XSS

CS 161 Spring 2025 - Lecture 15

Computer Science 161

Last Time: Cookies

• Cookie: a piece of data used to maintain state across multiple requests
• Set by the browser or server
• Stored by the browser
• Attributes: Name, value, domain, path, secure, HttpOnly, expires
• Cookie policy
• Server with domain X can set a cookie with domain attribute Y if the domain attribute is a domain suffix of the server’s domain, and the domain attribute Y is not a top-level domain (TLD)
• The browser attaches a cookie on a request if the domain attribute is a domain suffix of the server’s domain, and the path attribute is a prefix of the server’s path
• Cookie domain: example.com and cookie path: /some/path will be included in request to https://foo/example/com/some/path/index.html

2

Computer Science 161

Last Time: Session Authentication

• Session authentication
• Use cookies to associate requests with an authenticated user
• First request: Enter username and password, receive session token (as a cookie)
• Future requests: Browser automatically attaches the session token cookie
• Session tokens
• If an attacker steals your session token, they can log in as you
• Should be randomly and securely generated by the server
• The browser should not send tokens to the wrong place

3

Computer Science 161

Last Time: CSRF

• Cross-site request forgery (CSRF or XSRF): An attack that exploits cookie-based authentication to perform an action as the victim
• User authenticates to the server
• User receives a cookie with a valid session token
• Attacker tricks the victim into making a malicious request to the server
• The server accepts the malicious request from the victim
• Recall: The cookie is automatically attached in the request
• Attacker must trick the victim into creating a request
• GET request: click on a link
• POST request: use JavaScript

4

Computer Science 161

Today: XSS

• XSS
• Websites use untrusted content as control data
• Stored XSS
• Reflected XSS
• Defense: HTML sanitization
• Defense: Content Security Policy (CSP)
• UI attacks
• Clickjacking
• Phishing

5

Computer Science 161

Cross-Site Scripting (XSS)

6

Textbook Chapter 22

Computer Science 161

Top 25 Most Dangerous Software Weaknesses (2020)

7

Computer Science 161

Review: Same-Origin Policy

• Two webpages with different origins should not be able to access each other’s resources
• Example: JavaScript on http://evil.com cannot access the information on http://bank.com

8

Computer Science 161

Review: JavaScript

• JavaScript: A programming language for running code in the web browser
• JavaScript is client-side
• Code sent by the server as part of the response
• Runs in the browser, not the web server!
• Used to manipulate web pages (HTML and CSS)
• Makes modern websites interactive
• JavaScript can be directly embedded in HTML with <script> tags
• Most modern webpages involve JavaScript
• JavaScript is supported by all modern web browsers
• You don’t need to know JavaScript syntax
• However, knowing common attack functions helps

9

Computer Science 161

Review: JavaScript

• JavaScript can create a pop-up message

10

<script>alert("Happy Birthday!")</script>

HTML (with embedded JavaScript)

Webpage

Happy Birthday!

​

​

OK

When the browser loads this HTML, it will run the embedded JavaScript and cause a pop-up to appear.

Computer Science 161

A Go HTTP Handler

11

func handleSayHello(w http.ResponseWriter, r *http.Request) {

name := r.URL.Query()["name"][0]

fmt.Fprintf(w, "<html><body>Hello %s!</body></html>", name)

}

<html><body>Hello EvanBot!</body></html>

https://vulnerable.com/hello?name=EvanBot

Handler

URL

Response

Computer Science 161

A Go HTTP Handler

12

func handleSayHello(w http.ResponseWriter, r *http.Request) {

name := r.URL.Query()["name"][0]

fmt.Fprintf(w, "<html><body>Hello %s!</body></html>", name)

}

https://vulnerable.com/hello?name=<b>EvanBot</b>

<html><body>Hello <b>EvanBot</b>!</body></html>

Handler

URL

Response

Computer Science 161

A Go HTTP Handler

13

func handleSayHello(w http.ResponseWriter, r *http.Request) {

name := r.URL.Query()["name"][0]

fmt.Fprintf(w, "<html><body>Hello %s!</body></html>", name)

