Page 55 - Cyber Warnings
For non-persistent attacks, the attacker doesn’t need to make any change to the site’s stored content.


Search engines are frequently used as an example for describing non-persistent XSS attacks,
but it can happen with all sorts of sites. When data is submitted to a search engine, it’s usually
passed to the server via the URL query string.


Look at this URL from Flickr:


http://www.flickr.com/search/?q=sad%20puppy


The part following “?” is the query string. If you click it, you’ll notice that Flickr fills in the search
box with the search query. You can probably see where I’m going with this.

In the same way that it was possible to inject JavaScript in the blog’s comment section, with our
hypothetical search engine, we’d be able to do the same thing by crafting a URL with our script
embedded into it.
Of course, that won’t work with Flickr, because it sanitizes its inputs. Many sites do not, or do
not do it properly.
Once an attacker has crafted their URL, they can simply email it to their victims, share it on
social media, or send an instant message.

The target clicks the link, goes to the page, their browser runs the injected code, and will then
happily send whatever information the attacker has requested.
As you can see, XSS attacks are, in theory, fairly simple to avoid by sanitizing inputs, but it’s not
quite so simple in practice.

In order to let users enter content, they have to be given some degree of latitude.
Hackers can be fiendishly smart, and they are dedicated to exploiting every chink in the armor. It
only takes a small bug or oversight in the sanitization code to give them the access they need.
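The search-box reflection described above, reduced to code. This is an added example and not code from the article or from Flickr; the function names and the second sample URL are assumptions made for the demonstration. The unsafe renderer behaves like the hypothetical search engine in the text (it copies the `q` parameter straight into the page), while the hardened one encodes the value at the point where it is written into HTML, which is the control that holds up even when input sanitization has a gap. The encoder shown covers only HTML element content and double-quoted attribute values; a value placed inside a script block, a URL or a CSS rule needs an encoder for that context.

```javascript
// Added example (not from the original article): a tiny search-results page
// renderer in two variants. The "q" query-string value is reflected into the
// HTML exactly as the article describes for a search box. All names here are
// assumptions chosen for this demonstration.

// Extract a query-string parameter the same way a server would (percent-decoded).
function getQueryParam(url, name) {
  return new URL(url).searchParams.get(name) || "";
}

// Encoder for text placed inside HTML element content or a double-quoted
// attribute value. Every character that could close the current context or
// open a tag/entity is replaced with its entity reference.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable variant: the raw query is concatenated into the markup, so any
// markup characters in the URL become part of the page the browser parses.
function renderSearchPageUnsafe(url) {
  const q = getQueryParam(url, "q");
  return `<input name="q" value="${q}"><p>Results for ${q}</p>`;
}

// Hardened variant: the same page, but the query is encoded where it is written
// into HTML. The browser now displays the characters instead of interpreting them.
function renderSearchPageSafe(url) {
  const q = escapeHtml(getQueryParam(url, "q"));
  return `<input name="q" value="${q}"><p>Results for ${q}</p>`;
}

// A check a defender can keep in a test suite: a rendered page must not contain
// the submitted value verbatim when that value carries tag or attribute delimiters.
function reflectsRawMarkup(html, query) {
  return /[<>"]/.test(query) && html.includes(query);
}

// Sample URLs: the first is the article's own Flickr example; the second is a
// constructed URL whose q parameter decodes to "><b>x</b> (markup characters only).
const benignUrl = "http://www.flickr.com/search/?q=sad%20puppy";
const markupUrl = "http://example.test/search/?q=%22%3E%3Cb%3Ex%3C%2Fb%3E";

console.log(renderSearchPageSafe(benignUrl));
console.log(renderSearchPageUnsafe(markupUrl)); // the <b> tag survives into the page
console.log(renderSearchPageSafe(markupUrl));   // the same characters arrive as entities
```

Run it with `node` and compare the last two lines: the unsafe page carries a real `<b>` element sourced from the URL, the safe page carries only text. The `reflectsRawMarkup` helper is the kind of assertion that belongs next to any template that echoes request data.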


About the Author


Matthew works as an inbound marketer and blogger for Future Hosting, a leading provider of
VPS hosting. Follow Future Hosting on Twitter at @fhsales, like them on Facebook and check
out their tech/hosting blog, https://www.futurehosting.com/blog/.
55 Cyber Warnings E-Magazine – September 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide