Cross-site scripting (XSS) - What's that and how to identify them?
On my blog there are some vulnerabilities called "Cross-site scripting" or "XSS", but what exactly is cross-site scripting?
A cross-site scripting attack is a type of HTML injection; the problem always arises when a web application accepts user input and generates output without validating or encoding it. This flaw makes it possible for an attacker to inject a malicious script, like JavaScript, to access cookies, session tokens or other sensitive information stored in the user's browser, because the browser thinks the script came from a trusted source.
There are some different possibilities to identify XSS vulnerabilities:
- use a web security scanner, like xsser, arachni, Nikto …
- test/review the code for places with user input which possibly ends up in HTML output (contact forms, search forms …)
As an example I use the web application "LightNEasy 3.2.4".
OK, let the fun begin and let's see if there is any contact form or search form which accepts our (malicious) input ;)
The News page
http://<target>/lighteasy/LightNEasy.php?page=news
What happens when we send a comment with a user name, an e-mail address and some JavaScript in the "Your comment" field?
Oooppsss, that's interesting ;)
HTML-Output
So, where is the problem here? Let's have a look at the code! First we run fgrep on the console for the HTML field name "commentmessage".
root@bt:/var/www/lighteasy# fgrep -r "commentmessage" *
The line "$commentmessage = str_replace($order, "<br />", sanitize($_POST['commentmessage']));" in the file "main.php" looks interesting.
We can see there is also a "sanitize" call for "$_POST['commentmessage']", but obviously this is not enough to prevent our injection. (Note: "sanitize" is a function in the file "/var/www/lighteasy/LightNEasy/common.php".)
Next we change the line in main.php as follows:
- $commentmessage = str_replace($order, "<br />", sanitize($_POST['commentmessage']));
+ $commentmessage = str_replace($order, "<br />", htmlentities($_POST['commentmessage']));
HTML-Code
Nice, now this problem seems to be fixed!
For our next try we use a wrong captcha and see what happens.
Damn, our fix doesn't work for user input with a wrong captcha, but why?
OK, back to the code in main.php. There are the following if/else statements:
if($_POST['commentname'] == "" || $_POST['commentmessage'] == "")   // comparison operator was lost in extraction; "==" assumed here
    $message = $newsmessage[101];
else {
    if($_POST['secCode'] != $_SESSION['operation'])   // <-- here is the "problem" with the wrong captcha!
        $message = $newsmessage[139];
    else {
        $order = array("\r\n", "\n", "\r");
        $commentmessage = str_replace($order, "<br />", htmlentities($_POST['commentmessage']));   // <-- our fix
        //$commentmessage = str_replace($order, "<br />", sanitize($_POST['commentmessage']));   // <-- old code
    }
}
With a wrong captcha our fix is never reached, so there must be a second place in the code where our input/output isn't properly sanitized. When we look at the screenshot of the "fgrep" command again, we see a second file "main1.php" with the variable "commentmessage".
In this file we change the following line and test our injection (with a wrong captcha) again.
- if($editar) $out.=sanitize($_POST['commentmessage']);
+ if($editar) $out.=htmlentities($_POST['commentmessage']);
Of course the captcha is wrong, so there is no new comment, but have a look at the HTML code!
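As an added example (not LightNEasy's own code; the names h, comment_to_html and handle_comment are assumptions), here are the two output paths from above in one small handler, with encoding applied at every point where the comment text reaches HTML, including the error path that re-displays the form after a wrong captcha:

```php
<?php
// Added example modelled on main.php / main1.php; not the CMS's code.

// Encode once, at output, for an HTML context. ENT_QUOTES also encodes single
// quotes, which the default flags of older PHP versions leave untouched.
function h(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode FIRST, then turn newlines into <br />, so the <br /> tags we add are
// the only markup that survives in the rendered comment.
function comment_to_html(string $raw): string {
    return str_replace(["\r\n", "\n", "\r"], "<br />", h($raw));
}

// Same control flow as the if/else block above: empty fields, wrong captcha,
// or accepted comment. Both branches that echo user text go through h().
function handle_comment(array $post, array $session): string {
    $name = $post['commentname'] ?? '';
    $msg  = $post['commentmessage'] ?? '';
    if ($name === '' || $msg === '') {
        return '<p class="error">Name and comment are required.</p>';
    }
    if (($post['secCode'] ?? '') !== ($session['operation'] ?? null)) {
        // Error path (the main1.php case): the form is re-rendered with the
        // user's text, so this output needs encoding just like the stored one.
        return '<p class="error">Wrong captcha.</p>'
             . '<textarea name="commentmessage">' . h($msg) . '</textarea>';
    }
    // Success path (the main.php case): render the accepted comment.
    return '<div class="comment"><b>' . h($name) . '</b><br />'
         . comment_to_html($msg) . '</div>';
}

// Constructed sample input: a script tag plus quotes that would break out of
// an attribute if only the default htmlentities() flags were used.
$post = [
    'commentname'    => 'bob',
    'commentmessage' => "hi\n<script>alert(1)</script> it's \"me\"",
    'secCode'        => 'x',
];
echo handle_comment($post, ['operation' => 'y']), "\n"; // wrong-captcha path
echo handle_comment($post, ['operation' => 'x']), "\n"; // accepted-comment path
```

Run it with the PHP CLI; in both outputs the script tag appears only as text (&lt;script&gt;), and the quotes are encoded as &#039; and &quot;.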
OK, so we fixed our problems. Possibly there is a better fix for this CMS?! For example, why is the "sanitize" function not enough to prevent our XSS? But I think for this short article the solution with htmlentities is OK ;)
Further information about XSS and the LightNEasy vulnerabilities can be found here: