[thelist] how does cross site scripting work?

Andrew Seguin axssdnied at borg.darktech.org
Wed Jul 23 15:07:54 CDT 2003


> Hi.
>
> I was just reading about cross site scripting (and how it's bad) but the
> text didn't explain exactly what it is.
>
> Anyone want to share an exploit/proof of concept? (or you can just
> explain it :)
>
>
> Thanks,
> Chris.


since you say you've been reading why it's bad I won't go into that, but
here's an example of an XSS/proof of concept.
try this:

create the following php file (between lines of dashes)
-------------------------
<html><head><title>A XSS Sample</title></head>
<body><?php


//Assuming this is from some kind of form,
//then this could be some kind of error message.
if (!empty($_GET['message']))  {
	echo("<div style=\"background-color: #F00\">");
	echo($_GET['message']);
	echo("</div>");
}

?>

Did you see a message? if not click <a href="XSSSample.php?message=</div><script>alert('hello there');</script><div>&nbsp;">here.</a>
</body>
</html>
----------------------------

Make sure you save as a PHP file and view it through a browser.

Idea: The output from the PHP script allows the direct usage of any text
in it. Including HTML tags. Allows insertion of scripts without much
effort. Just change "alert('hello there');" for the script of your
choice... maybe steal cookies for example? and what if it's an
authenticated site that's vulnerable? like hotmail? or maybe webshots?...
could lead to being able to access a victim's inbox or using somebody else's
"premium" access account to sites...


Protection: in php, at least use the following code sample on all
untrusted output...
(and I do a transform on inputs, when about to store into db, into html
entities for all characters input except for "regular" characters as a
first stage protection against XSS and sql injection).

// ereg_replace() was removed in PHP 7; htmlspecialchars() escapes < > & and quotes in one call.
$output = htmlspecialchars($output, ENT_QUOTES, 'UTF-8');

similar can be used in similar languages.



Hope this makes things clearer for you,
Andrew
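A hardened counterpart to the sample page above, added here as an example (this is not Andrew's code and not part of the original thread). It keeps the file name XSSSample.php and the "message" parameter from the post; the helper names h() and render(), the CLI self-check and the constructed probe string are assumptions of this example. The point it shows is that the same untrusted value needs escaping for the context it lands in: htmlspecialchars() for element content and attribute values, urlencode() when the value is placed inside a URL.

```php
<?php
// Added example (not from the original post): hardened version of the
// XSSSample.php idea. The "message" parameter is reflected into the page,
// but it is escaped for the context it is inserted into.
declare(strict_types=1);

// Escape a string for HTML element content or a double-quoted attribute value.
// ENT_QUOTES covers both quote characters, ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string.
function h(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Builds the whole page. It takes the raw query value as an argument so the
// same code can be exercised from the command line and from a web server.
function render(?string $message): string
{
    $out = "<html><head><title>A XSS Sample (hardened)</title></head>\n<body>\n";
    if ($message !== null && $message !== '') {
        // Element content: "<" and ">" become &lt; and &gt;, so a </div> or a
        // <script> tag inside the parameter is displayed as text, not parsed.
        $out .= '<div style="background-color: #F00">' . h($message) . "</div>\n";
    }
    // URL context first (urlencode), then attribute context (h), so neither a
    // quote nor an angle bracket in the value can break out of href="...".
    $link = 'XSSSample.php?message=' . urlencode('hello there');
    $out .= 'Did you see a message? If not, click <a href="' . h($link) . "\">here</a>.\n";
    $out .= "</body></html>\n";
    return $out;
}

if (PHP_SAPI === 'cli') {
    // Constructed probe: the exact payload from the post above.
    $probe = "</div><script>alert('hello there');</script><div>&nbsp;";
    $html = render($probe);
    echo $html;
    // Self-check: the rendered page must not contain a live <script> tag.
    if (stripos($html, '<script') !== false) {
        fwrite(STDERR, "check failed: script tag survived escaping\n");
        exit(1);
    }
    echo "check passed: payload was rendered as text\n";
} else {
    header('Content-Type: text/html; charset=UTF-8');
    echo render($_GET['message'] ?? null);
}
```

Run it with "php XSSSample-hardened.php" to see the escaped output and the self-check, or serve it through a web server and pass the same payload in the query string; in both cases the alert never fires because the browser receives &lt;script&gt; as text.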





