Creating a Cross-site Scripting (XSS) Attack. Understanding How XSS Attacks Work & Identifying Web Vulnerabilities
Part two of our Cross-site scripting (XSS) series shows how easy it is to create & execute a XSS attack, helping readers & network security engineers understand how XSS attacks work and how to identify web application vulnerabilities. Part one explained the concept of XSS attacks while also analyzing the different type of XSS attacks.
XSS exploits can be incredibly simple. The simplest attack grabs the user’s cookie contents and sends it to another server. When this happens, the attacker can extrapolate the user’s session information from what he receives, spoof his cookies to appear as if he is the victimized user, and gain unauthorized access to that user’s account. Obviously, if the user is privileged, like a moderator or administrator, this can have serious ramifications.
As an example, think of an error message page where the message itself is part of the website address (known as a Uniform Resource Identifier, or URI), and is directly presented to the user. For this example, say that web page acts as follows:
Request URI: /error.page?message=404 Error – Content Not Found
2. An error occurred:<br />
3. 404 Error – Content Not Found
In line 3, you can see the idea behind the page: the error message provided via the query string variable message is printed to the user. If this URI does not sanitize anything, namely such as stripping HTML tags out, an attacker can inject anything.
They can also mask that inject a little by substituting values with URL encoded values. If they wanted to steal cookies off a user using this error page, they could do so as follows: