tait.tech/_site/2020/04/25/xss/index.html

<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>What is XSS? | tait.tech</title> <link rel="stylesheet" href="/assets/css/style.css"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="author" content="Tait Hoyem"> <meta name="keywords" content=""> <meta name="description" content=""> </head> <body> <div id="wrapper"> <header> <nav> <input type="checkbox" id="menu"> <label for="menu">&#9776;</label> <div class="menu-content"> <a href="/" class="nav-link">Home</a> <a href="/blog/" class="nav-link">Blog</a> <a href="https://github.com/TTWNO/" class="nav-link" target="_blank" rel="noopener noreferrer">Github</a> </div> </nav> </header> <main> <article> <header> <h1 class="post-title">What is XSS?</h1> <time datetime="20-04-25" class="post-date">Saturday, April 25 2020</time> </header> <hr> <p>I found a cross-site scripting (XSS) attack in a well-known quiz hosting website. I disclosed the vulnerability to them years ago, so I thought now might be a good time to write about it.</p> <p>In this first article I will explain what XSS is.</p> <p>In the next article I will explain how I found this attack.</p> <h2 id="what-is-cross-site-scripting-xss">What is cross-site scripting (XSS)</h2> <p>Cross-site scripting, XSS for short, is a technique to execute arbitrary Javascript code on a user visiting a website by linking to Javascript code stored on another server.</p> <p>So for example:</p> <p>I have a file on my website called <a href="/assets/js/hacked.js">hacked.js</a>. If I was able to run this javascript file on anybody visiting a certain website <em>that is not mine</em>, this would be called cross-site scripting.</p> <p>Click the above <code class="language-plaintext highlighter-rouge">hacked.js</code> link to view the code I use to “hack” this website. It’s safe, I promise ;)</p> <p>Now, how can we get this code to execute when a user visits this site? To explain, I will start with some of the underlying technologies.</p> <h3 id="escape-characters">Escape Characters!</h3> <p>No, this is not a Sherlock Holmes novel!</p> <p>If we suppose that a website is built with sequences like these (called “tags”): <code class="language-plaintext highlighter-rouge">&lt;body&gt;</code>, <code class="language-plaintext highlighter-rouge">&lt;p&gt;</code> (for paragraph), <code class="language-plaintext highlighter-rouge">&lt;link&gt;</code> and <code class="language-plaintext highlighter-rouge">&lt;b&gt;</code> for bold, then why can you <em>see</em> the left and right angle bracket characters? Don’t they mean something? Shouldn’t they be telling the browser: <em>“Hey! Make me bold!”?</em> Why <em>doesn’t</em> everything after me typing <code class="language-plaintext highlighter-rouge">&lt;b&gt;</code> turn bold?</p> <p>The answer is:</p> <p>There are special characters in HTML to type a visible left (&lt;) and visible right angle bracket (&gt;) in a website. If I use the left and right brackets on my keyboard however, things will indeed <b>show up bold</b>.</p> <p>This is the code for the sentence I wrote above:</p> <pre class="terminal">
There are special characters in HTML to type a visible left (&amp;lt;)
and visible right angle bracket (&amp;gt;) in a website.
If I use the left and right brackets on my keyboard however,
things will indeed &lt;b&gt;show up bold&lt;/b&gt;.
</pre> <p>Notice how all visible left angle brackets use an <code class="language-plaintext highlighter-rouge">&amp;lt;</code> to show them?</p> <p>These are called <a href="https://en.wikipedia.org/wiki/Escape_character">escape characters</a>. They tell a system, in this case your web browser: <em>“Hello! Please show me off! I don’t want to be hidden.”</em></p> <h4 id="sanitization">Sanitization</h4> <p>Most of the time XSS attacks are done using poorly sanitized HTML <code class="language-plaintext highlighter-rouge">&lt;input&gt;</code> elements.</p> <p>Sanitization is when a program (usually on the server side), will remove characters like <code class="language-plaintext highlighter-rouge">&lt;</code> and replace them with the aforementioned “escape characters”. Internally this would be something like <code class="language-plaintext highlighter-rouge">&amp;lt;</code>, but they would show up to a user as <code class="language-plaintext highlighter-rouge">&lt;</code>.</p> <p>When inputs are not properly sanitized <em>and</em> the input is shown to the user in another part of the website, then a malicous user can type in HTML that will run whenever anybody tries to look at what they typed. For example: a name for a quiz website (input) and the leaderboard for said quiz (display).</p> <p>HTML, by itself is not very dangerous. The worst thing you could do is probably put a link on your name, and then point it to a porn site. Make your name bold, italic. Maybe make the background a funny color. Although this may annoy your victim it is not dangerous security wise.</p> <p>There is one tag however, that <em>is</em> scary…</p> <h2 id="script"><code class="language-plaintext highlighter-rouge">&lt;script&gt;</code></h2> <p>The <code class="language-plaintext highlighter-rouge">&lt;script&gt;</code> tag allows you to write code that can:</p> <ol> <li>Change the page contents.</li> <li>Redirect the user to a new page automatically.</li> <li>Get a user’s location.</li> <li>Open a user’s microphone/webcam.</li> <li>With the <code class="language-plaintext highlighter-rouge">src</code> <a href="https://www.w3schools.com/htmL/html_attributes.asp">attribute</a> you can also load a script from another site. (This is XSS)</li> </ol> <p>Those last two will ask for permission from the user (if their browser isn’t insanely insecure).</p> <p>In my next article I’ll talk about a website I found which is vulnerable to this attack. And, show you how you can run your own XSS attack.</p> </article> </main> <hr> <footer> This page is mirrored on <a href="https://beta.tait.tech/2020/04/25/xss/">beta.tait.tech</a>. </footer> </div> </body> </html>