<h1>The "Quiz Your Friends" Cross-Site Scripting Vulnerability</h1>
<h4class="post-date line-under">Wednesday, April 22 2020</h4>
<h1>The "Quiz Your Friends" XSS Exploit</h1>
<h4class="post-date line-under"></h4>
<divclass="article">
<p>This was fun to write! I found a cross-site scripting (XSS) attack
in a well-known quiz hosting website.
I disclosed the vulnerability to them years ago, so I thought
now might be a good time to write about it.</p>
<p>In this first section I will explain what XSS is.</p>
<p>In the <ahref="#executing-an-exploit">second section</a> I will show you how I found this exploit and how to reproduce it yourself.</p>
<h2id="what-is-cross-site-scripting-xss">What is cross-site scripting (XSS)</h2>
<p>Cross-site scripting, XSS for short,
is a technique to execute arbitrary Javascript code on a user visitng a website
by linking to Javascript code stored on another website.</p>
<p>So for example:</p>
<p>I have a file on my website called <ahref="/assets/js/hacked.js">hacked.js</a>.
If I was able to run this javascript file on anybody visiting a certain website <em>that is not mine</em>, this would be called cross-site scripting.</p>
<p>Click the above <codeclass="highlighter-rouge">hacked.js</code> link to view the code I use to “hack” this website.
It’s safe, I promise ;)</p>
<p>Now, how can we get this code to execute when a user visits this site?</p>
<h3id="how-do-these-happen">How Do These Happen?</h3>
<p>Most of the time, these attacks are done using poorly sanatized <codeclass="highlighter-rouge"><input></code> elements.
Sanitization is when an input box of some type does not <ahref="">escape</a> html characters like <codeclass="highlighter-rouge"><</code> or <codeclass="highlighter-rouge">></code>.</p>
<p>Sanitization is when a program (usually on the server side),
will remove characters like <codeclass="highlighter-rouge"><</code> and replace them with <ahref="">escape characters</a>
which internally would be something like <codeclass="highlighter-rouge">&lt;</code>,
but your browser would interpret that as “show me the character ‘less than sign’”.</p>
<h3id="a-thought-experiment">A Thought Experiment</h3>
<p>The question is:</p>
<p>If we suppose that a website is built with sequenses like these: <codeclass="highlighter-rouge"><body></code>, <codeclass="highlighter-rouge"><p></code> (for paragraph), <codeclass="highlighter-rouge"><link></code> and <codeclass="highlighter-rouge"><b></code> for bold, then why can you also <em>see</em> the left and right angle bracket characters?
Why doesn’t everything after me typing <codeclass="highlighter-rouge"><b></code> turn bold?</p>
<p>The answer is:</p>
<p>There are special characters to type a visible left (<)
and right angle bracket (>) in a website.
If I type with the left and right bracket on my keyboard,
things will indeed <b>show up bold</b>.</p>
<p>This is the code for the sentence I wrote above:</p>
<preclass="terminal">
There are special characters to type a visible left (&lt;)
and right angle bracket (&gt;) in a website.
If I type with the left and right bracket on my keyboard,
things will indeed <b>show up bold</b>.
</pre>
<p>Notice how all visible left angle brackets used an <codeclass="highlighter-rouge">&lt;</code> to show them?</p>
<p>This is the core of an XSS exploit.</p>
<p>If when a site takes in input it does not convert all <s and >s to &lt; and &gt;,
then when this data is returned to the user the browser will interpret the user input being displayed <em>as HTML code</em>.</p>
<h2id="todo-write-intro">TODO write intro</h2>
<h2id="how-i-found-this-exploit">How I Found This Exploit</h2>
@ -170,7 +108,7 @@ How can this be done?</p>
</div>
<footer>
This page is mirrored on <ahref="https://beta.tait.tech/2020/04/22/quiz-your-friends.html">beta.tait.tech</a>.
This page is mirrored on <ahref="https://beta.tait.tech/2020-04-27-quiz-your-friends-xss.html">beta.tait.tech</a>.
<h4class="post-date line-under">Saturday, April 25 2020</h4>
<divclass="article">
<p>I found a cross-site scripting (XSS) attack
in a well-known quiz hosting website.
