Dude, where’s my XSS protection?
Web application security is a major concern nowadays. You have to make sure your application is secure, especially if you have a lot of users. There are many controls a developer can implement to attempt to make the site safer. Or so they think. The fun of hacking is looking for a different way to get things done. There are many reasons to why these developers are mistaken, in this article we will be talking about a very common XSS (Cross-Site Scripting) "solution" that all it really does is make the game that much more interesting.
To explain a specific XSS prevention method and one of the ways we can bypass this control we will be looking at a really cool challenge from our pals at Halls of Valhalla.
Halls of Valhalla Challenge: XSS4
In this challenge we are presented with an input in which we can submit a message with a title, very much like a forum. The key is that we are also given the source code for the function that displays my message. This function is written in PHP. First we need to go through the source code and understand what it is doing. Once we have done this we can look for possible vulnerabilities.
From the code we see a conditional check. The if statement checks the return value of the method ISSET(param) which determines if the param is set and is not NULL. Inside the conditional check we see three very similar instructions followed by an echo. The three similar instructions all take one of the input fields from the form, pass it through the strip_tags() method and assign the new value to a variable. The echo message then echoes or prints on screen an HTML <div> tag. The tag has some basic attributes and one of the attributes used is the title variable with my input after strip_tags. So the echo instruction displays the message along side the user name.
If we try the basic injection, "<script>alert(1)</script>", we can see that the strip_tags() method removes everything starting at "<" and ending in ">". The echoed message would then be "alert(1)" which is useless without the correct script tags.
We said before that an XSS can occur when data enters a web application through a web request, and that data is included in dynamic content that is sent to a web user without being validated for malicious content. That is pretty much exactly what we have here with one small exception. Our input IS validated for malicious content, strip_tags() is applied to all my input strings. So if we can find a way to bypass that validation, we can then exploit the XSS vulnerability.
OWASP provides very helpful and complete documentation on various security topics. For attacks it provides great cheat sheets that can guide you in the testing process. Here is Their Official Homepage for a look into the many topics and resources OWASP offers.
After further research on filter evasion, we can find that the strip_tags() method has a common and well known vulnerability. Since the method needs to identify the "<" and ">" symbols in order to know what to delete, we need to inject our script without the use of these symbols.
Note that the html tag puts single quotes " ' " before and after the $title input. Hence we need to close the first " ' " in order to be able to add an other attribute. We can’t forget about the closing single quote, when adding the attribute we need to leave the quotes open in order to use the single quote added by the HTML tag and therefore maintain a valid syntax.
Know that we have successfully posted our message containing the injection, all we need to do to test it out is trigger the onmouseover event.
Once we place the mouse pointer over our message we can see we get the alert 1 pop up.
There are many filters you can use to validate your website’s input and reduce the chances of a successful XSS injection. If you only use one filter there is a very high probability that an attacker will be able to find a way around your control. There are many functions in different programming languages which implement not only one but many different filters to validate the user input. If you are passionate about programming, you can easily do some basic research and find different functions you can call in order to make one big and complete XSS filter.
OWASP. (2016, June 04). Cross-Site Scripting (XSS). Retrieved April 26, 2017, from https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Netflix and hack.