Tuesday, August 08, 2006

(debugging) XSS Locator

XSS, as in Cross Site Scripting, is one hot topic. I've already talked about it in Slow Down! I'm gettin' Dizzy. It has to do with JavaScript exploits that let a malicious user send commands to the web server hosting a site and use it to hide exploit code that unsuspecting visitors will then download. If that sounds far-fetched and impossible to happen, let me inform you that the exploited server may be hosting Amazon or eBay or PayPal or any other online store/service managing user information.

This is the code (I've replaced '<' and '>' with '#' as my WYSIWYG kept interpreting them. LOL. You shouldn't feel safe even while reading this blog.):
';alert(String.fromCharCode(88,83,83))//\';
alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//\";
alert(String.fromCharCode(88,83,83))//>#/SCRIPT#
!--#SCRIPT#alert(String.fromCharCode(88,83,83))#/SCRIPT#=&{}


What it does is show an alert box in your browser with the message "XSS". Of course, if that shows up while you are trying this code on a third-party website, well... it shouldn't have, and you've just discovered a vulnerable location!

If you look carefully you'll see that it breaks out of any quotes used to store it as a string. E.g. a script that prompts you with "What is your name?" and expects an answer is a good candidate for testing.

In detail, let's say you have:
var a = prompt("What is your name?","");


After the user's entry, variable 'a' will be (using only the first part of the code to make it easier to notice):
var a = '';alert(String.fromCharCode(88,83,83))//';


As you can see, the second quote (right before the first semicolon) closes the string and leaves the rest of the code (from alert onward) outside the string, so it is executed. Next come a few more tricks to fool defences like escaping the quote with a backslash so that a single quote can't terminate the string, and so on. Finally the #script#code#/script# does the trick :P
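An added example, not code from the original post: for three ways of dropping an untrusted value into `var a = ...;`, it reports whether the fragments of the locator string close the JavaScript string literal or the script element. The strategy names and helper functions are my own; fragments 1-3 are the post's locator pieces with '<' and '>' restored, and the fourth is constructed after its closing #script# part.

```javascript
// Fragments 1-3 are the post's locator pieces; the fourth is constructed
// after its closing <script> part (the post prints '<' and '>' as '#').
const FRAGMENTS = [
  "';alert(String.fromCharCode(88,83,83))//",    // breaks unescaped single quotes
  "\\';alert(String.fromCharCode(88,83,83))//",  // beats backslash-escaped quotes
  "\";alert(String.fromCharCode(88,83,83))//",   // breaks double quotes
  "</SCRIPT><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>",
];

// Three embedding strategies (names are my own, not from the post).
const EMBED = {
  naive: (v) => `var a = '${v}';`,
  escapeQuotes: (v) => `var a = '${v.replace(/'/g, "\\'")}';`,
  // JSON encoding handles quotes and backslashes; encoding '<' as \u003c keeps
  // the HTML parser from ever seeing </script> or <!-- inside the literal.
  jsonEncoded: (v) => `var a = ${JSON.stringify(v).replace(/</g, "\\u003c")};`,
};

// Index of the quote closing the literal that opens at `start`, honouring
// backslash escapes; -1 if the literal never closes.
function literalEnd(script, start) {
  const q = script[start];
  for (let i = start + 1; i < script.length; i++) {
    if (script[i] === "\\") { i++; continue; } // skip the escaped character
    if (script[i] === q) return i;
  }
  return -1;
}

// The literal should close at script.length - 2, just before the final ';'.
// Anything else means the value terminated it early (or never closed it).
function analyze(script) {
  const end = literalEnd(script, "var a = ".length);
  return {
    jsBreakout: end !== script.length - 2,
    htmlBreakout: /<\/script|<!--/i.test(script),
  };
}

// strategy name -> one {jsBreakout, htmlBreakout} result per fragment
function breakoutMatrix() {
  const out = {};
  for (const [name, embed] of Object.entries(EMBED)) {
    out[name] = FRAGMENTS.map((f) => analyze(embed(f)));
  }
  return out;
}

console.log(JSON.stringify(breakoutMatrix(), null, 1));
```

Only the JSON-encoded form survives every fragment; escaping quotes alone is defeated by the `\'` piece, and neither of the first two strategies stops `</SCRIPT>` from ending the script element.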

This is just a small demonstration. Keep in mind that this is very simple compared to other exploit code. Also, imagine that the code doesn't just pop up an alert box but commands the browser running the script to dump passwords to an e-mail address or to send a POST/GET request somewhere else (therefore acting as a bot) or ... or ... the possibilities are endless.


P.S.: The exploit code is presented as four lines while it really is just one. I've split them for indentation reasons only. If you want to try it, put it back together. No spaces.
