
Instant Messaging and Cross Site Scripting (XSS)


Seminar Paper, 2011, 29 Pages

Author: MSc. Katharina Kurek

Computer Science - IT-Security


Cross-Site Scripting is a widespread kind of attack. It has been reported and exploited since the 1990s and has become more and more important in the era of Web 2.0. Roughly 80 percent of all security vulnerabilities are Cross-Site Scripting [Syman2007]. So far, however, Cross-Site Scripting has been treated as a web application security hole, and everyone has focused on the secure programming of web applications. Beyond web applications, there are many more channels of data exchange, such as instant messaging. Instant messaging clients have been developed further and are now able to interpret HTML. This new potential for security holes is the emphasis of this work. The focus is on the question: Is it possible to execute JavaScript in file system context?

Excerpt


Table of Contents

1 Abstract

2 Introduction

3 Overview

3.1 Cross-Site Scripting (XSS)

3.1.1 Reflected XSS

3.1.2 Stored XSS

3.1.3 DOM injection

3.2 Instant Messaging and Cross-Site Scripting (XSS)

3.2.1 ICQ

3.2.2 Miranda IM

3.2.3 Pidgin

3.2.4 Climm

4 Testing

4.1 Preparations

4.1.1 Platform adaptations

4.1.2 Analysing activities

4.2 Message Box

4.2.1 XSS Cheat Sheet

4.2.2 HTML Tags

4.2.3 CSS Expressions

4.3 Files

4.3.1 Maliciously Formed Names

4.3.2 Malicious Content

5 Conclusion

Research Objectives and Themes

This paper examines the potential for executing Cross-Site Scripting (XSS) attacks not only within traditional web browser contexts but also through modern instant messaging (IM) clients. The central research question investigates whether JavaScript code can be executed in a file system context by exploiting vulnerabilities in how IM clients handle and interpret diverse data formats like HTML and SVG.

  • Security analysis of IM clients (specifically ICQ, Miranda IM, Pidgin, and Climm).
  • Evaluation of XSS attack vectors in non-browser messaging environments.
  • Investigation of file handling and input validation weaknesses in IM applications.
  • Assessment of malicious payload delivery through file transfers and specifically crafted file formats like SVG.

Excerpt from the Book

4.3.2 Malicious Content

PNG files

There is another way to send a prepared file with malicious content: instead of changing its name, one can change its content. Pictures are suitable for sending to a victim because they appear harmless compared to applications (*.EXE). So one could just prepare a PNG file with JavaScript code inside and send it to the victim. This does not actually work, because ICQ throws error messages stating that "this picture seems not valid". Obviously, ICQ checks files for validity in advance. But there is a way to make files appear valid. One could create a valid PNG file with a picture editor like GIMP. Leaving the content aside, the notable part is the comment one can insert right before saving the picture file. GIMP asks the user to insert a comment, which could actually be script code for this test scenario (figure ??).

After sending, one can verify that the file has been transferred properly without any errors. No execution occurs, but in some contexts this kind of attack might be successful.
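For a receiving application, the consequence of this passage is that a structurally valid PNG can still carry arbitrary text in its metadata. As an added example (not code from the paper), the Python code below walks the PNG chunks, verifies each CRC, flags textual chunks that contain script-like markers, and rebuilds the file without them. The function names, the marker pattern and the assumption that an editor's comment is stored in a tEXt, zTXt or iTXt chunk belong to this example.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_TYPES = {b"tEXt", b"zTXt", b"iTXt"}
# Heuristic markers for active content (an assumption, not a complete list).
SCRIPT_RE = re.compile(rb"<\s*script|javascript:|\bon\w+\s*=|expression\s*\(", re.I)

def chunk(ctype, data):  # length, type, data, CRC-32 over type + data
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def iter_chunks(png):
    """Yield (type, data) per chunk; reject bad signature, truncation, bad CRC."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos < len(png):
        # A short header is zero-padded and then rejected by the CRC length check.
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8].ljust(8, b"\x00"))
        end = pos + 8 + length
        data, crc = png[pos + 8:end], png[end:end + 4]
        if len(crc) != 4 or struct.unpack(">I", crc)[0] != zlib.crc32(ctype + data):
            raise ValueError("truncated chunk or bad CRC")
        yield ctype, data
        pos = end + 4

def text_payload(ctype, data):
    """Return the text body of a text chunk, inflated (capped at 1 MiB) if packed."""
    _keyword, _, rest = data.partition(b"\x00")
    packed, body = False, rest  # tEXt: plain Latin-1 text
    if ctype == b"zTXt":  # method byte, then a zlib stream
        packed, body = True, rest[1:]
    elif ctype == b"iTXt":  # flag, method, language\0, translated keyword\0, text
        packed, body = rest[:1] == b"\x01", rest[2:].split(b"\x00", 2)[-1]
    return zlib.decompressobj().decompress(body, 1 << 20) if packed else body

def scan_png(png):
    """Return (chunk type, keyword) for each text chunk matching SCRIPT_RE."""
    return [(t.decode(), d.split(b"\x00", 1)[0].decode("latin-1")) for t, d in iter_chunks(png)
            if t in TEXT_TYPES and SCRIPT_RE.search(text_payload(t, d))]

def strip_text_chunks(png):  # rebuild the file without textual metadata chunks
    return PNG_SIG + b"".join(chunk(t, d) for t, d in iter_chunks(png) if t not in TEXT_TYPES)

# Constructed sample: valid 1x1 grayscale PNG whose comment chunk holds markup.
SAMPLE = PNG_SIG + b"".join(chunk(t, d) for t, d in [
    (b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)),
    (b"tEXt", b"Comment\x00<script>alert(1)</script>"),
    (b"IDAT", zlib.compress(b"\x00\x00")), (b"IEND", b"")])
```

Stripping the textual chunks on receipt is the more robust of the two measures, since the marker scan is only a heuristic and the image data does not depend on those chunks.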

Summary of Chapters

1 Abstract: Provides a brief overview of the prevalence of XSS and introduces the research focus on its potential execution in file system contexts via instant messaging.

2 Introduction: Discusses the historical context of web security, the rise of the OWASP Top Ten, and the security challenges emerging with the evolution of instant messaging clients.

3 Overview: Explains the theoretical foundations of different XSS types and evaluates the technical features and security profiles of several instant messaging clients.

4 Testing: Describes the methodology, environment, and experimental process of sending various malicious payloads, HTML tags, and file formats through ICQ to test for vulnerabilities.

5 Conclusion: Summarizes findings on the security risks of IM clients and argues for the necessity of treating non-browser application security with the same priority as web application security.

Keywords

Cross-Site Scripting, XSS, Instant Messaging, ICQ, Web Security, JavaScript, File System, Vulnerability, HTML Injection, SVG, Payload, Blacklist, Input Validation, Cyber Security, Threat Analysis

Frequently Asked Questions

What is the primary subject of this research paper?

The paper explores the risks associated with Cross-Site Scripting (XSS) when delivered through instant messaging clients, rather than traditional web applications.

What are the central thematic areas covered?

The research covers XSS mechanics, the evolution of instant messaging clients, security testing methodologies, input validation weaknesses, and the dangers of executing scripts in a file system context.

What is the core research objective?

The primary goal is to determine if JavaScript can be executed within a file system context, effectively turning an IM client into an "entrance gate" to a victim's machine.

What methodology is employed for the study?

The author uses empirical security testing, including analyzing network traffic with Wireshark and attempting to deliver various malicious payloads, HTML structures, and specially crafted files through the ICQ messaging client.

What does the main body of the work focus on?

The main body focuses on practical testing, specifically analyzing how the ICQ client filters and interprets user input, including messages, HTML tags, CSS expressions, and file attachments.

Which keywords best characterize this work?

Key terms include Cross-Site Scripting (XSS), Instant Messaging, ICQ, Security Vulnerabilities, and File System Context.

Why was ICQ selected as the primary IM client for testing?

ICQ was chosen because it is one of the most popular IM clients, and the research aims to test the security of widely used software that has evolved to support complex features like HTML interpretation.

How does the research illustrate the danger of SVG files?

The study demonstrates that because SVG files are XML-based and can contain scriptable content, they can be used to bypass simple validation checks in IM clients, allowing JavaScript execution when opened by the recipient.


Details

Title: Instant Messaging and Cross Site Scripting (XSS)
College: Ruhr-University of Bochum (Netz und Datensicherheit)
Course: IT Sicherheit
Author: MSc. Katharina Kurek
Publication Year: 2011
Pages: 29
Catalog Number: V192840
ISBN (eBook): 9783656186878
ISBN (Book): 9783656187462
Language: English
Tags: XSS, icq
Product Safety: GRIN Publishing GmbH
Quote paper: MSc. Katharina Kurek (Author), 2011, Instant Messaging and Cross Site Scripting (XSS), Munich, GRIN Verlag, https://www.hausarbeiten.de/document/192840