One of my favorite stories about my courtship of my girlfriend is how I got XSS on her page. She had a really crappy tag-board thing that she had written in PHP. To this day she gloats that it took me 3 tries to get XSS on the page and that she had made it harder for me than most people had. Last night I finally told her the truth. It had, in fact, taken me four tries, not three. Let me start from scratch.
Her tag board was set up to take standard user input and echo it back to the page. From her perspective she saw a bunch of people tag her page, and then I started tagging her page. Being considerate, I didn’t immediately try to break her security. However, after my first (benign) post I realized that there was a possibility for exploitation. From her perspective she saw me post three times total: the first two attacks failed (she was escaping quotes, and I tried single and double quotes) before I moved on to a quote-less vector that worked.
But even though it took me three tries to break in, I was 99% sure it was vulnerable before I even started injecting vectors into her page. How? It was actually a previous post I had made. Something utterly benign that had made its way onto her board. Here’s what it looked like:
You’re hot!!! <3 <3 <3 -RSnake
The < in the "<3" was how I could tell that she was vulnerable, even before I had found the vector that would work. Simply by viewing source, I was able to see that it had not translated the open angle bracket to an HTML entity. The fact that I could inject an open angle bracket is 99% of the way to finding the vector that will fire. The only way it wouldn’t have worked is if I was limited in the number of characters I could inject (which I knew from previous posts on the tag board I wouldn’t be) or if she had some super tricky method of knowing what was and wasn’t a valid HTML tag (I’ve only seen that type of security twice in all the years I’ve been working on XSS, so that’s pretty unlikely).
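To make the point concrete, here is an added example (not the original tag board’s PHP, which isn’t on the page) contrasting a quote-only sanitizer like the one described with proper HTML output encoding, plus a defender-side check that flags rendered output in which a raw angle bracket survived. The exact quote-escaping behaviour of the original board is an assumption.

```python
import html
import re

# Constructed sample posts, modelled on the benign "<3" post above.
HEART_POST = "You're hot!!! <3 <3 <3 -RSnake"
QUOTE_ONLY_POST = "That's a \"great\" board"


def escape_quotes_only(text: str) -> str:
    """Assumed weak sanitizer: neutralises quotes (so quote-based
    vectors fail) but echoes '<' and '>' back to the page untouched."""
    return text.replace('"', "&quot;").replace("'", "&#39;")


def escape_html(text: str) -> str:
    """Proper output encoding for an HTML text node: '&', '<', '>',
    '"' and "'" all become entities, so no tag can be opened."""
    return html.escape(text, quote=True)


_RAW_ANGLE = re.compile(r"[<>]")


def leaks_angle_brackets(rendered: str) -> bool:
    """Defender-side self-test: does the HTML a post renders to still
    contain a raw '<' or '>'? If so, the encoder does not cover tag
    context, regardless of how carefully it handles quotes."""
    return _RAW_ANGLE.search(rendered) is not None


def audit(posts, encoder) -> list:
    """Return the posts whose encoded form still carries a raw angle
    bracket; an empty list means the encoder blocks tag injection."""
    return [p for p in posts if leaks_angle_brackets(encoder(p))]


if __name__ == "__main__":
    for name, enc in (("quotes only", escape_quotes_only), ("html.escape", escape_html)):
        print(name, "->", audit([HEART_POST, QUOTE_ONLY_POST], enc))
```

Run against the two sample posts, the quote-only encoder looks fine on the quotes-only post and leaks on the "<3" post, which is exactly the signal the view-source check above relies on.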
So from her perspective, she could see two failed attempts and one successful attempt. The beauty is, she didn’t even know about the earlier post that had originally tipped me off to the vulnerability. She was blissfully ignorant of that fact, even though it was staring her right in the face. Think about someone monitoring an automated IDS that flags anyone transmitting an open angle bracket (a very uncommon thing to see) and then, upon closer review, it’s someone saying “eye <3 u”. They would chalk it up to a false positive.
I’m sure now that you see what I did you can think of other ways to mask things like SQL injection and additional types of attacks that allow you to know if the site is vulnerable or not without setting off the alarm bells of anyone watching their logs.
And yes, even though it had taken me four tries - I got the girl. <3