}

https://vulnerable.com/hello?name=<script>alert(1)</script>

<html><body>Hello <script>alert(1)</script>!</body></html>

Handler

URL

Response

Computer Science 161

A Go HTTP Handler

14

func handleSayHello(w http.ResponseWriter, r *http.Request) {

name := r.URL.Query()["name"][0]

content := "<html><body>Hello "+name+"!</body></html>"

fmt.Fprint(w, content)

}

https://vulnerable.com/hello?name=<script>alert(1)</script>

<html><body>Hello <script>alert(1)</script>!</body></html>

Handler

URL

Response

Computer Science 161

Cross-Site Scripting (XSS)

• Idea: The attacker adds malicious JavaScript to a legitimate website
• The legitimate website will send the attacker’s JavaScript to browsers
• The attacker’s JavaScript will run with the origin of the legitimate website
• Now the attacker’s JavaScript can access information on the legitimate website!
• Cross-site scripting (XSS): Injecting JavaScript into websites that are viewed by other users
• Cross-site scripting subverts the same-origin policy
• Two main types of XSS
• Stored XSS
• Reflected XSS

15

Computer Science 161

Stored XSS

• Stored XSS (persistent XSS): The attacker’s JavaScript is stored on the legitimate server and sent to browsers
• Classic example: Facebook pages
• An attacker puts some JavaScript on their Facebook page
• Anybody who loads the attacker’s page will see JavaScript (with the origin of Facebook)
• Remember: Stored XSS is a server-side vulnerability!

16

Computer Science 161

Stored XSS

17

bank.com

Attacker

Victim

4. Victim browser executes malicious script

Computer Science 161

Reflected XSS

• Reflected XSS: The attacker causes the victim to input JavaScript into a request, and the content is reflected (copied) in the response from the server
• Classic example: Search
• If you make a request to http://google.com/search?q=evanbot, the response will say “10,000 results for evanbot”
• If you make a request to http://google.com/search?q=<script>alert(1)</script>, the response will say “10,000 results for <script>alert(1)</script>”
• Reflected XSS requires the victim to make a request with injected JavaScript

18

Computer Science 161

Reflected XSS

19

bank.com

Attacker

Victim

4. Victim browser executes malicious script

Computer Science 161

Reflected XSS: Making a Request

• How do we force the victim to make a request to the legitimate website with injected JavaScript?
• Trick the victim into visiting the attacker’s website, and include an embedded iframe that makes the request
• Can make the iframe very small (1 pixel x 1 pixel), so the victim doesn’t notice it:�<iframe height=1 width=1 src="http://google.com/search?q=<script>alert(1)</script>">
• Trick the victim into clicking a link (e.g. posting on social media, sending a text, etc.)
• Trick the victim into visiting the attacker’s website, which redirects to the reflected XSS link
• … and many more!

20

Computer Science 161

Reflected XSS is not CSRF

• Reflected XSS and CSRF both require the victim to make a request to a link
• XSS: An HTTP response contains maliciously inserted JavaScript, executed on the client side
• CSRF: A malicious HTTP request is made (containing the user’s cookies), executing an effect on the server side

21

Computer Science 161

XSS in the Wild… On CalNet?!

• In 2021, 61C student Rohan Mathur was exploring the CalNet login page
• Fields submitted when logging in:
• username: What user am I logging in as?
• password: What’s the user’s password?
• execution: Server-side state (like a CSRF token with extra data)

22

Computer Science 161

XSS in the Wild… On CalNet?!

