Question

1) Some people group XSS attacks with XSRF attacks, while others think they should be considered separate. Make an argument that they are different and do this with an example of an attack under each (illustrating their differences).

2) Suppose I want to do a XSS attack that executes through someone’s brower, but I know the server blacklists the string Dogs as well as the word script. Describe at least two distinct ways to bypass this filter and give me the strings that do so.

Answer 1

As we know Cross-site request forgery is a type of web attack which destroys the trust of a website in the user’s browser. Furthermore,the attacker manipulates the victim’s browser to send requests in the user’s name to websites that he has visited or are currently visiting, without the victim knowing about these activities happening in the background.

On the other hand xss destroys the trust of the victim’s browser in a web server. While CSRF does not require the presence of a vulnerabiliy, XSS needs a vulnerability in order to be successful.

The two attacks are different and are opposites when it comes to damage, popularity and ease of enacting.

Example: if the victim is an accountant for a small business, making online payments to suppliers and contractors on a daily basis, it is highly likely that the victim’s browser has authentication cookies available for the online payment website or web application. Now Assuming that the attackers already have the knowledge of the online payment web application, they can create legitimate Money transfer requests then trick the victims into visiting the malicious web pages that will manipulate their browser into sending these requests to the online payment system. The end result may be the online payment system transferring funds to the target account.

Ans 2) To avoid the blacklist the use of various filter evasion techniques are required which may seem tivialat first. The naïve blacklist that blocks words or patterns of words can be circumvented by using context-specific encodings that the browser will then decode and interpret as code.

e.g. using JavaScript encoding when the landing space is a JavaScript context.

Alternative forms of JavaScript function calls or property accessors are also useful in getting around the blacklist. Because of the flexibility of HTML and JavaScript, bypassing a blacklist filter can be done with small but informed effort.