Wednesday, April 16, 2008

XSS - Cross-site scripting

A Real-World Example

The term XSS gets thrown around a lot. Lot's of people don't quite know what it is though. Basically an XSS attack is a client-side vulnerability where a server does not properly sanitize data inputted to readily accessible forms.

In layman's terms, this generally means that a website will display any information given to it, regardless of its malicious content. This is important because it can be used to fool people into clicking on links to (otherwise) trustworthy sites which will, instead, cause malicious code to be loaded.

For this example, we are going to look at a government website which is vulnerable to XSS in two sites using the input from only one form. This is the website for the New York State Assembly. They have a convenient little page to help search for your representative.

Our target for today is the little box I have highlighted in yellow. Now, zip codes are normally numbers, let's see what happens if we give it deliberately false information. In this case, we tell it our "zip code" is "word"

This is the first sign that there might be an XSS vulnerability. The server is readily displaying our input.

Now, what we want to do is see if we can pass code to it. I generally test this by seeing if I can get it to display

In place of a plaintext output. To do this, we are going to take our previous link ( and change it to our potential XSS link [instead of word we can put script alert('hi') ] please put script between <> and see what that gives us.

Here are some key things to remember about forming a sucessful XSS attack:

1. Forms can often be escaped with a ">
2. Some forms of sanitation can be escaped! Of course, this is often hard to do, it is definitely possible
3. Don't be modest. In a case like this, the form could have been pushed to the point of loading iframes with malicious code and all other kinds of fun stuff

No comments: