Kris-Kross Site Scripting
May 22, 2007 6:01 PM Subscribe
Help explain how a hacker could perform an XSS exploit. This article explains how a bad-guy could send a malicious query through an unvalidated search box and essentially modify the HTML on the search results page. What I don't understand is how the hacker could have this malicious code display on a page that I am browsing. Except for unvalidated forum posts, how can a hacker inject malicious code into a webpage? If I ensure that my forum posts don't allow HTML and I am not loading external JS files, what do I have to worry about?
Hey, follow this link: linky.
Now, notice that you've followed a link that I gave you. On the resulting page, there is some content that *I* generated: the phrase "metafilter post content" appears in at least three different places, echoed by Google back to the screen but specified by me in my link. I have modified the search results page through the contents of my link. Now, Google (being smart) will filter out nasty stuff, but suppose I had some Javascript instead of "metafilter post content", and your website echoed it back to the screen unaltered. It would execute on your web page, on your website, and it would do nasty things to any of your readers who followed the link that the bad-guy gave them.
posted by jellicle at 6:19 PM on May 22, 2007
Your question is kind of confused and unclear. Are you asking for examples of how a malicious attacker might leverage an XSS vulnerability in order to compromise either the site or other users? There are many possibilities, i.e. rewriting the page to look like a legitimate login to capture credentials, rewriting links to force session pinning, leaking cookies, etc.
On the other hand, if you're writing your own forum software and you're asking if forum posts are the only way to inject XSS, the answer is a most definite "No!" Injection can be done anywhere content that is under control of the attacker is displayed without proper processing.
posted by RichardP at 6:31 PM on May 22, 2007
The reason Matt doesn't permit inline img tags any more is because someone here demonstrated a security vulnerability associated with them. He was able to use an embedded img tag to execute javascript code.
In that particular case all he was doing was to make readers "favorite" another post, without actually clicking anything, but in principle that javascript code could have done much else that was far more harmful.
posted by Steven C. Den Beste at 6:49 PM on May 22, 2007
Steven, the "self-favoriting" post was a CSRF exploit, not an XSS exploit. It used a simple IMG tag to invoke a semi-malicious GET request; no JavaScript was involved.
posted by RichardP at 6:54 PM on May 22, 2007
Jellicle has it well-summarized. The thing to remember is it's not just "don't allow HTML to pass in the query string", because of character encodings; your best bet is to vet ANY user input through a whitelist of allowable characters before echoing it to the screen in any way. A blacklist will inevitably miss something.
posted by davejay at 9:47 PM on May 22, 2007
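Jellicle's echoed-query link and davejay's whitelist advice, as an added Python example that is not from any poster in this thread: a constructed link carries markup in its `q` parameter, a results page that echoes it unaltered reflects it as live markup, and the same page with HTML-escaping (output encoding for the element-body context) renders it as inert text; the character whitelist is shown as a second layer on top of that. The hostname search.example, the page templates and the checks are all constructed for this example.

```python
import html
from urllib.parse import urlsplit, parse_qs, quote

# Constructed link of the kind jellicle describes: the search term in the
# query string is markup rather than words (hostname is made up).
CONSTRUCTED_LINK = "https://search.example/?q=" + quote("<script>alert('xss')</script>")


def query_from_link(link: str) -> str:
    """Return the q= parameter exactly as the server sees it (URL-decoded)."""
    return parse_qs(urlsplit(link).query).get("q", [""])[0]


def results_page_vulnerable(q: str) -> str:
    """Echo the term into the page unaltered: this is a reflected XSS bug."""
    return f"<h1>Results for {q}</h1><p>Nothing found for {q}.</p>"


def results_page_escaped(q: str) -> str:
    """Same page, but the term is HTML-encoded before it is placed in the body.

    Output encoding is the fix that works regardless of what the input
    contained; the browser shows the characters instead of interpreting them.
    """
    safe = html.escape(q, quote=True)
    return f"<h1>Results for {safe}</h1><p>Nothing found for {safe}.</p>"


def contains_active_content(page: str) -> bool:
    """Crude check used here to tell live markup from encoded text."""
    return "<script" in page.lower()


def whitelist_ok(q: str) -> bool:
    """davejay's approach as a second layer: accept only characters we expect
    in a search term (letters, digits, space, hyphen, underscore) and reject
    anything else instead of trying to enumerate bad sequences."""
    return all(c.isalnum() or c in " -_" for c in q)


if __name__ == "__main__":
    q = query_from_link(CONSTRUCTED_LINK)
    print("vulnerable:", results_page_vulnerable(q))
    print("escaped:   ", results_page_escaped(q))
    print("whitelist accepts it:", whitelist_ok(q))
```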
posted by nomisxid at 6:18 PM on May 22, 2007