Wednesday, June 1, 2016

XSS - Cross Site Scripting Malware





What is Cross Site Scripting (XSS)?

May 26th 2016 jetpack disclosed a XSS vulnerability discovered in their popular plugin.
We would to take this opportunity and describe what is XSS.

Cross Site Scripting or XSS attack refers to injection of the malicious code or malicious payload into pages of legitimate website. Further, when these compromised pages are visited by website users, the injected malicious code (or payload) is executed by client-side application (visitor's web browser) and performs the actual malicious action such as: redirecting visitor to another website, download and installation of malicious code, showing adult ads and etc...

In most cases, malicious code injection does not require direct access to web site files or internals. It, basically, utilizes and exploits certain kind of security vulnerability when website or web application stores and further present invalidated user input. Such unfiltered forms, pop-ups and other dynamic content is where malicious code or payload could be specially crafted into string serving JavaScript code or a link/ Iframe to another compromised website.

XSS vulnerabilities could be very trivial and be detected by XSS vulnerability scanner. However, in its complex variants it may take several years until it gets uncovered (like with Jetpack plugin where XSS vulnerability remained undetected since 2012).


XSS example

Following example show basic XSS vulnerability.

Take a look at the following web page:




If comment variable will contain pure text then user's comment will be presented as required. But if the input has something like:



Then. instead of presenting text of the comment, web browser will handle Iframe tag and download content of the Iframe's URL
which is http[://]thirdparty-site[.]xyz/drive-by-download-attack-page.php

This kind of attack known as DOM-based XSS. The same result could be achieved directly on server side during page/HTML generation .

Following PHP code depicts such kind of vulnerability:



If get_user_last_comment_from_database() call will return the same string as in previous example,
instead of presenting comment, this page will download malicious code from http[://]thirdparty-site[.]xyz/drive-by-download-attack-page.php

How to prevent XSS attacks?

The XSS vulnerable web applications are an easy target and it is just a matter of time until they'll be exploited by hackers. Hence, first step is to verify that your website is not vulnerable. If you use third party software modules, make sure proper input filtering is implemented. If you develop your own website, verify every piece of user input.

We think this is a good check-list for developers: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

How to detect XSS infection on your website?

Here at Quttera, we deal with XSS and other malware on a daily basis. If you need our help in identifying and removing the infection from your site we are here to help.

ThreatSing! Website Antimalware scans and verifies every link on scanned web page. Comprehensive report notifies website owners about detected malicious & blacklisted links.