I disclosed the vulnerability to them years ago, so I thought
now might be a good time to write about it.</p>
<p>In this first article I will explain what XSS is.</p>
<p>In the next article I will explain how I found this attack.</p>
<h2id="what-is-cross-site-scripting-xss">What is cross-site scripting (XSS)</h2>
<p>Cross-site scripting, XSS for short,
is a technique to execute arbitrary Javascript code on a user visiting a website
by linking to Javascript code stored on another server.</p>
<p>So for example:</p>
<p>I have a file on my website called <ahref="/assets/js/hacked.js">hacked.js</a>.
If I was able to run this javascript file on anybody visiting a certain website <em>that is not mine</em>, this would be called cross-site scripting.</p>
<p>Click the above <codeclass="highlighter-rouge">hacked.js</code> link to view the code I use to “hack” this website.
It’s safe, I promise ;)</p>
<p>Now, how can we get this code to execute when a user visits this site?
To explain, I will start with some of the underlying technologies.</p>
<h3id="escape-characters">Escape Characters!</h3>
<p>No, this is not a Sherlock Holmes novel!</p>
<p>If we suppose that a website is built with sequences like these (called “tags”):
<codeclass="highlighter-rouge"><body></code>, <codeclass="highlighter-rouge"><p></code> (for paragraph), <codeclass="highlighter-rouge"><link></code> and <codeclass="highlighter-rouge"><b></code> for bold,
then why can you <em>see</em> the left and right angle bracket characters?
Don’t they mean something? Shouldn’t they be telling the browser:
<em>“Hey! Make me bold!”?</em>
Why <em>doesn’t</em> everything after me typing <codeclass="highlighter-rouge"><b></code> turn bold?</p>
<p>The answer is:</p>
<p>There are special characters in HTML to type a visible left (<)
and visible right angle bracket (>) in a website.
If I use the left and right brackets on my keyboard however,
things will indeed <b>show up bold</b>.</p>
<p>This is the code for the sentence I wrote above:</p>
<preclass="terminal">
There are special characters in HTML to type a visible left (&lt;)
and visible right angle bracket (&gt;) in a website.
If I use the left and right brackets on my keyboard however,
things will indeed <b>show up bold</b>.
</pre>
<p>Notice how all visible left angle brackets use an <codeclass="highlighter-rouge">&lt;</code> to show them?</p>
<p>These are called <ahref="https://en.wikipedia.org/wiki/Escape_character">escape characters</a>.
They tell a system, in this case your web browser:
<em>“Hello! Please show me off! I don’t want to be hidden.”</em></p>
<h4id="sanitization">Sanitization</h4>
<p>Most of the time XSS attacks are done using poorly sanitized HTML <codeclass="highlighter-rouge"><input></code> elements.</p>
<p>Sanitization is when a program (usually on the server side),
will remove characters like <codeclass="highlighter-rouge"><</code> and replace them with the aforementioned “escape characters”.
Internally this would be something like <codeclass="highlighter-rouge">&lt;</code>,
but they would show up to a user as <codeclass="highlighter-rouge"><</code>.</p>
<p>When inputs are not properly sanitized <em>and</em> the input is shown to the user in another part of the website,
then a malicous user can type in HTML that will run whenever anybody tries to look at what they typed.</p>
<p>HTML, by itself is not very dangerous.
The worst thing you could do is probably put a link on your name,
and then point it to a porn site.
Make your name bold, italic. Maybe make the background a funny color.
Although this may annoy your victim it is not dangerous security wise.</p>
<p>There is one tag however, that <em>is</em> scary…</p>
<p>The <codeclass="highlighter-rouge"><script></code> tag allows you to write code that can:</p>
<ol>
<li>Change the page contents.</li>
<li>Redirect the user to a new page automatically.</li>
<li>Get a user’s location.</li>
<li>Open a user’s microphone/webcam.</li>
<li>With the <codeclass="highlighter-rouge">src</code><ahref="https://www.w3schools.com/htmL/html_attributes.asp">attribute</a> you can also load a script from another site. (This is XSS)</li>
</ol>
<p>Those last two will ask for permission from the user (if their browser isn’t insanely insecure).</p>
<p>In my next article I’ll talk about a website I found which is vulnerable to this attack.
And, show you how you can run your own XSS attack.</p>
</div>
<footer>
This page is mirrored on <ahref="https://beta.tait.tech/2020/04/25/xss.html">beta.tait.tech</a>.
