Wednesday, May 11, 2011

Hacking Web-Based#1: XSS

Decided I would do a really quick post before I go out for the night...
Odds are I will edit it late to contain more information.

============== Cross Site Scripting (XSS) ===================

    Cross Site Scripting (henceforth know as XSS) is a way to manipulate a web page such that the page itself, or simply the link, contain the payload to be dropped on connecting clients typically using javascript and unbeknownst to the client connecting to the web server.                        

XSS exists because programmers forget to parse (analyze and scrutinize input before letting it get passed to a function) certain fields in a web form or search box which utilizes a javascript function on the input given to perform some task.
For Example, here is a typical form to sign up for a website

##User Name:  |________________|
##Password:   |________________|
##Confirm Password: |______________|
##email:   |_______________|
##Home Phone: |______________|
##Address:  |______________|

In this form, certain things are checked for (or should be checked for) such as: User Name can't contain any special characters (only A-Z, 0-9), the email field HAS to contain an '@' symbol, so that should be checked for to ensure a proper, or at least semi proper email address has been given...

But what if the programmer didn't do any input validation at all?...
A line of code in a function, whatever language you're writing in, looks something of the sort:

char* username = get_user_name("INPUT");

Where INPUT is a file descriptor pointing to standard-IN or a buffer already containing your input value. If the input has not been validated or checked at all, the following situation can arise:

INPUT = BoB_Faggit"); execl(cmd, "code to telnet back to attackers comp");

And when this input gets passed into get_user_name(), the following lines of code look like:

char* username = get_user_name("Bob_Faggit");
execl(cmd, "code to telner back to attackers comp");
continue with program...

This would cause browser to run malicious code on whomever was on this site... unfortunately, right now, that is only us. And we can't make someone else type in the malicious code manually and hit enter... so wat do?
Look at the URL of the page you are viewing that is vulnerable to XSS, odds are it is using PHP GET/POST functions to relay the data back and forth... this method causes the values entered to be passed along in URL parameters...
For Example: (PHP URL off top of my head... not very PHP familiar)

www.some_XSS_vulnerable_site.com/index.php?username=Bob&?phone=23489023&?etc,etc,etc...

Now, simply replace whichever value was vulnerable with your specially crafted payload:

www.some_XSS_vulnerable_site.com/index.php?username=Bob&?phone=234BoB_Faggit"); execl(cmd, "code to telnet back to attackers comp");&?phone=23489023

Now you have a link that, when sent to someone, will cause the malicious code to run. Of course, the code I provided does not work and is just a representation of what could be done.

A typical XSS attack is very simple and hard to avoid. The first and best way to avoid getting caught with your pants down is to always analyze links before you click them... the one in the previous example looks mighty suspicious... hopefully you wouldn't click it (though links can be obfuscated with URL encrypters and Base64 encrypters... but we won't worry about that now).
Also, most importantly... turn Javascript OFF by default... if it is ON by default, if you run across any XSS vulnerable links you could get infected without even knowing it.

To do this, in Firefox 4, go to Edit->Preferences->Content
and then uncheck/disable the "Enable Javascript" option...

Or do what I recommend and download the Firefox add-on "NoScript", it allows you to customize which sites you trust and will allows allow to run javascript, and blocks all other sites from utilizing javascript through XSS or ClickJacking methods.

3 comments:

  1. good one!!!! but i want more info about it....

    ReplyDelete
  2. Thanks for all the info. Cheers.

    ReplyDelete
  3. I never Saw such a helpful Blog Ever before!

    ReplyDelete