tait
/
site
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c055e94b85'
${ noResults }
site/2020/04/25/xss/index.html

148 lines
6.1 KiB
Raw Blame History Escape

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>What is XSS? | tait.tech</title>
<link rel="stylesheet" href="/assets/css/style.css">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="author" content="Tait Hoyem">
<meta name="keywords" content="">
<meta name="description" content="">
</head>
<body>
<div id="wrapper">
<header>
<h1>tait.tech</h1>
<nav>
<a href="/" class="nav-link" >Home</a>
<a href="/blog/" class="nav-link" >Blog</a>
<a href="/ideas/" class="nav-link" >Ideas</a>
<a href="/links/" class="nav-link" >Links</a>
<a href="https://github.com/TTWNO/" class="nav-link" target="_blank" rel="noopener noreferrer" >Github</a>
</nav>
</header>
<main>
<article>
<header>
<h1 class="post-title">What is XSS?</h1>
<time datetime="20-04-25" class="post-date">Saturday, April 25 2020</time>
</header>
<hr>
<p>I found a cross-site scripting (XSS) attack
in a well-known quiz hosting website.
I disclosed the vulnerability to them years ago, so I thought
now might be a good time to write about it.</p>
<p>In this first article I will explain what XSS is.</p>
<p>In the next article I will explain how I found this attack.</p>
<h2 id="what-is-cross-site-scripting-xss">What is cross-site scripting (XSS)</h2>
<p>Cross-site scripting, XSS for short,
is a technique to execute arbitrary Javascript code on a user visiting a website
by linking to Javascript code stored on another server.</p>
<p>So for example:</p>
<p>I have a file on my website called <a href="/assets/js/hacked.js">hacked.js</a>.
If I was able to run this javascript file on anybody visiting a certain website <em>that is not mine</em>, this would be called cross-site scripting.</p>
<p>Click the above <code class="language-plaintext highlighter-rouge">hacked.js</code> link to view the code I use to “hack” this website.
Its safe, I promise ;)</p>
<p>Now, how can we get this code to execute when a user visits this site?
To explain, I will start with some of the underlying technologies.</p>
<h3 id="escape-characters">Escape Characters!</h3>
<p>No, this is not a Sherlock Holmes novel!</p>
<p>If we suppose that a website is built with sequences like these (called “tags”):
<code class="language-plaintext highlighter-rouge">&lt;body&gt;</code>, <code class="language-plaintext highlighter-rouge">&lt;p&gt;</code> (for paragraph), <code class="language-plaintext highlighter-rouge">&lt;link&gt;</code> and <code class="language-plaintext highlighter-rouge">&lt;b&gt;</code> for bold,
then why can you <em>see</em> the left and right angle bracket characters?
Dont they mean something? Shouldnt they be telling the browser:
<em>“Hey! Make me bold!”?</em>
Why <em>doesnt</em> everything after me typing <code class="language-plaintext highlighter-rouge">&lt;b&gt;</code> turn bold?</p>
<p>The answer is:</p>
<p>There are special characters in HTML to type a visible left (&lt;)
and visible right angle bracket (&gt;) in a website.
If I use the left and right brackets on my keyboard however,
things will indeed <b>show up bold</b>.</p>
<p>This is the code for the sentence I wrote above:</p>
<pre class="terminal">
There are special characters in HTML to type a visible left (&amp;lt;)
and visible right angle bracket (&amp;gt;) in a website.
If I use the left and right brackets on my keyboard however,
things will indeed &lt;b&gt;show up bold&lt;/b&gt;.
</pre>
<p>Notice how all visible left angle brackets use an <code class="language-plaintext highlighter-rouge">&amp;lt;</code> to show them?</p>
<p>These are called <a href="https://en.wikipedia.org/wiki/Escape_character">escape characters</a>.
They tell a system, in this case your web browser:
<em>“Hello! Please show me off! I dont want to be hidden.”</em></p>
<h4 id="sanitization">Sanitization</h4>
<p>Most of the time XSS attacks are done using poorly sanitized HTML <code class="language-plaintext highlighter-rouge">&lt;input&gt;</code> elements.</p>
<p>Sanitization is when a program (usually on the server side),
will remove characters like <code class="language-plaintext highlighter-rouge">&lt;</code> and replace them with the aforementioned “escape characters”.
Internally this would be something like <code class="language-plaintext highlighter-rouge">&amp;lt;</code>,
but they would show up to a user as <code class="language-plaintext highlighter-rouge">&lt;</code>.</p>
<p>When inputs are not properly sanitized <em>and</em> the input is shown to the user in another part of the website,
then a malicous user can type in HTML that will run whenever anybody tries to look at what they typed.
For example: a name for a quiz website (input) and the leaderboard for said quiz (display).</p>
<p>HTML, by itself is not very dangerous.
The worst thing you could do is probably put a link on your name,
and then point it to a porn site.
Make your name bold, italic. Maybe make the background a funny color.
Although this may annoy your victim it is not dangerous security wise.</p>
<p>There is one tag however, that <em>is</em> scary…</p>
<h2 id="script"><code class="language-plaintext highlighter-rouge">&lt;script&gt;</code></h2>
<p>The <code class="language-plaintext highlighter-rouge">&lt;script&gt;</code> tag allows you to write code that can:</p>
<ol>
<li>Change the page contents.</li>
<li>Redirect the user to a new page automatically.</li>
<li>Get a users location.</li>
<li>Open a users microphone/webcam.</li>
<li>With the <code class="language-plaintext highlighter-rouge">src</code> <a href="https://www.w3schools.com/htmL/html_attributes.asp">attribute</a> you can also load a script from another site. (This is XSS)</li>
</ol>
<p>Those last two will ask for permission from the user (if their browser isnt insanely insecure).</p>
<p>In my next article Ill talk about a website I found which is vulnerable to this attack.
And, show you how you can run your own XSS attack.</p>
</article>
</main>
<hr>
<footer>
This page will be mirrored on <a href="https://beta.tait.tech/2020/04/25/xss/">beta.tait.tech</a>.
</footer>
</div>
</body>
</html>
Reference in new issue View Git Blame Copy Permalink