Monday, December 18, 2006

Introduction to XSS Part 1


This document is for illustrative purposes only. I am not responsible for any losses arising to the websites mentioned below. Webmasters, please be more alert...

What is it?

XSS stands for cross site scripting. Since the abbreviation CSS is already taken by Cascading Style Sheets, it is written XSS, with the X standing for "cross". It is a kind of hacking which allows you to deface websites, log in as another user, etc.



Introduction

Let us start by looking at how websites work. Starting with the simple ones, take this blog for example. It consists of a series of pages connected by many links. This is just a simple case; now let us take a look at websites that are interactive. We are particularly interested in websites that allow us to post something which then appears on the site. The simplest example is google.com: when you search for something, it appears on their site. Or take the example of digg.com, reddit.com etc., where you can submit information that is displayed on their site.



Phase 2 : Javascript injection

The next thing to try is putting JavaScript into those areas which appear on the site. For example:


<script>alert("hi");</script>

Most probably it wouldn't have worked, because either you tried it on some well-known site or you have to enter a little more code. Take the following example. The following page has an XSS hole:
http://www.propmart.com/search/pm_IdSearch.asp?txtPropertyId=somesearchitem


But if you put
http://www.propmart.com/search/pm_IdSearch.asp?txtPropertyId=<script>alert("xss");</script>

It didn't work. To understand why it didn't work, we have to look at the page source.
This is how the rendered source (the source that is output with your code in it) looks. To find out whether your injection has worked, take the source and search for your injected script. In this case it was found here:



Our script did not work because it was encapsulated within a quoted string. So to break out of it, we add extra code so that the new URL becomes:
http://www.propmart.com/search/pm_IdSearch.asp?txtPropertyId="><script>alert("xss");</script><span style="

Now our script is properly executed, as can be seen below.



The portion highlighted in red is the injected code. As you can see, it works.
Another page with an XSS hole is
http://www.propmart.com/mtrends/pm_marketrates.asp?city=Bangalore
and the injected URL looks something like
http://www.propmart.com/mtrends/pm_marketrates.asp?city=Bangalore-rates.jpg%22%3E%3Cscript%3Ealert(%22hi%22);%3C/script%3E%3Cimg%20src=%22Banglore

Now that you see that you can execute JavaScript in a client's browser, you can do anything from phishing, cookie stealing, defacement etc. (Bookmark me and wait for more on this topic.)
This is the case for simple sites that are not well made. Well-made sites like Google, Yahoo and Hotmail take this issue seriously and have filters. Finding an XSS hole there is tough.
However, some weak filters can be bypassed using the techniques mentioned in the XSS Cheat Sheet.

Message to Webmasters (especially of PropMart.com)

This article was written for you. Please add a filter between Request and Response so that XSS is prevented. Strip all HTML tags wherever it is OK to do so. Anti-XSS libraries are available for use. For PHP users, the strip_tags() function is a great way to prevent XSS in most cases.

Happy surfing...

More XSS holes ...
» 99acres.com : search for <script>alert(document.cookie);</script>
» Got another XSS hole? Let me know ....

4 comments:

Arun Prabhakar said...

more XSS holes:
yaari.com
justdial.com
grazeit.com

Anonymous said...

Hey,
you have hacked my site too..

Anyways thanks for pointing out the security holes..

I will try to fix this as soon as possible.
And I have bookmarked your blog also.

Arun Prabhakar said...

My latest additions ...

http://www.ideas4all.com/ideas/31056-new_idea_for_apple

Anonymous said...

http://vista.tutorvista.com/login/login.php?err=%3Cscript%3Ealert%28%22hii%22%29;%3C/script%3E&userid=xcv&redURL=http%3A%2F%2Fvista.tutorvista.com%2Flogin%2Flogin.php&strBounceURL=&strBounceURLPost=