Hello mo chairde, This blog post has the potential to get me in trouble. It's naughty, but I feel it's essential that people are made aware of how widespread and common cross-site scripting vulnerabilities are. They have the potential to be malicious, and this is why people need to learn how to spot them. Not everyone is as web savvy as they should be, yet most of us spend a significant amount of time online. I will do my best to explain in simple terms how to spot these common attacks. I will also provide some tips to developers on how to mitigate them.
Cross-site scripting (XSS) is easily the most common web-based vulnerability. For certain types of XSS the dangers are quite significant. The two main types are reflective XSS and persistent XSS. In this post I will only be discussing reflective XSS, the less dangerous and more targeted attack. A reflective XSS attack normally involves an attacker sending or posting a crafted URL to the victim. When the victim visits this crafted URL, the script it carries runs in their browser.
How can you recognise these malicious urls or links?
The easiest thing you may first recognise is HTML tags in a URL (Ex. http://blah.com/?s=<script src=...>). My only suggestion is to at least be familiar with the format <*something*>. In a malicious link this allows an attacker to execute JavaScript code in your browser, on the vulnerable site's page. The attacker could steal your session cookies and be logged in as you, make a fake login box, maybe over the current one, change the layout of the page... The list is endless. These tags can of course be hidden using URL encoding, so they can be quite hard to spot. The above URL example encoded could look like http://blah.com/?s=%3C%73%63%72%69%70%74%20%73%72%63%3D%2E%2E%2E%3E (every character replaced by a % followed by its hex code; it decodes to exactly the same tag).
Firefox has a lot of great plugins and is a great web browser, but sadly it doesn't have as good protection against this as Chrome. There are some methods to bypass Chrome's protection too, though. If you aren't web savvy I'd suggest using Chrome, as it has methods of mitigating these attacks.
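Since an encoded link hides its tags from a quick glance, a small checker that decodes a link's query parameters and flags any value that contains a tag is the practical way to spot them. This is an added example, not code from the original post; it reuses the post's blah.com placeholder, and the sample URLs in the test and comments are constructed. It decodes repeatedly so that a doubly encoded value (%253C, which decodes to %3C, which decodes to <) is revealed as well.

```javascript
// Added example: decode a link's query string and report any parameter whose
// decoded value contains an HTML tag. Sample URLs are constructed; "blah.com"
// is the placeholder host used in the post.

// Matches an opening or closing tag such as <script src=...> or </b>.
const TAG_PATTERN = /<\s*\/?\s*[a-z][^>]*>/i;

// Percent-decode until the value stops changing (bounded, so a malformed or
// pathological value cannot loop forever). This exposes double-encoding.
function fullyDecode(value) {
  let previous = null;
  let current = value;
  for (let i = 0; i < 5 && current !== previous; i++) {
    previous = current;
    try {
      current = decodeURIComponent(current);
    } catch (e) {
      break; // malformed escape sequence: keep what we have so far
    }
  }
  return current;
}

// Returns one finding per query parameter whose decoded value holds a tag.
// URLSearchParams already removes one layer of encoding; fullyDecode strips
// any further layers before the tag check.
function findTagsInUrl(url) {
  const parsed = new URL(url);
  const findings = [];
  for (const [param, onceDecoded] of parsed.searchParams) {
    const decoded = fullyDecode(onceDecoded);
    if (TAG_PATTERN.test(decoded)) {
      findings.push({ param, decoded });
    }
  }
  return findings;
}

// Stand-alone usage: print what each constructed link would hand to the page.
for (const link of [
  'http://blah.com/?s=%3C%73%63%72%69%70%74%20%73%72%63%3D%2E%2E%2E%3E', // the post's encoded example
  'http://blah.com/?s=hurling+results',                                   // harmless search
  'http://blah.com/?q=%253Cb%253E',                                       // double-encoded <b>
]) {
  console.log(link, '=>', JSON.stringify(findTagsInUrl(link)));
}
```

Run it with Node; the first and third links are reported with their decoded values, the second is not. The same decoding is what the browser and the server do before the value reaches the page, which is why an encoded link is exactly as dangerous as a plain one.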
Just how common are these attacks?
I'd like to say they aren't everywhere, but after some investigation it seems they are. I wrote a short script that inserts ""> into the first input box on a web page (this is normally a search bar). To my surprise, 8/10 times I found it untampered in the source code and a popup with "1337" in it. The script then checked if the same attack string was in the URL; if it was, it replaced it with script tags. I tried 25 various Irish websites known to myself and 17 were vulnerable to these attacks.
The main problem with these attacks is that they are very easy to find and require little more than some basic knowledge of JavaScript and HTML to exploit. They aren't an attack on the website as such; they are an attack on the browser of the person visiting the trusted site. I may eventually take the time to email each of these sites about these small vulnerabilities, but they are so common they are probably looked at as a non-issue.
Scroll down and you can see examples; some of these are not low-profile sites and have quite a few users who could be affected by such attacks. The best way for a developer to avoid XSS attacks like these is to either encode ALL of your output with something like PHP's htmlentities() or to strip ALL HTML tags completely. The user's input needs to be sanitised and checked 100% of the time.
This type of XSS is pretty much the lowest-hanging fruit of web application security. They are literally everywhere and I feel it is very important people are aware of just how common they are. Be careful out there on the internet...
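To show what the developer advice above means in practice, here is the same "search results" page rendered twice: once reflecting the search term straight into the HTML, and once passing every reflected value through an escaping function that does for HTML's significant characters what PHP's htmlentities() with ENT_QUOTES does. This is an added example and not code from the original post or from any of the sites it lists; the page template and the search strings are constructed. It reflects the term in two places on purpose, in the search box's value attribute and in the page body, because the leading " in the post's ""> probe exists precisely to break out of an attribute.

```javascript
// Added example: a reflected search term rendered without and with output
// encoding. The template and inputs are constructed for illustration.

// Entity map covering the characters that can change HTML structure in
// either text or a double/single-quoted attribute.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Equivalent of PHP htmlentities($s, ENT_QUOTES) for these five characters:
// the browser displays them as text instead of parsing them as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// One template, two contexts: an attribute value and element text.
// `encode` is applied to the user-controlled value before it is reflected.
function renderSearchPage(query, encode) {
  const q = encode(query);
  return [
    `<input type="text" name="s" value="${q}">`,
    `<p>Results for: ${q}</p>`,
  ].join('\n');
}

// Vulnerable: the value is reflected unchanged (identity "encoder").
function renderSearchPageUnsafe(query) {
  return renderSearchPage(query, (s) => s);
}

// Hardened: every reflected occurrence goes through escapeHtml.
function renderSearchPageSafe(query) {
  return renderSearchPage(query, escapeHtml);
}

// Check a reviewer can run over rendered output: did any <script ...> element
// appear that the template itself does not contain?
function containsScriptTag(html) {
  return /<\s*script\b/i.test(html);
}

// Stand-alone usage with the probe shape the post describes (a quote that
// closes the attribute, followed by a tag).
const probe = '"><script>alert("1337")</script>';
console.log('--- unsafe ---\n' + renderSearchPageUnsafe(probe));
console.log('--- safe ---\n' + renderSearchPageSafe(probe));
```

In the unsafe output the first " ends the value attribute and the script element becomes part of the page; in the safe output the whole probe survives as visible text and the template's own three elements are the only markup. Encoding is preferable to stripping tags because it keeps the user's data intact (a search for "<b>" still searches for "<b>") and because the escaping is unconditional, so there is no list of tags to keep up to date.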
The javascript payload I used was
alert("I win the game...");
document.body.style.background="#000000 url(http://i0.kym-cdn.com/entries/icons/original/000/001/727/wtf_hax.jpg)";
List of affected sites: aviva.ie, biodiversityireland.ie, buyandsell.ie, courts.ie, crokepark.ie, donedeal.ie, engineersireland.ie, failteireland.ie, grantthornton.ie, iftn.ie, iii.ie, irishjobs.ie, itb.ie, nli.ie, pac.iee, rcsi.ie, ticketweb.ie
These links will only work in Firefox...