• The server expects execution to be in a specific format that contains its server-side state
• What if you muck with execution?
• The “corrupted” execution key is placed into the error message in the HTML to aid debugging
• … and CalNet at the time did not escape the execution key

23

Computer Science 161

Constructing an Attack on CalNet

<html>� <head>� <script>� // When the malicious page finishes loading, automatically submit the form!� document.addEventListener('DOMContentLoaded', () => {� document.getElementById('form').submit();� });� </script>� </head>� <body>� <!-- Malicious form containing our malicious execution data. -->� <form id="form" action="https://auth.berkeley.edu/cas/login" method="POST">� <input name="username" type="text" value="evanbot" />� <input name="password" type="text" value="obviously-not-the-real-password" />� <input name="execution" type="text" value="<script>alert('XSS!')</script>" />� </form>� </body>�</html>

24

Attack: Force a POST request to CalNet!

Computer Science 161

So What Happened?

• CalNet also accepts execution parameters over URL query parameters
• A link like https://auth.berkeley.edu/cas/login?execution=<script>alert('XSS!')</script> would result in the same attack
• It would only fire if you clicked the button to show the error
• … But if clicked, the injected JavaScript could
• Present a fake login prompt
• Steal your CalNet password
• Log you in as the attacker’s account
• Steal your authentication session token
• Root cause: A >5 year old sample page modified by CalNet
• CalNet uses software from Apereo, which comes with sample pages for logging in
• Apereo fixed that bug many years before, but sample pages don’t get included in bug fixes!

25

Computer Science 161

XSS Defenses

• Defense: HTML sanitization
• Idea: Certain characters are special, so server should remove those characters or encode them in a way that will render them harmless
• Escaping: e.g., replace < with &lt; with " with &quot;
• Rely on trusted libraries to do this for you

26

<html>

<body>

Hello &lt;script&gt;alert(1)&lt;/script&gt;!

</body>

</html>

Computer Science 161

XSS Defenses: Escaping

27

func handleSayHello(w http.ResponseWriter, r *http.Request) {

name := r.URL.Query()["name"][0]

fmt.Fprintf(w, "<html><body>Hello %s!</body></html>", html.EscapeString(name))

}

https://vulnerable.com/hello?name=<script>alert(1)</script>

<html><body>Hello &lt;script&gt;alert(1)&lt;/script&gt;!</body></html>

Handler

URL

Response

Computer Science 161

XSS Defenses: Escaping

• If a programmer has to take an extra action for every usage…
• They are eventually going to forget (e.g., CalNet)
• Consider human factors!
• Nowadays, escaping is generally achieved through templating
• HTML templates are essentially their own language, where you declare what data goes where
• The templating engine handles all the escaping internally, automatically

28

Computer Science 161

XSS Defenses: CSP

• Defense: Content Security Policy (CSP)
• Idea: Instruct the browser to only use resources loaded from specific places
• Uses additional headers to specify the policy
• Standard approach:
• Disallow all inline scripts (JavaScript code directly in HTML), which prevents inline XSS
• Example: Disallow <script>alert(1)</script>
• Only allow scripts from specified domains, which prevents XSS from linking to external scripts
• Example: Disallow <script src="https://cs161.org/hack.js">
• Also works with other content (e.g. iframes, images, etc.)
• Relies on the browser to enforce security, so more of a mitigation for defense-in-depth

29

Computer Science 161

UI Attacks

30

Textbook Chapter 23

Computer Science 161

User Interface (UI) Attacks

• General theme: The attacker tricks the victim into thinking they are taking an intended action, when they are actually taking a malicious action
• Takes advantage of user interfaces: The trusted path between the user and the computer
• Browser disallows the website itself to interact across origins (same-origin policy), but trusts the user to do whatever they want
• Remember: Consider human factors!
• Two main types of UI attacks
• Clickjacking: Trick the victim into clicking on something from the attacker
• Phishing: Trick the victim into sending the attacker personal information

31

Computer Science 161

Clickjacking

• Clickjacking: Trick the victim into clicking on something from the attacker
• Main vulnerability: the browser trusts the user’s clicks
• When the user clicks on something, the browser assumes the user intended to click there
• Why steal clicks?
• Download a malicious program
• Like a Facebook page/YouTube video
• Delete an online account
• Why steal keystrokes?
• Steal passwords
• Steal credit card numbers
• Steal personal info

32

Computer Science 161

Clickjacking: Download buttons

• Which is the real download button?
• What if the user clicks the wrong one?

