TECH INFO

Saturday, April 6, 2019

Cross Site Scripting (XSS)

What is Cross Site Scripting (XSS)?

  • Introduction

Cross site scripting is the number one vulnerability on the web today. If you are writing any kind of web software and you don't know about this, you should! And if you are the kind of person who likes to play about with websites and break them, in a definitely legal manner, you should know about this too.

  • Concept

To explain it, we have to go back to the early days of the internet. We have to go back to Tim Berners-Lee sitting at CERN, making up how the web will work. The web is based on something called HTML, Hyper Text Markup Language. Most people who are reading this, I think, will know how this works, but just very quickly, it means that you have tags. A tag starts with an angle bracket like this <, and closes with an angle bracket like this >. Anything between angle brackets is read as an instruction. So if I want to put some text in bold, I put a <b> tag and a close </b> tag, and I put some text in the middle, and that becomes bold. Those angle brackets, wherever they are in the document, mean "an instruction is coming here." So, what do you do if you want to put an angle bracket, which is basically a less-than sign, into your document? Well, you do something called escaping. Instead of sending the angle bracket, you send an ampersand, and then "lt" for less than, and then a semicolon. And that means, when the user actually reads it, it will become an angle bracket. Wonderful. And that works fine. It means in the old days of the World Wide Web, you could send a request, and the document would come back, and the angle brackets would not mess everything up.
Then we move on a bit, and we start coming back with more interactive things. Someone comes along and invents JavaScript. And JavaScript is a programming language that sits in the middle of web pages. You start with a tag in the middle of your document. So you've already got your HTML. You start with a <script> tag. And then everything stops. You've got a closing </script> tag down here. Nothing in this section will actually appear on the user's screen. What you have here is a completely separate programming language. You can declare variables. You can do calculations. That's vaguely sensible. You can create an entire program there, and that program can affect the document. So you can take the output from that, and you can put it into the rest of the text. It's really, really powerful. It's the way that everything big, everything interactive, works on the web now. You can design entire games in JavaScript. And all it's doing is creating a web page, and then just moving bits about. The trouble is that JavaScript is dangerous. It can do anything to the web page. And rightly so - that's how Gmail works. But imagine if you could get whatever JavaScript you wanted to do anything with, say, the login page of an online bank.

  • Working
 You could tell it that, instead of just taking the username and password and sending them to the bank's servers, first, it should send them to someone else. And when they've got them, and the user won't know that's happened, then it should log people into the bank. Or you could, say, instead of sending the words people are actually typing to the web, ignore them. Just send John instead. This is how MySpace worms spread, because you would type in the code, and it would appear, because MySpace hadn't quite filtered JavaScript properly, and that's the cross site scripting bug I'll get to in a minute. You could write anything you wanted in there, and every time someone looked at that MySpace page, the code would run! And it would say, hey, go do stuff with their profile instead. And it would.

JavaScript is dangerous because it lets you do anything on a web page. So, how do you get it in there? Let's go to, say, Google. Whatever I type in here appears on this web page. That's fine. What happens if, instead, I type in an italic tag? Well, what won't happen is that Google will send the whole page in italics. Because what they have done is they have converted it into &lt;, the escaped form of a less-than sign. Which is great. Let's imagine that instead of typing "test", or instead of typing that, I type in <script> and then some code. And as long as I write valid code there, and as long as the box is big enough, and there are a few other tricks you can do to make that work, if, as a web developer, you forget to do that little trick that changes a less-than sign into the code that means "put a less-than sign in there," your web server puts the page out, and the web browser looks at that and goes, "That is JavaScript code! I'm gonna run that!" And it does. And you can use that for entertainment.
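The escaping step described above and in the Concept section, shown as an added example that is not part of the original post: a constructed search-results template rendered once without escaping (the bug) and once with it (the fix), plus a small check that reports any tag in the output that did not come from the template. The template, sample inputs and helper names are all assumptions made for this example.

```python
import html
import re

# Constructed page skeleton the server fills in with the user's search term.
# Not the layout of Google or any other real site.
TEMPLATE = "<html><body><p>You searched for: {term}</p></body></html>"

# Constructed sample inputs: a plain word, a harmless italic tag, and a script tag.
BENIGN_INPUT = "test"
MARKUP_INPUT = "<i>test</i>"
SCRIPT_INPUT = "<script>console.log('xss')</script>"


def render_unsafe(term: str) -> str:
    """The bug the post describes: user input is pasted into the page as-is,
    so any angle brackets the user typed become instructions to the browser."""
    return TEMPLATE.format(term=term)


def render_safe(term: str) -> str:
    """The fix: turn '<', '>', '&' and quotes into entities (&lt; and friends)
    so the browser shows them as text instead of reading them as tags."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


# Matches an opening or closing HTML tag such as <i>, </i> or <script>.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def injected_tags(page: str) -> list[str]:
    """Return the tags in a rendered page that are not part of TEMPLATE.
    An empty list means user input stayed text; anything else means it
    became markup, which is exactly the failure that enables XSS."""
    expected = set(TAG_RE.findall(TEMPLATE))
    return [tag for tag in TAG_RE.findall(page) if tag not in expected]


if __name__ == "__main__":
    for label, term in [("benign", BENIGN_INPUT), ("markup", MARKUP_INPUT), ("script", SCRIPT_INPUT)]:
        print(f"{label:7} unsafe -> extra tags: {injected_tags(render_unsafe(term))}")
        print(f"{label:7} safe   -> extra tags: {injected_tags(render_safe(term))}")
```

`html.escape` is the right tool only for text placed between tags; input written into an attribute value, a URL, or inside a `<script>` block needs the encoding rules of that context instead.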

  • Conclusion

But the more sinister stuff you can do with JavaScript, quietly stealing passwords and user information and letting you log in as other people, all of these things are entirely possible by just letting unescaped JavaScript get into your web page. And here's the thing. Here's the really important thing. All you need to do is mess up once, anywhere on your site, with any user input. Something that you think is completely innocuous because someone is just typing in their age. If you forget to escape that, and someone types in a little bit of code there instead, well, congratulations, your web site is now completely vulnerable. And this has happened regularly, in Google, in Facebook, in every single big site, because it's so easy to forget. Even when every single framework out there, every single tool to help web developers, has something that goes, "Guys! You've missed this! Do you really mean to do that? Are you sure you really mean to do that?" You can still mess it up. Even the big guys mess this up. And they have what are known as "bug bounties." They will pay you money if you find something like this and then responsibly tell them. You don't go and tell the world. I think someone earned something like $12,000 for finding a bug in Facebook that let people do this. So, rather than try and break things, try and mend them. Try and find something like this. If this is your thing, if this is something that you look at and go, "Oh, I can try and break things with this!", do it. And then look at the big guys, and try and earn some money with it instead. Because they will thank you, they will put your name in lights on their site, and they will pay you money.
