From 531e6cd0f7b605598a1825ee02b07f0142316c30 Mon Sep 17 00:00:00 2001
From: Tait Hoyem
This was fun to write! I found a cross-site scripting (XSS) attack +in a well-known quiz hosting website. +I disclosed the vulnerability to them years ago, so I thought +now might be a good time to write about it.
+ +In this first section I will explain what XSS is.
+ +In the second section I will show you how I found this exploit and how to reproduce it yourself.
+ +Cross-site scripting, XSS for short, +is a technique to execute arbitrary Javascript code on a user visitng a website +by linking to Javascript code stored on another website.
+ +So for example:
+ +I have a file on my website called hacked.js. +If I was able to run this javascript file on anybody visiting a certain website that is not mine, this would be called cross-site scripting.
+ +Click the above hacked.js
link to view the code I use to “hack” this website.
+It’s safe, I promise ;)
Now, how can we get this code to execute when a user visits this site?
+ +Most of the time, these attacks are done using poorly sanatized <input>
elements.
+Sanitization is when an input box of some type does not escape html characters like <
or >
.
Sanitization is when a program (usually on the server side),
+will remove characters like <
and replace them with escape characters
+which internally would be something like <
,
+but your browser would interpret that as “show me the character ‘less than sign’”.
The question is:
+ +If we suppose that a website is built with sequenses like these: <body>
, <p>
(for paragraph), <link>
and <b>
for bold, then why can you also see the left and right angle bracket characters?
+Why doesn’t everything after me typing <b>
turn bold?
The answer is:
+ +There are special characters to type a visible left (<) +and right angle bracket (>) in a website. +If I type with the left and right bracket on my keyboard, +things will indeed show up bold.
+ +This is the code for the sentence I wrote above:
++There are special characters to type a visible left (<) +and right angle bracket (>) in a website. +If I type with the left and right bracket on my keyboard, +things will indeed <b>show up bold</b>. ++ +
Notice how all visible left angle brackets used an <
to show them?
This is the core of an XSS exploit.
+ +If when a site takes in input it does not convert all <s and >s to < and >, +then when this data is returned to the user the browser will interpret the user input being displayed as HTML code.
+ +While filling in one of my friend’s surveys I thought it would be
+funny for them to know it is me without anyone else knowing.
+We were young and had Inspect Element
ed a few things together,
+so it was a safe bet that an HTML joke would let them know.
So I typed in my name like so:
+ +BOLD_STEVE.JPG
Now in theory this should have shown in in the leaderboard as: “<b>Bold Steve</b>” +However, to my horror and excitement, I saw this in the leaderboard:
+ +BOLD_STEVE_LEADERBOARD.JPG
The text “Bold Steve” showed up in bold on the leaderboard.
+This told me all I needed to know. To add a <script>
tag was next.
So I went on my merry way thinking about ways to use malicious javascript.
+Then, I thought that might be mean, so I decided to warn users instead.
+I filled in the name with a script tag and a call to alert()
to warn the user about this site.
JAVASCRIPT_NAME.JPG
I ran out of room before I could finish it. Hmmm. +What if I do “Inspect Element” and manually override the max-length attribute?
+ +The unfortunate truth is: this worked as well!
+ +Not only could I manually set the max-length by changing it in the HTML, +but there were no client-side OR server-side checks to make sure the name I was sending was less than or equal to 20 characters.
+ +If Javascript checked it, it would have stopped me (although maybe not a professional). +If the server checked it, it could have stopped almost anyone.
+ +As a side note, here is a great reason why you should do most of your validation on the server side. +As a user, I can edit any of the HTML, CSS, or Javascript your server serves to me.
+ +Imagine trying to fit in a script tag doing anything useful with 20 characters?
+ +<script src="http:">
There’s your 20 characters! No more! Good luck trying to do anything useful with this!
+ +The Quiz My Friends server has no such checks in place. +Therefore, I can send an almost arbitrary load to them. +Being able to send something potentially very large (more than a few megabytes) is a vulnerability of its own. +Imagine being able to send entire executable progrmas as your “name” in one of these quizes?
+ +Suppose we’re on a vulnerable site like Quiz Your Friends +and you decide you want to hack your friend’s quiz! +How can this be done?
+ +Here is my quiz below:
+ +CREATING_QUIZ.IMG
Just like the image above, about how I found out about this vulnerability: go ahead and use an HTML tag in your name to test this out.
+ +BOLD_ITALIC_STEVE.JPG
+ The "Quiz Your Friends" Cross-Site Scripting Vulnerability
+ 22 April 2020
+ This was fun to write! I found a cross-site scripting (XSS) attack +in a well-known quiz hosting website. +I disclosed the vulnerability to them years ago, so I thought +now might be a good time to write about it. + |
+
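Review bot: the definition of sanitization in this hunk is inverted and the escaped-entity examples have collapsed, so the point the post turns on is lost. "Sanitization is when an input box of some type does not escape html characters like <" says the opposite of the sentence that follows it ("will remove characters like < and replace them with escape characters"); drop the first definition or rewrite it as the absence of escaping being the problem. The replacement form then renders as a bare "<" in "which internally would be something like <" and in "convert all <s and >s to < and >", so the reader sees the same character on both sides; the source needs the ampersand itself escaped so the entity text (the ampersand-lt-semicolon form) shows literally, and the same fix applies to "Notice how all visible left angle brackets used an < to show them?". Smaller points in the same hunk: the attribute is spelled maxlength in HTML, not "max-length"; the site is called "Quiz My Friends" once and "Quiz Your Friends" elsewhere; the image references (BOLD_STEVE.JPG, BOLD_STEVE_LEADERBOARD.JPG, JAVASCRIPT_NAME.JPG, CREATING_QUIZ.IMG, BOLD_ITALIC_STEVE.JPG) appear as uppercase filenames rather than images, and CREATING_QUIZ.IMG has a different extension from the rest; and typos to fix: "visitng", "sanatized", "sequenses", "progrmas", "quizes", "shown in in the leaderboard".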
rfi: A Simple Linux utility to get a random file from a directory @@ -97,7 +109,7 @@ These are the everyday tools of many privacy advocates and computer nerds. |
With the Linux Speakup project already written, would this mean I could just plug a RPi up to a braille display and be on my merry way?
+Using a image matching algorithm (no idea which one or how). +Or, frankly, even a scaled down image with binary closeness algorithm.
+ +Either way, take the best matching picture and use that as the basis to describe the picture. +Unsure how I would go about describing unlimited amount of new memes, but that is to be seen.
+ +Best idea is to get in contact with the guys who make this meme generator as most memes there are at least partially described.
+ +I would like to make a Linux distro which combines the easy of installation of Anarchy Linux +with the speech tools available from Talking Arch.
+ +This should require relatively little effort, as Talking Arch has a tool to build your own ISOs with additional packages (IIRC).
+All my big projects are on my homepage.
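Review bot: grammar fixes needed in this projects hunk: "Using a image matching algorithm" should read "an image matching algorithm", "describing unlimited amount of new memes" needs "an unlimited amount", and "combines the easy of installation of Anarchy Linux" should be "the ease of installation". The first two lines are also sentence fragments ("Using a image matching algorithm (no idea which one or how)." and "Or, frankly, even a scaled down image with binary closeness algorithm."); attaching them to the sentence they continue would make the list of ideas readable.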
diff --git a/_site/sitemap.xml b/_site/sitemap.xml index 6fc6640..87a137d 100644 --- a/_site/sitemap.xml +++ b/_site/sitemap.xml @@ -29,6 +29,10 @@