Cross Site Scripting

By Phantasm66
Apr 29, 2007
  1. My new thing I'm into is Cross Site Scripting (XSS). This is how you manipulate URLs and user input into Web Applications in order to exploit security holes. Even the websites of major banks have these kinds of problems.

    A forum like this is a prime example, where some kind of malicious code could be injected into the page - say in a post - and executed by everyone who visits the page.

    Watch the movie !!! :
  2. kitty500cat

    The article, while a bit deep to me (I'm not very experienced in web programming), was interesting. So would an XSS hole result if somebody would type malicious HTML code into a message on TS? Or would the forum have to support HTML code for it to work?
  3. Phantasm66

    Software like this forum has these kinds of flaws, yes.

    I don't know what they specifically are for this software, or the version, but doubtless there will be all sorts of things you can do.

    One example would be a SQL query injected which could query the metadata tables. From there you could work out the table that held the usernames and passwords. If you could somehow read this table by further injecting SQL then you could find all the members' passwords and log in as someone else.

    SQL injection is just one possible technique, though. Another might be to have JavaScript embedded in this page that, when run on YOUR machine, does something malicious like calls an ActiveX control to change something in your registry, or turn your firewall off.
  4. kitty500cat

    But how could a user inject that code into the page? It seems that vBulletin automatically changes < and > signs into the & lt; and & gt; (omit spaces) so that they aren't mistaken by the browser for HTML code.

    Wouldn't it be dangerous to have a vB forum with HTML allowed, though?

  5. Phantasm66

    I'm no expert (at this stage), but I'd say that if the software properly sanitized user input to prevent scripting or SQL from being injected (vBulletin automatically changing < and > signs sounds like a good start), then it would be safe. But then again, I'm just starting to learn about this myself.

    If anyone else has any insights I'd love to hear them.
  6. Phantasm66

  7. kitty500cat

    Well, as a test, I'll give the < and > symbols and check the page source to see whether or not vB changes them to the & gt; and & lt.
Topic Status:
Not open for further replies.
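
The escaping discussed in the thread, as an added example that is not part of any post and is not vBulletin's code: it compares encoding only `<` and `>` with encoding every HTML-significant character, for user text placed in an element body and in a quoted attribute. The function names, the markup template and the sample inputs are constructed for illustration.

```javascript
// Added example: output encoding for user-supplied forum text.
// All names below are hypothetical; this is not vBulletin's implementation.

// Encodes only the angle brackets, the behaviour described in the thread.
function escapeAngleBracketsOnly(text) {
  return String(text).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Encodes every character that is significant in HTML text and in quoted
// attribute values. A single pass avoids double-encoding the "&" of entities.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Places the author name in a quoted attribute and the post body in the element.
function renderPost(encode, author, body) {
  return `<div class="post" title="${encode(author)}">${encode(body)}</div>`;
}

// The only shape the template should ever produce: one div, two attributes,
// no child elements. Anything else means user input changed the markup.
const SAFE_SHAPE = /^<div class="post" title="[^"]*">[^<]*<\/div>$/;

// Renders two constructed inputs with the given encoder and reports whether
// the markup kept its intended shape in each context.
function audit(encode) {
  const body = "<script>alert(1)</script>";        // constructed sample
  const author = 'kitty" onmouseover="alert(1)';   // constructed sample
  return {
    bodySafe: SAFE_SHAPE.test(renderPost(encode, "kitty", body)),
    attributeSafe: SAFE_SHAPE.test(renderPost(encode, author, "hello")),
  };
}

console.log("angle brackets only:", audit(escapeAngleBracketsOnly));
console.log("full HTML encoding: ", audit(escapeHtml));
```

Encoding only the angle brackets keeps the post body inert, but a double quote in the attribute value still ends the attribute early; the full encoder keeps both contexts intact.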