33

Computer Science 161

Clickjacking

34

Navigate to berkeley.edu. Notice the URL when hovering over the image.

Computer Science 161

Clickjacking

35

<iframe style="opacity: 1.0" src="https://www.berkeley.edu/"></iframe>

Load berkeley.edu in an iframe

Computer Science 161

Clickjacking

36

<iframe style="opacity: 1.0" src="https://www.berkeley.edu/"></iframe>

<p style="margin-top: 210pt"><em>You <b>Know</b> You Want To Click Here!</em></p>

Place some enticing content underneath

Computer Science 161

Clickjacking

37

<iframe style="opacity: 0.8" src="https://www.berkeley.edu/"></iframe>

<p style="margin-top: 210pt"><em>You <b>Know</b> You Want To Click Here!</em></p>

Make the iframe slightly transparent…

Computer Science 161

Clickjacking

38

<iframe style="opacity: 0.1" src="https://www.berkeley.edu/"></iframe>

<p style="margin-top: 210pt"><em>You <b>Know</b> You Want To Click Here!</em></p>

Make it more transparent

Computer Science 161

Clickjacking

39

<iframe style="opacity: 0" src="https://www.berkeley.edu/"></iframe>

<p style="margin-top: 210pt"><em>You <b>Know</b> You Want To Click Here!</em></p>

Make it entirely transparent

Computer Science 161

Clickjacking: Invisible iframes

• Variant #1: Frame the legitimate site invisibly, over visible, enticing content
• Victim thinks they’re clicking on the attacker’s enticing website
• But their click actually happened on the legitimate website!

40

Computer Science 161

Clickjacking: Invisible iframes

• Variant #2: Frame the legitimate site visibly, under invisible malicious content
• Victim thinks they’re clicking on the legitimate site
• But their click actually happened on the malicious website!

41

Computer Science 161

Clickjacking: Invisible iframes

• Variant #3: Frame the legitimate site visibly, under malicious content partially overlaying the site
• The attacker can change the appearance of the site without breaking SOP!

42

Computer Science 161

Clickjacking: Temporal Attack

• JavaScript can detect the position of the cursor and change the website right before the user clicks on something
• The user clicks on the malicious input (embedded iframe, download button, etc.) before they notice that something changed

43

Computer Science 161

Clickjacking: Temporal Attack

44

Instructions:

Please double-click on the button below to continue to your content

​

​

​

Click here

​

​

​

​

Computer Science 161

Clickjacking: Temporal Attack

45

Instructions:

Please double-click on the button below to continue to your content

​

​

​

Click here

​

​

​

​

Computer Science 161

Clickjacking: Cursorjacking

• CSS has the ability to style the appearance of the cursor
• JavaScript has the ability to track a cursor’s position
• If we change the appearance a certain way, we can create a fake cursor to trick users into clicking on things!

46

Computer Science 161

Clickjacking: Cursorjacking

47

Download .exe

PLAY NOW!

What do you think you’re clicking on?

Computer Science 161

Clickjacking: Defenses

• Enforce visual integrity: Ensure clear visual separation between important dialogs and content
• Windows User Account Control darkens the entire screen and freezes the desktop
• Firefox dialogs “cross the boundary” between the URL bar and content, something that only valid dialogs can do

48

Computer Science 161

Clickjacking: Defenses

• Enforce temporal integrity: Ensure that there is sufficient time for a user to register what they are clicking on
• Notice: Firefox blocks the “OK” button until 1 second after the dialog has been focused

49

Computer Science 161

Clickjacking: Defenses

• Require confirmation from users
• The browser needs to confirm that the user’s click was intentional
• Drawbacks: Asking for confirmation annoys users (consider human factors!)
• Frame-busting: The legitimate website forbids other websites from embedding it in an iframe
• Defeats the invisible iframe attacks
• Can be enforced by Content Security Policy (CSP)
• Can be enforced by X-Frame-Options (an HTTP header)

