Saturday, June 14, 2008

Cross-Site Scripting (XSS) - A Real-World Example

Cross-Site Scripting (XSS).

Cross-Site Scripting (XSS) is an attack that's pretty basic to detect, pretty basic in execution, and you'd think that it would be rather simple to understand. Unfortunately this is apparently not the case. I won't go into the details of Cross-Site Scripting because others have beaten that to death - but rather I'm going to go through a little real-world exercise for you. I'm hiding the actual URL until the site owner either does something about it, or ignores this issue long enough for me to disclose it on this blog.

First, I've been looking around and just doing non-invasive, non-malicious checks to see how widespread XSS is on some of the sites I use regularly. I came across one that made me think, and so I got a little creative and came up with a real-world use-case for this vulnerability, and how it can be executed and cause real damage.

Looking at the URL, I thought - gee, I bet I can make it look like the user has to click to get results, and send them somewhere malicious. Here's how this works:

  1. Standard email goes out to people (pet owners are particularly susceptible), telling them of a great new offer at this site which will get them something for free for, say, their dog.
  2. The link looks like this:; the malicious attacker simply stands up a site that looks relatively close to this site, either in an iframe, or who knows... think creatively.
  3. The site result looks like this in the user's browser...
  4. The user unknowingly clicks the link, and gets sent to the malicious user's site and after that... it's game over.
All this because of a simple Cross-Site Scripting (XSS) flaw. It is a rather complex attack, I know... inserting an HTML-encoded link into a URL... (I'm joking of course).

Look - it's simple. Cross-Site Scripting causes major Pwnag3... and all you have to do is write better code, or at the very freakin' least... use a black-box testing tool and it'll find stuff like this!
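As an added example (not code from this post or from the site it describes), here is a minimal Python model of the flaw and the fix the post is asking for: a "no results" page that echoes its keyword parameter raw, the same page with proper output encoding, and the reflection check a black-box tool runs to spot the difference. The noResults.jsp page name comes from the comments below; the renderer functions, the benign probe marker and the example.invalid host are assumptions.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed, benign probe: harmless markup that is easy to spot in a response.
PROBE = "<b>xss-check</b>"

# Constructed sample URL in the shape the post describes (host is a placeholder).
SAMPLE_URL = "http://example.invalid/noResults.jsp?kw=" + quote(PROBE)


def kw_from_url(url: str) -> str:
    """Extract the 'kw' query parameter exactly as the server would see it."""
    params = parse_qs(urlsplit(url).query)
    return params.get("kw", [""])[0]


def render_no_results_vulnerable(kw: str) -> str:
    """Hypothetical vulnerable page: the parameter is dropped straight into the HTML,
    so any markup in kw (a link, a script tag) becomes live content."""
    return f"<html><body><p>No results found for: {kw}</p></body></html>"


def render_no_results_fixed(kw: str) -> str:
    """Hardened page: the parameter is HTML-encoded for a text context, so the
    browser displays the markup literally instead of rendering it."""
    return f"<html><body><p>No results found for: {html.escape(kw, quote=True)}</p></body></html>"


def reflects_raw_markup(response_body: str, probe: str) -> bool:
    """The core black-box check: did the probe come back unencoded?"""
    return probe in response_body


def check_page(url: str, renderer) -> dict:
    """Simulate one scanner request: feed the URL's kw to a renderer and report."""
    kw = kw_from_url(url)
    body = renderer(kw)
    return {"param": "kw", "vulnerable": reflects_raw_markup(body, kw)}


if __name__ == "__main__":
    print(check_page(SAMPLE_URL, render_no_results_vulnerable))  # vulnerable: True
    print(check_page(SAMPLE_URL, render_no_results_fixed))       # vulnerable: False
```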



Christian said...

Hey Rafal,

Liked the brief summary of your findings. Just wanted to let you know that I'd be careful about publishing these findings, especially if you haven't gone through the appropriate channels to perform this type of testing. A quick Google of inurl:noResults.jsp?kw didn't produce many results (1 actually).


Rafal said...

Actually, I didn't use the "inurl:" search. I just did a regular Google search for "" exactly like that - 291 results right now. Granted, not all of them are ideal for testing - but a good portion of them are :)

Christian said...

Haha. That's pretty funny.