Anti XSS AJAX
XSS has become a problem that most web developers are still suffering from today. However hard you try to validate every user input, it only takes a single line of code that prints user input without validation to render your whole application vulnerable to XSS, and once you are vulnerable, several attack methods can be applied against the users of your web application; some of these attacks, like the one I’ve demonstrated before, can be really dangerous and undetectable. We all know that perfect code is an illusion, and we also know that several bugs pass the testing phase undetected, especially if the testers were testing without security in mind, so it is quite normal to have a web application that is vulnerable to XSS even after testing it several times. So what about a risk mitigation plan for the case where XSS vulnerabilities show up after the product has been deployed in the live environment? Imagine if we could have a safety valve that stops a catastrophe from happening. But how? To answer this question we have to think about the following:
1- XSS attacks basically happen on the client side.
2- XSS attacks usually happen using JavaScript.
After considering the previous two points we can conclude that to stop an XSS attack that has passed through our server-side defenses and validations, we need to stop it on the client side. Because XSS attacks basically depend on JavaScript, which means the existence of <script> tags in the attacker’s code, we can use JavaScript to filter the HTML returned from the server, identify the attacker’s JavaScript and warn the user about it, or even warn the site admin so s/he becomes aware of the attack and can do something about it. But the real question now is how to tell the attacker’s JavaScript from our legitimate JavaScript. Well, we can do this by supplying something like a signature with our legitimate JavaScript, so we can distinguish it from the malicious JavaScript injected into our pages, and use another piece of JavaScript that filters the page content, identifies the unsigned JavaScript as the attacker’s script and takes some action on the client side whenever it is found. Here is an example:
<html>
<body>
<?php
// our signature will be a random number generated by the server
$signature = rand();
?>
<!-- here is our legitimate script with the signature as its element id -->
<script id="<?php echo $signature ?>">
alert("hello world")
</script>
<!-- here is the injected attacker script that doesn't have the signature -->
<script>
alert("evil code")
</script>
<!-- here is a more evil script where the attacker will try to imitate the signature -->
<script id="1234">
alert("more evil code")
</script>
<!-- here is the script that will do the check, and of course it has the signature too -->
<script id="<?php echo $signature ?>">
// the signature is compared as a string, because element ids are always strings
var signature = "<?php echo $signature ?>";
// here we gather all the script tag elements in one array
var scripts = document.getElementsByTagName("script");
for (var i = 0; i < scripts.length; i++)
{
    // an element without an id attribute has an empty id, not a null one
    if (scripts[i].id)
    {
        // then we compare it with our signature; if it's invalid we warn the user/admin
        if (scripts[i].id != signature)
            warn(scripts[i].innerHTML);
    }
    else // else if there is no signature in the 1st place we warn the user/admin
        warn(scripts[i].innerHTML);
}

function warn(attackscript)
{
    // here we create our XMLHttpRequest object
    var xmlHttp = GetXmlHttpObject();
    // and here we create a request string to our logger script, then send the attacker script
    // to be logged for later analysis so we can tell what exactly happened;
    // the script body is URL-encoded so it survives the trip as a query parameter
    var url = "http://host/logger.php?attackscript=" + encodeURIComponent(attackscript);
    xmlHttp.open("GET", url, true);
    xmlHttp.send(null);
    // then we warn the user about what is going on and advise him/her to change his/her password
    alert("put your favorite warning message here");
}

// the rest of this code is the code that is responsible for creating
// the XMLHttpRequest object for different browsers
function GetXmlHttpObject()
{
    var xmlHttp = null;
    try
    {
        // Firefox, Opera 8.0+, Safari
        xmlHttp = new XMLHttpRequest();
    }
    catch (e)
    {
        // Internet Explorer
        try
        {
            xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
        }
        catch (e)
        {
            xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
        }
    }
    return xmlHttp;
}
</script>
</body>
</html>
In this example we used the rand() function to generate a random number that signs every legitimate script in the page, distinguishing it from other, malicious scripts. When a malicious script is found, the user can be alerted and advised, for example, to change his/her password, while the malicious script’s content is sent to the logger script, which may look like this:
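As an added example (not the article’s code), here is the same signature check written as a pure function that runs outside a browser: the script list is an array of {id, text} objects standing in for the DOM script nodes, and the signature value and logger host are constructed. The optional extra fields on the log URL carry the referrer or user name the article suggests logging further below.

```javascript
// Added example, not the article's code. `scripts` is an array of objects shaped
// like DOM <script> nodes ({ id, text }); in a real page you would pass
// Array.from(document.scripts) instead.
const SIGNATURE = "582910"; // constructed stand-in for the server's rand() value

// Return every script whose id does not equal the signature. Ids are compared as
// strings because the DOM id property is always a string (empty when absent),
// which is also why a missing id and a guessed id are handled by one comparison.
function findUnsignedScripts(scripts, signature) {
  const sig = String(signature);
  return scripts.filter(s => String(s.id || "") !== sig);
}

// Build the logger URL that warn() sends. The script body is percent-encoded:
// a raw '&', '#' or '+' in the payload would otherwise truncate or corrupt the
// logged text. `extra` holds additional fields such as { referer, user }.
function buildLogUrl(loggerBase, attackScript, extra = {}) {
  const params = new URLSearchParams({ attackscript: attackScript, ...extra });
  return loggerBase + "?" + params.toString();
}

// Constructed sample page: one legitimate script, one unsigned script and one
// that tries to imitate the signature, as in the article's example.
const samplePage = [
  { id: SIGNATURE, text: 'alert("hello world")' },
  { id: "",        text: 'alert("evil code")' },
  { id: "1234",    text: 'alert("more evil code")' },
];

// Stand-alone run: print what the checker would report and the URL it would hit.
if (typeof require !== "undefined" && require.main === module) {
  for (const s of findUnsignedScripts(samplePage, SIGNATURE)) {
    console.log("unsigned script:", s.text);
    console.log("  log url:", buildLogUrl("https://host.example/logger.php", s.text,
      { referer: "https://referrer.example/page" }));
  }
}
```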
<?php
// the attacker script arrives as the "attackscript" query parameter sent by warn()
$attackscript = isset($_GET['attackscript']) ? $_GET['attackscript'] : '';
$file = fopen("log.txt", "a");
$timestamp = date("D dS M,Y h:i a");
fwrite($file, "$timestamp\n");
fwrite($file, "$attackscript\n--------------------\n");
fclose($file);
?>
This logs the malicious script contents so the site admin can analyze the attack later. The log file will look something like this:
--------------------
Fri 20th Jul,2007 12:38 am
alert(\"evil code\")
--------------------
Fri 20th Jul,2007 12:41 am
alert(\"more evil code\")
--------------------
We can also log other, more important information, such as the referral URL the user got this link from, so we can tell how the attack was carried out, whether by mass mail or other means. We can also log the user name, so we can contact him/her to help or to get more information about the attack.
As we can see, AJAX programming techniques can give us an early warning and make it harder for an attacker to probe your application for XSS vulnerabilities without you being aware of it. But this technique has a very big drawback: it only warns the user after the damage is already done. The reason is the very nature of JavaScript as a sequential scripting language that the browser loads from the web server in order, so our warning script must be at the end of the page so that it loads last, after the whole page has loaded, and can parse the scripts that loaded before it; otherwise it won’t be able to parse the scripts that haven’t loaded yet. Yes, we can make it wait, or run it every few milliseconds while the page is loading, but unfortunately we won’t be able to run it exactly when the malicious script is loaded and before it executes. Being at the end of the page means it runs last, after the attacker’s code has already done the damage, or perhaps has already redirected the user to another page before our warning script executes. There would be a very good solution to this if JavaScript supported a sleep() function: the checker could sit at the beginning of the page, sleep until the whole page has loaded and then parse the page, thus not allowing any other JavaScript to run until it has been validated. Unfortunately sleep() is not supported in JavaScript. There is a solution, but not a very practical one: the script enters a loop until the page has loaded and then starts parsing the page, but this takes 100% of the CPU and users will hate your web page because it lags their machines. Another solution is to fully AJAX the web page: request the page’s HTML content using the XMLHttpRequest object and update the page with it every time the user clicks a new link, then validate the JavaScript in it, but that would require too much AJAX work.
I hope you liked this article, and I’m waiting for your feedback and comments.
Thanks for reading.