From 531e6cd0f7b605598a1825ee02b07f0142316c30 Mon Sep 17 00:00:00 2001 From: Tait Hoyem Date: Fri, 24 Apr 2020 18:12:25 +0000 Subject: [PATCH] Update _site static files --- _site/2020/01/22/padding-and-margin.html | 2 +- _site/2020/01/26/rsa1.html | 2 +- _site/2020/02/19/rsa2.html | 2 +- _site/2020/04/02/rsa3.html | 2 +- _site/2020/04/06/rsa4.html | 2 +- _site/2020/04/12/nas1.html | 2 +- _site/2020/04/21/rfi.html | 2 +- _site/2020/04/22/quiz-your-friends.html | 178 +++++++++++++++++++++++ _site/assets/js/hacked.js | 2 + _site/blog/index.html | 14 +- _site/feed.xml | 136 ++++++++++++++++- _site/ideas/index.html | 19 ++- _site/index.html | 2 +- _site/links/index.html | 2 +- _site/sitemap.xml | 4 + 15 files changed, 359 insertions(+), 12 deletions(-) create mode 100644 _site/2020/04/22/quiz-your-friends.html create mode 100644 _site/assets/js/hacked.js diff --git a/_site/2020/01/22/padding-and-margin.html b/_site/2020/01/22/padding-and-margin.html index 8cecc59..ed0278c 100644 --- a/_site/2020/01/22/padding-and-margin.html +++ b/_site/2020/01/22/padding-and-margin.html @@ -79,7 +79,7 @@ diff --git a/_site/2020/01/26/rsa1.html b/_site/2020/01/26/rsa1.html index 3b9a93d..4a13f80 100644 --- a/_site/2020/01/26/rsa1.html +++ b/_site/2020/01/26/rsa1.html @@ -85,7 +85,7 @@ Japan lags slightly behind with 80 percent encrypted traffic.

diff --git a/_site/2020/02/19/rsa2.html b/_site/2020/02/19/rsa2.html index 89e1bdb..8d27870 100644 --- a/_site/2020/02/19/rsa2.html +++ b/_site/2020/02/19/rsa2.html @@ -177,7 +177,7 @@ I will discuss this more in another article, but for the technically inclined: diff --git a/_site/2020/04/02/rsa3.html b/_site/2020/04/02/rsa3.html index b955fe3..81aa55c 100644 --- a/_site/2020/04/02/rsa3.html +++ b/_site/2020/04/02/rsa3.html @@ -176,7 +176,7 @@ so it is easy for devlopers to work into their own applications without worrying diff --git a/_site/2020/04/06/rsa4.html b/_site/2020/04/06/rsa4.html index d67e054..db02659 100644 --- a/_site/2020/04/06/rsa4.html +++ b/_site/2020/04/06/rsa4.html @@ -375,7 +375,7 @@ I am happy to improve this guide as time goes on if that is necessary.

diff --git a/_site/2020/04/12/nas1.html b/_site/2020/04/12/nas1.html index 3248b2e..32be297 100644 --- a/_site/2020/04/12/nas1.html +++ b/_site/2020/04/12/nas1.html @@ -85,7 +85,7 @@ I will likely have luck on a place like Kijiji ( diff --git a/_site/2020/04/21/rfi.html b/_site/2020/04/21/rfi.html index 4fe41ef..64037cf 100644 --- a/_site/2020/04/21/rfi.html +++ b/_site/2020/04/21/rfi.html @@ -51,7 +51,7 @@ it gets a random file from the specified directory if you give it one like so: diff --git a/_site/2020/04/22/quiz-your-friends.html b/_site/2020/04/22/quiz-your-friends.html new file mode 100644 index 0000000..c6ce398 --- /dev/null +++ b/_site/2020/04/22/quiz-your-friends.html @@ -0,0 +1,178 @@ + + + + + The "Quiz Your Friends" Cross-Site Scripting Vulnerability | tait.tech + + + + +
+ + +

The "Quiz Your Friends" Cross-Site Scripting Vulnerability

+ + +
+

This was fun to write! I found a cross-site scripting (XSS) attack +in a well-known quiz hosting website. +I disclosed the vulnerability to them years ago, so I thought +now might be a good time to write about it.

+ +

In this first section I will explain what XSS is.

+ +

In the second section I will show you how I found this exploit and how to reproduce it yourself.

+ +

What is cross-site scripting (XSS)

+ +

Cross-site scripting, XSS for short, +is a technique to execute arbitrary Javascript code on a user visitng a website +by linking to Javascript code stored on another website.

+ +

So for example:

+ +

I have a file on my website called hacked.js. +If I was able to run this javascript file on anybody visiting a certain website that is not mine, this would be called cross-site scripting.

+ +

Click the above hacked.js link to view the code I use to “hack” this website. +It’s safe, I promise ;)

+ +

Now, how can we get this code to execute when a user visits this site?

+ +

How Do These Happen?

+ +

Most of the time, these attacks are done using poorly sanatized <input> elements. +Sanitization is when an input box of some type does not escape html characters like < or >.

+ +

Sanitization is when a program (usually on the server side), +will remove characters like < and replace them with escape characters +which internally would be something like &lt;, +but your browser would interpret that as “show me the character ‘less than sign’”.

+ +

A Thought Experiment

+ +

The question is:

+ +

If we suppose that a website is built with sequenses like these: <body>, <p> (for paragraph), <link> and <b> for bold, then why can you also see the left and right angle bracket characters? +Why doesn’t everything after me typing <b> turn bold?

+ +

The answer is:

+ +

There are special characters to type a visible left (<) +and right angle bracket (>) in a website. +If I type with the left and right bracket on my keyboard, +things will indeed show up bold.

+ +

This is the code for the sentence I wrote above:

+
+There are special characters to type a visible left (&lt;)
+and right angle bracket (&gt;) in a website.
+If I type with the left and right bracket on my keyboard,
+things will indeed <b>show up bold</b>.
+
+ +

Notice how all visible left angle brackets used an &lt; to show them?

+ +

This is the core of an XSS exploit.

+ +

If when a site takes in input it does not convert all <s and >s to &lt; and &gt;, +then when this data is returned to the user the browser will interpret the user input being displayed as HTML code.

+ +

How I Found This Exploit

+ +

While filling in one of my friend’s surveys I thought it would be +funny for them to know it is me without anyone else knowing. +We were young and had Inspect Elemented a few things together, +so it was a safe bet that an HTML joke would let them know.

+ +

So I typed in my name like so:

+ +

BOLD_STEVE.JPG

+ +

Now in theory this should have shown in in the leaderboard as: “<b>Bold Steve</b>” +However, to my horror and excitement, I saw this in the leaderboard:

+ +

BOLD_STEVE_LEADERBOARD.JPG

+ +

The text “Bold Steve” showed up in bold on the leaderboard. +This told me all I needed to know. To add a <script> tag was next.

+ +

Hacking:

+ +

So I went on my merry way thinking about ways to use malicious javascript. +Then, I thought that might be mean, so I decided to warn users instead. +I filled in the name with a script tag and a call to alert() to warn the user about this site.

+ +

JAVASCRIPT_NAME.JPG

+ +

I ran out of room before I could finish it. Hmmm. +What if I do “Inspect Element” and manually override the max-length attribute?

+ +

The unfortunate truth is: this worked as well!

+ +

Not only could I manually set the max-length by changing it in the HTML, +but there were no client-side OR server-side checks to make sure the name I was sending was less than or equal to 20 characters.

+ +

If Javascript checked it, it would have stopped me (although maybe not a professional). +If the server checked it, it could have stopped almost anyone.

+ +
Server-Side Validation
+ +

As a side note, here is a great reason why you should do most of your validation on the server side. +As a user, I can edit any of the HTML, CSS, or Javascript your server serves to me.

+ +

Imagine trying to fit in a script tag doing anything useful with 20 characters?

+ +

<script src="http:">

+ +

There’s your 20 characters! No more! Good luck trying to do anything useful with this!

+ +

The Quiz My Friends server has no such checks in place. +Therefore, I can send an almost arbitrary load to them. +Being able to send something potentially very large (more than a few megabytes) is a vulnerability of its own. +Imagine being able to send entire executable progrmas as your “name” in one of these quizes?

+ +

Executing An Exploit

+ +

Suppose we’re on a vulnerable site like Quiz Your Friends +and you decide you want to hack your friend’s quiz! +How can this be done?

+ +

Creating A Quiz

+ +

Here is my quiz below:

+ +

CREATING_QUIZ.IMG

+ +

Setting A Name With an HTML Tag

+ +

Just like the image above, about how I found out about this vulnerability: go ahead and use an HTML tag in your name to test this out.

+ +

BOLD_ITALIC_STEVE.JPG

+ + +
+ +
+ This page is mirrored on beta.tait.tech; it is not hosted by Linode. +
+ +
+ + diff --git a/_site/assets/js/hacked.js b/_site/assets/js/hacked.js new file mode 100644 index 0000000..212749b --- /dev/null +++ b/_site/assets/js/hacked.js @@ -0,0 +1,2 @@ +alert("Warning! This site is insecure and open to an attack called XSS. You are now being redirected to an article about this vulnerability."); +window.href = "https://tait.tech/2020/04/22/quiz-your-friends.html"; diff --git a/_site/blog/index.html b/_site/blog/index.html index 9e0b646..9fa7538 100644 --- a/_site/blog/index.html +++ b/_site/blog/index.html @@ -28,6 +28,18 @@ + + + +
+

The "Quiz Your Friends" Cross-Site Scripting Vulnerability

+ +

This was fun to write! I found a cross-site scripting (XSS) attack +in a well-known quiz hosting website. +I disclosed the vulnerability to them years ago, so I thought +now might be a good time to write about it.

+
+

rfi: A Simple Linux utility to get a random file from a directory

@@ -97,7 +109,7 @@ These are the everyday tools of many privacy advocates and computer nerds.

diff --git a/_site/feed.xml b/_site/feed.xml index 49cc788..77e76a7 100644 --- a/_site/feed.xml +++ b/_site/feed.xml 
@@ -1,4 +1,138 @@ -Jekyll2020-04-22T02:38:30+00:00http://localhost:4000/feed.xmlrfi: A Simple Linux utility to get a random file from a directory2020-04-21T00:00:00+00:002020-04-21T00:00:00+00:00http://localhost:4000/2020/04/21/rfi<p>I made a <a href="https://lbry.tv/@tait:7/rfi:5">little video</a> about this script I wrote:</p> +Jekyll2020-04-24T18:09:21+00:00http://localhost:4000/feed.xmlThe “Quiz Your Friends” Cross-Site Scripting Vulnerability2020-04-22T00:00:00+00:002020-04-22T00:00:00+00:00http://localhost:4000/2020/04/22/quiz-your-friends<p>This was fun to write! I found a cross-site scripting (XSS) attack +in a well-known quiz hosting website. +I disclosed the vulnerability to them years ago, so I thought +now might be a good time to write about it.</p> + +<p>In this first section I will explain what XSS is.</p> + +<p>In the <a href="#executing-an-exploit">second section</a> I will show you how I found this exploit and how to reproduce it yourself.</p> + +<h2 id="what-is-cross-site-scripting-xss">What is cross-site scripting (XSS)</h2> + +<p>Cross-site scripting, XSS for short, +is a technique to execute arbitrary Javascript code on a user visitng a website +by linking to Javascript code stored on another website.</p> + +<p>So for example:</p> + +<p>I have a file on my website called <a href="/assets/js/hacked.js">hacked.js</a>. +If I was able to run this javascript file on anybody visiting a certain website <em>that is not mine</em>, this would be called cross-site scripting.</p> + +<p>Click the above <code class="highlighter-rouge">hacked.js</code> link to view the code I use to “hack” this website. +It’s safe, I promise ;)</p> + +<p>Now, how can we get this code to execute when a user visits this site?</p> + +<h3 id="how-do-these-happen">How Do These Happen?</h3> + +<p>Most of the time, these attacks are done using poorly sanatized <code class="highlighter-rouge">&lt;input&gt;</code> elements. 
+Sanitization is when an input box of some type does not <a href="">escape</a> html characters like <code class="highlighter-rouge">&lt;</code> or <code class="highlighter-rouge">&gt;</code>.</p> + +<p>Sanitization is when a program (usually on the server side), +will remove characters like <code class="highlighter-rouge">&lt;</code> and replace them with <a href="">escape characters</a> +which internally would be something like <code class="highlighter-rouge">&amp;lt;</code>, +but your browser would interpret that as “show me the character ‘less than sign’”.</p> + +<h3 id="a-thought-experiment">A Thought Experiment</h3> + +<p>The question is:</p> + +<p>If we suppose that a website is built with sequenses like these: <code class="highlighter-rouge">&lt;body&gt;</code>, <code class="highlighter-rouge">&lt;p&gt;</code> (for paragraph), <code class="highlighter-rouge">&lt;link&gt;</code> and <code class="highlighter-rouge">&lt;b&gt;</code> for bold, then why can you also <em>see</em> the left and right angle bracket characters? +Why doesn’t everything after me typing <code class="highlighter-rouge">&lt;b&gt;</code> turn bold?</p> + +<p>The answer is:</p> + +<p>There are special characters to type a visible left (&lt;) +and right angle bracket (&gt;) in a website. +If I type with the left and right bracket on my keyboard, +things will indeed <b>show up bold</b>.</p> + +<p>This is the code for the sentence I wrote above:</p> +<pre class="terminal"> +There are special characters to type a visible left (&amp;lt;) +and right angle bracket (&amp;gt;) in a website. +If I type with the left and right bracket on my keyboard, +things will indeed &lt;b&gt;show up bold&lt;/b&gt;. 
+</pre> + +<p>Notice how all visible left angle brackets used an <code class="highlighter-rouge">&amp;lt;</code> to show them?</p> + +<p>This is the core of an XSS exploit.</p> + +<p>If when a site takes in input it does not convert all &lt;s and &gt;s to &amp;lt; and &amp;gt;, +then when this data is returned to the user the browser will interpret the user input being displayed <em>as HTML code</em>.</p> + +<h2 id="how-i-found-this-exploit">How I Found This Exploit</h2> + +<p>While filling in one of my friend’s surveys I thought it would be +funny for them to know it is me without anyone else knowing. +We were young and had <code class="highlighter-rouge">Inspect Element</code>ed a few things together, +so it was a safe bet that an HTML joke would let them know.</p> + +<p>So I typed in my name like so:</p> + +<p><code class="highlighter-rouge">BOLD_STEVE.JPG</code></p> + +<p>Now in theory this should have shown in in the leaderboard as: “&lt;b&gt;Bold Steve&lt;/b&gt;” +However, to my horror and excitement, I saw this in the leaderboard:</p> + +<p><code class="highlighter-rouge">BOLD_STEVE_LEADERBOARD.JPG</code></p> + +<p>The text “Bold Steve” showed up <strong>in bold</strong> on the leaderboard. +This told me all I needed to know. To add a <code class="highlighter-rouge">&lt;script&gt;</code> tag was next.</p> + +<h4 id="hacking">Hacking:</h4> + +<p>So I went on my merry way thinking about ways to use malicious javascript. +Then, I thought that might be mean, so I decided to warn users instead. +I filled in the name with a script tag and a call to <code class="highlighter-rouge">alert()</code> to warn the user about this site.</p> + +<p><code class="highlighter-rouge">JAVASCRIPT_NAME.JPG</code></p> + +<p>I ran out of room before I could finish it. Hmmm. 
+What if I do “Inspect Element” and manually override the max-length attribute?</p> + +<p>The unfortunate truth is: this worked as well!</p> + +<p>Not only could I manually set the max-length by changing it in the HTML, +but there were no client-side OR server-side checks to make sure the name I was sending was less than or equal to 20 characters.</p> + +<p>If Javascript checked it, it would have stopped me (although maybe not a professional). +If the server checked it, it could have stopped almost anyone.</p> + +<h5 id="server-side-validation">Server-Side Validation</h5> + +<p>As a side note, here is a great reason why you should do most of your validation on the server side. +As a user, I can edit any of the HTML, CSS, or Javascript your server serves to me.</p> + +<p>Imagine trying to fit in a script tag doing anything useful with 20 characters?</p> + +<p><code class="highlighter-rouge">&lt;script src="http:"&gt;</code></p> + +<p>There’s your 20 characters! No more! Good luck trying to do anything useful with this!</p> + +<p>The Quiz My Friends server has <em>no such checks in place</em>. +Therefore, I can send an almost arbitrary load to them. +Being able to send something potentially very large (more than a few megabytes) is a vulnerability of its own. +Imagine being able to send entire executable progrmas as your “name” in one of these quizes?</p> + +<h2 id="executing-an-exploit">Executing An Exploit</h2> + +<p>Suppose we’re on a vulnerable site like <a href="https://www.quizyourfriends.com/">Quiz Your Friends</a> +and you decide you want to hack your friend’s quiz! 
+How can this be done?</p> + +<h4 id="creating-a-quiz">Creating A Quiz</h4> + +<p>Here is my quiz below:</p> + +<p><code class="highlighter-rouge">CREATING_QUIZ.IMG</code></p> + +<h4 id="setting-a-name-with-an-html-tag">Setting A Name With an HTML Tag</h4> + +<p>Just like the image above, about how I found out about this vulnerability: go ahead and use an HTML tag in your name to test this out.</p> + +<p><code class="highlighter-rouge">BOLD_ITALIC_STEVE.JPG</code></p>This was fun to write! I found a cross-site scripting (XSS) attack in a well-known quiz hosting website. I disclosed the vulnerability to them years ago, so I thought now might be a good time to write about it.rfi: A Simple Linux utility to get a random file from a directory2020-04-21T00:00:00+00:002020-04-21T00:00:00+00:00http://localhost:4000/2020/04/21/rfi<p>I made a <a href="https://lbry.tv/@tait:7/rfi:5">little video</a> about this script I wrote:</p> <pre class="terminal"> $ rfi diff --git a/_site/ideas/index.html b/_site/ideas/index.html index 2c2d197..b363ade 100644 --- a/_site/ideas/index.html +++ b/_site/ideas/index.html @@ -69,6 +69,23 @@ system would also integrate well with idea 1.2

With the Linux Speakup project already written, would this mean I could just plug a RPi up to a braille display and be on my merry way?

+

1.4 Accessible Meme Description

+ +

Using a image matching algorithm (no idea which one or how). +Or, frankly, even a scaled down image with binary closeness algorithm.

+ +

Either way, take the best matching picture and use that as the basis to describe the picture. +Unsure how I would go about describing unlimited amount of new memes, but that is to be seen.

+ +

Best idea is to get in contact with the guys who make this meme generator as most memes there are at least partially described.

+ +

1.5 Talking Anarchy

+ +

I would like to make a Linux distro which combines the easy of installation of Anarchy Linux +with the speech tools available from Talking Arch.

+ +

This should require relatively little effort, as Talking Arch has a tool to build your own ISOs with additional packages (IIRC).

+

2. *NIX Ideas

2.1 Fan/Sensor Driver for My Old Toshiba

@@ -156,7 +173,7 @@ Seems liks fun.

- This page is mirrored on beta.tait.tech, which is also not hosted by Amazon. + This page is mirrored on beta.tait.tech; it is not hosted by Linode.
diff --git a/_site/index.html b/_site/index.html index 368705d..bff95b0 100644 --- a/_site/index.html +++ b/_site/index.html @@ -75,7 +75,7 @@ Those are here.

- This page is mirrored on beta.tait.tech, which is also not hosted by Amazon. + This page is mirrored on beta.tait.tech; it is not hosted by Linode.
diff --git a/_site/links/index.html b/_site/links/index.html index fa0332c..dcb780c 100644 --- a/_site/links/index.html +++ b/_site/links/index.html @@ -193,7 +193,7 @@

All my big projects are on my homepage.

- This page is mirrored on beta.tait.tech, which is also not hosted by Amazon. + This page is mirrored on beta.tait.tech; it is not hosted by Linode.
diff --git a/_site/sitemap.xml b/_site/sitemap.xml index 6fc6640..87a137d 100644 --- a/_site/sitemap.xml +++ b/_site/sitemap.xml @@ -29,6 +29,10 @@ 2020-04-21T00:00:00+00:00 +http://localhost:4000/2020/04/22/quiz-your-friends.html +2020-04-22T00:00:00+00:00 + + http://localhost:4000/blog/
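Review bot: In the new `_site/2020/04/22/quiz-your-friends.html`, the definition of sanitization under "How Do These Happen?" is inverted: "Sanitization is when an input box of some type does not escape html characters like < or >" describes the absence of sanitization, and the very next paragraph ("Sanitization is when a program ... will remove characters like < and replace them with escape characters") contradicts it, so drop or reword the first sentence. The two `<a href="">` anchors around "escape" and "escape characters" have empty targets and should either point at a reference or become plain text. The security framing would also be tighter if the opening definition ("execute arbitrary Javascript code on a user visitng a website by linking to Javascript code stored on another website") did not make a second website part of the definition: the bug demonstrated later is simply user-supplied text being rendered as HTML, and the fix the post already illustrates with `&lt;`/`&gt;` is HTML-escaping output wherever user-controlled text is written into a page, with the server-side length check as a secondary control rather than the primary one. Minor: "visitng", "sanatized", "sequenses", "progrmas", "quizes", "shown in in"; the attribute is `maxlength`, not "max-length"; the site is called both "Quiz Your Friends" and "Quiz My Friends"; the "second section" link targets `#executing-an-exploit` while the sentence promises the "How I Found This Exploit" section; and `BOLD_STEVE.JPG`, `BOLD_STEVE_LEADERBOARD.JPG`, `JAVASCRIPT_NAME.JPG`, `CREATING_QUIZ.IMG` and `BOLD_ITALIC_STEVE.JPG` are rendered as inline `<code>` rather than `<img>` elements, so the screenshots the text refers to never appear.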
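Review bot: The second line of the new `_site/assets/js/hacked.js`, `window.href = "https://tait.tech/2020/04/22/quiz-your-friends.html";`, does not navigate anywhere: `href` is not a property of `window`, so this only sets an unused expando and the page stays where it is, which makes the alert's "You are now being redirected" claim false. Use `window.location.href = "https://tait.tech/2020/04/22/quiz-your-friends.html";` (or `window.location.assign(...)`) if the redirect is intended. Since the article links to this file as the demonstration payload, the broken line will also confuse readers who open it to see what it does.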
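Review bot: Every URL in the regenerated `_site/feed.xml` is built on `http://localhost:4000/` (the feed's own `feed.xml` link and the `/2020/04/22/quiz-your-friends` and `/2020/04/21/rfi` entry links), so subscribers' readers will follow links to a development host; the committed `_site` output was evidently built without the production site URL, and `hacked.js` in this same commit hard-codes `https://tait.tech/...`, which is presumably the intended host. Rebuild with the production URL before committing generated output. The feed entry also reproduces the post's empty `<a href="">` anchors and the inverted "Sanitization is when an input box ... does not escape" sentence, so those should be fixed in the Markdown source rather than patched in `_site`.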
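Review bot: The new `<loc>` entry `http://localhost:4000/2020/04/22/quiz-your-friends.html` in `_site/sitemap.xml` points at a development host, so search engines will either ignore it or index the wrong origin; the unchanged `http://localhost:4000/blog/` context line shows the whole sitemap has the same problem. Regenerate the site with the production URL configured before committing `_site`.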