|
|
|
---
|
|
|
|
title: "What is XSS?"
|
|
|
|
layout: post
|
|
|
|
---
|
|
|
|
|
|
|
|
I found a cross-site scripting (XSS) attack
|
|
|
|
in a well-known quiz hosting website.
|
|
|
|
I disclosed the vulnerability to them years ago, so I thought
|
|
|
|
now might be a good time to write about it.
|
|
|
|
|
|
|
|
In this first article I will explain what XSS is.
|
|
|
|
|
|
|
|
In the next article I will explain how I found this attack.
|
|
|
|
|
|
|
|
## What is cross-site scripting (XSS)
|
|
|
|
|
|
|
|
Cross-site scripting, XSS for short,
|
|
|
|
is a technique to execute arbitrary Javascript code on a user visiting a website
|
|
|
|
by linking to Javascript code stored on another server.
|
|
|
|
|
|
|
|
So for example:
|
|
|
|
|
|
|
|
I have a file on my website called [hacked.js](/assets/js/hacked.js).
|
|
|
|
If I was able to run this javascript file on anybody visiting a certain website *that is not mine*, this would be called cross-site scripting.
|
|
|
|
|
|
|
|
Click the above `hacked.js` link to view the code I use to "hack" this website.
|
|
|
|
It's safe, I promise ;)
|
|
|
|
|
|
|
|
Now, how can we get this code to execute when a user visits this site?
|
|
|
|
To explain, I will start with some of the underlying technologies.
|
|
|
|
|
|
|
|
### Escape Characters!
|
|
|
|
|
|
|
|
No, this is not a Sherlock Holmes novel!
|
|
|
|
|
|
|
|
If we suppose that a website is built with sequences like these (called "tags"):
|
|
|
|
`<body>`, `<p>` (for paragraph), `<link>` and `<b>` for bold,
|
|
|
|
then why can you *see* the left and right angle bracket characters?
|
|
|
|
Don't they mean something? Shouldn't they be telling the browser:
|
|
|
|
*"Hey! Make me bold!"?*
|
|
|
|
Why *doesn't* everything after me typing `<b>` turn bold?
|
|
|
|
|
|
|
|
The answer is:
|
|
|
|
|
|
|
|
There are special characters in HTML to type a visible left (<)
|
|
|
|
and visible right angle bracket (>) in a website.
|
|
|
|
If I use the left and right brackets on my keyboard however,
|
|
|
|
things will indeed <b>show up bold</b>.
|
|
|
|
|
|
|
|
This is the code for the sentence I wrote above:
|
|
|
|
<pre class="terminal">
|
|
|
|
There are special characters in HTML to type a visible left (&lt;)
|
|
|
|
and visible right angle bracket (&gt;) in a website.
|
|
|
|
If I use the left and right brackets on my keyboard however,
|
|
|
|
things will indeed <b>show up bold</b>.
|
|
|
|
</pre>
|
|
|
|
|
|
|
|
Notice how all visible left angle brackets use an `<` to show them?
|
|
|
|
|
|
|
|
These are called [escape characters](https://en.wikipedia.org/wiki/Escape_character).
|
|
|
|
They tell a system, in this case your web browser:
|
|
|
|
*"Hello! Please show me off! I don't want to be hidden."*
|
|
|
|
|
|
|
|
#### Sanitization
|
|
|
|
|
|
|
|
Most of the time XSS attacks are done using poorly sanitized HTML `<input>` elements.
|
|
|
|
|
|
|
|
Sanitization is when a program (usually on the server side),
|
|
|
|
will remove characters like `<` and replace them with the aforementioned "escape characters".
|
|
|
|
Internally this would be something like `<`,
|
|
|
|
but they would show up to a user as `<`.
|
|
|
|
|
|
|
|
When inputs are not properly sanitized *and* the input is shown to the user in another part of the website,
|
|
|
|
then a malicous user can type in HTML that will run whenever anybody tries to look at what they typed.
|
|
|
|
For example: a name for a quiz website (input) and the leaderboard for said quiz (display).
|
|
|
|
|
|
|
|
HTML, by itself is not very dangerous.
|
|
|
|
The worst thing you could do is probably put a link on your name,
|
|
|
|
and then point it to a porn site.
|
|
|
|
Make your name bold, italic. Maybe make the background a funny color.
|
|
|
|
Although this may annoy your victim it is not dangerous security wise.
|
|
|
|
|
|
|
|
There is one tag however, that *is* scary...
|
|
|
|
|
|
|
|
## `<script>`
|
|
|
|
|
|
|
|
The `<script>` tag allows you to write code that can:
|
|
|
|
|
|
|
|
1. Change the page contents.
|
|
|
|
2. Redirect the user to a new page automatically.
|
|
|
|
3. Get a user's location.
|
|
|
|
4. Open a user's microphone/webcam.
|
|
|
|
5. With the `src` [attribute](https://www.w3schools.com/htmL/html_attributes.asp) you can also load a script from another site. (This is XSS)
|
|
|
|
|
|
|
|
Those last two will ask for permission from the user (if their browser isn't insanely insecure).
|
|
|
|
|
|
|
|
In my next article I'll talk about a website I found which is vulnerable to this attack.
|
|
|
|
And, show you how you can run your own XSS attack.
|
|
|
|
|