|
|
|
|
|
<!DOCTYPE html>
|
|
|
|
|
|
<html lang="en">
|
|
|
|
|
|
<head>
|
|
|
|
|
|
<meta charset="UTF-8">
|
|
|
|
|
|
<title>What is XSS? | tait.tech</title>
|
|
|
|
|
|
<link rel="stylesheet" href="/assets/css/style.css">
|
|
|
|
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
|
|
|
|
<meta name="author" content="Tait Hoyem">
|
|
|
|
|
|
<meta name="keywords" content="">
|
|
|
|
|
|
<meta name="description" content="">
|
|
|
|
|
|
</head>
|
|
|
|
|
|
<body>
|
|
|
|
|
|
<div id="wrapper">
|
|
|
|
|
|
<header>
|
|
|
|
|
|
<h1>tait.tech</h1>
|
|
|
|
|
|
|
|
|
|
|
|
<nav>
|
|
|
|
|
|
|
|
|
|
|
|
<a href="/" class="nav-link" >Home</a>
|
|
|
|
|
|
|
|
|
|
|
|
<a href="/blog/" class="nav-link" >Blog</a>
|
|
|
|
|
|
|
|
|
|
|
|
<a href="/ideas/" class="nav-link" >Ideas</a>
|
|
|
|
|
|
|
|
|
|
|
|
<a href="/links/" class="nav-link" >Links</a>
|
|
|
|
|
|
|
|
|
|
|
|
<a href="https://github.com/TTWNO/" class="nav-link" target="_blank" rel="noopener noreferrer" >Github</a>
|
|
|
|
|
|
|
|
|
|
|
|
</nav>
|
|
|
|
|
|
|
|
|
|
|
|
</header>
|
|
|
|
|
|
<main>
|
|
|
|
|
|
<article>
|
|
|
|
|
|
<header>
|
|
|
|
|
|
<h1 class="post-title">What is XSS?</h1>
|
|
|
|
|
|
<time datetime="20-04-25" class="post-date">Saturday, April 25 2020</time>
|
|
|
|
|
|
</header>
|
|
|
|
|
|
<hr>
|
|
|
|
|
|
|
|
|
|
|
|
<p>I found a cross-site scripting (XSS) attack
|
|
|
|
|
|
in a well-known quiz hosting website.
|
|
|
|
|
|
I disclosed the vulnerability to them years ago, so I thought
|
|
|
|
|
|
now might be a good time to write about it.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>In this first article I will explain what XSS is.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>In the next article I will explain how I found this attack.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<h2 id="what-is-cross-site-scripting-xss">What is cross-site scripting (XSS)</h2>
|
|
|
|
|
|
|
|
|
|
|
|
<p>Cross-site scripting, XSS for short,
|
|
|
|
|
|
is a technique to execute arbitrary Javascript code on a user visiting a website
|
|
|
|
|
|
by linking to Javascript code stored on another server.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>So for example:</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>I have a file on my website called <a href="/assets/js/hacked.js">hacked.js</a>.
|
|
|
|
|
|
If I was able to run this javascript file on anybody visiting a certain website <em>that is not mine</em>, this would be called cross-site scripting.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>Click the above <code class="language-plaintext highlighter-rouge">hacked.js</code> link to view the code I use to “hack” this website.
|
|
|
|
|
|
It’s safe, I promise ;)</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>Now, how can we get this code to execute when a user visits this site?
|
|
|
|
|
|
To explain, I will start with some of the underlying technologies.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<h3 id="escape-characters">Escape Characters!</h3>
|
|
|
|
|
|
|
|
|
|
|
|
<p>No, this is not a Sherlock Holmes novel!</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>If we suppose that a website is built with sequences like these (called “tags”):
|
|
|
|
|
|
<code class="language-plaintext highlighter-rouge"><body></code>, <code class="language-plaintext highlighter-rouge"><p></code> (for paragraph), <code class="language-plaintext highlighter-rouge"><link></code> and <code class="language-plaintext highlighter-rouge"><b></code> for bold,
|
|
|
|
|
|
then why can you <em>see</em> the left and right angle bracket characters?
|
|
|
|
|
|
Don’t they mean something? Shouldn’t they be telling the browser:
|
|
|
|
|
|
<em>“Hey! Make me bold!”?</em>
|
|
|
|
|
|
Why <em>doesn’t</em> everything after me typing <code class="language-plaintext highlighter-rouge"><b></code> turn bold?</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>The answer is:</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>There are special characters in HTML to type a visible left (<)
|
|
|
|
|
|
and visible right angle bracket (>) in a website.
