Full shownotes for L3pprd/ocC0DE’s Cross-site Scripting episode
September 19, 2006
What is Cross-site Scripting?
Cross-site scripting (XSS) is a very common vulnerability in web applications which can have a variety of different unintended effects.
What can it do?
Nefarious hackers have done all sorts of things that are anything from annoying to incredibly malicious and profiteering.
Cross-site scripting is often used for cookie theft. A crafted cross-site scripting attack can be used to steal cookies from users who browse your site. If your site is an e-commerce site, it could expose their shopping history. It could expose their usernames and passwords, and be used to track where your users go on the net and what they do.
How the bad guys exploit it:
According to Wikipedia, there are three major types of Cross-site scripting attacks.
A Type-1 vulnerability is the most common type. In a Type-1 vulnerability, a text string supplied by the user, which may contain script, is written straight back out to the browser without validation. This is no big deal, usually, since a user can only write code out to their own browser. This becomes a big deal, however, if a spammer or phisher sends out a link containing some malicious script code.
A Type-2 vulnerability is similar, with the exception that the user’s input is stored in a database or similar storage facility. The malicious script will then usually be served to the browser of anyone who visits the site. This can be devastating, since a large number of users are potentially affected and the malicious code becomes persistent.
How to prevent against it if you’re a webmaster:
Most server-side scripting languages provide some sort of escape function to take potentially dangerous characters and translate them to something which is safe to write out to the web page a user’s browser will render.
The more complex a website becomes, the more places you have input coming from. Add a database, and your complexity increases again. It takes a lot of thought, testing, and thinking like a hacker to really make sure you’re safe. Preventing XSS vulnerabilities may even keep other exploits from working, like SQL injection (check out TWAT radio episode 33, by livinded).
Quite a few big-named websites have had very public XSS vulnerabilities: Hotmail, MySpace, Paypal, and even the new Netscape.com website. You can follow the Bugtraq and/or Full Disclosure Mailing Lists at http://seclists.org/ to see that there are new ones reported and fixed every day.
The following page is sufficient to demonstrate the XSS vectors listed in the ha.ckers.org cheatsheet; simply save its contents as a .php file. WARNING: Do not put this page on any public internet-facing webserver!
<p>Hey there, <?= $_GET['hithere'] ?>!</p>
After installing this vulnerable PHP page (again, only recommended on a machine which is not visible to the outside world; you have been warned!), you can call it with parameters such as:
http://localhost/test.php?hithere=<script>alert('I am vulnerable!');</script>
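For comparison, here is the same greeting page with output escaping applied, as an added example that is not from the episode or the cheatsheet. It assumes a PHP 7 or newer interpreter and that the file is saved as safe.php beside test.php.

```php
<?php
// Added example (not the episode's own code): the hardened counterpart of
// test.php. The fix is output encoding, the "escape function" most
// server-side languages provide; in PHP that is htmlspecialchars().

// Escape a string for insertion into HTML text or a quoted attribute.
// ENT_QUOTES also converts single quotes, which matters inside attributes
// such as value='...'; the explicit charset avoids mis-decoding of bytes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Treat $_GET as attacker-controlled. It may also be absent or an array
// (?hithere[]=x), so only accept a real string and fall back otherwise.
$raw  = $_GET['hithere'] ?? null;
$name = is_string($raw) ? $raw : 'stranger';
?>
<p>Hey there, <?= h($name) ?>!</p>
```

Requesting safe.php with the same ?hithere=<script>... parameter now prints the tags as literal text (&lt;script&gt;...) instead of running them, because the escaping happens at the point of output regardless of where the string came from.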
How to guard yourself as a websurfer:
Referenced pages and links for more information: