Self-XSS

Last updated

Self-XSS (self cross-site scripting) is a type of security vulnerability used to gain control of victims' web accounts. In a Self-XSS attack, the victim of the attack runs malicious code in their own web browser, thus exposing personal information to the attacker. [1]

Contents

Overview

A Self-XSS attack warning on a browser's web developer console Self-XSS attack warning.jpg
A Self-XSS attack warning on a browser's web developer console

Self-XSS operates by tricking users also into copying and pasting malicious content into their web browser. This includes both where a user copies a payload into an input, and in the web developer console. [1] Usually, the attacker posts a message that says by copying and running certain code, the user will be able to receive virtual rewards or hack a website. In fact, the code allows the attacker to hijack the victim's account. [2] Self-XSS usually has very low impact, however, chaining it with a cross-site request forgery vulnerability escalates its impact to that of typical cross-site-scripting. [3]

History and mitigation

In the past, a very similar attack took place, in which users were tricked into pasting malicious JavaScript into their address bar. When browser vendors stopped this by preventing easily running JavaScript from the address bar, [4] [5] attackers started using Self-XSS in its current form. Web browser vendors and web sites have taken steps to mitigate this attack. Firefox [6] and Google Chrome [7] have both begun implementing safeguards to warn users about Self-XSS attacks. Facebook and others now display a warning message when users open the web developer console, and they link to pages explaining the attack in detail. [8] [9]

Etymology

The "self" part of the name comes from the fact that the user is attacking themselves. The "XSS" part of the name comes from the abbreviation for cross-site scripting, because both attacks result in malicious code running on a legitimate site. However, Self-XSS has much less impact than most other XSS vulnerabilities because it relies on social engineering. Additionally, the risk of Self-XSS arising from using the web developer console cannot be eliminated by the site operator, [10] unlike other XSS vulnerabilities which can be solved.

Related Research Articles

<span class="mw-page-title-main">JavaScript</span> High-level programming language

JavaScript, often abbreviated as JS, is a programming language and core technology of the Web, alongside HTML and CSS. 99% of websites use JavaScript on the client side for webpage behavior.

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. During the second half of 2007, XSSed documented 11,253 site-specific cross-site vulnerabilities, compared to 2,134 "traditional" vulnerabilities documented by Symantec. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network.

<span class="mw-page-title-main">Phishing</span> Form of social engineering

Phishing is a form of social engineering and a scam where attackers deceive people into revealing sensitive information or installing malware such as viruses, worms, adware, or ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim navigates the site, and transverses any additional security boundaries with the victim. As of 2020, it is the most common type of cybercrime, with the FBI's Internet Crime Complaint Center reporting more incidents of phishing than any other type of cybercrime.

<span class="mw-page-title-main">Privilege escalation</span> Gaining control of computer privileges beyond what is normally granted

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application or user with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

In computing, Download.ject is a malware program for Microsoft Windows servers. When installed on an insecure website running on Microsoft Internet Information Services (IIS), it appends malicious JavaScript to all pages served by the site.

This is a comparison of both historical and current web browsers based on developer, engine, platform(s), releases, license, and cost.

Code injection is a class of computer security exploit in which vulnerable computer programs or system processes fail to correctly handle external data, such as user input, leading to the program misinterpreting the data as a command that should be executed. An attacker using this method "injects" code into the program while it is running. Successful exploitation of a code injection vulnerability can result in data breaches, access to restricted or critical computer systems, and the spread of malware.

<span class="mw-page-title-main">Mozilla Application Suite</span> Discontinued Internet suite

The Mozilla Application Suite is a discontinued cross-platform integrated Internet suite. Its development was initiated by Netscape Communications Corporation, before their acquisition by AOL. It was based on the source code of Netscape Communicator. The development was spearheaded by the Mozilla Organization from 1998 to 2003, and by the Mozilla Foundation from 2003 to 2006.

NoScript is a free and open-source extension for Firefox- and Chromium-based web browsers, written and maintained by Giorgio Maone, a software developer and member of the Mozilla Security Group.

<span class="mw-page-title-main">HTTP cookie</span> Small pieces of data stored by a web browser while on a website

HTTP cookies are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's web browser. Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user's device during a session.

JSONP, or JSON-P, is a historical JavaScript technique for requesting data by loading a <script> element, which is an element intended to load ordinary JavaScript. It was proposed by Bob Ippolito in 2005. JSONP enables sharing of data bypassing same-origin policy, which disallows running JavaScript code to read media DOM elements or XMLHttpRequest data fetched from outside the page's originating site. The originating site is indicated by a combination of URI scheme, hostname, and port number.

