XSS in practice

By Roderick W. Lucas

Internet has become more and more important. Millions of dollars are invested in websites. Big businesses don’t work with simple HTML sites anymore; everything has to be dynamic these days. But by giving people the opportunity to insert data on a website, the chance of getting vulnerable gets bigger: Damage to your site will be unpreventable. Unless you are prepared and know the possible consequences…

Although programmers spend months on securing web pages, there will always be people who find a way to do more on your site then you would like them to. Pages that have dynamic content such as input fields and variables that are shown in the URL, are even more vulnerable. These site can be exploited by a Cross Site Scripting attack, abbreviated; XSS.

Cross Site Scripting flaws, are often caused because the website doesn’t check whether the inserted data, inside for example a search form, contains code. This code that is ran inside the script itself, can cause problems for the site and it’s members. Mostly JavaScript is used, but other forms of code are possible as well.

There are many reasons why hackers try to find XSS flaws in a website, but the most common and most known one is cookie hijacking.

A hacker can obtain a cookie from another user, through XSS. When he has this cookie, and installs the cookie on his own computer, and then visits the website, the website will recognize the hacker as the person he stole the cookie from.

With Cross Site Scripting, it is also possible to exploit security holes inside a browser: this is called ‘browser exploitation’. If you have ever read about browser exploitation, you can realize surfing around on the web can be a very dangerous activity: malicious code can be installed locally on a computer and then ran.

Now we know the possible consequences, it is time to start learning how the hackers find these security flaws inside a site.

The two kinds of hackers (script kiddies and ‘real’ hackers), both have their own way of making advantage out of XSS. The script kiddies, search the web for a security flaw, for example in a forum such as Invision Power Board or phpBB. Then they go to www.google.com and search for sites that host the board they found an exploit for. Then they hack the board and take control over the site.

The ‘real’ hackers, search for the holes their selves. They look for variables and input forms, they can use to run their malicious code.

They work according to figure 1:

Figure 1. Hacking process

First of all, the hacker chooses the site he wants to hack.T his must by a dynamic site. So it should  be written in a language that supports this, like PHP, JSP, ASP, etc. His goal: he would like to get someone’s account on www.example.com. Suppose he looks at the URL, while visiting the news-page and sees the following:

www.example.com/index.php?page=news.php

The hacker remarks that there is a variable (?page=) that is declared in the URL. Perhaps the site runs the following script to navigate through pages. The webmaster of the site had very poor knowledge of securing his website. He used PHP to He created a script according to listing1.

Listing 1. InsecurePageNavigator

#################################
######insecurePageNavigator########
################################
<?php if (isset($_GET['page'])) {    // checks whether $page is set or not

 print '<html>';

    if (file_exists($_GET['page'])) {    // checks if the requested page exists

 include($_GET['page']);        //if it is, it includes the page
 }
 else {
 print 'Page '.$_GET['page'].' does not exists!';    // else it creates an error
 print '</html>';

        }
 }
 else {                // if $page is not set, it sends you to “homepage.php”
 header('Location: '.$_SERVER['PHP_SELF'].'?page=homepage.php');    

    }
 ?>

The script is designed to see if a page exists and if it does, to send you there. When you visit the site for the first time, and the variable ‘page’ is not set, it sends you to the homepage.

As you can see, the script doesn’t check the anywhere the input.

A d v e r t i s e m e n t