|
|
|
|
|
|
If I use the left and right brackets on my keyboard however,
|
|
|
|
|
|
things will indeed <b>show up bold</b>.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>This is the code for the sentence I wrote above:</p>
|
|
|
|
|
|
<pre class="terminal">
|
|
|
|
|
|
There are special characters in HTML to type a visible left (&lt;)
|
|
|
|
|
|
and visible right angle bracket (&gt;) in a website.
|
|
|
|
|
|
If I use the left and right brackets on my keyboard however,
|
|
|
|
|
|
things will indeed <b>show up bold</b>.
|
|
|
|
|
|
</pre>
|
|
|
|
|
|
|
|
|
|
|
|
<p>Notice how all visible left angle brackets use an <code class="language-plaintext highlighter-rouge">&lt;</code> to show them?</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>These are called <a href="https://en.wikipedia.org/wiki/Escape_character">escape characters</a>.
|
|
|
|
|
|
They tell a system, in this case your web browser:
|
|
|
|
|
|
<em>“Hello! Please show me off! I don’t want to be hidden.”</em></p>
|
|
|
|
|
|
|
|
|
|
|
|
<h4 id="sanitization">Sanitization</h4>
|
|
|
|
|
|
|
|
|
|
|
|
<p>Most of the time XSS attacks are done using poorly sanitized HTML <code class="language-plaintext highlighter-rouge"><input></code> elements.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>Sanitization is when a program (usually on the server side),
|
|
|
|
|
|
will remove characters like <code class="language-plaintext highlighter-rouge"><</code> and replace them with the aforementioned “escape characters”.
|
|
|
|
|
|
Internally this would be something like <code class="language-plaintext highlighter-rouge">&lt;</code>,
|
|
|
|
|
|
but they would show up to a user as <code class="language-plaintext highlighter-rouge"><</code>.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>When inputs are not properly sanitized <em>and</em> the input is shown to the user in another part of the website,
|
|
|
|
|
|
then a malicous user can type in HTML that will run whenever anybody tries to look at what they typed.
|
|
|
|
|
|
For example: a name for a quiz website (input) and the leaderboard for said quiz (display).</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>HTML, by itself is not very dangerous.
|
|
|
|
|
|
The worst thing you could do is probably put a link on your name,
|
|
|
|
|
|
and then point it to a porn site.
|
|
|
|
|
|
Make your name bold, italic. Maybe make the background a funny color.
|
|
|
|
|
|
Although this may annoy your victim it is not dangerous security wise.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>There is one tag however, that <em>is</em> scary…</p>
|
|
|
|
|
|
|
|
|
|
|
|
<h2 id="script"><code class="language-plaintext highlighter-rouge"><script></code></h2>
|
|
|
|
|
|
|
|
|
|
|
|
<p>The <code class="language-plaintext highlighter-rouge"><script></code> tag allows you to write code that can:</p>
|
|
|
|
|
|
|
|
|
|
|
|
<ol>
|
|
|
|
|
|
<li>Change the page contents.</li>
|
|
|
|
|
|
<li>Redirect the user to a new page automatically.</li>
|
|
|
|
|
|
<li>Get a user’s location.</li>
|
|
|
|
|
|
<li>Open a user’s microphone/webcam.</li>
|
|
|
|
|
|
<li>With the <code class="language-plaintext highlighter-rouge">src</code> <a href="https://www.w3schools.com/htmL/html_attributes.asp">attribute</a> you can also load a script from another site. (This is XSS)</li>
|
|
|
|
|
|
</ol>
|
|
|
|
|
|
|
|
|
|
|
|
<p>Those last two will ask for permission from the user (if their browser isn’t insanely insecure).</p>
|
|
|
|
|
|
|
|
|
|
|
|
<p>In my next article I’ll talk about a website I found which is vulnerable to this attack.
|
|
|
|
|
|
And, show you how you can run your own XSS attack.</p>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
</article>
|
|
|
|
|
|
|
|
|
|
|
|
</main>
|
|
|
|
|
|
<hr>
|
|
|
|
|
|
<footer>
|
|
|
|
|
|
This page will be mirrored on <a href="https://beta.tait.tech/2020/04/25/xss/">beta.tait.tech</a>.
|
|
|
|
|
|
|
|
|
|
|
|
</footer>
|
|
|
|
|
|
</div>
|
|
|
|
|
|
</body>
|
|
|
|
|
|
</html>
|
