The Tutorial: Basics
The goal of this tutorial is to inject a script into a website (Gruyere's sandboxed site) that shows a pop-up with an alert message. A pop-up isn't the end of the world, but if you can inject code that triggers a pop-up, you can inject much worse code as well.
File Upload XSS:
This exploit takes advantage of a site's file upload feature. Some sites allow you to upload HTML files (exploit.html). HTML files can contain script. I uploaded the tutorial's example script:
<!DOCTYPE html>
<html>
<body>
<h1>You were hacked!</h1>
<script>
alert(1)
</script>
</body>
</html>
The idea is to send someone a link
(http://google-gruyere.appspot.com/204181329637/jgeorge0210/exploit2.html)
to the file you uploaded, which contains the malicious script. Since the file is hosted on a trusted site, the user will trust the link without suspecting anything.
For example, if someone sent you a link that looked like:
http://www.amazon.com/9234890324/username/20%_discount.html
You would likely click the link, thinking that Amazon had sent you a discount coupon.
Fix:
A simple solution to this problem, when creating your own website, is to host the uploaded content on another domain.
For example:
Instead of http://www.amazon.com/9234890324/username/20%_discount.html
Use http://www.username.amazon.com/9234890324/20%_discount.html
This way, unsuspecting users can see that the content was uploaded by a user and not by Amazon itself.
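A sketch of how a server could enforce this fix, added here as an example and not taken from Gruyere or the original post: uploads are answered only on a separate host, and anything a browser could render as a page is sent as a download. The host names and the functions `serve_upload` and `safe_name` are assumptions, and the response headers go beyond what the post describes.

```python
import posixpath
import re

# Assumed hosts for this sketch: the application and a separate upload origin.
# Script in an upload then runs in the upload host's origin, not the app's.
APP_HOST = "www.example.com"
UPLOAD_HOST = "uploads.example-usercontent.com"

# Passive types that may render inline; everything else becomes a download.
INLINE_TYPES = {".png": "image/png", ".jpg": "image/jpeg",
                ".gif": "image/gif", ".txt": "text/plain; charset=utf-8"}


def safe_name(path):
    """Reduce a request path to a harmless download file name."""
    name = posixpath.basename(path)
    return re.sub(r"[^A-Za-z0-9._-]", "_", name) or "download"


def serve_upload(host_header, path):
    """Return (status, headers) for a request for a user-uploaded file."""
    host = host_header.split(":")[0].strip().lower()
    if host != UPLOAD_HOST:
        # Never serve user content from the application's own origin.
        return 404, {}
    headers = {
        "X-Content-Type-Options": "nosniff",  # browser must not sniff the type
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    ext = posixpath.splitext(path.lower())[1]
    if ext in INLINE_TYPES:
        headers["Content-Type"] = INLINE_TYPES[ext]
        headers["Content-Disposition"] = "inline"
    else:
        # .html, .svg, unknown types: download as opaque bytes, do not render.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name(path)}"'
    return 200, headers


if __name__ == "__main__":
    # Constructed requests: the tutorial's exploit.html asked for on each host.
    for host in (APP_HOST, UPLOAD_HOST):
        print(host, serve_upload(host, "/jgeorge0210/exploit.html"))
```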
Source:
http://google-gruyere.appspot.com/part2#2__cross_site_scripting
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)