8 ways to abuse your XSS vulnerabilities
December 18th, 2006 by Stefan Juhl

You've most likely heard of XSS (Cross Site Scripting) and you might even know how it works. But have you given any deeper thought to how many ways your XSS vulnerabilities can be abused? Off the top of my head, here are 8 ways to abuse websites where HTML / JavaScript injection is possible.
1. Steal logins and other info in cookies
   With a simple piece of JavaScript it's possible to dump all the cookies a user has for your website. So the attacker just needs to inject the JavaScript on your site, and have you and your users activate it, to gain logins etc. stored in cookies.

2. Use your brand for phishing
   If your brand is well known then people probably trust you. An attacker could then inject a form for phishing data from your users, who won't know that it isn't you they're giving the information to.

3. Make users install malicious software
   As with #2, the trust users have in you can be abused to make them install malicious software. If they're prompted to install a plugin or another kind of software, they'll most likely do it since they're on your site and trust you.

4. Put copyright infringing material on your site
   It's easy to inject HTML for hot-linked images as well as to inject copyrighted text. Then, by linking to it, crawlers will quickly notice it, and so will the crawlers used to find copyright infringements.

5. Make you link to illegal content
   By injecting links to illegal stuff like pirated software, music downloads or something even worse, an attacker can give you a lot of trouble. Suddenly you and your ISP will begin to receive complaints from the BSA, RIAA or even government agencies. If your ISP receives a lot of complaints it's likely that they'll unplug your server.

6. Bad-mouth you or others on your website
   Imagine URLs on your website ranking well in search engines for your name, employees' names, competitors' names etc., and the content on these URLs talking very badly about you, or containing false accusations that competitors are doing bad stuff. That's probably not the image you'd like to have.

7. Make you link excessively to bad neighborhoods
   Search engines tend to dislike sites linking excessively to bad neighborhoods. So by making hundreds or even thousands of URLs on your website contain links to sites like "buy-cheap-viagra-12.blogspot.com", an attacker might be able to hurt your rankings or just get a good bunch of links for his black hat SEO.

8. Steal your search traffic
   If you're ranking well in search engines for keywords an attacker would like the search traffic from, then he could inject a redirect and some content with the keyword. Then, by doing some decent link dumping, the attacker can make the XSS'ed URL rank instead of your current URL.
I'd say that the more well known you are and the more popular your website is, the bigger the risk of getting abused. But even if you're just a small fish in the pond, you might still want to find and fix your XSS vulnerabilities.
Posted in Black Hat SEO, Hacking / XSS
May 18th, 2008 at 8:32 pm
A few of these abuses (4, 7, and maybe 5) rely on crawlers picking up the attacks. Isn’t this moot, since almost no web crawlers execute javascript?
May 19th, 2008 at 10:59 am
Alex, it’s correct that they rely on crawlers picking them up, but they shouldn’t be done with JavaScript. Instead they’d be done by injecting HTML that’ll get outputted in the HTML of the page. An example for this could be a search form where the input isn’t being validated and stripped before being outputted again, so you could basically output anything you’d want in the HTML of the page.
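As an added example (not code from the post or its author), here is the unvalidated search form from the reply above in Python: the raw echo beside an HTML-escaped version, with a small parser showing which tags a browser would actually see in each. The function names and the sample query are constructed for this illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a search term carrying injected markup. No JavaScript
# is needed for this kind of abuse; plain HTML (here a link) is enough.
INJECTED_QUERY = 'shoes<a href="http://example.invalid/">cheap</a>'


def render_unescaped(query: str) -> str:
    """Vulnerable: the raw query is written straight into the page's HTML."""
    return f"<p>Results for: {query}</p>"


def render_escaped(query: str) -> str:
    """Hardened: HTML-escape the query before it is echoed back."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


class TagCollector(HTMLParser):
    """Records every start tag, i.e. the markup a browser would parse."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def rendered_tags(page: str) -> list[str]:
    """Return the start tags a parser finds in the rendered page."""
    collector = TagCollector()
    collector.feed(page)
    return collector.tags


if __name__ == "__main__":
    # The unescaped page contains the injected <a>; the escaped page does not.
    print(rendered_tags(render_unescaped(INJECTED_QUERY)))  # ['p', 'a']
    print(rendered_tags(render_escaped(INJECTED_QUERY)))    # ['p']
```

Note that html.escape is the right encoding for text in the HTML body; a value placed inside an attribute, a URL or a script block needs the encoding for that context instead.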