So how can a seemingly small coding oversight lead to any real security issues? Well let's take a closer look.
Let's imagine a scenario...
There is a fairly popular site called TakeTwoApps.com (This is also my site, and this is only a demo for educational purposes!) Now, a lot of people have an account there, and as it so happens, so do you. One day I was just looking around at TakeTwoApps.com, and reading through the site's source code, just seeing how it's put together. TakeTwoApps.com has many interesting features, but I noticed something while looking over the source code of a routine homepage customization form. This form is located here.
Now, before I begin to explain how to exploit this vulnerability, I want to make it clear that you don't have to use this form in order for your account to become compromised. In fact, you don't even have to know it exists. What matters is that I know it's there, and I'm going to try and use it to steal your TakeTwoApps.com cookie data and possibly obtain information that will help me gain access to your TakeTwoApps account.
alert() function. This function was placed into the page's <body> tag using onLoad. This simply tells the page to run the alert function when the page loads.
So how can we exploit this further? Well, what else can we do when the page loads? We also saw previously that we can use this vulnerability to force the compromised form to redirect to a site of our choosing.
Let's now take another look at the
Now click here to see what cookie data TPCS has set on your computer. Actually, we don't set cookies, so you will just see an empty alert box. But if you want, you can click here and we'll place a small cookie. Then click here to see what the cookie data is. OK, now we know how to get a site to read its own cookie data. Any site can read its own cookie data, so a script running on TakeTwoApps.com can easily access the cookie data set by TakeTwoApps.com. So how can we exploit this further?
Let's put these different ideas together. I'm going to inject some code that will force the compromised page at TakeTwoApps to read its own cookie data, then force a redirect. Where to? It just so happens that I wrote some PHP code to help me grab the cookie data. This program can be found here. So I'm going to force the compromised form at TakeTwoApps to redirect to my cookie monster program. Here is the actual code I will use:
By entering this code into the color form, instead of just a color, we can force TakeTwoApps.com to actually inject this code into its
So now that this is all in place, how will I use this vulnerability to steal your data? I will try to trick you into loading this code into this compromised form at TakeTwoApps.com without you knowing it.
Once again, you do NOT even have to know this form exists to be vulnerable. So let's break down the actual web request into its two parts:
- This is the actual web address (URL) of the compromised form at TakeTwoApps.com:
Now, not many people would click on a link that looked like:
But most people, when approached carefully, would click on:
So let's get back to our imagined scenario. You have an account at TakeTwoApps.com. I found a vulnerability at that site that you know nothing about. I'm going to try and exploit this to steal your TakeTwoApps cookie data. So, click here for a really funny picture, I had to LOL when I saw it!
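The attack described above depends on two things: the color field being reflected into the page's <body> tag without encoding, and the session cookie being readable by any script through document.cookie. As an added example that is not TakeTwoApps.com's own code, here is how the form handler could be hardened in server-side JavaScript; the colour allowlist, the function names and the cookie name are assumptions.

```javascript
// Added example (not TakeTwoApps.com code): hardening the homepage colour form.

// Allowlist: only a small set of CSS colour names or a #rgb / #rrggbb value is accepted.
const NAMED_COLORS = new Set(['red', 'green', 'blue', 'black', 'white', 'yellow', 'orange', 'purple', 'gray']);
const HEX_COLOR = /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i;

function isSafeColor(value) {
  if (typeof value !== 'string' || value.length > 16) return false;
  return NAMED_COLORS.has(value.toLowerCase()) || HEX_COLOR.test(value);
}

// Defence in depth: even an allowlisted value is encoded before it is placed
// inside an HTML attribute, so a quote or angle bracket can never close the
// attribute and start a new one such as onload.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => `&#x${c.charCodeAt(0).toString(16)};`);
}

// Builds the <body> tag for the customised homepage. A submission that fails
// the allowlist falls back to the default colour instead of being reflected.
function renderBodyTag(submittedColor) {
  const color = isSafeColor(submittedColor) ? submittedColor : 'white';
  return `<body style="background-color: ${encodeForHtmlAttribute(color)}">`;
}

// Session cookie flags: HttpOnly keeps document.cookie from exposing the value
// to script running in the page, which is exactly what the cookie-reading
// script above relies on; Secure and SameSite limit where the cookie is sent.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}
```

With HttpOnly set, the injected script in the scenario above would still run, but document.cookie would no longer contain the session value, so the redirect to the cookie monster program would carry nothing useful.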