donderdag 18 november 2010

The Chronicles of XSS - HTML, Cookies and Javascript

"Why is that Narnia reference in the title?" you might ask yourself. Well, in the movie, the characters were able to enter a whole new world with new possibilities through a small wardrobe. That's what XSS does, open up new possibilities through a small hole.

First off, let me start with a little disclaimer. This blog is for educational purposes only. I am by no means an expert XSS exploiter or an experienced web developer. I just like to mess around on the internet. If you came here to learn how to exploit XSS, you came to the wrong place. I will not be naming websites or showing the actual XSS used. No websites were harmed in the making of this blog.

So what is XSS? Well, let's quote wikipedia on that one: "Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users.". Does that make it clear? No, didn't think so. I'll try to explain using some real world examples.

As you may or may not know, the most basic language used to create websites is HTML. HTML contains everything a browser needs to know to display a website. It has the style, content and everything else in one file. The browser interprets this file and builds the website for you to browse. Now, some websites also have inputs available for their viewers. Think of things like contact forms, guestbooks, stuff like that. This is where the basics for XSS lie.

When you enter text into an input field and click "Submit", the data is sent to the webserver, who in turn gives your browser a new HTML file with the text you entered processed in it. So if you have signed the guestbook and posted "Great website!", that will show as the latest entry in that guestbook. That means that text is now somewhere in the HTML file. So what if you paste HTML into that text field, can you alter the website? Yes, and that's exactly what XSS is.

When you paste HTML code into an input form on a website that does not properly trim the input, you can "break open" the form and change the layout of the website itself. An example of a guestbook that is vulnerable to XSS exploiting:

This is your typical guestbook. You enter a name, a code to prove you're human, and your message. But what happens if you insert a prepared XSS string? Well then you can add pretty much anything you want outside of the input fields:

As you can see I have succesfully changed the lay-out of the website to show a big "Hello World" underneath the "Your Name:" field. While this change is only visible to me, and not dangerous to the website and it's users, it's still an opening. If I were to post this on the guestbook, all of the visitors to that website would see the broken lay-out.

So, we can change the appearance of a website to all it's users, now what? Well, the next step you could take is to check if you can execute javascript. Javascript is used on most websites, and supported by most browsers. If you want more information about Javascript, see this page. For this example I will use another website, this time the contact form:

And I insert my prepared XSS string with javascript code:

As you can see, I have made the webpage display a pop-up telling me it is exploitable. While this is harmless Javascript, you could theoretically inject any javascript. Javascript that steals your facebook cookies and places them somewhere for the attacker to take them, for example. Post this XSS exploit to a guestbook and everyone visiting that guestbook will have their facebook cookies uploaded somewhere else. So what, you might ask? Well, an attacker can use these cookies to access your facebook profile, thats what. How does that work exactly? Well, check out this blog.

The thing is, although this all sounds very complicated and high tech, almost everyone can do it. Here are some examples of exploitable sites I found on google when searching for "sign guestbook" on the first two or three pages:

Nice collection right? Like I said, I will not be naming these websites, but trust me when I say that some of these examples are not small, private websites. Some are actually quite large with a lot of visitors. A better known example of XSS recently is this twitter exploit where people managed to use XSS to create a self spreading "virus" on Twitter.

So how do you protect yourself from XSS? Well, first of all, make sure that your website is correctly sanitizing inputs. Don't put simple input forms everywhere and expect for them to be secure.

If you're a user? Well, that's a different story. Because XSS is HTML, and executed by the browser, most (all) security software packages will not detect them (or not untill they start calling malicious javascript files at least). So what then? Well, protect the browser itself. There are a number of add-ons for Firefox and Chrome to prevent XSS or even disable all scripts entirely. It's a bit like killing a fly with a shotgun, but it works.

The point of this blog is to create awareness among web designers to properly secure their websites and make sure that XSS is not possible. With properly executed XSS, anything is possible. As XSS is becoming more and more popular, more and bigger sites will get attacked. In the end, this is what a web designer wants someone using XSS exploits to see:

Geen opmerkingen:

Een reactie posten