Slashdot Mirror


How to Crack a Website - XSS, Cookies, Sessions

twistedmoney45 writes "Informit.com provides an insider's look at a real-life XSS attack and how it was used to bypass the authentication scheme of an online web application, leading to "shell" access, an admin account, and more. XSS attacks are often discussed in theory — this walk-through illustrates just how dangerous these types of attacks can be in reality."

5 of 167 comments

  1. Interesting read, but... by mdobossy · Score: 5, Insightful

    Sure, it is an interesting read. That being said, nothing here is exactly shocking.

    I may be reading this wrong, but he gains access to the server by requiring a legitimate user to log on to the site through a third-party server of his (might be done via phishing, etc.), then he nabs a valid PHP session ID via some injected JavaScript code. Why not just grab the user's login and password when they submit the form through your server? If you already have them logging in via a proxy, this would be much easier and more reliable; sessions expire, etc.

    As with most of these articles on security: simply make sure you sterilize any incoming data. Again, it's not exactly rocket science.
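
The point of the comment above, as an added example that is not code from the InformIT article or from the Slashdot thread: a Python stand-in for the PHP page under discussion, showing the e-mail field reflected into HTML unencoded next to the same field with output encoding, plus a session cookie header that keeps the session ID out of reach of page scripts. The payload strings, the helper functions and the cookie layout are assumptions of this example; PHPSESSID is PHP's default session cookie name.

```python
# Added example, not code from the InformIT article or from the Slashdot
# thread: a Python stand-in for the PHP page the thread discusses. It shows
# the e-mail field reflected into HTML unencoded (the "unfiltered" input the
# thread talks about) next to the same field with output encoding, and a
# session cookie header that keeps the session ID away from scripts.
import html
import re

# Constructed sample inputs: a normal address and two markup payloads.
NORMAL_EMAIL = "alice@example.com"
TAG_PAYLOAD = "<script>alert(1)</script>"        # injects a new element
ATTR_PAYLOAD = 'x" autofocus onfocus="alert(1)'  # closes the value attribute early


def render_unsafe(email: str) -> str:
    """Vulnerable form: the submitted value is concatenated straight into
    the HTML attribute, the pattern that makes reflected XSS possible."""
    return f'<input type="email" name="email" value="{email}">'


def render_safe(email: str) -> str:
    """Hardened form: encode on output for the HTML attribute context.
    quote=True turns both ' and " into entities, so the input cannot
    close the attribute it is placed in."""
    return f'<input type="email" name="email" value="{html.escape(email, quote=True)}">'


def count_tags(fragment: str) -> int:
    """Number of tag openers in the fragment. The rendered input element
    contributes exactly one; anything beyond that came from the payload."""
    return len(re.findall(r"<[A-Za-z/!]", fragment))


def count_quotes(fragment: str) -> int:
    """Number of raw double quotes. The template itself has six; more than
    that means the payload closed the value attribute and started its own."""
    return fragment.count('"')


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the PHP session cookie (PHPSESSID is PHP's default
    cookie name). HttpOnly keeps document.cookie from reading the ID, which
    is what the injected script in the thread relied on; Secure keeps it off
    plaintext HTTP; SameSite=Lax stops most cross-site requests from carrying
    it. None of this removes the XSS itself: script running in the page can
    still act as the user, so output encoding remains the real fix."""
    return f"Set-Cookie: PHPSESSID={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    for payload in (NORMAL_EMAIL, TAG_PAYLOAD, ATTR_PAYLOAD):
        print("unsafe:", render_unsafe(payload))
        print("safe:  ", render_safe(payload))
    print(session_cookie_header("constructed-session-id"))
```

Running it shows that the normal address renders identically either way, while both payloads only survive as markup in the unencoded version; the counters make that difference checkable rather than something you eyeball.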

  2. More Like a Phishing Attack by hagrin · Score: 4, Insightful

    As if fate wanted to make it challenging, the maximum size of the HTML input field for the email address was 25 characters, and it only accepted POST data, which is somewhat limiting. As a result, I had to "outsource" my cross-site scripting attack to a third server. The end result was that I had to make a user click on a link that first took the victim to my server.

    Sounds more like a phishing victim than anything else to me. I understand that the rest of the article brings you through the process of session hijacking, etc., but to me the real problem here is the phishing "attack" and the misuse by the user. Is a system really insecure if the user is diligent in what links he clicks on in this instance? I mean, if I leave the keys to my car in the ignition it's not going to take a skilled thief or laser-cut keys to steal my car, and the security implementations taken by the manufacturer won't matter.

    1. Re:More Like a Phishing Attack by Fallus+Shempus · Score: 5, Insightful

      So you're going to rely on users' intelligence?

      You're not a coder, are you?

  3. Human engineering & login code by YeeHaW_Jelte · Score: 4, Insightful

    While the crack is technically interesting, the article doesn't answer two things: first, how he got the code for the login screen, and second, how he got a user to log in via his evilsite.com mockup of the login screen.

    Maybe he could guess that the email variable was printed unfiltered, and thus vulnerable to an XSS attack; I dunno how he would get a user to log in via an unrelated URL.

    --
    "The chances of a demonic possession spreading are remote -- relax."

  4. Re:Some simple fixes would be sufficient by FooBarWidget · Score: 5, Insightful

    limit the session to the IP-address of the visiting user.

    Is this really a good idea? I've heard stories from people on mailing lists who claim that many people are behind routers/proxies that cause IP changes very often, and that restricting a session to an IP causes more problems than it's worth.
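
The trade-off in the comment above, as an added example that is not code from the thread or the article: a small session table with an optional IP binding, run through the two cases the thread cares about, a copied session ID presented from another address and a legitimate user whose outbound address has just rotated behind a proxy. The store, its policy flag and the addresses (RFC 5737 documentation ranges) are constructed for this example and do not model any particular framework.

```python
# Added example, not from the Slashdot thread or the InformIT article: a
# minimal session store with an optional client-IP binding, to make the
# trade-off in the comment concrete. Addresses are constructed (RFC 5737
# documentation ranges); the store and its policy flag are assumptions of
# this example, not any real framework's behaviour.
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    ip: str          # client address seen when the session was created
    created: float   # seconds since epoch


class SessionStore:
    def __init__(self, bind_to_ip: bool, ttl_seconds: float = 900.0):
        self.bind_to_ip = bind_to_ip
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, ip: str, now: Optional[float] = None) -> str:
        """Issue a fresh, unguessable session ID for this user."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, ip, time.time() if now is None else now)
        return sid

    def lookup(self, sid: str, ip: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a presented session ID, or None if the session
        is unknown, expired, or (when bound) presented from another address."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = time.time() if now is None else now
        if now - s.created > self.ttl:
            del self._sessions[sid]
            return None
        if self.bind_to_ip and s.ip != ip:
            return None
        return s.user


def demo(bind_to_ip: bool) -> Dict[str, Optional[str]]:
    """Run the thread's scenario against one policy and report who each
    request is treated as. 'stolen' is a copied ID presented from another
    address; 'proxy_change' is the legitimate user after an IP rotation.
    Binding helps with the first and breaks the second; unbound, both pass."""
    store = SessionStore(bind_to_ip=bind_to_ip)
    t0 = 1_000_000.0
    sid = store.create("alice", "203.0.113.10", now=t0)
    return {
        "same_ip": store.lookup(sid, "203.0.113.10", now=t0 + 60),
        "stolen": store.lookup(sid, "198.51.100.7", now=t0 + 61),
        "proxy_change": store.lookup(sid, "203.0.113.11", now=t0 + 62),
        "expired": store.lookup(sid, "203.0.113.10", now=t0 + 10_000),
    }


if __name__ == "__main__":
    print("bound:  ", demo(True))
    print("unbound:", demo(False))
```

The expiry check is the part that works under both policies: a short idle timeout and a fresh ID issued at login limit how long a copied session ID stays useful, without logging out every user whose proxy changes address.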