web page. An example of using DOM APIs is given below. This code gets a copy of itself, and display it in an alert window:

  

<script id=worm>

var   strCode = document.getElementById("worm");

alert(strCode.innerHTML);

</script>

URL Encoding: All messages transmitted using HTTP over the Internet use URL Encoding, which converts all non-ASCII characters such as space to special code under the URL encoding scheme. In the worm code, messages sent to Elgg should be encoded using URL encoding. The escape function can be used to URL encode a string. An example of using the encode function is given below.

  

<script>

var   strSample = "Hello World";

var   urlEncSample = escape(strSample);

alert(urlEncSample);

</script>

Under the URL encoding scheme, the “+” symbol is used to denote space. In JavaScript programs, “+” is used for both arithmetic operations and string concatenation operations. To avoid this ambiguity, you may use the concat function for string concatenation, and avoid using addition. For the worm code in the exercise, you don’t have to use additions. If you do have to add a number (e.g a+5), you can use subtraction (e.g a-(-5)).

Other notes:

  • To modify the victim's      profile, the HTTP request sent by the worm should contain the following      information in the HTML body of the request (which is sent via the content variable): 

&accesslevel%5Bdescription%5D=2

(in fact, using the LiveHTTPHeaders extension, you can see this is included in a regular edit profile request)

  • Be careful when dealing      with an infected profile. If a profile is already infected by the XSS      worm, you may want to leave them alone, instead of modifying them again.      If you are not careful, you may end up removing the XSS worm from the      profile.

What you need to do: 

1. Based on the format of the POST request to change a user's profile, write a JavaScript script that changes the "About me" field in the profile of any user (the victim) who views an infected profile. The "About me" field should contain the following text: 

Samy is my HERO (added by <insert your team member name/s here>)

Save your JavaScript script in a file task5.txt.

2. Login as user Samy and inject in the "About me" field of Samy's profile the script from file task5.txt. (Make sure to select "Remove editor" before editing this field, in order to disable any automatic formatting)

3. Logout and login as user Alice, and then view Samy's profile by selecting user Samy from "More => Members" in the Elgg menu. At this point, the malicious Javascript script will be executed and Alice's profile will be infected as well.

4. Logout and login as user Boby, and then view Alice's profile by selecting user Alice from "More => Members" in the Elgg menu. At this point, the malicious Javascript script will be executed and Boby's profile will be infected as well.

5. Include in your project document: 

a. a screen printout with Alice's profile after viewing Samy's profile.

b. a screen printout with Boby's profile after viewing Alice's profile.

c. A printout of your JavaScript file task5.txt.


    • 5 years ago
    • 20
    Answer(0)