Thursday, July 5, 2012

Simple Ship Movement using OpenLayers

Tuesday, July 3, 2012

Cross Site Scripting (XSS)

So far, when developing a web app, Firefox has been my default browser. However, some clients only have Internet Explorer installed on their machines, IE 6 to be precise, with no update/patch since Windows XP was first installed. No, I was joking, but it's true that for some reason some people don't want to update their browsers. Anyway, since IE 6 is quite old, it is vulnerable to Cross Site Scripting (XSS) attacks.


Suppose I have the URL shown above. When a user changes any of the parameters to <script>a, several scenarios can occur. As we can see, two parameters are passed in the URL: method and tab. The scenarios are:
  1. Changing the method parameter to any string, including <script>a. This throws a Servlet NoSuchMethodException, since Struts uses the method parameter to choose which action method to fire, so this is not an XSS case.
  2. Changing the tab parameter to any value, including <script>a. This makes the script execute and an alert with the message a is displayed, so it is an XSS case.
  3. Adding any other parameter. This does not cause any harm, since the parameter is not processed.
So basically the problem is with the tab parameter. What does tab do? It is used to choose which element is decorated.


The value of the tab parameter is assigned to activeTab, and activeTab is then used to get an element by id. Since the value of tab has been changed to <script>a, it is executed first and makes the alert pop up.


We can overcome this by replacing any character "that is not supposed to be passed" as shown above. Here is the complete code:
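
The replacement approach described above, as an added example that is not the original post's code. The tab ids, the default tab, the function names and the sample query strings are assumptions; the final check against known ids goes one step beyond the character replacement the post describes.

```javascript
'use strict';

// Hypothetical ids of the tab elements the page renders (assumption).
const TAB_IDS = new Set(['general', 'detail', 'history']);
const DEFAULT_TAB = 'general';

// The post's approach: remove every character that is not supposed to be
// passed. An element id here only needs letters, digits, '_' and '-'.
function stripUnexpected(value) {
  return String(value).replace(/[^A-Za-z0-9_-]/g, '');
}

// Stricter step: after stripping, accept the value only if it names a tab
// that exists. Anything else falls back to the default tab.
function resolveActiveTab(rawTab) {
  if (rawTab === null || rawTab === undefined) {
    return DEFAULT_TAB;
  }
  const cleaned = stripUnexpected(rawTab);
  return TAB_IDS.has(cleaned) ? cleaned : DEFAULT_TAB;
}

// Read the tab parameter from a query string. URLSearchParams decodes
// percent-encoding, so encoded markup is seen in its decoded form.
function activeTabFromQuery(queryString) {
  const params = new URLSearchParams(queryString);
  return resolveActiveTab(params.get('tab'));
}

// Constructed sample query strings (not taken from the post).
const samples = [
  '?method=view&tab=detail',
  '?method=view&tab=%3Cscript%3Ea',
  '?method=view',
];
for (const qs of samples) {
  // In the page, the result would be passed to document.getElementById().
  console.log(qs, '->', activeTabFromQuery(qs));
}
```

The resolved value is only ever used as an element id, so the untrusted string never reaches markup or script context.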


 