An XSS worm, sometimes referred to as a cross site scripting virus, is a malicious payload, usually written in JavaScript, that breaches browser security to propagate among visitors of a website in the attempt to progressively infect other visitors. They were first mentioned in 2002 in relation to a cross site scripting vulnerability in Hotmail.

<span class="mw-page-title-main">Clickjacking</span> Malicious technique of tricking a Web user

Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.

<span class="mw-page-title-main">Malvertising</span> Use of online advertisement or advertising to spread malware

Malvertising is the use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Because advertising content can be inserted into high-profile and reputable websites, malvertising provides malefactors an opportunity to push their attacks to web users who might not otherwise see the ads, due to firewalls, more safety precautions, or the like. Malvertising is "attractive to attackers because they 'can be easily spread across a large number of legitimate websites without directly compromising those websites'."

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website or web application where unauthorized commands are submitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript fetch or XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account.

<span class="mw-page-title-main">WebCL</span>

WebCL is a JavaScript binding to OpenCL for heterogeneous parallel computing within any compatible web browser without the use of plug-ins, first announced in March 2011. It is developed on similar grounds as OpenCL and is considered as a browser version of the latter. Primarily, WebCL allows web applications to actualize speed with multi-core CPUs and GPUs. With the growing popularity of applications that need parallel processing like image editing, augmented reality applications and sophisticated gaming, it has become more important to improve the computational speed. With these background reasons, a non-profit Khronos Group designed and developed WebCL, which is a Javascript binding to OpenCL with a portable kernel programming, enabling parallel computing on web browsers, across a wide range of devices. In short, WebCL consists of two parts, one being Kernel programming, which runs on the processors (devices) and the other being JavaScript, which binds the web application to OpenCL. The completed and ratified specification for WebCL 1.0 was released on March 19, 2014.

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. It is a Candidate Recommendation of the W3C working group on Web Application Security, widely supported by modern web browsers. CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website—covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX, audio and video files, and other HTML5 features.

Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-site scripting (XSS) with a secondary payload using Adobe Flash. Security exploits can also take advantage of vulnerabilities that are commonly exploited in all browsers.

Mozilla is a free software community founded in 1998 by members of Netscape. The Mozilla community uses, develops, publishes and supports Mozilla products, thereby promoting exclusively free software and open standards, with only minor exceptions. The community is supported institutionally by the non-profit Mozilla Foundation and its tax-paying subsidiary, the Mozilla Corporation.

History sniffing is a class of web vulnerabilities and attacks that allow a website to track a user's web browsing history activities by recording which websites a user has visited and which the user has not. This is done by leveraging long-standing information leakage issues inherent to the design of the web platform, one of the most well-known of which includes detecting CSS attribute changes in links that the user has already visited.

References

  1. 1 2 Scharr, Jill (July 28, 2014). "Facebook Scam Tricks Users Into Hacking Themselves". Tom's Guide US. Purch . Retrieved September 27, 2014.
  2. "Social Networking Security Threats". Sophos. n.d. Retrieved September 27, 2014.
  3. Stephens, Luke (2021-03-25). "The Ultimate Guide to Finding and Escalating XSS Bugs | @Bugcrowd". Bugcrowd. Retrieved 2024-10-04.
  4. "Bug 656433 – Disallow javascript: and data: URLs entered into the location bar from inheriting the principal of the currently-loaded page". Bugzilla. Mozilla Foundation. May 11, 2011. Retrieved September 28, 2014.
  5. "Issue 82181: [Linux] Strip javascript: schema from pastes/drops to omnibox". Google Code . May 10, 2011. Retrieved September 28, 2014.
  6. "Bug 994134 – Warn first-time users on pasting code into the console". Bugzilla. Mozilla Foundation. April 9, 2014. Retrieved September 28, 2014.
  7. "Issue 345205: DevTools: Combat self-XSS". Google Code . May 10, 2011. Retrieved September 28, 2014.
  8. "What do Self-XSS scams look like?". Facebook Help. Facebook. July 11, 2014. Retrieved September 27, 2014.
  9. "What is Self-XSS?". Facebook Help. Facebook. July 15, 2014. Retrieved September 27, 2014.
  10. Ilascu, Ionut (July 28, 2014). "Hackers Trick Facebook Users into Self Cross-Site Scripting (XSS) Scam". Softpedia . SoftNews NET SRL. Retrieved September 27, 2014.

Further reading

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.