How to Crack a Website - XSS, Cookies, Sessions

twistedmoney45 writes "Informit.com provides an insiders look at a real life XSS attack and how it was used to bypass the authentication scheme of an online web application, leading to "shell" access, an admin account, and more. XSS attacks are often discussed in theory — this walk through illustrates just how dangerous these types of attacks can be in reality."

So...

[cp.tar]

... can I crack pr0n sites with it?

(This would have even been a frosty piss if it weren't for a Slow Down Cowboy!)

Re:So...

[mgblst]

Sure, depending on the site. If they let you post information to the site, like having a guest book, then you may be able to exploit a xss.

Also depending on what you want to do to their site, if they let you upload files, but don't handle it well. ie, they may let you upload pictures of your girlfriend/sister, but they don't check to see if it is a jpeg file, or a php/cfm/asp file. Also, they may let you execute that file from that directory or not.

Any site designed badly can be used.

I remember some free pron sites, trying different number at the end of pictures to get extra freebies, or trying different directories based on names. Even a google image search of that particular site would reveal a lot of extra images or movies.

One of my old favourites...

[baadger]

One of my old favourite's oopsies are upload scripts that don't prevent you from uploading PHP or other web script files.

It's amazing how many webmasters leave little scripts in their public directories not stopping to think search engines may find them.

Interesting read, but...

[mdobossy]

Sure, it is an interesting read.. that being said, nothing here is exactly shocking.

I may be reading this wrong, but, he gains access to the server by requiring a legitimate user to log on to the site, through a third party server of his (Might be done via phishing, etc..), then he nabs a valid php session id, via some injected javascript code. Why not just grab the users login and password when they submit the form through your server? If you already have them logging in via a proxy, this would be much easier, and more reliable- sessions expire, etc..

As with most of these articles on security- simply make sure you sterilize any incoming data. Again, its not exactly rocket science.

Re:Interesting read, but...

[mdobossy]

Yes, I am a dumbass, I mis-read the first page.. (as I prefaced- I may be reading this wrong, in my original message)

This still doesn't change the fact that what he is doing relies heavily on phishing/getting a user to go to his server first to gain initial access to the server, which, IMHO, makes this more than just a hack- it relies on social engineering/hacking/whatever you want to call it. It is just another form of playing off a user's lack of knowledge/ignorance, and letting unsterilized (sanitized, whatever you want to call it) data pass to the server. That being said, if you can get a user to fall for a "click here, come to my server to log in to your server", you can probably get a lot more out of them than just a session ID.

As I said- it is an interesting article, but what it really boils down to is what should have been pounded into every web developers head from the start- make sure there is no way to inject melicious code into your POSTS.

Ok?

[Jah-Wren+Ryel]

So, after a quick read, it looks like the attacker has to convince a user to get to the attacked website via his own website - how else would he be able to forcefeed his own code into the $error variable to begin with?

What are the chances that:

1) A user will go to the bad guy's website
2) That the user will have an account on the attacked website
3) That said user will want to log into the attacked website right after going to the badguy website?

Sure, it is possible and a potential risk, but it sure seems to be highly-specific, probably only good if you are targetting known users to begin with.

Re:Ok?

[PowerKe]

1) A user will go to the bad guy's website
Well, that's the hard part, but you could even try using an HTML formatted mail.

2) That the user will have an account on the attacked website
The place to put the code injection was on the login screen, so it's open for anyone. You could hide the login page in an invisable iframe.

3) That said user will want to log into the attacked website right after going to the badguy website?
The important thing is that the target logs on during the timeframe where the cookie is valid. If you're lucky and the site uses a permanent cookie, you could even take over a login session from days ago. If it's a session cookie you could take over a previous session if the user didn't close his browser after previously using the admin application.

Re:Ok?

[Ford+Prefect]

So, after a quick read, it looks like the attacker has to convince a user to get to the attacked website via his own website - how else would he be able to forcefeed his own code into the $error variable to begin with?

