The basics of Cross-site Scripting (XSS) – 10 minute mail

A lot can go wrong on the Internet, and XSS is without a doubt one of the most common web security issues we see today. Without going too in-depth, there are three kinds of XSS, ranked by impact, starting with the worst:

  1. The persistent XSS – The attacker injects script code into your site permanently, and every user who views the page where the script was injected executes it. An example of this kind of XSS is the Samy worm, which exploited MySpace through a persistent XSS.
  2. The reflected XSS – The attacker forges a link that injects script code which then executes from your website. This is also the most common type of XSS and is often used by spammers or others with malicious intent. With it an attacker could rewrite the HTML to look like the login page of the vulnerable site, fooling the user into handing over their credentials (also known as phishing).
  3. The Self-XSS – This kind of XSS needs user interaction, meaning the attacker must trick the user into executing the script themselves. For example, the attacker could present a link labelled “close page”, and when the user clicks it the script runs. This kind of XSS is very similar to the reflected XSS, but the need for user interaction makes it harder for the attacker to get the script to run.

What can we do to protect ourselves against attacks like this?

Some popular browsers actually have built-in protection against reflected XSS and, to some extent, Self-XSS. Other browsers have plugins that help with XSS issues, like NoScript.

Disposable mail checks your web app for a range of XSS vulnerabilities. Sign up for our 14-day free trial to run a scan and see if your site is vulnerable.


Got questions? Tweet us at @detectify or shoot an email to [email protected]! You can also read more XSS articles and updates for examples, explanations, and remediation tips.


By: Mathias Karlsson


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

How I hacked Facebook and received a $3,500 USD Bug Bounty – 10 minute mail

Find out how our Security Researcher Frans Rosén hacked Facebook and found a stored XSS for which he received a bug bounty reward. 

I recently found a Stored XSS on Facebook, which resulted in a Bug Bounty Reward. If you want to know how an XSS could be exploited, you can read my colleague Mathias’ blog post about it. Anyway, here’s how it went down.

I was actually working on finding flaws on Dropbox to begin with. I noticed that when using their web interface there were some restrictions on what filenames were allowed. If you tried to rename a file to, for example:

'">.txt

it was not possible. You got this error:

[Screenshot: error message]

But if you instead connected a local directory, created a file there and synced it, the file ended up inside Dropbox without any problems. Using this method I was able to find two issues with their notification messages showing unescaped filenames. I reported these issues to Dropbox, they patched them really fast and I was placed on their Special Thanks page for the responsible disclosure.

It didn’t end here. As I was testing this stuff on Dropbox, I also tried to figure out how this issue could be connected with other services. I noticed their Facebook connection and got curious about how it worked. It turned out that they had a pretty nice function going on there:

“Dropbox has teamed up with Facebook so that you can do cool things like add files from Dropbox to your Facebook groups or send shared folder invitations to your Facebook friends.”

Nice! I created a group, and found the connection using the “Add File” icon on the Group wall:

[Screenshot: FB Add File]

I selected the file that I synced to Dropbox, it was called: '">.txt and shared it. Nothing awesome happened except the file being shared.

But then, I clicked the Share-link on the entry.
[Screenshot: Shared link stored XSS]

BAM! The title of the entry was not escaped correctly and I was able to get the Stored XSS triggered. By using the files in my Dropbox I could inject script code that was executed on Facebook.com.

I reported this to Facebook directly using their Whitehat Vulnerability Reporting system, told them it was an urgent issue and explained how I managed to get it executed. At that time the issue only affected the Share-popup inside the Group page and could only be triggered by user interaction; serious or not, it was clearly not affecting all users on Facebook.

At the same time I started looking on the URL of this Share-popup:
https://www.facebook.com/ajax/sharer/?s=44&appid=210019893730&p%5B0%5D=entry_id&p%5B1%5D=user_that_shared_it_first
This URL did not work if you tried it stand-alone. That was good: the XSS issue looked like it could only be triggered by user interaction. But then I started googling and found that you were able to create a Share-URL by using this format: https://www.facebook.com/sharer/sharer.php?

So I changed my URL to that format:
https://www.facebook.com/sharer/sharer.php?s=44&appid=210019893730&p%5B0%5D=entry_id&p%5B1%5D=user_that_shared_it_first

BAM again! If you were logged in to Facebook, the code was executed as soon as you visited the link. Bad. Really bad. I emailed Facebook again, explaining that you could actually trigger the XSS just by visiting a link.

I was also trying out if I could get other services to behave in the same way. Dropbox and Facebook had this special connection, so I was curious if this issue was isolated or if I could reproduce it by using another service.

Went to Pinterest. Created a Pin named:

'">

and shared it on Facebook using my test account. I pressed the Share button on it:

[Screenshot: Share Button stored XSS]

I was amazed – it had the same issue.

Facebook replied to me, asking me how I was able to place the files on Dropbox with that filename. I explained how this was done and also told them that the service that you shared from didn’t matter, it was a general issue with the escaping that created a vulnerable vector on the Share-page.

They responded and said that it was indeed the same issue and they should look into it ASAP.

In the meantime, I tried the link on different devices. My iPhone could not get the XSS executed. As soon as I visited the page, I was redirected to https://m.facebook.com and that page did not have the same issue. But I also realized that you could force Facebook to skip the redirect by using a parameter called m2w, so if I appended that to the URL:
https://www.facebook.com/sharer/sharer.php?s=44&appid=210019893730&p%5B0%5D=entry_id&p%5B1%5D=user_that_shared_it_first&m2w
I was able to trigger the URL on both mobile devices and on desktop. Another email to Facebook.

One day after that I noticed that the POC-link did not work anymore; it was finally patched. I told them I could not reproduce it anymore and that it looked like it was fixed.

One day later I got this email:
[Screenshot: email from Facebook to Frans Rosén]

Nice one!

Timeline:

  • Initial report and the POC-link executing the XSS just by visiting: Dec 22
  • Explained the Dropbox-syncing and extended the scope regarding services and devices: Dec 27
  • Vulnerability fixed: Dec 28
  • Received message about the Bug Bounty: Dec 29

Frans Rosén, Security Advisor

 


Disposable mail is a fully automated web security scanner created by some of the world’s best ethical hackers. Give our free trial a whirl and check your website for vulnerabilities like Cross-site scripting »



New vulnerability findings: Joomla, JBoss, Jenkins and others! – 10 minute mail

During the past month, a great deal has happened in the web security landscape, and we have added a ton of new findings to the service. Some of these findings come from other security companies’ public disclosures, whilst others are the results of internal audits of responsible disclosure programs.

Jenkins & JBoss remote code execution

We have added checks for the Jenkins and JBoss remote code execution vulnerabilities that were disclosed on November 6. Both vulnerabilities involve the deserialization of arbitrary Java objects, which leads to remote code execution. If you have a vulnerable configuration, an attacker will be able to gain remote access to your system. If you run either Jenkins or JBoss and have missed this news, we urge you to get another report ASAP.

Critical SQL injection vulnerability in Joomla!

A check for the Joomla! SQL injection vulnerability (as discovered by Trustwave) has been added to the service. If you have an unpatched version of Joomla! (ranging from version 3.2 through 3.4.4), you are at risk of having your database leaked and disclosed online. If you know you’re affected, upgrade immediately; otherwise grab another report to see if you’re vulnerable.

Multiple vulnerabilities in Ganglia

Added checks for vulnerabilities in the Ganglia Monitoring System used for clusters and grids. It may be wise not to expose this service to the Internet.

Source code disclosure for Ruby applications

Added the ability for the service to detect Ruby-based source code disclosures. If your server is configured in such a way that it cannot properly handle Ruby files, the content of those files may leak. The source code of your application contains all of its business logic and is hence highly critical.

Enhanced checks for Git-based projects

Git disclosures are bad. We’ve added further methods to find and analyze the content of publicly accessible Git projects. Remember to never add database dumps, config files or pem-files to your Git repositories. A slip-up in your setup may disclose very sensitive data. If that happens and we spot it, we’ll mark the finding as Critical.

Findings regarding IDE metadata

New checks for common files generated by the editors Eclipse and IntelliJ IDEA (including PhpStorm). Depending on how you use these tools, they may generate files containing sensitive data. These files should not reach your production environments, as they may leak information (such as database credentials, commit messages, code changes and file paths).

Settings disclosure through /.env

Added a check for /.env. If publicly accessible, it may contain system-critical information such as database credentials and API keys.

New check for the version control system Mercurial

Added a Mercurial information disclosure finding (for the few who still use it).

Further findings for PHP misconfigurations

(Notice) It’s not uncommon for DevOps to configure and tweak PHP. Sometimes mistakes slip through. We have added checks for publicly exposed php.ini and error_log files.
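The Git, IDE metadata, /.env, Mercurial and PHP items above all describe the same failure: a file that belongs to development or operations ends up in the published web root. As an added example (not the scanner's own code, and not from the original post), the following Python script approaches that from the defender's side: instead of probing a live site from outside, it walks a deployment directory before it is published and flags exactly those artefacts (.git and .hg directories, .env, php.ini, error_log, Eclipse and IntelliJ metadata, .pem files and SQL dumps). The name lists, the severities and the function names are my own assumptions drawn from the categories above; build_sample_webroot() creates a constructed sample tree so the script runs offline.

```python
"""Pre-deploy audit of a web root for artefacts that should never be published.

Added example, not the scanner's own code. The name lists, severities and
function names are my own assumptions drawn from the categories in the post.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Directories whose mere presence is a finding (walking stops at them).
RISKY_DIRS = {
    ".git": ("critical", "Git repository: history, config and any committed secrets"),
    ".hg": ("critical", "Mercurial repository"),
    ".idea": ("high", "IntelliJ IDEA / PhpStorm metadata"),
    ".settings": ("high", "Eclipse workspace settings"),
}
# Exact file names.
RISKY_FILES = {
    ".env": ("critical", "environment settings: database credentials, API keys"),
    "php.ini": ("high", "PHP configuration"),
    "error_log": ("high", "PHP error log: paths, queries, stack traces"),
    ".project": ("medium", "Eclipse project file"),
    ".classpath": ("medium", "Eclipse classpath file"),
}
# File suffixes.
RISKY_SUFFIXES = {
    ".pem": ("critical", "PEM key or certificate"),
    ".sql": ("critical", "database dump"),
    ".iml": ("medium", "IntelliJ module file"),
}

Finding = Dict[str, str]


def audit_webroot(root: str) -> List[Finding]:
    """Walk `root` and return one finding per risky directory or file,
    with paths relative to the root and sorted for stable output."""
    base = Path(root)
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(base):
        rel_dir = Path(dirpath).relative_to(base)
        for name in list(dirnames):
            if name in RISKY_DIRS:
                severity, reason = RISKY_DIRS[name]
                findings.append({"path": (rel_dir / name).as_posix(),
                                 "severity": severity, "reason": reason})
                dirnames.remove(name)  # no need to descend into it
        for name in filenames:
            hit = RISKY_FILES.get(name) or RISKY_SUFFIXES.get(Path(name).suffix.lower())
            if hit:
                severity, reason = hit
                findings.append({"path": (rel_dir / name).as_posix(),
                                 "severity": severity, "reason": reason})
    findings.sort(key=lambda f: f["path"])
    return findings


def build_sample_webroot() -> str:
    """Create a constructed sample deployment tree in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (root / ".env").write_text("DB_PASSWORD=sample-only\n")
    (root / ".idea").mkdir()
    (root / ".idea" / "workspace.xml").write_text("<project/>\n")
    (root / "backup").mkdir()
    (root / "backup" / "dump.sql").write_text("-- constructed sample dump\n")
    (root / "index.php").write_text("<?php echo 'hello';\n")
    return str(root)


if __name__ == "__main__":
    for finding in audit_webroot(build_sample_webroot()):
        print(f"[{finding['severity']:8}] {finding['path']}: {finding['reason']}")
```

Run it against the directory you are about to publish (`audit_webroot("/var/www/html")`, for instance) as a CI step and fail the deploy on any finding; the point of doing it before publication is that a scanner, ours or anyone else's, never gets the chance to find the file from outside.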

As well as all of the above, new findings for Jetty, TravisCI and a ton of other systems have been added. To summarize, a large number of new vulnerabilities to look out for.

What are you waiting for? Go hack yourself!

Fredrik Nordberg Almroth
Co-Founder Disposable mail
@almroot



What is Cross-site Scripting (XSS) and how can you fix it? – 10 minute mail

Cross-site scripting (XSS) is a type of attack that can be carried out to compromise users of a website. The exploitation of an XSS flaw enables attackers to inject client-side scripts into web pages viewed by users. Listed as one of the OWASP Top 10 vulnerabilities, XSS is the most common vulnerability submitted on the Disposable mail Crowdsource platform and therefore a security risk our tool continually checks for.


Cross-site scripting: What can happen?

The attacker may:

  • gain access to users’ cookies, session IDs, passwords, private messages, etc.
  • read and access the content of a page for any attacked user and therefore all the information displayed to the user
  • compromise the content shown to the user

A notable XSS attack was the Tweetdeck XSS worm published in 2014. It allowed the attacker to spread his malicious payload to all Tweetdeck users via Twitter, hence causing a mass compromise of Twitter accounts.

Example of Cross-site scripting (XSS)

To show how the vulnerability works, let’s look at an example. Say you have a search box on your site. If there is no result, the site should say “Could not find any pages when searching for [what the user searched for].”.

Doing this in PHP it might look something like this:

This would, in other words, output the user-supplied data (the search query) straight into the HTML document. If the search query contains HTML, the user’s web browser will render it. Imagine an attacker sends a link like the following to a victim:

http://example.com/search.php?query=

This would make the victim search for:

 

Since there is no validation of the data, the target browser will render:

Could not find any pages when searching for 

The injected HTML will be executed. The HTML contains a script tag which will evaluate JavaScript. The JavaScript will grab the user’s cookie and send it off to a third-party domain under the attacker’s control. The attacker will then be able to set their own cookie to the victim’s stolen one, hence gaining access to the victim’s data. This is a common example of a privilege escalation attack by means of cross-site scripting and session riding.

Cross-site scripting Remediation

The remediation of XSS vulnerabilities is heavily context-dependent and the patches vary. Here are some general tips (where UNTRUSTED marks user-supplied data).

HTML Body

Example

UNTRUSTED

Solution
Convert to HTML entities (i.e. & to &amp;, etc.).
See PHP htmlspecialchars()

HTML Attributes

Example


Solution
Convert the untrusted user input to HTML entities to prevent the creation of other attributes, and never let any user data into the “id”, “class” or “name” attributes. Be very cautious when placing user data into DOM event handlers (e.g. onclick), as they are made to execute JavaScript.

Untrusted URL

Example

link
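An added example (not from the original article) that carries the search-page scenario and the three remediation contexts above through in working code. The article's snippet is PHP; this is a Python equivalent in which html.escape() stands in for htmlspecialchars(), the function names are my own, and the two payloads are constructed sample input. It also shows why the URL context is different: a javascript: URL contains nothing for entity encoding to escape, so the href has to be checked against an allow-list of schemes (my own assumption) before it is encoded.

```python
"""Contextual output encoding for the article's search page.

Added example, not code from the original article. html.escape() plays the
role of PHP's htmlspecialchars(); every function name here is my own.
"""
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample inputs: a script injection for the body context and an
# attribute break-out for the attribute context.
SCRIPT_PAYLOAD = "<script>alert(1)</script>"
ATTRIBUTE_PAYLOAD = '" onmouseover="alert(1)'

# Schemes allowed in an href built from untrusted input (my own allow-list).
SAFE_SCHEMES = {"http", "https"}


def render_not_found_vulnerable(query: str) -> str:
    """The article's vulnerable pattern: untrusted data concatenated into HTML."""
    return f"<p>Could not find any pages when searching for {query}.</p>"


def render_not_found_safe(query: str) -> str:
    """HTML body context: ampersand, angle brackets and both quote characters
    become entities, so the browser shows the query as text instead of markup."""
    return f"<p>Could not find any pages when searching for {html.escape(query, quote=True)}.</p>"


def render_input_safe(query: str) -> str:
    """HTML attribute context: always quote the attribute and entity-encode the
    value, so a double quote in the input cannot close the attribute and add a
    new one (such as an onmouseover handler)."""
    return f'<input type="text" name="query" value="{html.escape(query, quote=True)}">'


def safe_href(url: str) -> Optional[str]:
    """URL context: entity encoding does not stop javascript: URLs, because
    they contain nothing to escape. Check the scheme against an allow-list
    first, then encode for placement inside an href attribute."""
    candidate = url.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return html.escape(candidate, quote=True)


def render_link_safe(url: str, text: str) -> str:
    """Emit a link only when the URL passed safe_href(); otherwise keep the
    link text and drop the link."""
    href = safe_href(url)
    label = html.escape(text, quote=True)
    if href is None:
        return label
    return f'<a href="{href}">{label}</a>'


def contains_script_tag(rendered: str) -> bool:
    """Crude check used to show the difference between the two renderers."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("vulnerable:", render_not_found_vulnerable(SCRIPT_PAYLOAD))
    print("escaped:   ", render_not_found_safe(SCRIPT_PAYLOAD))
    print("attribute: ", render_input_safe(ATTRIBUTE_PAYLOAD))
    print("link:      ", render_link_safe("javascript:alert(1)", "link"))
```

The design point is that the encoder is chosen by where the data lands, not by what the data looks like: the body and attribute contexts use the same entity encoder (and the attribute is always quoted so the encoder is sufficient), while the URL context needs a scheme check that no amount of encoding replaces. In a real application the equivalent of these calls belongs in the template engine's auto-escaping rather than in hand-written concatenation.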


This article was updated on 7 August 2018.
