Friday, 14 March 2014

Well Known Hacks II: XSS (JavaScript Injection)

In this post I am going to talk about a new (and, in fact, pretty exciting) type of security breach, namely XSS attacks. For your information, XSS stands for Cross Site Scripting (so the 'X' in XSS is not actually an 'x' but a cross!).

First of all, I have divided the whole thing into two sub-types: JavaScript injection (a client-side vulnerability) and server-side vulnerability. In this post specifically I talk about the client-side vulnerability. In the next post I give some AMAZING examples, and in later posts I will talk about the server-side vulnerability as well.

The main idea behind JavaScript injection is that you write some JavaScript code and then use various tricks to execute your code alongside the code sent to your browser by a website. At first glance this may seem quite normal and safe; however, IT IS NOT! According to the Symantec Security Threat Report, XSS attacks made up more than 84% of all security threats in the year 2007. You can view the article here.

By executing your own code along with the script sent to your browser by the server, you can manipulate the webpage the way that YOU want. It may be partially safe in the sense that this only changes the client-side view of the webpage and has no effect on the server (and this is in fact true). But there are other vulnerabilities that are important concerns:

1) Self-XSS Attacks: This basically means that by injecting code into a webpage you can access a user's private data, where the user is anyone who uses the browser. For example: A few months ago, I wrote a JavaScript code that stores the usernames and passwords of users who use my own computer to log in to popular websites such as Facebook, Gmail, etc. (If you are a friend of mine, you don't want to use my computer to browse the web). This is probably one of the most prevalent (and quite annoying) types of XSS attack. Facebook itself was a target of Self-XSS attacks a long time ago. Whether you remember it or not, there was a time when you received links from your friends like: "99% of people can't watch this video for more than 10 seconds". And once you clicked on the link, the same link got sent to all your friends (Quite annoying and embarrassing, huh?). Facebook itself has a page that talks about such attacks:
Matt Jones - Self-XSS attack explained | Facebook 
But there are also useful types of JavaScript injection. An example? AdBlock is one of them! But again, even in this case you should be very careful! Such applications can access not only all your browsing data, but they can also keep track of many of your other activities (including logging in to webpages with a username and password)! To see what information each of these applications can access in your browser, you should ALWAYS look at their permissions. For example, if you are using Chrome, you can look at the permissions of your applications by going to Tools->Extensions.

2) Brute-Force Guessing: Using this technique you can inject different values into online forms and submit them automatically over many iterations. For example, I may have an online homework that requires entering numbers or words and clicking on a 'submit' (or similar) button. If there is no limit on the number of trials, and considering that the whole page does not refresh after each submit, you can write a JavaScript code that injects many different values into the form and automatically clicks on the 'submit' button until you get the correct answer!

[Images: modified Facebook login page and modified Google page]

Changing the design of a webpage (in these cases FB and Google) using JavaScript injection. In these examples some images are changed by entering my username and a specific password into the login form (in the FB image above) or by adding 'u=behnam' to the URL (the modified Google page above).
Image Source: My computer screenshot
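The 'u=behnam' trick above works because the page copies a URL parameter straight into its markup. The following is an added example (not code from the original post) of a hypothetical greeting page that does exactly that, shown beside the fixed version that escapes the value before it enters the HTML; the URL, the `u` parameter and the function names are assumptions.

```javascript
// Added example: reflected URL parameter rendered into HTML, unsafe vs. escaped.
// Assumption: the page takes the "u" query parameter and shows it in a heading.

// Escape the five characters that can change HTML structure or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read the "u" parameter from a full URL; returns "" when it is absent.
function userParam(url) {
  return new URL(url).searchParams.get('u') || '';
}

// Vulnerable: the raw parameter value is concatenated into the markup, so any
// tags it carries become live elements of the page (the injection shown above).
function renderGreetingUnsafe(url) {
  return '<h1>Hello, ' + userParam(url) + '</h1>';
}

// Hardened: the same value is escaped for the HTML text context first, so the
// browser displays it as literal text no matter what it contains.
function renderGreetingSafe(url) {
  return '<h1>Hello, ' + escapeHtml(userParam(url)) + '</h1>';
}

// Constructed sample inputs: a normal name and one that smuggles markup.
const NORMAL_URL = 'https://example.test/search?u=behnam';
const INJECTED_URL =
  'https://example.test/search?u=' + encodeURIComponent('<b>behnam</b>');

console.log(renderGreetingUnsafe(INJECTED_URL)); // <b> tag survives into the page
console.log(renderGreetingSafe(INJECTED_URL));   // <b> tag becomes inert &lt;b&gt;
```

Escaping is context specific: this escaper is correct for HTML text and double-quoted attribute values, but a value placed inside a script block, a URL or a CSS rule needs the encoding for that context instead.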
