Cross-Site Scripting (XSS) is an attack that's pretty basic to detect, pretty basic in execution, and you'd think it would be rather simple to understand. Unfortunately this is apparently not the case. I won't go into the details of Cross-Site Scripting because others have beaten that to death - but rather I'm going to go through a little real-world exercise for you. I'm hiding the actual URL until the site owner either does something about it, or ignores this issue long enough for me to disclose it on this blog.
First, I've been looking around and just doing non-invasive, non-malicious checks to see how widespread XSS is on some of the sites I use regularly. I came across one that made me think, so I got a little creative and came up with a real-world use case for this vulnerability: how it can be executed and cause real damage.
Looking at the URL, I thought - gee, I bet I can make it look like the user has to click to get results, and send them somewhere malicious. Here's how this works:
- Standard email goes out to people (pet owners are particularly susceptible), telling them of a great new offer at this site which will get them something for free for, say, their dog.
- The link looks like this: http://www.________.com/search/noResults.jsp?kw=%3Ca%20href=http://www.malicious.com%3EClick%20Here%20for%20Results%3C/a%3E; the malicious attacker simply stands up a site that looks relatively close to this site, either in an iframe, or who knows... think creatively.
- The site result looks like this in the user's browser...
- The user unknowingly clicks the link, and gets sent to the malicious user's site and after that... it's game over.
Look - it's simple. Cross-Site Scripting causes major Pwnag3... and all you have to do is write better code, or at the very freakin' least... use a black-box testing tool and it'll find stuff like this!