Daily Weblog 8/31/17

Today, I researched and performed an XSS (Cross-Site Scripting) attack on the Physics server. Using the comment system and the post system, I created a weblog entry entitled "XSS test", tagged under "attack", as all of my weblog entries directly referencing exploit attempts will be. I tried six different methods of attack, with the goal of inserting a JavaScript alert on interacting with the page saying "success!":
  • First, I attempted the simplest method of attack, of simply using a quote to terminate the input string and inserting a script tag, using the standard weblog text editor. This failed, as the script tag was removed by the editor and the quotes I attempted to use to terminate the string were converted to an HTML encoding ("&quot;"). From this, I can conclude that script tags are removed by the editor, and that quotes (and possibly all punctuation) are converted to HTML encodings to prevent being parsed.
  • Secondly, I attempted the same type of attack in the comment section. This failed for similar reasons. From this, I can conclude that the comment section is not parsed as HTML, as the <a> that I wrote appears as plaintext.
  • Next, I tried a JavaScript-enabled link using the direct HTML editor. I started by setting the link destination (href) to a JavaScript function using the "javascript:code" format. This was censored by the editor.
  • I then tried two alternate versions of the JavaScript-enabled link attack, using alternate capitalization and using encoding to avoid writing the actual letters, in case it was a simple regular expression. None of these worked. From this, I think it is likely that the site uses a whitelist of allowed HTML, rather than a blacklist of disallowed HTML - as is the recommended policy.
  • Next, I tried an attack using HTML5's keyword "onmousewheel", in case the editor had not been updated recently with new definitions. This also failed, as the server is up to date with its definitions.
  • Finally, I attacked the tag system itself, tagging the post with a JavaScript command, which was also defeated via text encoding.
I used this site to research XSS attacks and to source the different types of attack that I used in this experiment (a real link this time, I promise). I also researched on here for the last attack with the tag system, because that was more of a url parameter attack and not an XSS attack.
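As an added illustration (not the Physics site's own filter, whose code is not shown here), the following allowlist-based sanitizer behaves the way the observations above suggest: text is entity-encoded (quotes become `&quot;`), tags and attributes not on the allowlist are dropped (so `<script>` and `onmousewheel` never survive), and an `href` scheme is checked only after entity decoding and case folding, which is why alternate capitalisation and encoding did not help. The tag and attribute allowlists are assumed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist policy (assumed for this example): anything not listed is dropped.
ALLOWED_TAGS = {"a", "b", "i", "p", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = {"http", "https"}


def safe_href(value):
    """Return the href unchanged if its scheme is allowlisted, else None."""
    # HTMLParser has already decoded entities, so "&#106;avascript:" arrives
    # as "javascript:"; also drop whitespace/control chars browsers ignore.
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    scheme = urlsplit(cleaned).scheme.lower()  # "JaVaScRiPt" -> "javascript"
    if scheme == "" or scheme in ALLOWED_SCHEMES:
        return value  # relative URL or allowlisted scheme
    return None


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # <script>, <img>, ...: tag and all its attributes vanish
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # onclick, onmousewheel, style, ... are not listed
            if name == "href":
                value = safe_href(value or "")
                if value is None:
                    continue  # javascript: and friends are dropped
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text stays text: quotes -> &quot; and angle brackets -> &lt; &gt;
        self.out.append(html.escape(data, quote=True))


def sanitize(fragment):
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)
```

A dropped `<script>` element's body is still emitted as inert, entity-encoded text, which matches the "appears as plaintext" behaviour seen in the comment section.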