Wednesday, March 05, 2008

XSS and CSRF attacks

Of late, I have been doing a lot of study to understand 'Cross-Site Scripting' attacks and 'Cross Sitre Request forging' attacks.
XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc. http://www.technicalinfo.net/papers/CSS.html
http://www.shocking.com/~rsnake/xss.html

How to prevent XSS atacks? Tips from the www.owasp.org site
1. Use proper input validation techniques
2. Encoding the output. This includes data read from files and databases.
For input validation, its better to go for a ‘positive’ security policy that specifies what is allowed rather than a ‘Negative’ or attack signature based policies as they are difficult to maintain and are likely to be incomplete.

The following link at MSDN contains some good info about preventing XSS attacks:
http://msdn2.microsoft.com/en-us/library/ms998274.aspx
Microsoft even has a "Anti-Cross Site Scripting Library" available at:
http://msdn2.microsoft.com/en-us/library/aa973813.aspx

The OWASP site defines CSRF as follows:
Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, like change the victim's e-mail address, home address, or password, or purchase something. CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data.

One technique to prevent event CSRF attacks is to use the 'Token Synchronization' pattern. Sample filters for JEE and .NET are available on the OSWAP site at the following links:
http://www.owasp.org/index.php/CSRF_Guard
http://www.owasp.org/index.php/.Net_CSRF_Guard