BlogXSS for Lunch - Yum!
Jun 14
2

XSS for Lunch - Yum!

Posted by Jaimie Sirovich on Jun. 14th, 2006. 2 comments — voice your opinion.

NEED A GREAT WEB SITE? NEED IT TO BE SEARCH-ENGINE-FRIENDLY?

SEO Egghead is a web development firm dedicated to creating custom, search engine optimized web site applications. We specialize in eCommerce and content management web sites that not only render information beautifully to the human, but also satisfy the "third browser" — the search engine. To us, search engines are people too. Click here to talk to us. We'd love to help! 		X

I was reading SEO Black Hat during my lunch break, and it pointed me to RSnake's article on using GreaseMonkey to sniff out XSS attack vulnerabilities.  Since I'm a white hat SEO, I'll pretend I'm only interested in this stuff to the extent of attack prevention, so I added a few things to his proof of concept to make it more usable for that purpose (or any purpose, really).

First, we create a script that utilizes the last code-snippet I posted here that parses out the response codes from a HTTP document (LinkChecker.php), located here.

<?
  include('LinkChecker.php');    
      
  $header_result LinkChecker::getHeader($_REQUEST['text']);
  $code = (int) LinkChecker::parseResponseCode($header_result);    
  
  if (!$code) {
      $code 'UNKNOWN';
  }
  
  header("Location: http://www.seoegghead.com/HTTP_codes/HTTP_$code.gif");
?>

We name the file "xss_detect.php."  Then we modify RSnake's script with a few little features that make it much more usable casually.  We insert an image for various response codes, and a bright yellow one for a 301.  If you see a 301, you know it's an oppor … nerability.

Here is the modified script:

// ==UserScript==
// @name    redirect_seo_egghead
// @namespace    http://www.seoegghead.com/
// @description    Looks for things in the page that look like redirects and reports them - By RSnake, SEO Egghead
// @include    *
// ==/UserScript==

(function() {
  window.addEventListener("load", function(e) {
    for (i=0; i <= document.links.length; i++) {
      if (document.links[i].href.match(/http:\/\/.*http(:|%3A)(\/|%2F)(\/|%2F)/i)) {
    red_xss = new Image();
    red_xss.src = "http://YOUR_PHP_WEB_SITE_HERE.com/xss_detect.php?text=" + document.links[i];
        //alert(document.links[i]);
    document.links[i].appendChild(red_xss);
      }
    }
    return;
  }, false);
})();

Here's one example of a big fat vulnerability:


Here's a link to my site from theirs:
http://www.iol.co.za/outgoing.php3?URL_to=http://www.seoegghead.com

I left this script activated in greasemonkey, and I will be auditing all my sites this way. 

Tell an amigo:
  • Sphinn
  • Digg
  • Reddit
  • del.icio.us
  • StumbleUpon
  • Facebook



Related posts:
Checking for Dead Links Automatically This neat little class can return the HTTP status code...
Auditing for HTML Tainting Note: the code for the auditing script is located here....



"2 Wise Comments Banged Out Somewhere On The Internet ..."


itchy

banged out 6/17/2006

hi jamie,
been reading your blog all day fantastic work bruv. just wondered if you could give us the heads up on how to instal this script and drop links when you find vunerabilities.
thanx itchy

ha.ckers.org security lab - Archive » SEO redirects continued

[...] Jaimie Sirovich just posted an ammendment to my post about SEO redirection on his blog. His post expounds on my crappy SEO redirection explanation by adding in the loggin script, making it more customizable and in general less lame. His is better, check it out. I think this really is a huge problem that will stay around for quite a while. I started finding these in Google a while back, and then they came fast and furious. [...]



Care To Bang On The Keys ... ?

BECOME AN EGGHEAD. SUBSCRIBE TO OUR RSS FEED!

Learn to be as nerdy as we are by never missing our latest blog entries. Receive great tips, tricks, and ideas on improving your web site every day! Subscribe via our RSS Feed or use the chicklets in the sidebar.