Malicious web programming

[ampakine]

Malicious isn't the right word as it implies causing harm, what I mean is creating web applications capable of hacking site visitors. I often hear about "malicious web sites" and sometimes get warnings from firefox to avoid a particular site and I'd like to learn about how all this works. I know a fair bit of PHP and although I know very little javascript, I've been meaning to learn it for a long time so I'll gladly use this as an excuse. I really have little or no knowledge about how a website can hack the visitors so I don't even know where to begin asking questions. Do these "malicious websites" target the browsers or something? If so is this all the domain of javascript or can PHP be used to do it? I want to play around with building these "malicious sites" on my apache server and use myself as a guinea pig, that way I'll learn rapidly. Can anyone suggest a good place to start given that the only programming language I know so far is PHP?

[Goatboy]

Generally a website is labeled as malicious if it tries to exploit a vulnerability in either the browser or some application connected to it. These might be the Java VM that runs some web-apps, might be Flash, might be ActiveX for IE. Might be many things other than the browser itself. And these are usually patched pretty quickly once they have been used, so you'd need some fresh 0-day to really get any benefit.

As for just using PHP, the best you can do is probably log their IP or steal cookies. I suppose you could be annoying about it and redirect them to a shock site, but that's not what I would consider malicious.

[ampakine]

Can you elaborate on stealing cookies? Can you steal cookies set by other websites?

[Goatboy]

Can you elaborate on stealing cookies?

Basically you discover a XSS vulnerability on a site and use that to generate a link to your site containing the cookie info, which you log. XSS is when something is typed in and then displayed on the site without being properly sanitized first. This means you can type JavaScript code and have it be executed.

Can you steal cookies set by other websites?

Only if the ste in question is vulnerable, as above.

[Okeymaker]

Some easy ways to actually HARM a visitor would be through javascript and vbscript (in IE). Vbscript is not as powerful as it was, because of several reasons. One is that all advanced Active X operations are prompted multiple times by IE nowdays. But still it has potential to really harm someone foolish enough.
I have some knowledge in vbscript but I am not going to show any "hardcore" harmful scripts, because they would most probaly be censored. But I CAN show you some "malicious" javascript. Actually I don't know javascript very well, but an EXTREMELY simple way to mess aound and crasch someones browser session would be to place this code in the head section:

Code: Select all

<script type="text/javascript">
while(1) {
        alert("EVIL CODE!");
}

</script>