Web Vulnerabilities and Their Risks - Part 1 - the Basics of XSS (Cross Site Scripting)

Today everyone shouts: “Owww no, watch out for security flaws in your website!”. Everybody knows that websites are a great danger for companies nowadays. But websites are a part of modern business that can’t be ignored. Lots of core business processes run through websites, and a lot of companies offer most of their feedback through their website. Whether you admit it or not: when a company launches a website, this creates a real risk for the company. Especially if the website is designed and developed by a web developer who is unskilled or untrained in (website) security. So as a web developer it’s important to know where security flaws can exist and how to prevent abuse.

In the upcoming articles I will describe several common security flaws in websites and what their risks are. I will also describe some solutions to prevent successful attacks. I’ll describe a small (self-made) selection of the “OWASP Top-10”. Check out the complete project at http://www.owasp.org/index.php/Main_Page. The “OWASP Top-10” is a list of the most common security flaws in web applications.

This first post of the series is about Cross Site Scripting, also known as XSS.

XSS – Cross Site Scripting

‘Cross Site Scripting’, also known as ‘XSS’, is (simply said) a vulnerability in a web application that makes it possible to execute your own malicious JavaScript in the browser of the site’s visitors.

An example: I have a website with a search form. When a search is submitted, the following PHP code runs:

$searchInput = $_POST['input'];          // raw, unvalidated user input
searchDatabase($searchInput);            // look up the search term (was $input, an undefined variable)
echo "The following results are found using the following input: " . $searchInput;   // echoed straight into the HTML page
echo "Results: .....";

This looks like an ordinary script, right? The only problem with this script is that the input isn’t validated or escaped before it is echoed, so the server doesn’t know what the input contains and passes it to the browser unchanged. So if the input is:

<script type="text/javascript"><!--mce:0--></script>

This script is executed by the browser as soon as it renders the output of the line:

echo "The following results are found using the following input: " . $searchInput;

This means that if I create a hyperlink to the vulnerable site, the victim will execute the “alert”. An alert by itself is not such a big deal, but stealing complete sessions or cookies can be quite a problem, mainly because sessions and cookies are what a website uses to identify its users.

An example of a malicious script in JavaScript:

<script type="text/javascript"><!--mce:1--></script>

Now the interesting value is sent to “evilscript.php”, where it can be collected.

So, how can you fix this? Luckily this problem is very easy to fix. In PHP, the simple solution to this problem is to call the following function on every input you use:

$input = 'text with javascript <script type="text/javascript"><!--mce:2--></script>';   // single quotes, so the double quotes inside do not end the string
$input = addslashes($input);   // prefixes quotes and backslashes with a backslash

Now these characters have no special function any more; they are just characters. The output will look like this:

text with javascript alert('XSS');</script>
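As an added example (not the post’s own code), here is the search handler from the post next to two treatments of the input: the addslashes() call the post suggests, and htmlspecialchars(), the function PHP provides for encoding a value before it is placed in an HTML page. The sample input is constructed; the script reports which outputs still contain an unencoded <script> tag.

```php
<?php
// Added example, not code from the original post. The search handler from
// the post, shown vulnerable and with two candidate fixes.
declare(strict_types=1);

// Constructed sample input, standing in for $_POST['input'].
$searchInput = "test<script>alert('XSS')</script>";

// What the post's script does: echo the raw input into the HTML page.
function renderVulnerable(string $input): string
{
    return "The following results are found using the following input: " . $input;
}

// What the post suggests: addslashes(). It only prefixes quotes and
// backslashes with a backslash, so the <script> tag reaches the browser intact.
function renderAddslashes(string $input): string
{
    return "The following results are found using the following input: " . addslashes($input);
}

// Context-appropriate fix: HTML-encode the value before putting it into HTML.
// ENT_QUOTES also encodes single quotes, so the value is safe inside attribute
// values quoted either way; the charset is passed explicitly.
function renderSafe(string $input): string
{
    $encoded = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "The following results are found using the following input: " . $encoded;
}

// Crude check for this demonstration only: is a raw <script tag still present?
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$variants = [
    'vulnerable'       => 'renderVulnerable',
    'addslashes'       => 'renderAddslashes',
    'htmlspecialchars' => 'renderSafe',
];
foreach ($variants as $label => $fn) {
    $out = $fn($searchInput);
    printf("%-16s raw <script> present: %s\n%s\n\n", $label, containsRawScriptTag($out) ? 'yes' : 'no', $out);
}
```

Running it shows that the vulnerable and addslashes() variants both still carry a live <script> tag, while the htmlspecialchars() variant renders the input as visible text.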

Well, that was it. Now you know the basics of XSS and how it is used. In the future I will come back with some more interesting uses of XSS. For now I’ll stop with XSS and write some more about the following vulnerabilities:

  • SQL Injection

  • Malicious File Execution

I hope you enjoyed this post and find it useful. Any comments or questions about this post? Please leave a reply.

Greetz, Ruben.
