
I am just wondering about XSS attacks. Let's say I have a normal website, but it displays a few things based on $_GET variables. The website has no login system; all users can do is browse different pages which are dynamic. In this scenario, what is the worst someone can do?

A more important question to me though is this. Say my website is in my public_html folder, within its own folder. So the URL might look something like this:

www.mysite.com/siteA/index.php

Let's say that siteA is vulnerable to XSS. Now in the public_html folder, I have different sites and forms within their own folders. So I might have

www.mysite.com/siteB/index.php

If Site A is vulnerable, can they do anything with Site B?

Thanks

Nick Price
  • In one word: **very**. An exploit on one well-known, massively deployed router was done with XSS during 2014, which basically defeated all security measures and made a router that was completely blocked for external access by the firewall controllable by an attacker on the internet. – Damon Feb 10 '16 at 19:15

3 Answers


XSS is not an attack on your application; it is an attack on your application's users. As a rule, there is no specific threat to the server itself from XSS.

As you have a fairly simple application, you don't suffer from some of the more prominent issues XSS generally creates, like stealing authentication tokens and executing site functionality maliciously. However, that doesn't mean that you aren't at risk at all.

The biggest remaining threat is that of a watering hole attack. That is, your site can now be used as a vector to attack users who trust it. If your site is susceptible to reflective XSS, then an attacker can craft links that are legitimately for your site, that your users will trust, but when they use them to access your site, the XSS will inject malware into their systems.

This isn't as much of an issue any more, with the introduction of XSS protection in major browsers, but I wouldn't rely on this alone to protect your users. Escape user input that is reflected back in order to prevent XSS in the first place.

Xander

  • If it's persistent XSS, the attacker is able to deface/edit your website. Ain't that an attack on your application then? – O'Niel Feb 10 '16 at 17:12
  • @O'Niel No, because it still wouldn't harm the application. It's still an attack on the users, albeit an attack that *uses* the application. Persistent or reflective, it could potentially be escalated to an attack on the application if you can use the attack to, say, steal an administrator's authentication cookie, but that is a secondary effect. – Xander Feb 10 '16 at 17:18
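Xander's closing advice (escape reflected input), as an added example that is not code from the answer or the asker's site: a Python stand-in for a $_GET-driven page with a hypothetical `page` parameter and constructed sample URLs, showing verbatim reflection beside the HTML-escaped version plus a check that flags the verbatim case. `html.escape(..., quote=True)` plays the role of PHP's `htmlspecialchars($s, ENT_QUOTES, 'UTF-8')`.

```python
import html
from urllib.parse import urlparse, parse_qs

# Page skeleton for a dynamic page like siteA/index.php. The reflected value
# lands in two HTML contexts: element text and a single-quoted attribute.
PAGE_TEMPLATE = (
    "<html><body><h1>Viewing: {title}</h1>"
    "<a href='?page={link}'>reload</a></body></html>"
)

# Constructed sample URLs (hypothetical "page" parameter, not from the post).
# The first carries harmless markup, the second a single quote.
SAMPLE_MARKUP = "https://www.mysite.com/siteA/index.php?page=%3Cb%3Enews%3C%2Fb%3E"
SAMPLE_QUOTE = "https://www.mysite.com/siteA/index.php?page=it%27s"


def page_param(url: str) -> str:
    """Return the first 'page' query value, the way $_GET['page'] would."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return qs.get("page", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter verbatim into both contexts (the bug)."""
    value = page_param(url)
    return PAGE_TEMPLATE.format(title=value, link=value)


def render_escaped(url: str) -> str:
    """Encodes the parameter for its HTML context before reflecting it.
    quote=True also rewrites " and ', which the attribute context needs."""
    value = page_param(url)
    safe = html.escape(value, quote=True)
    return PAGE_TEMPLATE.format(title=safe, link=safe)


def reflects_verbatim(render, url: str) -> bool:
    """Defender's check: True if a parameter containing HTML-significant
    characters reaches the rendered page unchanged."""
    value = page_param(url)
    return any(c in value for c in "<>\"'&") and value in render(url)


if __name__ == "__main__":
    for url in (SAMPLE_MARKUP, SAMPLE_QUOTE):
        print("vulnerable reflects verbatim:", reflects_verbatim(render_vulnerable, url))
        print("escaped reflects verbatim:   ", reflects_verbatim(render_escaped, url))
```

Escaping must match the output context; a value placed inside a `<script>` block or a URL needs a different encoder than the HTML one shown here.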

If you're vulnerable to XSS, the attacker can execute any code you could. He could steal (session) cookies, edit the DOM and craft a phishing page, hook the BeEF framework on victims, ... And because you're using GET, he could craft the URL and its parameters to include the malicious payload and send it to anyone. Anyone opening that link then executes the malicious script.

Read this doc for a lot of info and examples.

Also note there are different kinds of XSS.

  • Persistent: Occurs when you, for example, store user input in a database to display it later (chats, forums, ...). This way the attacker can inject his payload and it stays there until found by the webmaster.
  • Non-persistent: Not saved. Only executed in that session. Often by putting the payload into URL parameters. Loading a URL with those parameters = triggering the payload.

> If Site A is vulnerable, can they do anything with Site B?

Because it's under the same domain, I guess the browser sees your 'different' websites as one. So via A cookies of B can be stolen. But don't pin me on that.

O'Niel

There is an XSS exploitation framework called BeEF which allows for a number of different types of attacks once a "hook" can be placed using XSS (or other means). It displays a list of hooked browsers and then gives an attacker a number of different ways to attack them.

Some of these attacks include phishing for Gmail usernames/passwords using very convincing (but fake) login screens, prompting users to download what would appear to be legitimate software updates that are really malware payloads, and a number of other attacks. So while there might not be a lot of attacks against your particular site, your site could potentially be used to launch attacks against your users' other accounts and personal machines.

You can see an interesting demonstration video here.

Abe Miessler