Cross-site scripting
I will now show you how you could apply XSS to a website.
First I have to check whether the website is vulnerable. The easiest way to check this is to try a simple "alert" script, like this.
As you can see, the script runs, which means the website is vulnerable to XSS. Now I can try something with more impact that could actually be useful to me.
This form doesn't allow more than 50 characters, so writing bigger scripts might be difficult. Luckily, they only validate this in the frontend, so I can just inspect the page and change the maximum number of characters in the form. Now I can write bigger scripts that give me more information.
For example, getting the user's cookie so I can hijack their session.
Now I have the cookie, though it is my own. But these scripts get stored inside the comments, and the comments are persistent. Therefore I could also write a script that sends the cookie to me instead of displaying it. This way it is almost invisible to everyone, and everyone who loads this page has their cookie sent to me.
Now I can use the cookie I stole in the previous picture to try to log in. As you can see, my cookie is now different and I'm not logged in.
Now I replace my own cookie with the stolen one, hoping the website will think I'm the logged-in person I stole it from.
And now when I load the index page, the website thinks I'm logged in as the person the cookie belongs to, and I have hijacked their session. I can now do everything on their account: comment in their name, change their data or steal their data.
And if this person happens to be an admin, I might be able to do more extreme things as well, like creating or deleting users or their comments.
Sometimes programmers try to prevent XSS by filtering out script tags, but they forget to filter out all the other HTML tags. So I can load my own website in an iframe.
This might only sound like free marketing, but you can also do other things, like redirecting everyone who visits this page to my own website, or injecting scripts into other HTML tags so I can still run my scripts even though they banned the script tag.
These types of attacks can be prevented by sanitizing the input, much like with SQL injection. Make sure that any text users can post to the website's frontend is never rendered as raw HTML. That way they can't exploit other HTML tags either.
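One way to implement the protection described above, as an added JavaScript example that is not part of the original write-up: user text is escaped before it is rendered, and the 50-character limit from the form is enforced again on the server side rather than only in the browser. The comment samples are constructed for the example.

```javascript
// Escape the characters that let user text break out of an HTML text node
// or a double-quoted attribute value.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The form's maxlength only lives in the browser and can be edited away in the
// developer tools, so the same limit has to be enforced again on the server.
const MAX_COMMENT_LENGTH = 50; // taken from the form in the write-up

function validateComment(text) {
  if (typeof text !== "string" || text.length === 0) {
    return { ok: false, reason: "comment must be a non-empty string" };
  }
  if (text.length > MAX_COMMENT_LENGTH) {
    return { ok: false, reason: `comment longer than ${MAX_COMMENT_LENGTH} characters` };
  }
  return { ok: true };
}

// Build the HTML for one stored comment. Every user-controlled field goes
// through escapeHtml, so a <script> or <iframe> typed by a user is shown as
// literal text instead of being parsed as markup.
function renderComment(author, text) {
  return `<p class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</p>`;
}

// Constructed samples: a short comment carrying a script tag, and a long one
// that a browser-only length check would not have stopped.
const shortComment = "<script>alert(1)</script>";
const longComment = '<iframe src="http://example.invalid/"></iframe>'.padEnd(60, "!");

for (const text of [shortComment, longComment]) {
  const check = validateComment(text);
  console.log(check.ok ? renderComment("visitor", text) : `rejected: ${check.reason}`);
}
```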