Slashdot Mirror


How to Crack a Website - XSS, Cookies, Sessions

twistedmoney45 writes "Informit.com provides an insiders look at a real life XSS attack and how it was used to bypass the authentication scheme of an online web application, leading to "shell" access, an admin account, and more. XSS attacks are often discussed in theory — this walk through illustrates just how dangerous these types of attacks can be in reality."

5 of 167 comments

  1. news for nerds? by Anonymous Coward · Score: -1, Troll

    More like education for script-kiddies...

    [yes yes the rest of us can learn something too]

  2. JavaScript Must Be Eradicated From The Web by Anonymous Coward · Score: -1, Troll
    The root cause of all of these exploits is one thing: JavaScript. JavaScript is a programming language that is embedded in web pages and interpreted by popular web browsers like Mozilla Firefox and Microsoft Internet Explorer.

    I think that JavaScript is an incredibly insecure and inadvisable technology and should never have been deployed on the Internet in the systems it is most commonly used in. It should be removed from all web browsers, and removed from all web pages throughout the Internet.

    Why?

    My argument for the apparently extreme position on JavaScript is as follows:
    1. Apple Mac OS X and Microsoft Windows XP are both insecure.

      Most of the computers in use on the Internet today are running operating systems that do not protect the system as a whole from any misbehaving application program. System crashes are one manifestation of this problem.

      More insidiously, this insecure OS architecture allows viruses and other malevolent programs free rein once they're running.
    2. Don't take programs from strangers!

      No user should be running any program on a computer that he did not explicitly install himself; to do otherwise invites attack and misuse of the computer by others. Do you know where that JavaScript came from, or what it is supposed to do?

      JavaScript comes over the Internet, embedded in otherwise innocuous HTML documents on the World Wide Web, and is immediately executed by the web browser without prior explicit user permission. This is just wrong.
    3. It is impossible, as a practical matter, to make JavaScript 100% safe.

      The claim is made by Mozilla.org that JavaScript is a "safe" programming language, in that it is not permitted to perform "dangerous" operations. This claim rests on the JavaScript language specification which is open to public inspection, and the implementation of the language interpreters in web browsers by Mozilla.org and Microsoft which are not open to public inspection.

      It is prohibitively expensive for a JavaScript implementor to do a full and complete combinatorial test of all JavaScript functions and operations. Given this, it is unlikely that any JavaScript implementation has been exhaustively tested to prove its correctness, so there are very likely to be very dangerous bugs lurking in the code, waiting for some nefarious person to discover them.

      In short, if any JavaScript implementer makes a mistake, the computers running that JavaScript implementation are vulnerable to attack. Given the state of computer operating systems as noted above, this is an intolerably dangerous situation.

    What Does This All Mean?

    Take all of this together and you have a situation very like a nuclear power plant: very useful, but the consequences of a failure are very, very dangerous. This is why nuclear power is (supposedly) a very tightly regulated industry.

    Unfortunately, there are no such regulators looking over the shoulders of those who implement JavaScript; it's all Caveat Emptor and devil take the hindmost, because there is no legal liability for software bugs.

    OK, What Can We Do About It?

    1. Educate everyone about this issue - forewarned is forearmed.

      It is possible for every user to turn off JavaScript support in their web browser; it's a check-box in the Preferences or Properties.
    2. Petition Mozilla.org and Microsoft to remove the JavaScript interpreters from their web browsers.
    3. Petition web site developers not to use JavaScript, or, at minimum, to produce sites that are fully functional when JavaScript is turned off in the user's web browser.

      This is known in the industry as making a site that "gracefully degrades" to match the capabilities of the user's web browser, and when properly done, this design discipline makes the web site's content accessible to the widest audience.
  3. Slow news day? by Fusen · Score: 0, Troll

    First of all, none of this is actually new in any way, shape or form. I thought most of the normal /. readers would know most of this, including at least anyone who actually codes in PHP. The real crux is that half of what was done was only accomplished because of a VERY poorly written site, such as not checking the user's id against the user who created the "update list". Stuff like being able to change an id variable and see other users' data is just basic poor PHP coding. Then you have the create-admin page, which didn't seem to check the user's id or auth level. It's the sort of article you would expect on "hackinpr0z.com".
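
Added example, not code from the article or from the commenter: the two server-side checks the comment above says the site skipped, shown as the vulnerable handler beside the fixed one. The first is an ownership check on a list fetched by an id taken from the request; the second is an authorisation-level check on the page that creates admin accounts. User names, ids, auth levels and list contents are constructed for illustration.

```python
"""Added example (not the article's code): missing ownership and auth-level
checks, each shown as the vulnerable handler beside the fixed one. All data,
names and ids below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

ADMIN = 10
USER = 1


@dataclass
class User:
    id: int
    name: str
    auth_level: int = USER


@dataclass
class UpdateList:
    id: int
    owner_id: int
    entries: List[str] = field(default_factory=list)


# Constructed state: two ordinary users, one admin, one private list each.
USERS: Dict[int, User] = {
    1: User(1, "alice"),
    2: User(2, "bob"),
    3: User(3, "root", ADMIN),
}
LISTS: Dict[int, UpdateList] = {
    100: UpdateList(100, owner_id=1, entries=["alice's private entry"]),
    200: UpdateList(200, owner_id=2, entries=["bob's private entry"]),
}


def view_list_vulnerable(session_user_id: int, list_id: int) -> UpdateList:
    """Trusts the id from the query string; any logged-in user reads any list."""
    return LISTS[list_id]


def view_list_fixed(session_user_id: int, list_id: int) -> UpdateList:
    """Fetches the list, then verifies the session user owns it (or is admin).

    The check compares against the server-side session identity, never
    against a user id supplied in the request.
    """
    lst = LISTS.get(list_id)
    if lst is None:
        raise KeyError("no such list")
    caller = USERS[session_user_id]
    if lst.owner_id != session_user_id and caller.auth_level < ADMIN:
        raise PermissionError("not your list")
    return lst


def _insert_admin(new_name: str) -> User:
    """Shared storage step; deliberately does no checking of its own."""
    new_id = max(USERS) + 1
    USERS[new_id] = User(new_id, new_name, ADMIN)
    return USERS[new_id]


def create_admin_vulnerable(session_user_id: int, new_name: str) -> User:
    """No authorisation at all: reaching the page is enough to mint an admin."""
    return _insert_admin(new_name)


def create_admin_fixed(session_user_id: int, new_name: str) -> User:
    """Only a caller whose session already carries ADMIN may create an admin."""
    caller = USERS.get(session_user_id)
    if caller is None or caller.auth_level < ADMIN:
        raise PermissionError("admin privileges required")
    return _insert_admin(new_name)


def denied(handler: Callable, *args) -> bool:
    """True if the handler refuses the request with PermissionError."""
    try:
        handler(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # bob (id 2) tampers with the id parameter to read alice's list (id 100)
    print(view_list_vulnerable(2, 100).entries)      # leaks alice's data
    print(denied(view_list_fixed, 2, 100))            # True
    print(create_admin_vulnerable(2, "mallory").auth_level)  # 10: bob made an admin
    print(denied(create_admin_fixed, 2, "mallory2"))  # True
```

The ownership test lives next to the lookup rather than in the caller so that every code path reaching the record goes through it; the admin check reads the level from the server-side session record, so a tampered form field or cookie value cannot raise it.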

  4. mysql lol (n/t) by Anonymous Coward · Score: -1, Troll

    piece. of. shit.

  5. Re:Some simple fixes would be sufficient by Goaway · Score: 0, Troll

    Your "most important" section could better be stated as "don't use PHP, it's broken by design".