
XSS exploit example?

Posted: Tue Dec 04, 2007 12:47 pm
by alex.barylski
Particularly the type two variety... URL injection style, I guess.

As I understand it, href can be exploited inside an anchor like so:

Code:

<a href="?idx=<?php echo $idx; ?>&key=<?php echo $key; ?>">This is a safe link click me</a>
The $idx variable has been secured, having been cast to an integer somewhere in the system. The $key, however, is a plaintext string representing first or last names. Because of names like O'Brien we do not addslashes (this is done already in the model to prevent SQLi), and so the server side is secured; however, this opens a potential hole on the client side (XSS2) - or so I believed.

By not escaping/htmlspecialchars-ing the $key and allowing characters like single quotes, it's possible an attacker might try to halt the normal href sequence.

Code:

$key = "O'Brien"; // Expected input

Code:

<a href="?index=<?php echo $idx; ?>&<?php echo $key; ?>">Safe Url Click Me</a>
I have tried to change the URL to inject JavaScript, but have not been successful with the above URL starting with '?'.

The worst I can see happening is the attacker being able to add other GET name=value pairs, which should have no ill effect on the client. As for getting any JavaScript to execute... nothing.

So I ask, can someone show me how XSS exploits occur if the href is prefixed with a '?'?

I can see situations like the one below causing potential problems:

Code:

<a href="<?php echo $_SERVER['PHP_SELF']; ?>?idx=<?php echo $idx; ?>">Potential Problems</a>
But once an expected character sets the tone for the URL, I fail to see any exploits... so are URLs safe from XSS exploits if prefixed with a '?'?

Cheers :)

Posted: Tue Dec 04, 2007 1:40 pm
by arjan.top
I hope I understood you :)


Example:

Code:

$key = "\">Safe Url Click Me</a><script>alert('XSS')</script><a style=\"display:none\" href=\"hidden";

Posted: Tue Dec 04, 2007 1:50 pm
by alex.barylski
I'm not sure if you understood...

Where did the <script> tag come in??? :?

Posted: Tue Dec 04, 2007 1:53 pm
by arjan.top
I thought that $key is form input (expected input), so what is it?

Posted: Tue Dec 04, 2007 2:25 pm
by alex.barylski
EDIT: Ok thanks I got it figured out. Indeed XSS can be carried out even if the URL is prefixed with '?'...Cheers and thanks :D

Yes $key is unfiltered form data so it can be *anything* for the sake of this example.

Code:

<a href="?index=<?php echo $idx; ?>&<?php echo $key; ?>">Safe Url Click Me</a>
Given the above anchor...how would you inject an XSS attack?

Code:

$key = "\">Safe Url Click Me</a><script>alert('XSS')</script>";
Ok, I'm starting to see how <script> could be injected into the output... I'll try it and be right back :)
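
The breakout described in this thread, written out as an added example (this is not code from the thread or from any of its posters). It renders the anchor from the posts above twice, once with the raw echo the thread is asking about and once with the output encoded for both the query-string and the attribute context, and feeds each the expected name O'Brien and arjan.top's payload. The helper names render_link_vulnerable(), render_link_safe() and self_check() are hypothetical, and the inputs are constructed for the demonstration:

```php
<?php
// Added example, not code from the original thread. Hypothetical helper
// names: render_link_vulnerable(), render_link_safe(), self_check().
declare(strict_types=1);

/**
 * The pattern discussed in the thread: $idx is already an integer, $key is
 * echoed raw inside a double-quoted href. The leading '?' is irrelevant; the
 * first '"' in $key ends the attribute value and the parser is back in HTML,
 * where a <script> element is perfectly legal.
 */
function render_link_vulnerable(int $idx, string $key): string
{
    return '<a href="?index=' . $idx . '&key=' . $key . '">Safe Url Click Me</a>';
}

/**
 * Hardened version. The value passes through two contexts, so it needs two
 * encodings applied in order:
 *   1. http_build_query() (urlencode) for the query-string context, so that
 *      & = ? # inside a name stay data rather than delimiters;
 *   2. htmlspecialchars() with ENT_QUOTES for the attribute context, so that
 *      " ' < > & can neither close the attribute nor open a tag.
 * The browser undoes (2) when it parses the attribute and the server undoes
 * (1) when it populates $_GET, so $_GET['key'] is the original name again,
 * O'Brien included. Nothing here touches the database layer.
 */
function render_link_safe(int $idx, string $key): string
{
    $query = http_build_query(['index' => $idx, 'key' => $key]);
    return '<a href="?' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8')
        . '">Safe Url Click Me</a>';
}

/** True when the hardened output contains no tag that came from $key. */
function self_check(string $key): bool
{
    $safe = render_link_safe(42, $key);
    return strpos($safe, '<script') === false
        && substr_count($safe, '<a ') === 1;
}

// Constructed inputs: the expected name and the payload posted above.
$expected = "O'Brien";
$payload  = "\">Safe Url Click Me</a><script>alert('XSS')</script>"
          . "<a style=\"display:none\" href=\"hidden";

foreach (['expected' => $expected, 'attacker' => $payload] as $label => $key) {
    echo "== $label input ==\n";
    echo 'vulnerable: ', render_link_vulnerable(42, $key), "\n";
    echo 'hardened:   ', render_link_safe(42, $key), "\n";
    echo 'self-check: ', self_check($key) ? 'PASS' : 'FAIL', "\n\n";
}
```

Two things worth noticing in the output. The single quote in O'Brien never mattered for a double-quoted attribute; the breakout character is the double quote, and had the template used href='...' the name O'Brien itself would have terminated the attribute. And the hardened link contains &amp; rather than a bare &, which is the correct way to write a query string inside an HTML attribute; browsers decode it before following the link. The same attribute encoding fixes the $_SERVER['PHP_SELF'] variant from the first post.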

Posted: Wed Dec 05, 2007 7:29 am
by matthijs
This guy writes a lot about XSS, I'm sure there's a lot of good info there

Posted: Wed Dec 05, 2007 8:08 am
by superdezign
You know, harmful links that are examples of XSS are probably not going to be on your website, but on a malicious user's. As long as you filter and validate all user input and avoid printing any unfiltered input to the screen, you'll successfully evade XSS attacks.