Saturday, June 14, 2008

XSS Attacks and The Implications in Financial Applications

Securing web applications, and desktop applications built to interact with them through third-party web plugins, has raised the level of controls that should be in place. Apart from injection attacks (SQL injection), another attack vector is becoming clearer: 'XSS' or 'Cross Site Scripting'. In basic terms, this attack vector has three main divisions:

1. DOM-based XSS
DOM-based XSS usually works on the victim's local machine as soon as the malicious website is visited.

2. Non-Persistent
Non-Persistent XSS works by having a crafted code/URL executed so that the dynamic page is generated with the attacker's choice of code. This happens when user input is not sanitized (e.g. in search engines). This type of XSS attack works as long as the crafted URL with its pre-defined code gets executed by the victim's browser.

3. Persistent
Persistent XSS stays permanently on the malicious website, waiting to be executed on the victim's machine. It can take the form of a worm or any other malware served to the site's visitors.

Effect on Financial Applications
From a practical point of view, it is possible to steal the user's bank cookies and take over the session in one way or another. Another approach with a similar effect is transferring a $$ amount from an existing authenticated user session using a crafted URL (if the bank allows those transfers without any pre-confirmation screen).

In another scenario, an attacker can demonstrate XSS tunnelling through the use of the XSS-Shell tool. It allows an attacker to create an XSS channel between a victim and the attacker. By referencing XSS-Shell from the injected JavaScript code, the attacker can easily take control of the victim's browser (requests and responses pass through the XSS channel).
For more info: http://www.portcullis-security.com/tools/free/xssshell-xsstunnell.zip

A sample screenshot taken from "xssed.com" shows that the websites of major commercial and government organisations are affected by this threat. Only a few may be listed there, but more become known as web pen-testing progresses.

Remediation Schemes
XSS and other injection attacks can be filtered at the application layer by following tactics such as these:

- Sanitizing user input for malicious characters.
- Making sure the web application returns user values as HTML entities (instead of tags), and only after checking for malicious code.
- Using WAF technology (Web Application Firewall) such as 'ModSecurity'.
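As an added example (not code from the original post) of the second remediation point, the Python below takes the non-persistent case described earlier, a search page reflecting its query parameter, and shows the raw reflection beside the HTML-entity-encoded form. The search URL, page template and test input are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample: a crafted search URL whose "q" parameter carries
# markup instead of a plain search term (illustration only).
CRAFTED_URL = "http://bank.example/search?q=<script>alert(1)</script>"


def query_from_url(url: str) -> str:
    """Return the 'q' parameter of a search URL, or '' if absent."""
    params = parse_qs(urlparse(url).query)
    return params.get("q", [""])[0]


def encode_for_html(value: str) -> str:
    """Return the user value as HTML entities: < > & " ' become
    &lt; &gt; &amp; &quot; &#x27; so the browser treats it as text."""
    return html.escape(value, quote=True)


def render_search_vulnerable(query: str) -> str:
    """The 'before' case: the user value is written into the page as-is,
    so any tags it contains are parsed as markup (non-persistent XSS)."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Same page, but the user value is returned as HTML entities."""
    return f"<p>Results for: {encode_for_html(query)}</p>"


def reflected_raw(page: str, value: str) -> bool:
    """Check used in review or testing: does the user-supplied value
    appear in the response verbatim (i.e. unencoded)?"""
    return value in page


if __name__ == "__main__":
    q = query_from_url(CRAFTED_URL)
    for name, render in (("vulnerable", render_search_vulnerable),
                         ("safe", render_search_safe)):
        page = render(q)
        print(f"{name:10s} raw reflection: {reflected_raw(page, q)}")
        print("           ", page)
```

The check only detects verbatim reflection; it is a regression test for the encoding step, not a replacement for input validation or a WAF.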