Awakening the Sleeping Giant v1.0
Demystifying Cross Site Scripting Attacks
Author: David Kierznowski (david.kierznowski_at_gmail.com)
http://michaeldaw.org/projects/
Table of contents:
1.0 Introduction
2.0 Summary of paper
3.0 Entry nodes (Where)
4.0 Capabilities (Why)
5.0 Exploits (How)
6.0 Tools
1.0 Introduction:
I assume the person reading this paper will know what XSS is. This paper attempts to demystify and categorise current XSS entry nodes, attack capabilities and trends.
This paper was put together fairly quickly on a Saturday afternoon. I do not attempt to give an in-depth analysis of anything; that is what Google is for. This paper is an initial attempt to categorise and track XSS in general.
XSS attacks are gaining popularity quickly. There are loads of vulnerabilities waiting to be found. It can be simple, yet difficult to prevent. It can propagate around the Internet in hours, exploit internal or private networks, and offers the ability to manipulate web services for fun and profit without compromising a single system.
Feedback and corrections (if any) are most certainly welcome and encouraged. I doubt I covered everything in an hour and I doubt I would in 100.
2.0 Summary of paper
2.1 Entry Nodes
* CSS - Cascading Style Sheets
* RSS readers - RSS XSS (Sounds good)
* Flash (possibly AFLAX), ActiveX etc.
* Files - Image or other
* Phishing Attacks and other human related weaknesses
* Dynamic HTML in general including HTML tags and the DOM
2.2 Capabilities
* Internal IP address leakage
* Network Sweeping
* Port Scanning
* Browser plug in detection
* Retrieving browser history
* Cross domain forgery
* XSS for fun and profit
2.3 Exploits
* Information theft
* Operating system exploitation
* URL based exploits
* Browser Plugin Exploitation
* Worms and Trojans
* Brute force attacks
* Botnets
2.4 Tools
* http://www.gnucitizen.org/projects/attackapi
–END of Summary
3.0 Entry nodes
3.1 Applications with insufficient input validation
3.1.1 CSS - Cascading Style Sheets
e.g.: MySpace worm http://namb.la/popular/tech.html
3.1.2 RSS readers - RSS XSS (Sounds good)
http://www.spidynamics.com/assets/documents/HackingFeeds.pdf#search=%22rss%20injection%22
3.1.3 Flash (possibly AFLAX), ActiveX etc.
http://www.cgisecurity.com/lib/flash-xss.htm
3.1.4 Files - Image or other
It's definitely a possibility, but I haven't seen it used.
3.1.5 Phishing Attacks and other human related weaknesses
http://www.antiphishing.org/Evolution%20of%20Phishing%20Attacks.pdf#search=%22phishing%20attacks%20and%20xss%22
3.1.6 Dynamic HTML in general including HTML tags and exploiting the DOM
e.g.: <script>alert(document.cookie)</script>
http://ha.ckers.org/xss.html
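As an added example (not part of the original paper), the following JavaScript shows the standard mitigation for this entry node: context-aware output encoding, with a separate encoder for each HTML context an untrusted value can land in. The function names (escapeHtml, escapeAttr, escapeJsString, renderComment) are assumptions for illustration; the sample input is the payload quoted in 3.1.6.

```javascript
// Added example: context-aware output encoding for untrusted values.
// Each encoder matches one HTML context; applying the wrong one (or none)
// is exactly what lets the payload in section 3.1.6 execute.

// Characters with meaning in an HTML text node or quoted attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Escape for an HTML text node (between tags).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Escape for a double-quoted attribute value. The same table works, but the
// caller must always quote the attribute; unquoted attributes break on
// whitespace and many other characters.
function escapeAttr(value) {
  return escapeHtml(value);
}

// Escape for a JavaScript string literal inside a <script> block. Entity
// encoding is wrong here (the JS engine never decodes entities), so every
// character outside [A-Za-z0-9] becomes \xHH or \uHHHH. This also neutralises
// a "</script>" sequence, which would otherwise end the script block.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Render a user-supplied comment into an HTML fragment, placing each
// untrusted value with the encoder that matches its context.
function renderComment(author, body) {
  return (
    '<div class="comment" data-author="' + escapeAttr(author) + '">' +
    '<p>' + escapeHtml(body) + '</p>' +
    '<script>var lastAuthor = "' + escapeJsString(author) + '";</script>' +
    '</div>'
  );
}

// Sample input: the payload quoted in section 3.1.6 of the paper.
const SAMPLE_PAYLOAD = '<script>alert(document.cookie)</script>';

console.log(renderComment(SAMPLE_PAYLOAD, SAMPLE_PAYLOAD));
```

The rendered fragment still contains a literal `<script>` tag, but it is the template's own; the user-controlled text appears only as entities in the text node and attribute, and as `\xHH` escapes inside the JS string literal, so no context boundary is crossed.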
4.0 Capabilities (Information Available via XSS):
* Internal IP address leakage
* Network Sweeping
* Port Scanning
* Browser plug in detection
* Retrieving browser history
* Cross domain forgery
* XSS for fun and profit
5.0 Exploits:
5.1 Information theft
Stealing Cookies, login credentials, banking information etc.
http://jehiah.com/archive/xss-stealing-cookies-101
5.2 Operating system exploitation:
e.g.: http://p.ulh.as/xploitsdb/NT/6078.html
5.3 URL based exploits:
Attacking routers, firewalls, etc.
e.g.: /cisco/level/99/show/running/config
5.4 Browser Exploits
http://bcheck.scanit.be/bcheck/index.php
5.5 Browser Plugin Exploitation
http://ha.ckers.org/blog/20060823/detecting-firefox-extentions/
5.6 Worms
Manipulating web services
eg: MySpace worm
5.7 Brute force attacks
5.8 Cross Site forgery
http://en.wikipedia.org/wiki/Cross-site_request_forgery
5.9 Botnets
6.0 Tools
http://www.gnucitizen.org/projects/attackapi
A little light on new content, but an excellent resource for consolidating and digging into XSS issues. Thanks.
[...] I turned off HTML tags and continued on as normal. However, something odd happened. When rendering my whitepaper “Awakening the Sleeping Giant” an insert of JavaScript was executed in my browser. How bizarre, I thought. The security enabled feature makes me vulnerable. Sage was vulnerable to XSS! I immediately contacted pdp (architect). We worked on it for 30 minutes and for those 30 minutes all you could hear were sinister laughs. [...]