50

Computer Science 161

Phishing

51

Computer Science 161

Phishing

52

Computer Science 161

Phishing

53

Computer Science 161

Phishing

54

evanbot@berkeley.edu

Computer Science 161

Phishing

55

Computer Science 161

Phishing

56

Evan

Bot

2019-08-21

hive12

cs.berkeley.edu

Caltopia

01100101011101100110000101101110

Computer Science 161

Phishing

57

Computer Science 161

Phishing

58

Computer Science 161

Phishing

59

Computer Science 161

Phishing

• Phishing: Trick the victim into sending the attacker personal information
• Main vulnerability: The user can’t distinguish between a legitimate website and a website impersonating the legitimate website

60

Computer Science 161

Phishing: Check the URL?

61

The attacker can still register an HTTPS certificate for the perfectly valid domain

Is this real?

Computer Science 161

Phishing: Check the URL?

62

Is this real?

Computer Science 161

Phishing: Homograph Attacks

• Idea: Check if the URL is correct?
• Homograph attack: Creating malicious URLs that look similar (or the same) to legitimate URLs
• Homograph: Two words that look the same, but have different meanings

63

Computer Science 161

Phishing: Check Everything

64

Is this real?

Computer Science 161

Phishing: Check Everything

65

Oops, never mind

Computer Science 161

Phishing: Browser-in-browser Attacks

• Idea: Check for a green padlock icon in the browser’s address bar, or any other built-in browser security feature
• Browser-in-browser attack: The attacker simulates the entire web browser with JavaScript

66

Computer Science 161

Phishing: Don’t Blame the Users

• Most users aren’t security experts
• Attacks are uncommon: users normally don't suspect malicious action
• Detecting phishing is hard, even if you’re on the lookout for attacks
• Legitimate messages often look like phishing attacks!

67

Computer Science 161

Two-Factor Authentication

• Problem: Phishing attacks allow attackers to learn passwords
• Idea: Require more than passwords to log in
• Two-factor authentication (2FA): The user must prove their identity in two different ways before successfully authenticating
• Three main ways for a user to prove their identity
• Something the user knows: Password, security question (e.g. name of your first pet)
• Something the user has: Their phone, their security key
• Something the user is: Fingerprint, face ID
• Even if the attacker steals the user’s password with phishing, they don’t have the second factor

68

Computer Science 161

Two-Factor Authentication

• Two-factor authentication also defends against other attacks where a user’s password is compromised
• Example: An attacker steals the password file and performs a dictionary attack
• Example: The user reuses passwords on two different websites. The attacker compromises one website and tries the same password on the second website
• With 2FA, the password alone is no longer enough for the attacker to log in

69

Computer Science 161

Subverting 2FA: Relay Attacks

• Relay attacks (transient phishing): The attacker steals both factors in a phishing attack
• Example
• Two-factor authentication scheme
• First factor: The user’s password (something the user knows)
• Second factor: A code sent to the user’s phone (something the user owns)
• Attack
• The phishing website asks the user to input their password (first factor)
• The attacker immediately tries to log in to the actual website as the user
• The actual website sends a code to the user
• The phishing website asks the user to enter the code (second factor)
• The attacker enters the code to log in as the user

70

Computer Science 161

Subverting 2FA: Relay Attacks

71

“Welcome to Google.�Please login”

Victim

Attacker

Google

“User: victim�Password: password123”

“User: victim�Password: password123”

“Your 2FA code is 382924”

Attacker

“Enter the security code.”

