The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws
NOTE: As you saw in Chapter 6, some applications store a persistent cookie which effectively reauthenticates the user on each visit — for example, to implement a "remember me" function. In this situation, step 1 of the preceding process is not necessary. The attack will succeed even at times when the target user is not actively using or logged in to the application. Because of this, applications that use cookies in this way leave themselves more exposed in terms of the impact of any XSS flaws that they contain.

Chapter 12: Attacking Other Users (page 380)



After following all of this, you may be forgiven for wondering why, if the attacker is able to induce the user to visit a URL of his choosing, he bothers with the whole rigmarole of transmitting his malicious JavaScript via the XSS bug in the vulnerable application. Why doesn't he simply host a malicious script on wahh-attacker.com and feed the user a direct link to this script? Wouldn't this script execute in just the same way as it does in the example described?

In fact, there are two important reasons why the attacker goes to the trouble of exploiting the XSS vulnerability. The first and most important reason is that the attacker's objective is not simply to execute an arbitrary script but to capture the session token of the user. Browsers do not let just any old script access a site's cookies; otherwise, session hijacking would be trivial. Rather, cookies can be accessed only by the site that issued them: they are submitted in HTTP requests back to the issuing site only, and they can be accessed via JavaScript contained within or loaded by a page returned by that site only. Hence, if a script residing on wahh-attacker.com queries document.cookie, it will not obtain the cookies issued by wahh-app.com, and the hijacking attack will fail.

The reason why the attack that exploits the XSS vulnerability is successful is that, as far as the user's browser is concerned, the attacker's malicious JavaScript was sent to it by wahh-app.com. When the user requests the attacker's URL, the browser makes a request to https://wahh-app.com/error.php, and the application returns a page containing some JavaScript. As with any JavaScript received from wahh-app.com, the browser executes this script within the security context of the user's relationship with wahh-app.com. This is the reason why the attacker's script, although it actually originates elsewhere, is able to gain access to the cookies issued by wahh-app.com. This is also the reason why the vulnerability itself has become known as cross-site scripting.
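The two passages above (the note on persistent "remember me" cookies and the explanation of why script injected into wahh-app.com can read document.cookie) both come down to one defender's question: which of the application's cookies can in-page script read at all? The following is an added example, not code from the book or from wahh-app.com: a small Node.js audit that parses Set-Cookie headers captured from an application's responses and flags cookies that lack the HttpOnly attribute (and so are exposed to document.cookie), marking separately those that are also persistent (Max-Age or Expires), since the note explains that a stolen persistent cookie remains useful even while the user is logged out. The header values are constructed sample data.

```javascript
// Added example (not from the book). Audits Set-Cookie headers for cookies that
// in-page JavaScript could read via document.cookie, i.e. those without HttpOnly.

// Parse one Set-Cookie header value into name, value and the attributes we care about.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = {
    name: name.trim(),
    value: valueParts.join('='), // values may themselves contain '='
    httpOnly: false,
    secure: false,
    sameSite: null,
    persistent: false, // true when Max-Age or Expires is present
  };
  for (const attr of parts.slice(1)) {
    const [k, ...v] = attr.split('=');
    const key = k.trim().toLowerCase();
    const val = v.join('=').trim();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = val;
    else if (key === 'max-age' || key === 'expires') cookie.persistent = true;
  }
  return cookie;
}

// Return one finding per cookie that has at least one weakness.
function auditCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    const issues = [];
    if (!c.httpOnly) issues.push('readable via document.cookie (no HttpOnly)');
    if (!c.secure) issues.push('may be sent over plain HTTP (no Secure)');
    if (c.persistent && !c.httpOnly) {
      issues.push('persistent and script-readable: theft is useful even while the user is logged out');
    }
    if (issues.length) findings.push({ name: c.name, issues });
  }
  return findings;
}

// Constructed sample headers (not real application output). JSESSIONID is the
// hardened form; RememberMe is the exposed "remember me" pattern from the note.
const SAMPLE_HEADERS = [
  'JSESSIONID=abc123; Path=/; Secure; HttpOnly',
  'RememberMe=tok456; Path=/; Max-Age=2592000; Secure',
  'theme=dark; Path=/',
];

console.log(JSON.stringify(auditCookies(SAMPLE_HEADERS), null, 2));
```

Run it against headers copied from an intercepting proxy; only cookies carrying authentication state need HttpOnly, but any session or "remember me" token that appears in the findings is the one an XSS payload like the one described above would be able to capture.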
