
Cross-site scripting (XSS) - What's that and how to identify them?

On my blog there are some vulnerabilities called "Cross-site scripting" or "XSS", but what exactly is Cross-site scripting?

A Cross-site scripting attack is a type of HTML injection, and the problem always arises when a web application accepts user input and generates output from it without validating or encoding it. This flaw makes it possible for an attacker to inject a malicious script, for example JavaScript, that can access cookies, session tokens or other sensitive information stored in the user's browser, because the browser thinks the script came from a trusted source.

There are several ways to identify XSS vulnerabilities:

- use a web security scanner, like xsser, arachni or Nikto
- test/review the code for places where user input possibly ends up in HTML output (contact forms, search forms, ...)

As an example I use the web application "LightNEasy 3.2.4".

OK, let the fun begin and let's see if there is any contact form or search form which accepts our (malicious) input ;)

The News page: what happens when we send a comment with a user name, an e-mail address and some JavaScript in the "Your comment" field?

Oooppsss, that's interesting ;)

So, where is the problem here? Let's have a look at the code! First we use fgrep on the console to search for the HTML field name "commentmessage".
root@bt:/var/www/lighteasy# fgrep -r "commentmessage" *

The line "$commentmessage = str_replace($order, "<br />", sanitize($_POST['commentmessage']));" in the file "main.php" looks interesting.
We can see there is also a "sanitize" call on "$_POST['commentmessage']", but obviously this is not enough to prevent our injection. (Note: "sanitize" is a function defined in the file "/var/www/lighteasy/LightNEasy/common.php".)

Next we change the line in main.php as follows:
- $commentmessage = str_replace($order, "<br />",sanitize($_POST[‘commentmessage’]))
+ $commentmessage = str_replace($order, "<br />",htmlentities($_POST[‘commentmessage’]))
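Review bot: htmlentities() is called here with its default flags, which on the PHP versions of that era (ENT_COMPAT, the default before PHP 8.1) leave single quotes unencoded, so if $commentmessage is ever placed inside a single-quoted attribute the encoding is incomplete; pass the flags and charset explicitly, e.g. `htmlentities($_POST['commentmessage'], ENT_QUOTES, 'UTF-8')`. The change also replaces sanitize() instead of wrapping it, so anything that function did beyond escaping (the post does not say what it does) is dropped on this path.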
Now, let's test the XSS attack again.

Nice, now this problem seems to be fixed!
For our next try we use a wrong captcha and see what happens.

Damn, our fix doesn't work for user input submitted with a wrong captcha, but why?

OK, back to the code in main.php. There are the following if/else statements (the `==` comparisons and the `\r`/`\n` escape sequences were lost in the copy and are restored here):
if($_POST['commentname'] == "" || $_POST['commentmessage'] == "")
        ...
else {
        if($_POST['secCode'] != $_SESSION['operation'])   // <-- here is the "problem" with the wrong captcha!
                ...
        else {
                $order = array("\r\n", "\n", "\r");
                $commentmessage = str_replace($order, "<br />", htmlentities($_POST['commentmessage']));   // <- our fix
                //$commentmessage = str_replace($order, "<br />", sanitize($_POST['commentmessage']));     // <- old code
With a wrong captcha our fix is never reached, so there must be a second place in the code where our input/output isn't properly sanitized. When we look at the screenshot of the "fgrep" command again, we see a second file, "main1.php", that also uses the variable "commentmessage".
In this file we change the following line and test our injection (with a wrong captcha) again.

-if($editar) $out.=sanitize($_POST[‘commentmessage’]);
+if($editar) $out.=
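Review bot: the replacement line is cut off after `$out.=`, so this hunk does not show what main1.php now appends and the fix for the wrong-captcha path cannot be reviewed from it; whatever the expression is, it should use the same encoding call and flags as the main.php change so the two paths do not diverge again.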
Of course the captcha is wrong, so there is no new comment, but have a look at the HTML code!
OK, so we fixed our problems. Possibly there is a better fix for this CMS. For example, why is the "sanitize" function not enough to prevent our XSS? But I think for this short article the solution with htmlentities is OK ;)
Further information about XSS and the LightNEasy vulnerabilities can be found here:
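To make the lesson of the two code paths concrete, here is an added example (my own code, not LightNEasy's): one encoding helper that every place echoing the comment back must go through, with the function names and sample input being assumptions for illustration.

```php
<?php
// Added example, not code from LightNEasy. One output-encoding helper is used
// by every path that writes the comment into the page, so a branch such as the
// wrong-captcha redisplay cannot skip the fix applied to the success branch.

// Encode a comment for HTML, then turn line breaks into <br />.
// Order matters: encode first, then insert our own markup, otherwise
// htmlentities() would also encode the <br /> we just added.
function render_comment(string $raw): string
{
    // ENT_QUOTES encodes both ' and ", so the value is also safe inside a
    // single-quoted attribute; the pre-8.1 default (ENT_COMPAT) leaves ' alone.
    $safe = htmlentities($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return str_replace(array("\r\n", "\n", "\r"), "<br />", $safe);
}

// The vulnerable pattern for comparison: raw input reaches the page.
function render_comment_unsafe(string $raw): string
{
    return str_replace(array("\r\n", "\n", "\r"), "<br />", $raw);
}

// Constructed sample input standing in for the "Your comment" field.
$comment = "hello\n<script>alert(1)</script>";

// Path 1: comment accepted and stored (main.php in the post).
$stored = render_comment($comment);
// Path 2: captcha wrong, form redisplayed with the entered text (main1.php).
// Same helper, so the encoding cannot be forgotten here.
$echoed = render_comment($comment);

echo "unsafe: ", render_comment_unsafe($comment), "\n";
echo "stored: ", $stored, "\n";
echo "echoed: ", $echoed, "\n";
```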

