
Page 390

Cross-Site Scripting and Cross-Site Request Forgery

Cross-Site Scripting (XSS) leverages third-party execution of web scripting languages such as JavaScript within the security context of a trusted site. Cross-Site Request Forgery (CSRF, or sometimes XSRF) leverages third-party redirect of static content within the security context of a trusted site. Cross-Site Scripting and Cross-Site Request Forgery are often confused. Both are web attacks; the difference is that XSS executes a script in a trusted context, for example:

<script>alert("XSS Test!");</script>

The previous code would pop up a harmless “XSS Test!” alert. A real attack would include more JavaScript, often stealing cookies or authentication credentials. XSS may also be used to “hook” browsers, which allows an attacker to take remote control of a user’s browser and pivot through it. A pivot allows the attacker to establish a foothold “behind enemy lines” (behind the firewall) and surf to internal websites, etc. To learn more about this concept, see the BeEF (Browser Exploitation Framework) project at http://beefproject.com/.

CSRF often tricks a user into processing a URL (sometimes by embedding the URL in an HTML image tag) that performs a malicious act, for example, tricking a white hat into rendering the following image tag:

<img src="https://bank.example.com/transfer-money?from=WHITEHAT&to=BLACKHAT">

Privilege Escalation

Privilege escalation vulnerabilities allow an attacker with (typically limited) access to reach additional resources. Vertical escalation leverages non-privileged access into higher-level access. One example is escalating privileges from a normal UNIX user into root access (UID 0).

Horizontal escalation allows an attacker to access other accounts, such as pivoting from one non-privileged account to another (with access to different resources).

Improper software configurations and poor coding and testing practices often cause privilege escalation vulnerabilities.
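Both forms of escalation show up in web applications as missing authorization checks: horizontal when a handler trusts a record identifier without asking who owns the record, vertical when a role is taken from the request instead of from server-side state. The following Node.js code is an added example, not from the book; the in-memory accounts, the users alice, bob and carol and the role table are constructed stand-ins for a database and session store.

```javascript
// Added example (not from the book): object-level and role checks that
// close horizontal and vertical escalation in a small account service.
// ACCOUNTS and ROLES are constructed in-memory stand-ins for a database.
const ACCOUNTS = {
  "acct-100": { owner: "alice", balance: 500 },
  "acct-200": { owner: "bob", balance: 1200 },
};
const ROLES = { alice: "user", bob: "user", carol: "admin" };

// Horizontal escalation, vulnerable form: any authenticated user can read
// any account simply by changing the id in the request.
function getAccountUnsafe(session, accountId) {
  const acct = ACCOUNTS[accountId];
  return acct ? { status: 200, account: acct } : { status: 404 };
}

// Hardened: the caller must own the object (or hold the admin role).
// The identity comes from the server-side session, never from the request.
function getAccountSafe(session, accountId) {
  const acct = ACCOUNTS[accountId];
  if (!acct) return { status: 404 };
  const isOwner = acct.owner === session.user;
  const isAdmin = ROLES[session.user] === "admin";
  if (!isOwner && !isAdmin) return { status: 403, error: "not your account" };
  return { status: 200, account: acct };
}

// Vertical escalation, vulnerable form: the role is read from the request
// body, so a user becomes admin by claiming role=admin.
function setRoleUnsafe(request) {
  if (request.body.role !== "admin") return { status: 403 };
  ROLES[request.body.target] = request.body.newRole;
  return { status: 200, roles: { ...ROLES } };
}

// Hardened: the role is looked up from the authenticated user's server-side
// record; nothing the client sends can change which branch is taken.
function setRoleSafe(session, request) {
  if (ROLES[session.user] !== "admin") return { status: 403, error: "admin only" };
  ROLES[request.body.target] = request.body.newRole;
  return { status: 200, roles: { ...ROLES } };
}

// Constructed demonstration: bob's session asking for alice's account.
const bobSession = { user: "bob" };
console.log(getAccountUnsafe(bobSession, "acct-100").status); // 200: horizontal escalation
console.log(getAccountSafe(bobSession, "acct-100").status);   // 403: blocked
console.log(getAccountSafe(bobSession, "acct-200").status);   // 200: his own account
```

The pattern is the same in both halves: every authorization decision is derived from server-side state keyed by the authenticated principal, and the request is only allowed to name the object or action, never the permission. Logging the 403s from `getAccountSafe` is also a cheap detection signal, since a burst of them from one session is what enumeration of other users' records looks like.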

Backdoors

Backdoors are shortcuts in a system that allow a user to bypass security checks (such as username/password authentication) to log in. Attackers will often install a backdoor after compromising a system. For example, an attacker gains shell access to a system by exploiting a vulnerability caused by a missing patch. The attacker wants to maintain access (even if the system is patched), so she installs a backdoor to allow future access.