So I was sifting through my logs and found a well-executed, actual XSS attack on one of my pages in the Ermarian Network.
As XSS attacks go, it was fairly harmless: the attacker injected an HTML link that was displayed after the form field, and the link did not go anywhere. Really a proof of concept, and an (intentional?) heads-up that I should secure my site better.
The code of this textbook exploit, shown below, shows that even a perfectly valid XHTML page is no protection against such attacks: the attacker merely has to ensure that XML validity is maintained (and even that only in Firefox).
For those unfamiliar with XSS: this is not a danger to the site or to my account, but to its users. Anyone who follows such a link on a (trustworthy) ermarian.net domain will see links to the attacker's website, or execute the attacker's JavaScript code, which even NoScript will show as coming from the (trustworthy) ermarian.net website.
Note the text entered by the user:
The quote "closes" the value, then the code completes and closes the tag, then it prints a link. Very neat. The same trick could be used to execute arbitrary JavaScript within the ermarian.net scope, which would allow that script to access any (non-existent) sensitive information such as login sessions.
Be right back, fixing my scripts to escape user input.
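To make the fix concrete, here is an added example (mine, not the Ermarian Network's actual scripts, whose language the post does not name) in Python: the unescaped pattern that lets a quote terminate the `value` attribute, beside the escaped version. The sample input is constructed, the `name="q"` field and the `example.invalid` link are assumptions, and the `count_tags` check is the kind of assertion I would put in a test to prove that user input can no longer add elements to the page.

```python
import html
import re

# Constructed sample input (not the text from the real log): a quote closes
# the attribute, "/>" closes the tag, then a link follows. The original
# closing  " />  of the template is left over and shows up as visible text,
# which is exactly the "displayed after the form field" symptom.
USER_INPUT = 'term" /><a href="https://example.invalid/">link</a>'

# Assumed template for the search field; the field name is made up.
TEMPLATE = '<input type="text" name="q" value="%s" />'


def render_field_unescaped(value):
    """The broken pattern: user input dropped straight into an attribute."""
    return TEMPLATE % value


def render_field_escaped(value):
    """The fix: turn &, <, >, " and ' into entities before the value lands
    in the attribute. quote=True is what protects the attribute boundary."""
    return TEMPLATE % html.escape(value, quote=True)


def count_tags(markup):
    """Number of opening tags in the markup. A rendered input field should
    contain exactly one; anything more came from the user input."""
    return len(re.findall(r"<[A-Za-z]", markup))


if __name__ == "__main__":
    for label, render in (("unescaped", render_field_unescaped),
                          ("escaped", render_field_escaped)):
        out = render(USER_INPUT)
        print("%-9s tags=%d  %s" % (label, count_tags(out), out))
```

Two things worth noting: `html.escape` defaults to `quote=True`, but spelling it out documents why the call is there, and escaping must happen at the point where the value is written into HTML, not when it is read from the request, because the same string may later be written into a database, a log line, or a JSON response that each need their own encoding.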