Tuesday, May 28, 2019

Cross-site scripting vulnerability

  • Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

  • Q: How can you defend yourself against CSRF attacks?

To defend yourself against CSRF attacks, you can opt for two available methods. Firstly, try to include a random token with every request. In this way a unique string of tokens will be generated, which is a good safeguard. Secondly, try using different names for each form field. This will somewhat help you in becoming anonymous due to the entry of so many different names and thus will act as a safeguard against CSRF attacks.
https://mindmajix.com/cyber-security-interview-questions

  • If a logged-in user clicks that link, what would stop the picture from being submitted? You guessed it: Nothing. Hacker wins.
That's because we didn't do anything to verify the user's intention to submit a picture. The "F" in CSRF stands for forgery: the hacker has forged (faked) a request on behalf of the user.
WordPress uses nonces (numbers used once) to validate the request was actually made by the current user.

The basic process looks like this:

    A nonce is generated.
    That nonce is submitted with the form.
    On the back end, the nonce is checked for validity. If valid, the action continues. If invalid, everything halts - the request was probably forged!
https://css-tricks.com/wordpress-front-end-security-csrf-and-nonces/


  • DOM Based XSS

Definition
DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.
https://www.owasp.org/index.php/DOM_Based_XSS


  • DOM Based XSS simply means a Cross-site scripting vulnerability that appears in the DOM (Document Object Model) instead of part of the HTML. In reflective and stored Cross-site scripting attacks you can see the vulnerability payload in the response page but in DOM based cross-site scripting, the HTML source code and response of the attack will be exactly the same, i.e. the payload cannot be found in the response. It can only be observed on runtime or by investigating the DOM of the page.

https://www.netsparker.com/blog/web-security/dom-based-cross-site-scripting-vulnerability/
  • What do you mean by Cross Site Scripting?

Cross Site Scripting generally refers to an injection attack that comes from the client-side code.
Such attacks are generally seen where the web application uses non-encoded or non-validated user input inside the output it generates.

 Q: How can you defend yourself from a Cross Site Scripting attack?
Like any other injection attack, a Cross Site Scripting attack can also be prevented by using the proper available sanitizers.
There are software or applications available for doing this, like XSS Me for Firefox and domsnitch for Google Chrome.
https://mindmajix.com/cyber-security-interview-questions



  • XSS-Me is the Exploit-Me tool used to test for reflected Cross-Site Scripting (XSS). It does NOT currently test for stored XSS.

The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an XSS attack.

https://addons.mozilla.org/en-US/firefox/addon/xss-me/

HACKING TUTORIAL - XSS Me


  • What is Cross-Site Request Forgery?

When an attacker gets a victim’s browser to make requests, ideally with their credentials included, without their knowing. A solid example of this is when an IMG tag points to a URL associated with an action, e.g. http://foo.com/logout/. A victim just loading that page could potentially get logged out from foo.com, and their browser would have made the action, not them (since browsers load all IMG tags automatically).

What is the difference between stored and reflected XSS?
Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim’s browser when the results are returned from the site.

What are the common defenses against XSS?
Input Validation/Output Sanitization, with focus on the latter.
What is spear phishing?
Spear phishing is a social engineering attack in which a perpetrator, disguised as a trusted individual, tricks a target into clicking a link in a spoofed email, text message or instant message. As a result, the target unwittingly reveals sensitive information, installs malicious programs (malware) on their network or executes the first stage of an advanced persistent threat (APT), to name a few of the possible consequences.
While similar to phishing and whaling attacks, spear phishing is launched in a unique way and its targets differ from other social engineering assaults.
At the same time, a command and control agent is installed on the sysadmin’s machine, which can then be used as a backdoor into the enterprise’s network to execute the first stage of an APT.

Spear phishing vs. phishing and whaling attacks
Phishing emails are impersonal, sent in bulk and often contain spelling errors or other mistakes that reveal their malicious intent.
Spear phishing emails, on the other hand, are more challenging to detect because they appear to come from sources close to the target. Cyber-criminals send personalized emails to particular individuals or groups of people with something in common, such as employees working in the same department.
Whaling uses deceptive email messages targeting high-level decision makers within an organization, such as CEOs, CFOs, and other executives.
The difference between whaling and spear phishing is that whaling exclusively targets high-ranking individuals within an organization, while spear phishing usually goes after a category of individuals with a lower profile.

Spear phishing mitigation
Several risk prevention measures can help, including two-factor authentication (2FA), password management policies and educational campaigns.

Two factor authentication
2FA helps secure login to sensitive applications by requiring users to have two things: something they know, such as a password and user name, and something they have, such as a smartphone or cryptographic token. When 2FA is used, even if a password is compromised using a technique like spear phishing, it’s of no use to an attacker without the physical device held by the real user.

Password management policies
A prudent password management policy should take steps to prevent employees from using corporate access passwords on fake external websites.

Educational campaigns
At the organizational level, enterprises can raise awareness and actively train employees.
https://www.imperva.com/learn/application-security/spear-phishing/


  • 5 Practical Scenarios for XSS Attacks

PoCs to prove the real risk of Cross-Site Scripting (XSS) vulnerabilities.

How to create XSS attack PoCs in order to:
Hijack a user’s session
Perform unauthorized activities
Perform phishing attacks
Capture key strokes
Steal sensitive information

If the application does not escape special characters in the input/output and reflects user input as-is back to the browser, an adversary may be able to launch a Cross-Site Scripting (XSS) attack successfully.

XSS Attack 1: Hijacking the user session
XSS Attack 2: Perform unauthorized activities
XSS Attack 3: Phishing to steal user credentials
XSS Attack 4: Capture the key strokes by injecting a keylogger
XSS Attack 5: Stealing sensitive information


https://pentest-tools.com/blog/xss-attacks-practical-scenarios/


  • What is Cross-Site Scripting?

Cross-site scripting (XSS) is a code injection security attack which delivers malicious, client-side scripts to a user’s web browser for execution. Targets are not attacked directly, rather vulnerable websites and web applications are used to carry out cross-site scripting attacks when users interact with these sites/applications.

Types of Cross-Site Scripting Attacks

Reflected XSS
A reflected XSS attack involves a vulnerable website accepting data (i.e. malicious script) sent by the target’s own web browser to attack the target with. Because the malicious script is sent by the client itself and is not stored on the vulnerable server, this type of attack is also referred to as “non-persistent.”

Persistent XSS
As the name implies, a persistent XSS attack is stored/persisted on the vulnerable server itself. Unlike a reflected attack, where the malicious script is sent by the target, users of a vulnerable website or web app can be attacked during their usual interactions with the vulnerable site/app.

DOM-Based XSS
Another type of XSS attack is DOM-based, where the vulnerability exists in the client-side scripts that the site/app always provides to visitors. This attack differs from reflected and persistent XSS attacks in that the site/app doesn’t directly serve up the malicious script to the target’s browser.

https://www.rapid7.com/fundamentals/cross-site-scripting/

  • Preventing XSS: 3 Ways to Keep Cross-Site Scripting Out of Your Apps


1. Escaping
The first method you can and should use to prevent XSS vulnerabilities from appearing in your applications is by escaping user input. Escaping data means taking the data an application has received and ensuring it’s secure before rendering it for the end user. By escaping user input, key characters in the data received by a web page will be prevented from being interpreted in any malicious way. In essence, you’re censoring the data your web page receives in a way that will disallow the characters – especially < and > characters – from being rendered, which otherwise could cause harm to the application and/or users.
If your page doesn’t allow users to add their own code to the page, a good rule of thumb is to escape any and all HTML, URL, and JavaScript entities. However, if your web page does allow users to add rich text, such as on forums or post comments, you have a few choices. You’ll either need to carefully choose which HTML entities you will escape and which you won’t, or use a replacement format for raw HTML such as Markdown, which will in turn allow you to continue escaping all HTML.

2. Validating Input
Validating input is the process of ensuring an application is rendering the correct data and preventing malicious data from doing harm to the site, database, and users. While whitelisting and input validation are more commonly associated with SQL injection, they can also be used as an additional method of prevention for XSS. Whereas blacklisting, or disallowing certain, predetermined characters in user input, disallows only known bad characters, whitelisting only allows known good characters and is a better method for preventing XSS attacks as well as others.

3. Sanitizing
Sanitizing user input is especially helpful on sites that allow HTML markup, to ensure data received can do no harm to users as well as your database by scrubbing the data clean of potentially harmful markup, changing unacceptable user input to an acceptable format.

https://www.checkmarx.com/2017/10/09/3-ways-prevent-xss/


  • This article provides a simple positive model for preventing XSS using output escaping/encoding properly. 

XSS Prevention Rules
The following rules are intended to prevent all XSS in your application.
RULE #0 - Never Insert Untrusted Data Except in Allowed Locations
RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
RULE #3 - JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
RULE #3.1 - HTML escape JSON values in an HTML context and read the data with JSON.parse
RULE #4 - CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
RULE #6 - Sanitize HTML Markup with a Library Designed for the Job
RULE #7 - Avoid JavaScript URLs
RULE #8 - Prevent DOM-based XSS
Bonus Rule #1: Use HTTPOnly cookie flag
Bonus Rule #2: Implement Content Security Policy
Bonus Rule #3: Use an Auto-Escaping Template System
Bonus Rule #4: Use the X-XSS-Protection Response Header
Bonus Rule #5: Properly use modern JS frameworks like Angular (2+) or ReactJS
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
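The escaping advice from the Checkmarx article and OWASP rules #0 to #5 above, as an added example (not the cheat sheet's or Checkmarx's own code): one encoder per output context, applied to a single untrusted value. The `renderProfile` fragment and the probe string are constructed for illustration.

```javascript
// Added example: context-specific output encoders following the OWASP XSS
// prevention rules. Not the cheat sheet's code; renderProfile is a constructed page.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

// RULE #1: HTML element content. The six significant characters become
// entities, so '<' from untrusted data can never open a tag.
function htmlEscape(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}

// RULE #2: HTML attribute values. Everything but alphanumerics below 256 is
// encoded, so even an unquoted attribute cannot be broken out of with ' ' or '='.
function attrEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const code = c.codePointAt(0);
    return code < 256 ? `&#x${code.toString(16).padStart(2, '0')};` : c;
  });
}

// RULE #3: JavaScript data values inside a quoted string literal. \xHH below
// 256, \u{...} above, so quotes and </script> cannot terminate the literal.
function jsEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const code = c.codePointAt(0);
    return code < 256 ? `\\x${code.toString(16).padStart(2, '0')}` : `\\u{${code.toString(16)}}`;
  });
}

// RULE #5: URL parameter values. Percent-encode the parameter only, never
// the whole URL.
function urlEscape(s) {
  return encodeURIComponent(String(s));
}

// RULE #0 in action: the same untrusted value lands in four contexts, each
// with its own encoder. Returns the HTML fragment the server would send.
function renderProfile(name) {
  return [
    `<div>${htmlEscape(name)}</div>`,                    // element content
    `<div title=${attrEscape(name)}>profile</div>`,      // unquoted attribute
    `<script>var user = '${jsEscape(name)}';</script>`,  // JS string literal
    `<a href="/search?q=${urlEscape(name)}">search</a>`, // URL parameter
  ].join('\n');
}

// Constructed probe that would break out of every one of these contexts
// if it were inserted unencoded.
const probe = `"><script>alert('x')</script>`;
console.log(renderProfile(probe));
```

Rule #8 (DOM-based XSS) is the same discipline on the client: data read from `location.hash` or similar goes through `textContent` or one of these encoders, never straight into `innerHTML`.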

  • What does trigger an incident investigation?

Keepnet Labs’ Incident Responder is one helpful tool that does this by installing a user-friendly plugin that lets end-users instantly report a suspicious email to the Keepnet Incident Response Platform (IRP). The alert can be sent with only one click. This way, the incident response time is reduced from minutes to seconds.
An incident investigation can be triggered in different ways:

    A user reports a suspicious email with a single click using the phishing reporter add-in installed in Outlook, which sends it automatically for analysis. If the results are malicious, an incident response operation is started on the inboxes of the other users.
    A SOC team member initiates a manual investigation and triggers an incident response operation. He/she can investigate the suspicious email in the users’ inboxes in minutes. Once he/she has detected the suspicious email, he/she can delete/remove or contain it by sending a warning message to all users.
    An investigation and incident response can be started according to data coming from indicators of compromise (IOCs). For example, feeds taken from popular phishing sources like PhishTank, OpenPhish and IBM X-Force trigger an automatic investigation and prevent dangerous phishing threats.
https://www.keepnetlabs.com/protecting-employees-inboxes-phishing-threats-incident-response/


  • Security Incident Phishing workflow template

The Security Incident - Phishing - Template allows you to perform a series of tasks designed to handle spear phishing emails on your network. 
The workflow is triggered when the Category in a security incident is set to Spear Phishing. This action causes a response task to be created for the first activity in the workflow.
https://docs.servicenow.com/bundle/newyork-security-management/page/product/security-incident-response-orchestration/task/si-phishing-template.html
