Phishing is a topic most people are aware of, and wary of, yet many of these attacks originate with cross-site scripting (XSS). When a phishing attack includes an XSS component it becomes harder to spot and more damaging. Do you, as a developer or end user, know how to mitigate your risk when it comes to XSS phishing attacks?
Phishing attacks come in all shapes and sizes and, even in 2016, they show no sign of stopping. From those creative emails about Nigerian princes that need to hide their wealth to schemes that impersonate trusted banks and eCommerce websites, phishing can occur wherever the internet is being used.
Phishing works through social engineering: the attacker manipulates people into breaking normal security procedures or exposing sensitive information (such as a home address, or even credit card details) that can then be used to carry out a full attack on them. While early phishing attempts saved time by sending mass emails that did not even include the customer’s name, the recent trend has been spear phishing, which zeroes in on certain people or groups (think elderly people) for a higher chance of success. Spear phishing greatly increases the apparent “legitimacy” of the fraudulent communication.
Successful phishing attacks happen when an unsuspecting internet user is tricked into giving their personal details to a malicious third party posing as a bank, ecommerce vendor or any other trusted institution or organization. Early phishing was often done via mass generic emails to the customers of a certain bank or institution, warning the user about an “urgent” problem with their account and including what appeared to be a legitimate link to the bank’s or trusted company’s website.
This link would usually be a hyperlink whose visible text looked like the trusted entity’s address, such as www.mybank.com/account, while the URL underneath the hyperlinked text pointed to a malicious look-alike website. Once the unsuspecting user gives away their personal information, or even a small portion of it, the attackers are able to either access the account directly or work out the correct login details from the personal data the user has provided.
With the number of spam filters in place and the general awareness of email scams, attackers are turning to more sophisticated phishing methods. In 2015, the top phishing techniques, or lures, included fraudulent e-Fax communications with malicious URLs leading to “faxes,” invoices, fake order confirmations from trusted brands, social networks, and solicitations for job offers, romantic meetups and more. Phishing attacks in 2015 also delivered ransomware, in which a company or individual has access to their own system limited or blocked and is forced to pay a ransom to the attacker to regain access to their data.
Cross-site scripting, or XSS, occurs when a malicious party injects client-side script into a web page so that the unsuspecting user’s browser treats the script as if it came from the trusted site. Once the browser executes the script, the malicious party can access any cookie, session token or other sensitive data the browser holds for that site and use them on that site.
Exploitable URL-based XSS vulnerabilities add another, more sinister layer to conventional phishing attacks and are much harder to spot. Simpler phishing attacks without an XSS component rely on fake links, such as the text of a trusted URL hyperlinked to another website, or a trusted brand’s domain with a digit inserted to make the fake link look as real as possible (www.mybank1.com). These links may look genuine to a victim who is upset and frantic that their account balance may be in jeopardy, but they can be spotted relatively easily if you look in the right places.
Phishing attacks with an XSS component often put the malicious payload in the query string of the URLs sent to victims, which makes the fake URL harder to spot for experienced users and internet novices alike. Query strings make phishing attacks much more effective because the link uses the real website’s own domain rather than a shady subdomain (www.mybank.register.com) or a look-alike domain (www.mybank1.com/accountsecurity).
For example, in the URL www.mybank.com/program?querystring, the text after the “?” is the query string, which is passed to the program at www.mybank.com. Attackers use this part of the URL to craft query strings that carry code rather than data values, so that the targeted website ends up carrying out the attacker’s instructions. Such a query string could appear as www.mybank.com/?q=%28%22%3Ciframe+src%3D%27http%3A%2F%2F… where each % sign followed by two hexadecimal digits is a URL-encoded character; once decoded and echoed into the page, these characters become markup and script that the browser executes.
If a victim clicks a link that includes malicious code, the trust they have placed in the site is erroneously extended to the fraudulent code in the URL, putting the user in grave danger of having their personal data exploited.
As opposed to phishing attacks based on URL spoofing, which are limited by nature because they occur on fake sites, XSS phishing attacks are carried out on the trusted website itself, which gives attackers a large advantage. XSS attacks occur at all levels, from small business websites to those of large multinational corporations and financial institutions, despite the precautions that companies can take to prevent them.
What sets XSS phishing attacks apart from other attacks, like SQL injection, is the fact that they go after the organization’s back end rather than one user. The credibility and financial losses at stake when organizations and users are exploited by phishing attacks involving XSS are incredibly high, and every precaution must be taken to mitigate these risks.
Some of the most targeted sites for XSS phishing attacks hold our most sensitive data (ecommerce sites, banking and finance portals, etc.) so it’s imperative that both end users and organizations know how to mitigate the risks posed by XSS attacks.
For end users, it’s very important to use common sense while you browse online. Pay extra attention to any offer that seems too good to be true and make sure to be on the lookout for spelling and grammar mistakes from communications that seem to be from a brand that you trust.
For developers, be sure to validate user-submitted input and encode it on output. Additionally, whitelist inputs, accepting only expected characters, and use an encoder library such as Microsoft’s AntiXSS. While developing, don’t ignore paths where input from an HTTP request could make its way to the output. Also, never store passwords in cookies.
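The following added example (my own code, not from the article or Checkmarx) decodes a query string written in the same style as the one shown earlier and contrasts a handler that reflects it raw with one that applies the allowlist-plus-output-encoding advice above. The URL, the `phish.example` host and the `q` parameter are constructed for the demonstration.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample in the style of the article's example; the host is a
# placeholder, not a real site.
ENCODED_Q = "%28%22%3Ciframe+src%3D%27http%3A%2F%2Fphish.example%27%3E"
SAMPLE_URL = "http://www.mybank.com/?q=" + ENCODED_Q


def decode_query(encoded):
    """Turn the %XX escapes (and '+') back into the characters the server sees."""
    return unquote_plus(encoded)


def q_from_url(url):
    """Extract the decoded 'q' parameter the way a web framework would."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(q):
    """Reflects the decoded parameter straight into HTML: the reflected XSS bug."""
    return f"<p>Results for: {q}</p>"


# Allowlist: only the characters a search term is expected to contain.
ALLOWED = re.compile(r"[A-Za-z0-9 .,-]{1,64}")


def render_hardened(q):
    """Allowlist the input, then HTML-encode it before it reaches the page."""
    if not ALLOWED.fullmatch(q):
        q = ""  # reject unexpected characters instead of trying to 'clean' them
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def render_encoded_only(q):
    """Output encoding alone: even with no allowlist, no tag can be created."""
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def contains_markup(rendered):
    """Crude check used here to show whether a tag survived into the output."""
    low = rendered.lower()
    return "<iframe" in low or "<script" in low


if __name__ == "__main__":
    q = q_from_url(SAMPLE_URL)
    print("decoded q:", q)
    print("vulnerable:", render_vulnerable(q))
    print("hardened:  ", render_hardened(q))
    print("encoded:   ", render_encoded_only(q))
```

Output encoding is the control that matters most here; the allowlist is defence in depth for parameters whose legitimate values are predictable.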
For organizations, it’s critical to provide ongoing application security training for developers while implementing a secure Software Development Life Cycle. Also, to ensure that your application’s code is free from XSS vulnerabilities, use a mixture of black-box and white-box testing, including static code analysis.
Lastly, avoid relying on your WAF to detect and stop XSS. To create a culture of secure development awareness at your organization, be sure to measure, analyze and adapt your application security processes on a regular basis.
Stay safe while browsing and coding, and if you can think of any more tips to avoid XSS phishing attacks, post them in the comments below!