I found a cross-site scripting (XSS) attack in a well-known quiz hosting website. I disclosed the vulnerability to them years ago, so I thought now might be a good time to write about it.
In this first article I will explain what XSS is.
In the next article I will explain how I found this attack.
What is cross-site scripting (XSS)
So for example:
Click the above
hacked.js link to view the code I use to “hack” this website.
It’s safe, I promise ;)
Now, how can we get this code to execute when a user visits this site? To explain, I will start with some of the underlying technologies.
No, this is not a Sherlock Holmes novel!
If we suppose that a website is built with sequences like these (called “tags”):
<p> (for paragraph),
<b> for bold,
then why can you see the left and right angle bracket characters?
Don’t they mean something? Shouldn’t they be telling the browser:
“Hey! Make me bold!”?
Why doesn’t everything after me typing
<b> turn bold?
The answer is:
There are special characters in HTML to type a visible left (<) and visible right angle bracket (>) in a website. If I use the left and right brackets on my keyboard however, things will indeed show up bold.
This is the code for the sentence I wrote above:
There are special characters in HTML to type a visible left (<) and visible right angle bracket (>) in a website. If I use the left and right brackets on my keyboard however, things will indeed <b>show up bold</b>.
Notice how all visible left angle brackets use an
< to show them?
These are called escape characters. They tell a system, in this case your web browser: “Hello! Please show me off! I don’t want to be hidden.”
Most of the time XSS attacks are done using poorly sanitized HTML
Sanitization is when a program (usually on the server side),
will remove characters like
< and replace them with the aforementioned “escape characters”.
Internally this would be something like
but they would show up to a user as
When inputs are not properly sanitized and the input is shown to the user in another part of the website, then a malicous user can type in HTML that will run whenever anybody tries to look at what they typed. For example: a name for a quiz website (input) and the leaderboard for said quiz (display).
HTML, by itself is not very dangerous. The worst thing you could do is probably put a link on your name, and then point it to a porn site. Make your name bold, italic. Maybe make the background a funny color. Although this may annoy your victim it is not dangerous security wise.
There is one tag however, that is scary…
<script> tag allows you to write code that can:
- Change the page contents.
- Redirect the user to a new page automatically.
- Get a user’s location.
- Open a user’s microphone/webcam.
- With the
srcattribute you can also load a script from another site. (This is XSS)
Those last two will ask for permission from the user (if their browser isn’t insanely insecure).
In my next article I’ll talk about a website I found which is vulnerable to this attack. And, show you how you can run your own XSS attack.