Project's page on XSS notes, the name “cross-site scripting” is something of a misnomer. A Web Developer's Guide to Cross-Site Scripting.Preventing Cross- Site Scripting From Uploads - SAP Net. Weaver Security Guide. Cross- site scripting (XSS) is caused by web application that allow attackers to inject active content. A user agent, such as a web browser, runs the active content on the client side, circumventing the security policies of the client (for example, the same origin policy). This section focuses on those scenarios, where an end user can upload files to a repository. The files uploaded can contain active content and offer a potential attack surface. Figure 1. Sequence of a Cross- Site Scripting Attack. The attacker, Mallory, uploads a document with malicious content to the document storage of the SAP system. When Alice downloads the document, her client or user agent executes the active content in her session context.
This execution enables Mallory to perform the XSS attack. Attack Scenarios. Different types of documents allow for different ways to attack a system. Some example scenarios are as follows: Files with active content. MIME type sniffing. Files with Active Content. The following table lists examples of how an attacker could use a file upload function to build an XSS attack using active content. File Type. . HTMLThe browser of the user interprets HTML files in the same session. The option to upload an HTML file provides a direct option to craft an XSS attack with Java. Script. JARIf a web browser loads a Java applet from a trusted site, the browser provides no security warning. If an attacker can upload a JAR file with an applet, the file is executed even if the web page, which embeds the applet is located on a different site. Neither the. . Content. Type nor the file type matter in this scenario, as long as the JAR file is valid. Flash. Similar to unsigned Java applets, but for Flash files (. The. . Content. Type does not matter in this scenario, as long as it is a valid. Silverlight. Similar to unsigned Java applets, but for Silverlight files (. The. . Content. Type does not matter in this scenario, as long as it is a valid. XMLThis attack is not directly obvious to the user. The attack uses the extensible style sheet language transformations (XSLT) capabilities of modern browsers. XSLT is a standard mechanism to transform an XML file with an XSL transformation (using an XSL style sheet) to some other content type. This enables the attacker to inject active code with the XSL style sheet. Although the document looks like plain XML to the user, the browser treats the document as HTML with Java. Script. MIME Type Sniffing. This attack is similar to uploading an HTML file, but not directly obvious to the user. The attack uses a browser mechanism called MIME type sniffing to hide HTML or Java. Script in another file type, such as PDF. MIME type sniffing is a mechanism implemented by web browsers to compensate for misconfigured web servers providing the wrong MIME type for a file. When a web browser receives an unspecific. Preventing Cross-Site Scripting Attacks Cross-site scripting involves the injection of malicious scripts into web pages. Step 3 In the Cross-Site Scripting (XSS). Application scans, 17% were vulnerable to XSS. Cross-Site-Scripting (XSS; deutsch. Cross-site scripting (XSS) is caused by web application that allow attackers to inject active content. Content. Type header value like. MIME type of the file by parsing the first bytes of the binary content stream. Some web browsers can be tricked to assume. HTML (executing Java. Script). Although the document looks like a PDF to the user, the browser treats the file as HTML with Java. Script. Such files, which pretend to be a MIME type different from the one the browser guesses from its algorithm for MIME type sniffing, are also known as chameleon files. Example. Microsoft Internet Explorer 7. Java. Script embedded in a. PDF signature. %PDF- , and pretends to be a PDF file. Countermeasures. Ways to avoid an XSS attack from an uploaded file include the following: Block the upload of files with active content to the server. Block execution on the client of active content for files downloaded from the server. Figure 2. Points in a Sequence Where a Cross- Site Scripting Attack Can Be Blocked. Use the virus scan interface to block active content on the SAP Net. Weaver Application Server. For more information, see. Virus Scan Interface . For more information about how to implement server- side countermeasures for your custom development, see. Secure Programming . Blocking the execution of active content on the client side depends on the browser being used, including the plug- ins. For more information, see the documentation of the browser vendor.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
November 2017
Categories |