<?xml version="1.0" encoding="utf-8"?><feedxmlns="http://www.w3.org/2005/Atom"><generatoruri="https://jekyllrb.com/"version="4.0.0">Jekyll</generator><linkhref="http://localhost:4000/feed.xml"rel="self"type="application/atom+xml"/><linkhref="http://localhost:4000/"rel="alternate"type="text/html"/><updated>2020-04-25T11:45:14+00:00</updated><id>http://localhost:4000/feed.xml</id><entry><titletype="html">The “Quiz Your Friends” Cross-Site Scripting Vulnerability</title><linkhref="http://localhost:4000/2020/04/22/quiz-your-friends.html" rel="alternate"type="text/html"title="The "Quiz Your Friends" Cross-Site Scripting Vulnerability" /><published>2020-04-22T00:00:00+00:00</published><updated>2020-04-22T00:00:00+00:00</updated><id>http://localhost:4000/2020/04/22/quiz-your-friends</id><contenttype="html"xml:base="http://localhost:4000/2020/04/22/quiz-your-friends.html"><p>This was fun to write! I found a cross-site scripting (XSS) attack
<?xml version="1.0" encoding="utf-8"?><feedxmlns="http://www.w3.org/2005/Atom"><generatoruri="https://jekyllrb.com/"version="4.0.0">Jekyll</generator><linkhref="http://localhost:4000/feed.xml"rel="self"type="application/atom+xml"/><linkhref="http://localhost:4000/"rel="alternate"type="text/html"/><updated>2020-04-25T12:49:41+00:00</updated><id>http://localhost:4000/feed.xml</id><entry><titletype="html">What is XSS?</title><linkhref="http://localhost:4000/2020/04/25/xss.html" rel="alternate"type="text/html"title="What is XSS?" /><published>2020-04-25T00:00:00+00:00</published><updated>2020-04-25T00:00:00+00:00</updated><id>http://localhost:4000/2020/04/25/xss</id><contenttype="html"xml:base="http://localhost:4000/2020/04/25/xss.html"><p>I found a cross-site scripting (XSS) attack
in a well-known quiz hosting website.
I disclosed the vulnerability to them years ago, so I thought
now might be a good time to write about it.</p>
<p>In this first section I will explain what XSS is.</p>
<p>In this first article I will explain what XSS is.</p>
<p>In the <a href="#executing-an-exploit">second section</a> I will show you how I found this exploit and how to reproduce it yourself.</p>
<p>In the next article I will explain how I found this attack.</p>
<h2 id="what-is-cross-site-scripting-xss">What is cross-site scripting (XSS)</h2>
<p>Cross-site scripting, XSS for short,
is a technique to execute arbitrary Javascript code on a user visitng a website
by linking to Javascript code stored on another website.</p>
is a technique to execute arbitrary Javascript code on a user visiting a website
by linking to Javascript code stored on another server.</p>
<p>So for example:</p>
@ -21,118 +21,77 @@ If I was able to run this javascript file on anybody visiting a certain website
<p>Click the above <code class="highlighter-rouge">hacked.js</code> link to view the code I use to “hack” this website.
It’s safe, I promise ;)</p>
<p>Now, how can we get this code to execute when a user visits this site?</p>
<p>Now, how can we get this code to execute when a user visits this site?
To explain, I will start with some of the underlying technologies.</p>
<h3 id="how-do-these-happen">How Do These Happen?</h3>
<p>Most of the time, these attacks are done using poorly sanatized <code class="highlighter-rouge">&lt;input&gt;</code> elements.
Sanitization is when an input box of some type does not <a href="">escape</a> html characters like <code class="highlighter-rouge">&lt;</code> or <code class="highlighter-rouge">&gt;</code>.</p>
<p>No, this is not a Sherlock Holmes novel!</p>
<p>Sanitization is when a program (usually on the server side),
will remove characters like <code class="highlighter-rouge">&lt;</code> and replace them with <a href="">escape characters</a>
which internally would be something like <code class="highlighter-rouge">&amp;lt;</code>,
but your browser would interpret that as “show me the character ‘less than sign’”.</p>
<h3 id="a-thought-experiment">A Thought Experiment</h3>
<p>The question is:</p>
<p>If we suppose that a website is built with sequenses like these: <code class="highlighter-rouge">&lt;body&gt;</code>, <code class="highlighter-rouge">&lt;p&gt;</code> (for paragraph), <code class="highlighter-rouge">&lt;link&gt;</code> and <code class="highlighter-rouge">&lt;b&gt;</code> for bold, then why can you also <em>see</em> the left and right angle bracket characters?