Cross-site scripting attacks are possible through many different vectors - sometimes you can include it in a GET address (e.g. 'image.php?name=foo.jpg&caption=<script goes here>'), sometimes in text submitted to the website (one I saw wasn't escaping private, inter-user messages - so I promptly sent Javascript to the administrator), or whatever.

Essentially, if you can get the website to output your own text in an unescaped form (i.e. '>' and friends aren't converted into '&gt;' etc.), you can print raw Javascript, which the user's browser promptly executes. Javascript is quite a helpful language, so has functions for getting the values of cookies, etc. - which you can then send off to a third-party server under your control.

I had to do a rough security audit about a year ago on a website. From knowing absolutely nothing about the specifics of cross-site-scripting and SQL injection attacks, in a couple of hours I was hijacking administrator sessions or getting the website to dump passwords, private data, you name it. It was embarrassingly easy. So, some tips for web programmers on the receiving end of all this:

• 
     
• ALWAYS escape your output, whether it's user-provided or not. Be it a simple htmlspecialchars() in PHP, or a fancy {$your_variable|escape:'html':'UTF-8'} in Smarty, or whatever your templating or programming language provides, never forget.
     
• Be suspicious of all user-provided content. If it's a URL, make sure it's not a javascript: one - and if it's an email address or subject, make sure it's not got mail()-mangling newlines in it. You can send spam by adding extra headers that way, you know.
     
• Make sure all your database queries are clean. If it's supposed to be an integer, enforce that it's an integer. If it's a string, make sure it's properly escaped. Regardless of where it came from. Bound queries, or whatever they're called, are very useful for this - in my own stuff, I've been doing (integer )$id, ... '".mysql_real_escape_string( $text )."' ... when creating the queries.
     
• Read up on anything potentially hazardous, or on anything you don't quite understand. When something goes in a header, make sure it's got appropriate content - both email and HTTP headers can easily be abused through the judicious addition of newlines...
  

Requires social engineering

[cras]

The most problematic part from the article:

The end result was that I had to make a user click on a link that first took the victim to my server

I think this is the reason why people aren't that concerned about XSS. This requires that the attacker knows someone who has access to the web site and a way to get him to click on the link. I would certainly never click on a suspicious looking link. But sure, not everyone does that and if there are other post-login holes to get yourself into an admin, that's a problem for you too.

One thing that annoys me when discussing XSS problems and such is that people always just suggest to validate input. I've built perfectly secure PHP applications that don't validate input at all, they just don't print the output using "print" but another function that properly escapes the output. So much more easier that way than having to think about input validation for every single new field you add.

Re:Requires social engineering

[Corbets]

I'm not sure that validating output (escaping it) will be any easier than validating the input. Really, you just need to write a function that does generic parsing of the input in the same way you have a special function that escapes it. get_safe_input($string) could be a function that reads in from the user, fixes it up, and returns the safe string. Bam, done, use that every time instead of your read_string or whatever the php function is.

More Like a Phishing Attack

[hagrin]

As if fate wanted to make it challenging, the maximum size of the HTML input field for the email address was 25 characters, and it only accepted POST data, which is somewhat limiting. As a result, I had to "outsource" my cross-site scripting attack to a third server. The end result was that I had to make a user click on a link that first took the victim to my server.

Sounds more like a phishing victim than anything else to me. I understand that the rest of the article brings you through the process of session hijacking, etc., but to me the real problem here is the phishing "attack" and the misuse by the user. Is a system really insecure if the user is diligent in what links he clicks on in this instance? I mean, if I leave the keys to my car in the ignition it's not going to take a skilled theif or laser cut keys to steal my car and the security implementations taken by the manufacturer won't matter.

Re:More Like a Phishing Attack

[Fallus+Shempus]

So you're going to rely on user's intelligence?

You're not a coder are you.

With all due respect

[rehashed]

This is a perfect example of a shoddily developed website.
Additionally, it is, in certain respects, a retarded piece of journalism.

