
INFO3002 Ethical Hacking Principles and Practice

Lecture 12A: Reflected XSS and XSS Defence

School of Computer, Data and Mathematical Sciences


Western Sydney University
1
Lecture outline

■ Reflected XSS (R-XSS)

■ XSS Defence

2
Recall: Definition of R-XSS
■ Occur when the malicious code contained in URL query
string is used by web server to generate a web page for
the browser.
▬ Exemplar scenario: When you search a term through Google,
Google will echo back your term to your browser in the results page.
▬ Characteristic: The malicious JS code is injected into the URL query
string and get echoed back, and may not be saved in the database.

3
Detailed Steps of R-XSS
1. A hacker composes and distributes a URL pointing to a
vulnerable web server with the query string containing
malicious JS code.
▬ Say, https://bank.com/?y="><img src=https://bad.com/hack.js>
▬ NB: the leading "> closes whatever attribute and tag the value is
reflected into. An <img> element only fetches its src as an image and
never runs it; to actually execute hack.js the payload would need a
<script src=...></script> element (or an event handler such as onerror=...).

2. When a user clicks such a URL, the user's browser will send
the query string in this URL to the vulnerable web server.
▬ NB: a browser won't execute the JS code in the URL itself.

3. The vulnerable web server will echo back the malicious JS
code contained in the query string as web content to the
user's browser.
▬ NB: This is how Reflected XSS gets its name.

4. The user's browser will execute the malicious JS code
contained in the HTML document.

4
R-XSS Examples
■ Since the R-XSS example in DVWA is hard to experiment
with, we will give examples on R-XSS using the sample
code Lecture12-examples.zip posted on vUWS.

■ To try these examples conveniently, you should configure
Firefox to use No Proxy.

5
Files in Lecture12-examples.zip
■ This zip file consists of two php files:
▬ postback-vuln.php
▬ postback-fixed.php

■ Both PHPs generate a simple web form for entering a 4-digit
postcode, and also process the postcode entered.
■ Both PHPs submit data to themselves for processing.
▬ This way of implementation is called 'postback', which was discussed
in the prerequisite subject Tech for Web Applications.

6
Files in Lecture12-examples.zip (cntd)
■ postback-vuln.php: contains two places vulnerable to
Reflected XSS attacks
▬ not sanitizing $postcode before echoing it back to the browser.
▬ not sanitizing $_SERVER["PHP_SELF"] before echoing it back to the
browser.

■ postback-fixed.php: no longer vulnerable, by fixing those
two places.
▬ We'll talk about it in the XSS Defence part.

7
Install those two php files under the
Metasploitable2 Apache Web Server
■ In Kali, use Firefox to download this zip file from vUWS.
■ In Metasploitable2, login as 'msfadmin', and you will be under
the home directory of 'msfadmin'.
▬ Note that the home directory is indicated by '~' in Linux.

■ Use netcat to transfer the zip file to the home directory of
'msfadmin'.
■ After a successful transfer, you should see the following output
with the 'ls -l' command.

8
Install those two php files under the
Metasploitable2 Apache Web Server (cntd)
■ unzip Lecture12-examples.zip

■ 'cd Lecture12-examples', and copy both php files to the /var/www/test
directory, which can be accessed by the web server.
▬ Note: You need to add 'sudo' before 'cp' to gain root privilege for this
copying, during which you will be prompted for the password of 'msfadmin' for
authentication purposes.

9
Install those two php files under the
Metasploitable2 Apache Web Server (cntd)
■ Check whether the copying is successful:

■ Change the owner and group of those two phps from 'root' to 'www-data'
with the 'chown' command, so that the web server (which runs as 'www-data')
is able to read them. Files that arrived with restrictive permission bits
are otherwise unreadable to it; confirm with 'ls -l' that the mode allows
reading.

10
Install those two html files provided in the
zip file as well
■ Those two html files contain the URLs with malicious JS
code.
▬ They save you the effort of copying the URLs into a browser.

■ Exactly follow the steps of installing the php files to install these
two html files into the /var/www/test directory.

11
Access those two php files from Kali Linux
by Firefox
■ Now you can access those two php files by entering a URL like
below:

12
R-XSS Example 1: $postcode
■ Try a valid input for postcode

■ We see the postcode is echoed back to the browser as below. So if no
sanitization is done on the entered postcode, we know that an R-XSS attack
will be possible.

13
R-XSS Example 1: $postcode (cntd)
■ In Firefox, allow more characters for the 'postcode' field, so that we can
insert JS code there.
▬ For details on how to do this, refer to last lecture.

14
R-XSS Example 1: $postcode (cntd)
■ Enter the following input into the field:
▬ 2066<script>alert("Attacked!")</script>

■ You will see the attack is successful:

15
R-XSS Example 1: $postcode (cntd)
■ The input used in this attack is only reflected once and is not saved
by the web server, so on its own it affects only the browser that
submitted it, not other users.

■ But with a careful observation of the URL in the previous screenshot:

■ We know that it is possible to construct a link like this, and then lure others
to click such a link.
▬ '%2F' above means '/'. In a URL, characters can be represented by their
percent-encodings instead. For details, see
https://www.w3schools.com/tags/ref_urlencode.asp
▬ The above URL also means that the web form submission is using the 'GET'
method in postback-vuln.php, which puts the submitted fields into the URL
query string and so lets the attacker deliver the payload as a plain link.
(see: https://www.w3schools.com/tags/ref_httpmethods.asp ) A form using
'POST' would still reflect the payload; the attacker would just need an
auto-submitting form on a page they control instead of a link.

16
R-XSS Example 1: $postcode (cntd)
■ Then, hackers can construct a link below, disguising the link with attractive
text “You win!” and encoded URL.

<a href="http://192.168.153.128/test/postback-
vuln.php?pcode=2066%3Cscript%3Ealert%28%22Attacked%21%22%29%3C
%2Fscript%3E&submit=Submit+Query"> You win! </a>

Notes:
▬ In the above link: '%3C' is '<', '%3E' is '>', '%28' is '(', '%29' is ')', etc.
▬ In ‘GET’ form submission, name=value pairs are separated by ‘&’ symbol.
▬ The part submit=Submit+Query is necessary; otherwise, the query won't be processed by
the postback-vuln.php.

■ Finally, Hackers will email this link or use some other means to lure victims
to click this link.

17
R-XSS Example 1: $postcode (cntd)
■ For instance, the trigger-vuln.html you just installed at Metasploitable
contains this link for your convenience.

http://192.168.137.129/test/postback-
vuln.php?pcode=2066%3Cscript%3Ealert%28%22Attacked%21%22%29%3C%2Fsc
ript%3E&submit=Submit+Query

If you visit this page from Win7, you'll see the above.

18
R-XSS Example 1: $postcode (cntd)
■ If you click the 'You Win!' link, you'll see the attack happens.

19
R-XSS Example 1: $postcode (cntd)
■ Hackers can replace the JS code in the previous slide with
anything harmful. For instance:
▬ Stealing cookies (we have given JS code for this on Stored XSS in the
previous lecture)
▬ Modifying page contents
▬ Redirecting browsers to a malicious website
▬ And so on …

■ We'll leave these to yourself to experiment with.

20
R-XSS Example 2:
$_SERVER["PHP_SELF"]
■ $_SERVER["PHP_SELF"] is an entry of the PHP superglobal $_SERVER that
holds the path of the script currently being executed, relative to the
document root. Under Apache it also carries any extra path segment
(PATH_INFO) that the client appended after the script name, which is what
makes it attacker-controlled.
▬ See: http://php.net/manual/en/reserved.variables.server.php

■ For example, if the URL to request a php is:
http://www.example.com/test/experiment.php, then when this
php is run, $_SERVER["PHP_SELF"] has the value
/test/experiment.php

21
R-XSS Example 2:
$_SERVER["PHP_SELF"]
■ A standard practice of implementing postback is to echo this
variable into the 'action' attribute of the web form:
<form action="<?php echo $_SERVER["PHP_SELF"] ?>" method="get">
▬ This allows a developer to freely change the name of the php file later.

■ However, if it is not sanitized before being echoed, it will allow
R-XSS attacks.

22
R-XSS Example 2:
$_SERVER["PHP_SELF"] (cntd)
■ Hackers can construct a link like below and send it to victims.
http://192.168.153.128/test/postback-
vuln.php/%22%3E%3Cscript%3Ealert('Hacked')%3C/script%3E

That is,
http://192.168.153.128/test/postback-
vuln.php/"><script>alert('Hacked')</script>

23
R-XSS Example 2:
$_SERVER["PHP_SELF"] (cntd)
■ Then, the web server will take $_SERVER["PHP_SELF"] =
/test/postback-
vuln.php/%22%3E%3Cscript%3Ealert('Hacked')%3C/script%3E
decoded, i.e.,
/test/postback-vuln.php/"><script>alert('Hacked')</script>
▬ Note: the "> after postback-vuln.php/ closes the action attribute and
the <form> start tag, so whatever follows is parsed as a new element.

■ When the above is echoed into the form tag, the browser receives:

<form action="/test/postback-vuln.php/"><script>alert('Hacked')</script>" method="get">

▬ The leftover '" method="get">' is rendered as plain text.

■ So the JS code gets executed by the browser.

24
R-XSS Example 2:
$_SERVER["PHP_SELF"] (cntd)
■ For instance, if we enter the following link into IE at Win7 VM:
http://192.168.153.128/test/postback-
vuln.php/%22%3E%3Cscript%3Ealert('Hacked')%3C/script%3E

We'll see a successful attack:

25
R-XSS Example 2:
$_SERVER["PHP_SELF"] (cntd)
■ Similar to the Example 1 on $postcode, hackers can replace
the JS code in the previous slide with anything harmful. For
instance:
▬ Stealing cookies
▬ Modifying page contents
▬ Redirecting browsers to a malicious website
▬ And so on …

■ We'll leave these to yourself to experiment with.

26
Lecture outline
■ Reflected XSS (R-XSS)

■ XSS Defence

27
Guidelines of XSS Defence

The guidelines below apply to both S-XSS and R-XSS:

■ Sanitize user inputs.

■ Protect cookies.

28
Sanitize user inputs
■ Methods for sanitization against XSS include:
▬ Calling the PHP htmlspecialchars() function: the right tool whenever the
input is to be shown as plain text, which is the case in this lecture.
▬ Calling the test_input() function provided on the w3schools site, which
wraps htmlspecialchars() with trim() and stripslashes(); the two extra
calls tidy the value but add no protection against XSS.
▬ Using the open source HTML Purifier library: needed only when users are
allowed to submit a subset of HTML (e.g. a rich-text comment) that must be
rendered as markup rather than escaped.

29
The htmlspecialchars( ) function
■ This function converts the following characters with special meanings in
HTML syntax to HTML entities starting with the '&' symbol.

Character            Replacement
& (ampersand)        &amp;
" (double quote)     &quot;
' (single quote)     &#039;  (only with the ENT_QUOTES flag, the default
                     since PHP 8.1; with ENT_HTML5 the entity is &apos;)
< (less than)        &lt;
> (greater than)     &gt;

■ These entities are displayed as the characters they represent in
browsers, but lose their syntactic meaning.
▬ They let the special characters be shown at all; a literal '<' would
otherwise be parsed as the start of a tag.
▬ Applied to every reflected value, they prevent XSS in HTML text and in
quoted attribute values. They do not help inside a <script> block, an
event-handler attribute or a URL; those contexts need their own encoding.

30
An example of using htmlspecialchars( )
■ Suppose the PHP variable $str_x contains:

<script>alert('Hacked')</script>

The output of htmlspecialchars($str_x, ENT_QUOTES) will be:

&lt;script&gt;alert(&#039;Hacked&#039;)&lt;/script&gt;

(Without ENT_QUOTES, on PHP before 8.1, the single quotes are left as they
are; the <script> tag is neutralised either way.)

31
The htmlspecialchars( ) function (cntd)
■ Since the htmlspecialchars() makes the special characters
in user input lose their syntax meanings, there will be no
html tags in the input.
■ Especially, there will be no <script> tag, thus thwarting the
XSS attacks.
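The following is an added example, not code from the slides, showing what htmlspecialchars() does to the five characters in the table under different flag settings and why the HTML context the value lands in decides whether the escaping is enough. All inputs are constructed; the helper names (esc, esc_compat, esc_html5, can_break_out) are this example's own.

```php
<?php
// Added example, not from the slides: htmlspecialchars() under different
// flags, and why the surrounding HTML context matters. Inputs are constructed.

// Escape for HTML text or a quoted attribute. ENT_QUOTES converts both quote
// kinds; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// ENT_COMPAT (the default before PHP 8.1) leaves the single quote alone.
function esc_compat(string $s): string {
    return htmlspecialchars($s, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
}

// ENT_HTML5 emits &apos; for the single quote; the default ENT_HTML401
// emits &#039;, which every browser understands.
function esc_html5(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// True if the character delimiting the attribute is still present in the
// escaped value, i.e. the value can end the attribute early and add its own.
function can_break_out(string $escaped, string $delimiter): bool {
    return strpos($escaped, $delimiter) !== false;
}

// The table from the slides, checked against the real function.
$special = "&\"'<>";
// esc($special)        -> &amp;&quot;&#039;&lt;&gt;
// esc_html5($special)  -> &amp;&quot;&apos;&lt;&gt;
// esc_compat($special) -> &amp;&quot;'&lt;&gt;

// A payload that needs no < or >: it closes a single-quoted attribute
// and adds an event handler.
$attrPayload = "' onmouseover='alert(1)";

// Single-quoted attribute <input value='...'>:
// esc_compat leaves ' intact, so the payload breaks out; esc does not.
$brokenSingle = can_break_out(esc_compat($attrPayload), "'");   // true
$safeSingle   = can_break_out(esc($attrPayload), "'");          // false

// Unquoted attribute <input value=...>: there is no quote to escape and a
// space already ends the value, so htmlspecialchars() cannot help at all.
// Always quote attribute values.
$unquotedPayload   = "x onmouseover=alert(1)";
$unquotedUnchanged = esc($unquotedPayload) === $unquotedPayload; // true

if (PHP_SAPI === 'cli') {
    printf("%s\n%s\n%s\n", esc($special), esc_html5($special), esc_compat($special));
    printf("single-quoted attr, ENT_COMPAT breaks out: %s\n", var_export($brokenSingle, true));
    printf("single-quoted attr, ENT_QUOTES breaks out: %s\n", var_export($safeSingle, true));
    printf("unquoted attr, payload unchanged: %s\n", var_export($unquotedUnchanged, true));
}
```

Run it with the php CLI. The practical rule it illustrates: pass ENT_QUOTES explicitly rather than relying on the version-dependent default, always quote the attribute the value goes into, and use a different encoder (json_encode() for a JavaScript string, rawurlencode() for a URL component) when the value is not in HTML text or a quoted attribute.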

32
The test_input( ) function
function test_input($data) {
    $data = trim($data);             // strip leading/trailing whitespace
    $data = stripslashes($data);     // remove backslashes (magic_quotes-era habit, not an XSS measure)
    $data = htmlspecialchars($data); // the step that actually neutralises HTML
    return $data;
}

■ Notes:
▬ The PHP function trim() removes spaces, tabs, \n, \r, \0 and \x0B (vertical
tab) at the beginning and the end of a string. For details, see
http://php.net/manual/en/function.trim.php
▬ stripslashes() un-escapes a string that was escaped with addslashes() or by
the long-removed magic_quotes_gpc setting; on modern PHP it simply deletes any
backslash the user typed and contributes nothing to XSS protection.
▬ For the details and an example of test_input(), see the end of the
following w3schools page:
http://www.w3schools.com/php/php_form_validation.asp
33
An example of using trim( )
■ Suppose the PHP variable $str_x=" How are you? \n "

and $str_y = trim($str_x), then

$str_y="How are you?"

34
The HTML Purifier Library
■ An open source HTML filter library written in PHP.
■ It parses the input as HTML, keeps only the elements and attributes on a
whitelist, and so removes malicious JS code while producing output that
is compliant with W3C's specifications.
▬ Much more powerful than escaping when some HTML must be allowed through,
and the only sound option in that case; for values that should be plain
text, htmlspecialchars() is simpler and just as safe.

■ Its website (including download and docs) is at:
http://htmlpurifier.org/

35
The 'high.php' for S-XSS in DVWA

■ The following four functions are called in the code above:
trim(), stripslashes(), htmlspecialchars(), and
mysql_real_escape_string(), to address both XSS and SQLI.
▬ Note: mysql_real_escape_string() belongs to the old mysql extension, which
was removed in PHP 7; current code uses mysqli or PDO with prepared
statements instead.

36
The 'postback-fixed.php' for R-XSS in
the provided sample code
■ Open and examine the source code in this file with a text
editor.
■ You will notice that the test_input() function recommended
by w3schools is defined first.
■ Then, it is used to sanitize the following two inputs:
▬ echo test_input($postcode);
▬ echo test_input($_SERVER["PHP_SELF"]);
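As an added, self-contained example (not the code in Lecture12-examples.zip, whose source is not reproduced on the slides), the file below reconstructs the two echo points the slides describe in postback-vuln.php beside the test_input() fix used in postback-fixed.php, and replays the four R-XSS steps for both Example 1 (the pcode parameter) and Example 2 ($_SERVER["PHP_SELF"]) using the lure URLs from the slides. The field names pcode and submit and the URLs follow the slides; the page layout, the helper names and the use of explicit htmlspecialchars() flags are this example's own.

```php
<?php
// Added example, not the code from Lecture12-examples.zip: reconstruction of
// the two echo points in postback-vuln.php next to the postback-fixed.php fix.
// Field names and lure URLs follow the slides; everything else is assumed.

// test_input() as quoted on slide 33, with explicit flags so single quotes
// are escaped on every PHP version.
function test_input(string $data): string {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return $data;
}

// Render the postback page. $get stands in for $_GET and $self for
// $_SERVER["PHP_SELF"]; $fixed selects the sanitised version.
function render_page(array $get, string $self, bool $fixed): string {
    $action = $fixed ? test_input($self) : $self;                       // echo point 2
    $html  = '<form action="' . $action . '" method="get">' . "\n";
    // maxlength is enforced by the browser only; the slides lift it in Firefox
    $html .= '  Postcode: <input type="text" name="pcode" maxlength="4">' . "\n";
    $html .= '  <input type="submit" name="submit" value="Submit Query">' . "\n";
    $html .= "</form>\n";
    if (isset($get['submit'], $get['pcode'])) {
        $pcode = $fixed ? test_input($get['pcode']) : $get['pcode'];    // echo point 1
        $html .= 'You entered postcode: ' . $pcode . "\n";
    }
    return $html;
}

// Turn a lure URL into what PHP sees: the browser sends the query string
// as-is, PHP %-decodes it into $_GET, and Apache puts the decoded path
// (script name plus any trailing PATH_INFO) into $_SERVER["PHP_SELF"].
function simulate_request(string $url): array {
    $parts = parse_url($url);
    $get = [];
    parse_str($parts['query'] ?? '', $get);
    $self = rawurldecode($parts['path'] ?? '/');
    return [$get, $self];
}

// Does an unescaped <script> element reach the browser?
function script_reaches_browser(string $html): bool {
    return stripos($html, '<script>') !== false;
}

// Example 1 (slide 17): payload in the pcode parameter.
const LURE_PCODE = 'http://192.168.153.128/test/postback-vuln.php'
    . '?pcode=2066%3Cscript%3Ealert%28%22Attacked%21%22%29%3C%2Fscript%3E&submit=Submit+Query';

// Example 2 (slide 23): payload appended to the path, so it lands in PHP_SELF.
const LURE_SELF = 'http://192.168.153.128/test/postback-vuln.php'
    . '/%22%3E%3Cscript%3Ealert(\'Hacked\')%3C/script%3E';

function attack_succeeds(string $lure, bool $fixed): bool {
    [$get, $self] = simulate_request($lure);
    return script_reaches_browser(render_page($get, $self, $fixed));
}

if (PHP_SAPI === 'cli') {
    foreach (['pcode' => LURE_PCODE, 'PHP_SELF' => LURE_SELF] as $name => $lure) {
        printf("%-8s vuln: %-15s fixed: %s\n", $name,
            attack_succeeds($lure, false) ? 'script executes' : 'neutralised',
            attack_succeeds($lure, true)  ? 'script executes' : 'neutralised');
    }
    [$get, $self] = simulate_request(LURE_SELF);
    echo "\n", render_page($get, $self, false);   // the broken <form> from slide 24
}
```

Escaping PHP_SELF is the fix the slides use; an alternative that removes the attacker-controlled part altogether is to echo htmlspecialchars($_SERVER["SCRIPT_NAME"]) instead, which does not include PATH_INFO, or simply action="" so the form submits to the current URL.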

37
Protect Cookies
■ Add the 'Secure' attribute to cookies and use HTTPS to
transfer cookies if the cookies are used in an
authenticated session.
▬ Without it the cookie is also sent over plain HTTP, where it can be
read on the network.

■ Add the 'HttpOnly' attribute to cookies if the cookies don't
need to be accessed by JS.
▬ Injected script can then no longer read the cookie via document.cookie,
which defeats the cookie-stealing payload from the previous lecture. It does
not stop XSS itself: the script can still send requests in the victim's
session from within the page.

38
Protect Cookies (cntd)
■ You can add these two attributes by web server
configuration.
▬ For Apache: https://www.tunetheweb.com/security/http-security-
headers/secure-cookies/
▬ For IIS: https://msdn.microsoft.com/en-
us/library/ms228262(v=VS.80).aspx

■ Or by programming.
▬ PHP: http://php.net/manual/en/function.session-set-cookie-
params.php

The above is not required in this subject.
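An added example (not from the slides) of setting both attributes from PHP code and of checking a Set-Cookie header for them. The cookie name 'auth', the Lax SameSite value (an attribute the slides do not cover, set through the same option arrays) and the constructed header lines are assumptions of this example.

```php
<?php
// Added example, not from the slides: Secure and HttpOnly from PHP, plus a
// check that a Set-Cookie header carries them. Cookie name, SameSite value
// and the header samples are constructed for the demonstration.

// Application cookie with both attributes (array-options form, PHP 7.3+).
function set_auth_cookie(string $value, int $ttl = 3600): bool {
    return setcookie('auth', $value, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,   // Secure: only sent over HTTPS
        'httponly' => true,   // HttpOnly: invisible to document.cookie
        'samesite' => 'Lax',  // beyond the slides: not sent on cross-site POSTs
    ]);
}

// Same attributes for the PHP session cookie; call before session_start().
function harden_session_cookie(): void {
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_only_cookies', '1');   // never accept a session id from the URL
}

// Verify a Set-Cookie header line (e.g. from 'curl -I' or a proxy) and
// report which of the two attributes are missing.
function missing_cookie_attributes(string $setCookie): array {
    $header = preg_replace('/^set-cookie:\s*/i', '', trim($setCookie));
    $attrs  = array_map('trim', explode(';', $header));
    array_shift($attrs);                        // drop name=value
    $present = array_map(fn($a) => strtolower(explode('=', $a, 2)[0]), $attrs);
    $missing = [];
    foreach (['secure', 'httponly'] as $want) {
        if (!in_array($want, $present, true)) {
            $missing[] = $want;
        }
    }
    return $missing;
}

// Constructed header lines for the check.
const COOKIE_WEAK = 'Set-Cookie: PHPSESSID=abc123; Path=/';
const COOKIE_GOOD = 'Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';

if (PHP_SAPI === 'cli') {
    printf("weak: missing %s\n", implode(', ', missing_cookie_attributes(COOKIE_WEAK)) ?: 'nothing');
    printf("good: missing %s\n", implode(', ', missing_cookie_attributes(COOKIE_GOOD)) ?: 'nothing');
}
```

The first two functions only take effect inside a web request (setcookie() and session_set_cookie_params() emit headers); the checker runs anywhere and is the quick way to confirm what the server actually sends after the Apache or IIS configuration from the links above has been applied.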

39
Example Short Answer Question:
■ Explain what is Reflected XSS attack.

40
Lecture Summary
■ Reflected XSS attacks inject malicious JS code into the
query string part of a URL, and can harm any user who
clicks this URL.
■ Both Stored and Reflected XSS attacks can be prevented
by sanitizing users’ input properly.

41
References
■ XSS attacks: https://en.wikipedia.org/wiki/Cross-
site_scripting
■ The web links mentioned in the slides of this lecture

Big reminders:
• There is an online quiz for this lecture as
well, which will be due next week.
o There will be no tutorial classes for discussing
this quiz. If you have questions regarding it, pls
email your lecturer or tutor.
• The project is due this Friday.

42
