I don't understand the risk of XSS

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

impulse()
Forum Regular
Posts: 748
Joined: Wed Aug 09, 2006 8:36 am
Location: Staffordshire, UK

I don't understand the risk of XSS

Post by impulse() »

I've read quite a few documents now and watched a video and I really don't understand how XSS is an issue. What I understand so far is that JavaScript is run in the client's browser to expose their cookies. But it also seems that a site hosting XSS can only reveal cookies for that particular domain, which the domain has access to anyway.

Am I confusing XSS in thinking that it's somehow possible to create a page that, when a user visits it, sends all of their cookies, including other domains' cookies, to another address?

E.g.:

1. Visit http://www.example.com/stealCookies.php
2. stealCookies.php fetches ALL cookies from the user's browser
3. stealCookies.php sends those cookies to the attacker.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: I don't understand the risk of XSS

Post by VladSun »

No, you can't steal cookies this way because you don't have access to cookies which do not belong to the example.com domain. You need to inject JavaScript code into the target domain, which, when executed in the browser, sends (usually by GET) the cookie content to a page in another domain (the attacker's domain).
Last edited by VladSun on Thu Jun 05, 2008 3:16 pm, edited 1 time in total.
There are 10 types of people in this world, those who understand binary and those who don't
impulse()
Forum Regular
Posts: 748
Joined: Wed Aug 09, 2006 8:36 am
Location: Staffordshire, UK

Re: I don't understand the risk of XSS

Post by impulse() »

So there are 2 example domains:

example1.com
example2.org

example1.com is an attacker's domain and example2.org is the domain an attacker wants to steal a user's cookies for. Would an attacker need to gain access to example2.org and host a file on there before XSS would work?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: I don't understand the risk of XSS

Post by VladSun »

Usually the XSS code is injected via unsanitized inputs/outputs on example2.org.
impulse()
Forum Regular
Posts: 748
Joined: Wed Aug 09, 2006 8:36 am
Location: Staffordshire, UK

Re: I don't understand the risk of XSS

Post by impulse() »

That makes a lot more sense. Before you said that, it seemed to me that the attacker had to gain unauthorized access to example2.org and host a rogue file on there.

Thanks,
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: I don't understand the risk of XSS

Post by Mordred »

XSS >> (even >>>>!) cookie stealing
(Hint: ">>" is the math notation for "much much greater")

It is generally an attack on the client. It exploits the trust the client has in the server. Leaking cookies to a third party is only one of the possible concerns. XSS can lead to / be used for defacing, phishing, as leverage to help CSRF, as a covert communication channel, for (D)DoS, etc. Persistent XSS in a multi-user site means lots of browsers under the control of the attacker, an instant botnet if you will.

It is a serious vulnerability, easy to make, easy for an attacker to discover, and potentially damaging to many parties.
impulse()
Forum Regular
Posts: 748
Joined: Wed Aug 09, 2006 8:36 am
Location: Staffordshire, UK

Re: I don't understand the risk of XSS

Post by impulse() »

So any website that uses cookies and doesn't validate user input is at risk?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: I don't understand the risk of XSS

Post by VladSun »

impulse() wrote: So any website that uses cookies and doesn't validate user input is at risk?

Any website that doesn't validate/filter/sanitize user input is at risk.
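The two answers above (script injected through unsanitized input/output on the target site, and "any site that doesn't sanitize is at risk") come down to one coding pattern. The following is an added example, not code posted in this thread or from any project mentioned in it. It assumes a hypothetical search page on example2.org that echoes a `q` query parameter back into the HTML; the function names `render_search_unsafe`, `render_search_safe`, `e` and `start_hardened_session` are made up for illustration, and the cookie settings rely on `session_set_cookie_params()` accepting an options array (PHP 7.3 or later).

```php
<?php
// Added example (not from the thread): why unsanitized output lets a visitor's
// input run as script in example2.org's origin, and the two defender-side fixes.
// Hypothetical page: /search.php?q=...  on example2.org.

declare(strict_types=1);

// VULNERABLE: the parameter is written straight into the page, so any markup
// sent in ?q= becomes part of example2.org's DOM and runs with its cookies.
function render_search_unsafe(string $q): string
{
    return "<p>Results for: " . $q . "</p>";
}

// HARDENED: escape for the HTML body/attribute context at the point of output.
// ENT_QUOTES covers both ' and ", ENT_SUBSTITUTE avoids returning an empty
// string on invalid bytes, and the explicit charset keeps the escaper and the
// page's declared encoding in agreement.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_safe(string $q): string
{
    return "<p>Results for: " . e($q) . "</p>";
}

// Damage limitation for the cookie-theft case discussed above: an HttpOnly
// session cookie is not readable from document.cookie, so injected script
// cannot simply read and forward it. This does NOT fix the injection itself;
// output escaping is still required.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,   // send only over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed sample input: harmless markup a visitor could be tricked into
// submitting. With the unsafe renderer the tag survives and the browser
// interprets it; with the safe renderer it is shown literally as text.
$sample = '<b>bold</b>';

header('Content-Type: text/html; charset=UTF-8');
echo render_search_unsafe($sample), "\n";  // <p>Results for: <b>bold</b></p>
echo render_search_safe($sample), "\n";    // <p>Results for: &lt;b&gt;bold&lt;/b&gt;</p>
```

The escaping belongs at output time and per context: `htmlspecialchars()` is correct for text and quoted attribute values, but a value placed inside a `<script>` block, a URL, or an event-handler attribute needs escaping for that context instead, which is why "validate input" alone (VladSun's point) is not enough.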