Why doesn’t everything after me typing <code class="highlighter-rouge">&lt;b&gt;</code> turn bold?</p>
<p>If we suppose that a website is built with sequences like these (called “tags”):
<code class="highlighter-rouge">&lt;body&gt;</code>, <code class="highlighter-rouge">&lt;p&gt;</code> (for paragraph), <code class="highlighter-rouge">&lt;link&gt;</code> and <code class="highlighter-rouge">&lt;b&gt;</code> for bold,
then why can you <em>see</em> the left and right angle bracket characters?
Don’t they mean something? Shouldn’t they be telling the browser:
<em>“Hey! Make me bold!”?</em>
Why <em>doesn’t</em> everything after me typing <code class="highlighter-rouge">&lt;b&gt;</code> turn bold?</p>
<p>The answer is:</p>
<p>There are special characters to type a visible left (&lt;)
and right angle bracket (&gt;) in a website.
If I type with the left and right bracket on my keyboard,
<p>There are special characters in HTML to type a visible left (&lt;)
and visible right angle bracket (&gt;) in a website.
If I use the left and right brackets on my keyboard however,
things will indeed <b>show up bold</b>.</p>
<p>This is the code for the sentence I wrote above:</p>
<pre class="terminal">
There are special characters to type a visible left (&amp;lt;)
and right angle bracket (&amp;gt;) in a website.
If I type with the left and right bracket on my keyboard,
There are special characters in HTML to type a visible left (&amp;lt;)
and visible right angle bracket (&amp;gt;) in a website.
If I use the left and right brackets on my keyboard however,
things will indeed &lt;b&gt;show up bold&lt;/b&gt;.
</pre>
<p>Notice how all visible left angle brackets used an <code class="highlighter-rouge">&amp;lt;</code> to show them?</p>
<p>This is the core of an XSS exploit.</p>
<p>If when a site takes in input it does not convert all &lt;s and &gt;s to &amp;lt; and &amp;gt;,
then when this data is returned to the user the browser will interpret the user input being displayed <em>as HTML code</em>.</p>
<h2 id="how-i-found-this-exploit">How I Found This Exploit</h2>
<p>While filling in one of my friend’s surveys I thought it would be
funny for them to know it is me without anyone else knowing.
We were young and had <code class="highlighter-rouge">Inspect Element</code>ed a few things together,
so it was a safe bet that an HTML joke would let them know.</p>
<p>The text “Bold Steve” showed up <strong>in bold</strong> on the leaderboard.
This told me all I needed to know. To add a <code class="highlighter-rouge">&lt;script&gt;</code> tag was next.</p>
<p>Notice how all visible left angle brackets use an <code class="highlighter-rouge">&amp;lt;</code> to show them?</p>
<p>These are called <a href="https://en.wikipedia.org/wiki/Escape_character">escape characters</a>.
They tell a system, in this case your web browser:
<em>“Hello! Please show me off! I don’t want to be hidden.”</em></p>
<p>So I went on my merry way thinking about ways to use malicious javascript.
Then, I thought that might be mean, so I decided to warn users instead.
I filled in the name with a script tag and a call to <code class="highlighter-rouge">alert()</code> to warn the user about this site.</p>
<p>Most of the time XSS attacks are done using poorly sanitized HTML <code class="highlighter-rouge">&lt;input&gt;</code> elements.</p>
<p>I ran out of room before I could finish it. Hmmm.
What if I do “Inspect Element” and manually override the max-length attribute?</p>
<p>The unfortunate truth is: this worked as well!</p>
<p>Not only could I manually set the max-length by changing it in the HTML,
but there were no client-side OR server-side checks to make sure the name I was sending was less than or equal to 20 characters.</p>
<p>If Javascript checked it, it would have stopped me (although maybe not a professional).
If the server checked it, it could have stopped almost anyone.</p>
<p>There’s your 20 characters! No more! Good luck trying to do anything useful with this!</p>
<p>The Quiz My Friends server has <em>no such checks in place</em>.