The XSS mentioned requires the use of phishing techniques - why not simply capture username and password and this point of the exercise, it will allow you to regain entry once the session expires, and will allow you to overcome and further validation that the session handler may require.
The XSS technique itself, printing the value of the cookie data via javascript to perform a get request to the evil server should not occur in the first place. That is simply shoddy website development. Sanitize input, escape output. Its not more difficult than that. Any developer who fails to grasp this most basic concept should not be in that line of work.

Secondly is the ability to transfer a session. In the example, the attacker utilizes a third party utility to modify the request data. Why he has done this is beyond me - much easier to simply edit the cookie itself, or even pass the session id back as a 'get' request, a tehnique accepted by default on many PHP installs. It is rather basic to overcome this kind of attack by utilizing a more sophisticated session handler, although this is rarely done as it is taken as a given that the attacker is not going to easily obtain a session ID.

Thirdly, is simple abuse of a poorly designed web application. There is no validation in place to ensure that the user has permission to perform a task on a designated object. In this case, there is no validation to ensure that user 42 has permission to modify data related to user 36. This is simply poorly designed, and again would not happen where a developer has half a clue about what he is doing.

Finally, is the mother of all attacks - the ability to upload and run abitrary code. This is a combination of two blatantly obvious (to those who are not clueless) issues that should not arise in a professional web application. Firstly, is the ability to upload files of a certain type. Apache, for example, doesnt require PHP files to be marked as executable, it will simply run anything with a .php extension (or others depending on configuration) through the PHP parser. If there is no reason for a user to be able to upload files of this type, basic sanitization should be in place to prevent the upload of these file types, or, more easily only allow files with permissable extensions to be uploaded. The second issue is related to basic site administration, unless there is need for direct access to the files, uploads should be located in a directory outside of the webroot, preventing direct access to (and possible execution of) these documents. If direct access is require, all external handlers should be disabled for that directory by the simple usage of a .htaccess file. This would mean that any uploaded scripts/executables would be treated in the same manner as a regular file, and be downloaded as opposed to 'run'.

In short, this was a very poorly designed web application. It didnt take into consideration any secure web development practices, such as Sanitization, Validation, Authorization and Limitation.
Unfortunately, in todays climate, every man and his dog is a web developer, and 99% of them are complete and utter idiots.

Human engineering & login code

[YeeHaW_Jelte]

While the crack is technically interesting the article doesn't answer two things: first how did he get the code for the login screen and how did he get a user to login via his evilsite.com mockup of the login screen.

Maybe he could guess that the email variable was printed unfiltered, and thus vunerable to XSS-attack, I dunno how he would get a user to login via a unrelated URL.

Some simple fixes would be sufficient

[vdboor]

As short summary, what every (PHP) developer should do is:

• limit the session to the IP-address of the visiting user.
• use htmlentities() on all outputted HTML
• secure file uploads to avoid uploading PHP code

And most important (but not relevant for TFA):

• use mysql_real_escape_string() on all database input, or better: the variable binding feature of PEAR::DB
• disable register_globals, use $_GET, $_POST and $_COOKIE instead.
• Use preg_replace( '/[^a-zA-Z0-9\-_]', '', $input ) on all input used in file names.
  Things like require_once("files/" + $input + ".html") actually read php files when it's called as ?input=file.php%00

Re:Some simple fixes would be sufficient

[FooBarWidget]

limit the session to the IP-address of the visiting user.

Is this really a good idea? I've heard stories from people on mailing lists who claim that many people are behind routers/proxies that cause IP changes very often, and that's restricting a session to an IP causes more problems than it's worth.

Additionally, checks for MSIE

[vdboor]

Most forums are vulnerable to simple JavaScript insertion attacks. One reason is MSIE is able to execute code like this:

<a href="java
script:alert('test')">

MSIE also allows developers to execute JavaScript in CSS code. A forum which translates

[color=blue]

to

<span style="color: blue">;

is vulnerable when you can enter

[color=expression(alert('test'))]

.