
Consider the following URL http://mysite.com/form?date=x. Suppose that if x is in an incorrect format, that a page is returned with <p>x is not a valid date</p>, where the page author has forgotten to escape the variable x. Assume that x is properly escaped in all other locations.

It is possible to create a malicious link that could insert arbitrary Javascript with access to the user's credentials. What if the site required a POST rather than a GET? Would there be a way to exploit this security hole?

UPDATE: Changed the situation to be more realistic and removed irrelevant references to clickjacking

Casebash

3 Answers


Clickjacking is an attack which tricks the user to click on something he is not aware of. It is usually done by loading the attacked page into a transparent iframe. This iframe is scrolled to the correct location and kept below the mouse pointer.

A function that is often attacked by Clickjacking is the Facebook like-button.

While clickjacking does work for POST, a simple attack does not allow the attacker to manipulate the URL or form parameters.

Cross site request forgery is the name for the attack that uses the vulnerable site as target of a form on the attacker site. This form can be totally invisible and submitted via JavaScript automatically. All common browsers will include the session cookie for the target site in the request.

Cross site request forgery attacks are prevented by adding a hidden form field with a random value. Unless there are other vulnerabilities a CSRF attack is done blindly, so the attacker cannot read that hidden value.

In your case, even if the form is protected with a random CSRF prevention token, you should still fix the cross site scripting bug because there may be other vulnerabilities. Attackers can be very creative in combining minor vulnerabilities into a full exploit.

Hendrik Brummermann

You don't need clickjacking. Frankly, I don't understand why you are asking about clickjacking; it doesn't seem relevant.

This is a bog-standard XSS vulnerability, and once a site has a XSS vulnerability like this, the site's security is lost. If the site has a XSS vulnerability, clickjacking is hardly relevant (there is no reason for attackers to bother with clickjacking).

It's still just as vulnerable, if the site requires it to come as a POST. For example, the attacker can construct a form and use Javascript to automatically submit it.

Your best bet is probably to do a little background reading about XSS (cross-site scripting).

D.W.
<form method=POST action=http://vulnerablesite.com/>
  <input type=hidden name=q value=evil-content>
</form>

<script>document.forms[0].submit()</script>

will reload the page to content from a cross-site POST that includes arbitrary POST parameters without any interaction from the user -- the attacker need only be able to get the user to load a page they control.

You asked if "it is possible to create a malicious link that could insert arbitrary Javascript". Yes, in the example you presented the form would look like this:

<form method=POST action=http://mysite.com/form>
  <input type=hidden name=date value="&lt;script&gt;alert(1)&lt;/script&gt;">
</form>
<script>document.forms[0].submit()</script>

Creating such a webpage and directing users to this malicious link would send <script>alert(1)</script> as the date parameter value. If that is not escaped properly (like you mentioned in the question), you've just exploited the simplest form of XSS vulnerability.

Krzysztof Kotowicz
Mike Samuel
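The bug the question describes, and the fix the answers point to, side by side. This is an added example, not code from any of the answers: a hypothetical server-side renderer for the `date` parameter, with the error path once reflecting the raw value and once passing it through `html.escape()`. The request method is irrelevant here, since a GET query string and an auto-submitted POST body both reach the same renderer.

```python
import html
from datetime import date

# Constructed payload: the value the auto-submitted form in the last answer
# sends as the "date" parameter.
XSS_PAYLOAD = "<script>alert(1)</script>"


def parse_date(value):
    """Return a date for an ISO-formatted value, or None if it is malformed."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def render_vulnerable(value):
    """Reproduces the bug from the question: the error path reflects raw input.

    Whether `value` arrived via GET or POST makes no difference; once it is
    concatenated into markup unescaped, the browser executes any tag in it.
    """
    parsed = parse_date(value)
    if parsed is None:
        return "<p>" + value + " is not a valid date</p>"  # unescaped: reflected XSS
    return "<p>Date accepted: " + parsed.isoformat() + "</p>"


def render_fixed(value):
    """Same logic, but every reflected value is HTML-escaped before output."""
    parsed = parse_date(value)
    if parsed is None:
        return "<p>" + html.escape(value, quote=True) + " is not a valid date</p>"
    return "<p>Date accepted: " + parsed.isoformat() + "</p>"


def contains_script_tag(markup):
    """Crude detection check: does the rendered output carry a live <script> tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(name, "->", render(XSS_PAYLOAD))
```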