FT.COM Cross Site Scripting Example

I have been working with a number of client web applications, and it surprised me how many of them are/have been open to XSS to the point I'm actually worried.

My guess is that testers don't really understand what XSS is, how to exploit it and what risk it poses to the business, so I will try and give you a working example using the ft.com. They are not a client of mine but I did find their search was open to the XSS exploit. Don't worry I have contacted and reported the issue to them, so by the time you read this the site will be patched and immune to any sort of XSS bug.

Lets get started:

1. First lets find an input into the webserver, ft.com has a search form field we may be able to exploit.

2. We want to enter some malicious text into the search field, for example script tags to see if they break the page. First lets do a normal search and analyse how the page is returned, type 'Lenovo' into the search field and click search, after a short wait the results are returned:

A few things happen, the most obvious is that results are displayed, we can remove the search term and the page is not broken in anyway. Also look at the url you can see that there is a url parameter "http://search.ft.com/search?queryText=lenovo". Now lets see how the XSS exploit works.

3. The easiest way to see if the site is open to XSS is to enter a script tag into the search field. This normally takes trial and error to get the result you want, you may need to enter part of a tag  like "script>", or encoded text "%3C%2Fscript%3E" its just about having a play and learning how the application responds. For the ft.com search box I found a closing script tag </script> broke the page:

You can see some JavaScript being output just above the search results. A quick look at the markup in firebug and we can see where the script tag has been inserted, escaping some JavaScript code. Lets now do something really simple and say hello to the world using this code:

http://search.ft.com/search?queryText=)</script><a href="http://www.pablotesterbar.com">hello from pablo testerbar</a><script>

With a little more effort we can modify the page further, include some css and javascript on another server, add more mark-up, this really depends on how creative/malicious the attacker/hacker wants to be. Look at the url in the address bar, the attacker could now send this modified url out to unsuspecting victims (hiding the verboseness via something like tinyurl), and as its hosted by a reputable organisation the user maybe duped into thinking the content is legitimate.

I hope this gives you a quick and simple example of how an XSS attack works. My recommendation is that all testers should include this type of testing as part of their standard testing routine.

Useful links:

  • Url Encoder - Does exactly what it says on the tin, quick way to encode/decode your text
  • Another XSS example - An excellent write up on XSS using the Gaurdian website, gives you another example and well worth a read.


Popular posts from this blog

Android Device Automation with Calabash

Starting a Teams Transformation

Breaking the Rules, Pushing the Limits