Cross-site scripting (XSS) demo

The following example demonstrates a cross-site scripting attack that manipulates a website to display the content of a stored cookie. Instead of just displaying the cookie (which isn’t very harmful by itself), the approach could be used to send the cookie to some third-party server. Here, the stolen cookie could be used, for instance, to impersonate the original owner.

Imagine that the page being attacked is a simple login page: on the first visit, it asks the user to enter a credential, which it keeps in a cookie. Upon loading, the page checks whether the cookie is present; if the cookie is not found, the user is prompted to enter the credential, which is then stored as the cookie’s value. When the user presses the “Login” button, the secret value from the cookie is submitted to a target page for login (the target page is omitted in this demo; the value is just sent to the login page itself).

Try out the login page and inspect its source code: Login

The goal of the attacker is to access the cookie which stores the secret value. To do this, the attacker must be able to insert JavaScript code into a webpage that is hosted on the same domain as the login page. Because JavaScript’s security model is based on a same-origin policy, the inserted code is executed with the same privileges that the user has granted to the attacked site.

In this scenario, the attacker succeeds in manipulating another page to include a link to the login page, plus some additional JavaScript code that mounts the actual attack. Such code injections become feasible, for instance, when web pages allow users to post messages that are not properly checked for embedded code before being rendered.

Here, clicking on the manipulated link activates a JavaScript function that loads the actual login page in a separate window. At the same time, it binds another function (here: “displaybox”) to the event that is triggered when the user presses the “login” button. To the user, the login page reached through the manipulated link appears unaltered (and it is; check out its source code!).

Try out the “attacked” page and open the login page through the embedded link (to see what’s going on, inspect its source code): XSSed site.

When the login page is reached through the manipulated link, clicking the login button triggers an alert box showing the secret stored in the cookie. While this is just for fun, it is easy to replace the alert box with some other function that sends the obtained secret to another server, where it is picked up by the attacker.
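The two weaknesses the demo relies on are that posted messages are placed into a page without encoding (so injected script runs) and that the credential cookie is readable from script. The following Node.js snippet is an added example, not code from the demo pages above: it shows the unsafe rendering beside an output-encoded version, a `Set-Cookie` builder that marks the cookie `HttpOnly`/`Secure`/`SameSite` so `document.cookie` cannot expose it, and a crude check for active content in rendered HTML. All function names, the cookie name and the sample message are assumptions made for this illustration.

```javascript
// Added example (not part of the original XSS demo). Function names, the
// cookie name "secret" and the sample message are constructed for illustration.

// 1. Output-encode user-supplied text before placing it in HTML, so a posted
//    message that contains markup is displayed as text instead of executed.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")   // must come first so later entities are not doubled
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: user content is concatenated into the page as-is.
function renderMessageUnsafe(author, body) {
  return `<p><b>${author}</b>: ${body}</p>`;
}

// Hardened rendering: every user-controlled fragment is encoded first.
function renderMessageSafe(author, body) {
  return `<p><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</p>`;
}

// 2. Issue the credential cookie with HttpOnly (not readable through
//    document.cookie), Secure (sent over HTTPS only) and SameSite (not sent
//    on cross-site navigations). Script that still manages to run on the
//    origin then cannot read the secret.
function buildSetCookie(name, value, opts = {}) {
  const {
    httpOnly = true,
    secure = true,
    sameSite = "Strict",
    maxAge = 3600,
  } = opts;
  const parts = [`${name}=${encodeURIComponent(value)}`, `Max-Age=${maxAge}`, "Path=/"];
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// 3. Crude review-time check over rendered output: does a raw <script tag or
//    an inline on*= handler attribute survive inside a tag? Encoded content
//    no longer contains a real "<", so it cannot match.
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /<[^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample: a posted message that carries markup and an event handler.
const sampleAuthor = "mallory";
const sampleBody = '<script>alert("x")</script> <b onmouseover="x()">hi</b>';

function demo() {
  console.log("unsafe :", renderMessageUnsafe(sampleAuthor, sampleBody));
  console.log("safe   :", renderMessageSafe(sampleAuthor, sampleBody));
  console.log("cookie :", buildSetCookie("secret", "s3cret value"));
}

demo();
```

The encoded rendering shows the message text verbatim on the page, so the demo’s injected function would never be bound; the `HttpOnly` attribute is the second, independent layer that keeps `document.cookie` from revealing the secret even if some other injection point is missed.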


Credits: