Cross-Site Scripting (XSS) Attack Lab

Zutao Zhu
11/10/2009

Outline
• Basic idea

Basic Idea

Task 1
• Run the code

Task 2
• Run the code

Task 3
• Run the code
• Pay attention to the empty space in the cookie
• You can use escape() to remove the space in the cookie
• http://www.w3schools.com/jsref/jsref_escape.asp
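Task 3 reads the session id out of document.cookie, which is only possible when the application set the cookie without the HttpOnly attribute. The following audit function is an added example for the defending side and is not part of the lab slides or the lab's web application: it parses Set-Cookie header values and reports session cookies that page scripts can read or that are sent over plain HTTP. The sample headers and the session-cookie name pattern are constructed assumptions.

```javascript
// Added example (not from the lab slides): audit Set-Cookie headers for
// session cookies that a script in the page could read (no HttpOnly) or that
// travel over plain HTTP (no Secure).

// Parse one Set-Cookie header value into its name/value pair and attributes.
// Attribute keys are lower-cased; flag attributes (HttpOnly, Secure) become true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq >= 0 ? parts[0].slice(0, eq) : parts[0];
  const value = eq >= 0 ? parts[0].slice(eq + 1) : '';
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i >= 0 ? attr.slice(0, i) : attr).toLowerCase();
    attrs[key] = i >= 0 ? attr.slice(i + 1) : true;
  }
  return { name, value, attrs };
}

// Names that commonly identify a session cookie (assumption; extend for your app).
const SESSION_NAME_PATTERN = /^(sid|phpsessid|jsessionid|session|sess)/i;

// Return one finding per session cookie that lacks HttpOnly or Secure.
function auditSetCookie(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!SESSION_NAME_PATTERN.test(c.name)) continue;
    const problems = [];
    if (!c.attrs.httponly) problems.push('readable from document.cookie (no HttpOnly)');
    if (!c.attrs.secure) problems.push('sent over plain HTTP (no Secure)');
    if (problems.length) findings.push({ cookie: c.name, problems });
  }
  return findings;
}

// Constructed sample headers, not captured from the lab's web application.
const SAMPLE_SET_COOKIE_HEADERS = [
  'sid=3f2a9c; Path=/; HttpOnly; Secure',
  'sid=77be01; Path=/',
  'theme=dark; Path=/',
];

console.log(JSON.stringify(auditSetCookie(SAMPLE_SET_COOKIE_HEADERS), null, 2));
// → one finding: the second "sid" cookie, with both problems listed
```

Run it with node against headers captured from your own application's login response; a session cookie that appears in the findings is the kind of cookie the lab's Task 3 script can read.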

Task 4
• Change the sample code to include the cookie in the post data
• Use urlConn.addRequestProperty()
• http://java.sun.com/j2se/1.4.2/docs/api/java/net/URLConnection.html
• Refer to http://java.sun.com/ to learn how to install the JDK

Task 5
• Goal: when the victim clicks this post, it will automatically create a post for this victim.
• Steps:
– Retrieve the session ID of the user using JavaScript.
– Forge an HTTP POST request to post a message using the session ID.

Task 5
• Write an XSS worm
– Construct the HTTP request
– Find the sid in the cookie
– Construct the content to send; the format of the content can be obtained from Live HTTP Headers
– Send
– Try to minimize the size of the script

Task 6
• To be able to propagate itself, the forged message should also include a worm, so whenever somebody clicks on the forged message, a new forged message that carries the same worm will be created. This way, the worm can be propagated.

Task 6
• Self-Propagating XSS Worm
– Making a copy of itself when posting the message
– Ensuring the message posted is encoded using URL encoding

Strategy
• Uses the DOM API for making a copy of itself
• Uses the JavaScript function encode() for the purpose of URL encoding
• Avoids using the ‘+’ symbol for string concatenation and addition, because URL encoding uses ‘+’ to denote a space
• Uses absolute values, avoids number manipulation, and uses the concat() function for string concatenation

Note
• concat() - Combines the text of two or more strings and returns a new string.
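The Strategy slide's warning about ‘+’ comes from the server-side decoding of application/x-www-form-urlencoded data, where ‘+’ is a space; the Task 6 requirement to URL-encode the posted message is the client-side half of the same round trip. The block below is an added example, not code from the lab slides: decodeFormField() reproduces that server-side decoding, roundTrip() compares the two client-side encoders available in the browser (escape(), which the Task 3 slide names and which leaves ‘+’ unencoded, and encodeURIComponent(), which encodes it as %2B), and escapeHtml()/renderMessage() show the output encoding a message board applies so that script carried in a stored message is rendered as text rather than executed. The inputs are constructed.

```javascript
// Added example (not from the lab slides): the encoding steps around a posted
// message, seen from the server and rendering side.

// Decode one form-urlencoded field the way a web server does: '+' becomes a
// space, then %XX sequences are percent-decoded.
function decodeFormField(encoded) {
  return decodeURIComponent(encoded.replace(/\+/g, ' '));
}

// Send text through each browser-side encoder and then through the server's
// decoding. escape() leaves '+' as-is, so a literal '+' comes back as a space;
// encodeURIComponent() emits %2B, so the '+' survives the round trip.
function roundTrip(text) {
  return {
    viaEscape: decodeFormField(escape(text)),
    viaEncodeURIComponent: decodeFormField(encodeURIComponent(text)),
  };
}

// Entity-encode the five characters that let text break out of an HTML text
// node or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render a stored message body into a page fragment with output encoding
// applied, so markup inside the message is displayed, not interpreted.
function renderMessage(body) {
  return '<div class="post">' + escapeHtml(body) + '</div>';
}

// Constructed inputs, not data captured from the lab.
console.log(roundTrip('a+b'));
// → { viaEscape: 'a b', viaEncodeURIComponent: 'a+b' }
console.log(renderMessage('hi <script>'));
// → <div class="post">hi &lt;script&gt;</div>
```

The first output is the concrete reason the Strategy slide steers away from ‘+’ when the message is encoded with escape(); the second is what a message board that encodes on output would store and display, which is the control that stops the Task 6 worm from running when the forged message is viewed.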