The Sin Explained

The sin is straightforward: a web application takes some input from a user , perhaps from a querystring, fails to validate the input, and echoes that input directly in a web page. Its really that simple! Because the web server is echoing input, the input might be a script language, such as JavaScript, and this is echoed and interpreted in the destination browser.

As you can see, this is a classic input trust issue. The web application is expecting some text, a name for example, in a querystring, but the bad guy provides something the web application developer never expected.

An XSS attack works this way:

1. The attacker identifies a web site that has one or more XSS bugs for example, a web site that echoes the contents of a querystring.

2. The attacker crafts a special URL that includes a malformed and malicious querystring containing HTML and script, such as JavaScript.

3. The attacker finds a victim, and gets the victim to click a link that includes the malformed querystring. This could be simply a link on another web page, or a link in an HTML e-mail.

4. The victim clicks the links and the victims browser makes a GET request to the vulnerable server, passing the malicious querystring.

5. The vulnerable server echoes the malicious querystring back to the victims browser, and the browser executes the JavaScript embedded in the response.

Because the code is running in the context of the vulnerable web server, it can access the victims cookie tied to the vulnerable servers domain. The code can also access the Document Object Model (DOM) and modify any element within it; for example, the exploit code could tweak all the links to point to porn sites. Now when the victim clicks on any link, he is whisked off to some location in cyberspace he wished he hadnt gone to.

Be wary of blog or product review/feedback web applications because this type of application must read arbitrary HTML input from a user (or attacker) and then echo said text for all to read. In an insecure application, this leads to XSS attacks.

Lets look at some sinful code examples.

 DWORD WINAPI HttpExtensionProc (EXTENSION_CONTROL_BLOCK *lpEcb){  char szTemp [2048];  ...  if (*lpEcb->lpszQueryString)  sprintf(szTemp,"Hello, %s", lpEcb->lpszQueryString);  dwSize = strlen(szTemp);  lpEcb->WriteClient(lpEcb->ConnID, szTemp, &dwSize, 0);  ... } 

 <% Response.Write(Request.QueryString("Name")) %> 

 <img src='<%= Request.Querysting("Name") %>'> 

 private void btnSubmit_Click(object sender, System.EventArgs e) {  if(IsValid) {  Application.Lock();  Application[txtName.Text] = txtValue.Text  Application.UnLock();  lblName.Text = "Hello, " + txtName.Text;  } } 

 <% out.println(request.getParameter("Name")) %> 

 <%= request.getParameter("Name") %> 

 <?php  $name=$_GET['name'];  if (isset($name)) {  echo "Hello $name";  } ?> 

 #!/usr/bin/perl use CGI; use strict; my $cgi = new CGI; print CGI::header(); my $name = $cgi->param('name'); print "Hello, $name"; 

 #!/usr/bin/perl use Apache::Util; use Apache::Request; use strict; my $apr = Apache::Request->new(Apache->request); my $name = $apr->param('name'); $apr->content_type('text/html'); $apr->send_http_header; $apr->print("Hello); $apr->print($name);