Therefore, I can send an almost arbitrary load to them.
Being able to send something potentially very large (more than a few megabytes) is a vulnerability of its own.
Imagine being able to send entire executable progrmas as your “name” in one of these quizes?</p>
<p>Sanitization is when a program (usually on the server side),
will remove characters like <code class="highlighter-rouge">&lt;</code> and replace them with the aforementioned “escape characters”.
Internally this would be something like <code class="highlighter-rouge">&amp;lt;</code>,
but they would show up to a user as <code class="highlighter-rouge">&lt;</code>.</p>
<h2 id="executing-an-exploit">Executing An Exploit</h2>
<p>When inputs are not properly sanitized <em>and</em> the input is shown to the user in another part of the website,
then a malicous user can type in HTML that will run whenever anybody tries to look at what they typed.</p>
<p>Suppose we’re on a vulnerable site like <a href="https://www.quizyourfriends.com/">Quiz Your Friends</a>
and you decide you want to hack your friend’s quiz!
How can this be done?</p>
<p>HTML, by itself is not very dangerous.
The worst thing you could do is probably put a link on your name,
and then point it to a porn site.
Make your name bold, italic. Maybe make the background a funny color.
Although this may annoy your victim it is not dangerous security wise.</p>
<h4 id="creating-a-quiz">Creating A Quiz</h4>
<p>There is one tag however, that <em>is</em> scary…</p>
<p>The <code class="highlighter-rouge">&lt;script&gt;</code> tag allows you to write code that can:</p>
<h4 id="setting-a-name-with-an-html-tag">Setting A Name With an HTML Tag</h4>
<ol>
<li>Change the page contents.</li>
<li>Redirect the user to a new page automatically.</li>
<li>Get a user’s location.</li>
<li>Open a user’s microphone/webcam.</li>
<li>With the <code class="highlighter-rouge">src</code><a href="https://www.w3schools.com/htmL/html_attributes.asp">attribute</a> you can also load a script from another site. (This is XSS)</li>
</ol>
<p>Just like the image above, about how I found out about this vulnerability: go ahead and use an HTML tag in your name to test this out.</p>
<p>Those last two will ask for permission from the user (if their browser isn’t insanely insecure).</p>
<p><code class="highlighter-rouge">BOLD_ITALIC_STEVE.JPG</code></p></content><author><name></name></author><summarytype="html">This was fun to write! I found a cross-site scripting (XSS) attack in a well-known quiz hosting website. I disclosed the vulnerability to them years ago, so I thought now might be a good time to write about it.</summary></entry><entry><titletype="html">rfi: A Simple Linux utility to get a random file from a directory</title><linkhref="http://localhost:4000/2020/04/21/rfi.html"rel="alternate"type="text/html"title="rfi: A Simple Linux utility to get a random file from a directory"/><published>2020-04-21T00:00:00+00:00</published><updated>2020-04-21T00:00:00+00:00</updated><id>http://localhost:4000/2020/04/21/rfi</id><contenttype="html"xml:base="http://localhost:4000/2020/04/21/rfi.html"><p>I made a <a href="https://lbry.tv/@tait:7/rfi:5">little video</a> about this script I wrote:</p>
<p>In my next article I’ll talk about a website I found which is vulnerable to this attack.
And, show you how you can run your own XSS attack.</p></content><author><name></name></author><summarytype="html">I found a cross-site scripting (XSS) attack in a well-known quiz hosting website. I disclosed the vulnerability to them years ago, so I thought now might be a good time to write about it.</summary></entry><entry><titletype="html">rfi: A Simple Linux utility to get a random file from a directory</title><linkhref="http://localhost:4000/2020/04/21/rfi.html"rel="alternate"type="text/html"title="rfi: A Simple Linux utility to get a random file from a directory"/><published>2020-04-21T00:00:00+00:00</published><updated>2020-04-21T00:00:00+00:00</updated><id>http://localhost:4000/2020/04/21/rfi</id><contenttype="html"xml:base="http://localhost:4000/2020/04/21/rfi.html"><p>I made a <a href="https://lbry.tv/@tait:7/rfi:5">little video</a> about this script I wrote:</p>
Tait Hoyem
4 years ago