XSS to newbies. Purpose of XSS Attacks
Welcome, dear visitors of the Portal!
I want to tell you about the purpose of XSS attacks, because XSS vulnerabilities are much more dangerous than just stealing cookies.
Everything in order ...
First about XSS in general. The XSS abbreviation stands for Cross Site Scripting (“cross-site scripting”). It is customary to call it XSS, and not CSS, since CSS is introduced much earlier, and it means Casading Style Sheets - “cascading style sheets” (used in the design of HTML-pages). Sross is a “cross”, so the first letter in “cross-site scripting” is replaced by “X”.
XSS is a server vulnerability that allows embedding an arbitrary code into an HTML page generated by scripts on a server (not a script, unlike РERL or PHP code) by passing it as the value of an unfiltered variable. By “unfiltered” variable is meant a variable that is not checked before using it in a script (for example, PHP) for the presence of forbidden characters, such as: <,>, ', ”and many others. First, the value of the variable is transmitted from the HTML page loaded in the user's browser to the php script (via POST or GET request). The POST request passes variables through an array that is not displayed in the address bar of the browser; A GET request finds itself in the address bar as follows:
http://www.hackzona.ru/hz.php?name=News&file=artiсle&sid=3499&mode=&order=0&thold=0 So, the variables are passed to the hz.php script:
$ name - with the value “News”,
$ file - with the value “artiсle”,
$ sid - with a value of “3499” etc ...
Naturally, it is more convenient to work with GET requests, therefore, the hacker saves the page of the hacked site and in a line like:
FОRМ АСTION="http://www.hackzona.ru/hz.php" METHOD=РOST РOST replaces with GET. Next, the php script, for example, generates a html page in which it displays the value of one of the passed variables without any filtering. BUT! If an attacker, when composing a GET request, instead of the usual value of the variable, substitutes some key tags (for example,
or <ВR>), then they will be executed by the interpreter!
So it was fixed that the majority of computer hooligans use XSS only to steal cookies (cookies - in most cases they store the session, appropriating themselves, the attacker can be on the site under someone else’s account, for example, in the forum where registration is desired. They also store the encrypted the password, deciphering which, the hooligan will be able to seize the account at 100%). But XSS-bugs are not limited to theft of cookies.
Actually, the culminating paragraph .
What allows us to implement XSS vulnerabilities?
1) All sorts of "podloki" associated with the restriction of users in normal activities on the site. For example, the output of an infinite number of windows (example below) or messages (method confirm or alert), as the result of any user action (click, mouse over an object, just go to the site). Or redirect to another node. Try to inject this code (without changes) into the vulnerable site:
<Нtml> *** оdy>Нtml> and open it in any browser.
2) Theft of confidential visitor information. First of all, here I will take the theft of cookies (doсument.cookie) as the most important security attribute of the user (in this section). This section also includes theft of information about the user's system and browser (navigator object), current time, IP address, as well as the history of visited sites (history object as an array; current page history , previous history [-1], total pages history.length) and more. Here is an example of a script that returns the visitor's IP address to the IP variable and the computer name to the host variable (checked in Ora, Mozilla, Mizilla Firefox):
4) Unexpected browser features. There are many browser vulnerabilities that, when processing any code, either cause DoS, or provide access to certain files, or allow to execute arbitrary code on the user's system, or something else that is not very pleasant for the user. Many well-known and frequently used browsers (Internet Explorer, Netscare, Mozilla, Mozilla Firefox, Opara and everything that is created on their engines) are vulnerable. Only some of their versions or patched browsers are invulnerable. Most recently (at the time of this writing), Benjamin Tobias Franz discovered a critical vulnerability of the Internet Explorer browser (v5.5, 6.0), which allows to execute arbitrary code on the user's system. How to execute arbitrary code from a user who went to a site that has an XSS vulnerability? Zalёm exploit, written by Stuart Person (you can take it from here: myphp4.h15.ru/0day-exрlorer.rar or from the website seсuritylab.ru), consisting of four htm- and one html-file, on our server, for example, coolhaсker. yo In the vulnerable site we will implement the following code
That's all that I would like to share with you at the moment. As you can see, the possibilities of XSS attacks are very high. You can make massive jokes and tricks, steal information and confidential data, and even build entire botnets, zombies visitors to sites! XSS-bugs will always be, as they endanger first of all site visitors, but not the server; and the administration has little incentive to correct these errors. Everything, I finished
All the signs “less” and “more” are replaced by “<” and “>”, respectively.