Paid Advertising
web application security lab

Masking XSS Attacks

One of my favorite stories about my courtship of my girlfriend is how I got XSS on her page. She had a really crappy tag-board thing that she had written in PHP. To this day she gloats that it took me 3 tries to get XSS on the page and that she had made it harder for me than most people had. Last night I finally told her the truth. It had, in fact, taken me four tries, not three. Let me start from scratch.

Her tag board was set up to take standard user input and echo it back to the page. From her perspective she saw a bunch of people tag her page, and then I started tagging her page. Being considerate, I didn’t immediately try to break her security. However after my first (benign) post I realized that there was a possibility for exploitation. From her perspective she saw me post three times total. From her perspective the first two attacks failed (she was escaping quotes and I tried single and double quotes) before moving on to a quote-less vector that worked.

But even though it took me three tries to break in, I was 99% sure it was vulnerable before I even started injecting vectors into her. How? It was actually a previous post I had made. Something utterly benign that had made it’s way on her board. Here’s what it looked like:

You’re hot!!! <3 <3 <3 -RSnake

The < in the "<3" was how I could tell that she was vulnerable, even before I had found the vector that would work. Simply by viewing source, I was able to see that it had not translated the open angle bracket to an HTML entity. The fact that I could inject an open angle bracket is 99% of the way to finding the vector that will fire. The only way it wouldn’t have worked is if I was limited in numbers of characters I could inject (which I knew from previous posts on the tag board I wouldn’t be) or if she had some super tricky method of knowing what was and wasn’t a valid HTML tag (I’ve only seen that type of security twice in all the years I’ve been working on XSS, so that’s pretty unlikely).

So from her perspective, she could see two failed attempts and one successful attempt. The beauty is, she didn’t even know about the one above all of that that had originally tipped me off as to the vulnerability. She was blissfully ignorant of that fact, even though it was staring her right in the face. Think about someone watching an automated IDS watching for anyone transmitting an open angle bracket (a very uncommon thing to see) and then upon closer review it’s someone saying “eye <3 u”. They would chalk it up to a false positive.

I’m sure now that you see what I did you can think of other ways to mask things like SQL injection and additional types of attacks that allow you to know if the site is vulnerable or not without setting off the alarm bells of anyone watching their logs.

And yes, even though it had taken me four tries - I got the girl. <3

14 Responses to “Masking XSS Attacks”

  1. id Says:

    You’re hot!!! <3 <3 <3 -id

  2. RSnake Says:

    Aw shucks. Do you mean that or are you just trying to haX0r me?

  3. Tontonq Says:

    you are really funny :D look here a xss @

  4. RSnake Says:

    Hi, Tontonq - that’s not XSS… the whole purpose of that page is to allow anyone to see their environmental variables. It doesn’t render HTML. I’ve had to explain this to a few people, but XSS doesn’t mean injecting text, it means injecting HTML, which you can’t do on that page. All you’ve shown is that environmental variables CAN cause XSS if the page isn’t set up to protect itself.

  5. Tontonq Says:

    hi RSnake you are right half but when you click to Rsnake Xss it connects to and writez to page Tontonq kisses your ass :P that is half xss too but i dont want you understand as wrong i like your blog i like your holes you may perceive as a joke :P but if you look and click to the link (by ie) you may see log.cgi pringts to the page variables without filter

    thanx :P

  6. Tontonq Says:

    sorry for bad english :(

  7. RSnake Says:

    I assume you’re talking about this:

    HTTP_REFERER =<STYLE>@import’’;</STYLE>

    But that doesn’t run. That just displayes the text on the page. Unless I’m missing something that doesn’t run in Internet Explorer or Firefox, because it’s converted into HTML entities.

  8. Chris Shiflett Says:

    I think Tontonq is confused.

    Tontonq, you should view source and search for your injection. That’s a better way to tell whether it has been escaped. Unless RSnake has changed something since you posted this (which I doubt), I don’t see how you can claim “it connects to and writez to page Tontonq kisses your ass.”

  9. RSnake Says:

    I haven’t changed that script in ages (I haven’t even fixed the HTML since I first built it a few years ago), except add the JavaScript variables because I think that’s interesting to see as well.

    But maybe I’m just not understanding the issue.

  10. RSnake Says:

    Well I appologize. I wasn’t viewing the issue in IE, I was looking in Firefox, and now I see the problem. It’s a DOM based XSS using the JavaScript, not the server side code (which was confusing the issue). It’s not as straight forward for me to do a string replace on the objects, since they aren’t strings, per se, so screw it. I’ve removed the script for the time being.

    Thanks Amit, for showing me what was going on.

  11. Tontonq Says:

    // RSnake PLease Patch that bug of the submiting comment i can submit :S someties but sometimes not :.. //

    hi guys

    look here

    and look here

    we see RSnake’s deleted javascript variables
    but last week log.cgi was printing to page the referrer with html entities not filtered
    but after i post Rsnake must be patched

    please dont understand wrong
    i dont want decry RSnake


  12. RSnake Says:

    Yes, I deleted the offending JavaScript. The world is safe once again.

  13. chilligan Says:

    Does her father know that you’ve been “injecting vectors into her” and does she know that Tontonq “like(s) your holes?”

    Don’t keep secrets… they’ll catch up with you.

    Oh yeah (risking anger from id),
    You’re hot!!!

  14. id Says:

    He’s a slut, I don’t mind.