“382924”

“382924”

Computer Science 161

Subverting 2FA: Social Engineering

• Some 2FA schemes text a one-time code to a phone number
• Attackers can call your phone provider (e.g., Verizon) and tell them to activate the attacker’s SIM card, so they receive your texts!
• 2FA via SMS is not great but better than nothing
• Some 2FA schemes can be bypassed with customer support
• Attackers can call customer support and ask them to deactivate 2FA!
• Companies should validate identity if you ask to do this (but not all do)

72

Computer Science 161

2FA Example: Authentication Tokens

• Authentication token: A device that generates secure second-factor codes
• Something the user owns
• Examples: RSA SecurID and Google Authenticator
• Usage
• The token and the server share a common secret key k
• When the user wants to log in, the token generates a code HMAC(k, time)
• The time is often truncated to the nearest 30 seconds for usability
• The code is often truncated to 6 digits for usability
• The user submits the code to the website
• The website uses its secret key to regenerate the code and compare
• Drawback: Vulnerable to relay attacks
• Drawback: Vulnerable to online brute-force attacks
• Possible fix: rate limits

73

Computer Science 161

2FA Example: Security Keys

• Security key: A device designed to defend against phishing
• Something the user owns
• Usage
• When the user signs up for a website, the security key generates a new public/private key pair and gives the public key to the website
• When the user wants to log in, the server sends a nonce to the security key
• The security key signs the nonce and website name (from the browser) and gives the signature to the server
• Security keys prevent phishing
• In a phishing attack, the security key generates a signature with the attacker’s website name, not the legitimate website name
• Impervious to relay attacks!

74

Computer Science 161

Summary: XSS

• Occurs when websites use untrusted content as control data
• <html><body>Hello EvanBot!</body></html>
• <html><body>Hello <script>alert(1)</script>!</body></html>
• Stored XSS
• The attacker’s JavaScript is stored on the legitimate server and sent to browsers
• Classic example: Make a post on a social media site (e.g. Facebook) with JavaScript
• Reflected XSS
• The attacker causes the victim to input JavaScript into a request, and the content it’s reflected (copied) in the response from the server
• Classic example: Create a link for a search engine (e.g. Google) query with JavaScript
• Requires the victim to click on the link with JavaScript

75

Computer Science 161

Summary: XSS Defenses

• Defense: HTML sanitization
• Replace control characters with data sequences
• < becomes &lt;
• " becomes &quot;
• Use a trusted library to sanitize inputs for you
• Defense: Content Security Policy (CSP)
• Instruct the browser to only use resources loaded from specific places
• Limits JavaScript: only scripts from trusted sources are run in the browser
• Enforced by the browser

76

Computer Science 161

Summary: Clickjacking

• Clickjacking: Trick the victim into clicking on something from the attacker
• Main vulnerability: the browser trusts the user’s clicks
• When the user clicks on something, the browser assumes the user intended to click there
• Examples
• Fake download buttons
• Show the user one frame, when they’re actually clicking on another invisible frame
• Temporal attack: Change the cursor just before the user clicks
• Cursorjacking: Create a fake mouse cursor with JavaScript
• Defenses
• Enforce visual integrity: Focus the user’s vision on the relevant part of the screen
• Enforce temporal integrity: Give the user time to understand what they’re clicking on
• Ask the user for confirmation
• Frame-busting: The legitimate website forbids other websites from embedding it in an iframe

77

Computer Science 161

Summary: Phishing

• Phishing: Trick the victim into sending the attacker personal information
• A malicious website impersonates a legitimate website to trick the user
• Don’t blame the users
• Detecting phishing is hard, especially if you aren’t a security expert
• Check the URL? Still vulnerable to homograph attacks (malicious URLs that look legitimate)
• Check the entire browser? Still vulnerable to browser-in-browser attacks
• Defense: Two-Factor Authentication (2FA)
• User must prove their identity two different ways (something you know, something you own, something you are)
• Defends against attacks where an attacker has only stolen one factor (e.g. the password)
• Vulnerable to relay attacks: The attacker phishes the victim into giving up both factors
• Vulnerable to social engineering attacks: Trick humans to subvert 2FA
• Example: Authentication tokens for generating secure two-factor codes
• Example: Security keys to prevent phishing

78

Computer Science 161