I typically notice this on sites which display a search history. When using search functionality on a site, your past search queries are displayed and rather than storing this content on the server, perhaps in a relational database, it is instead being embedded within a cookie. Let's take a look at the search functionality at Sony.com.
In the image to the left, you will note that my past search queries ('Michael' and 'Sutton') are displayed on the right hand side beneath the 'Your Recent Searches' heading. Now this data has obviously come from past requests and could naturally be stored in a variety of places such as a relational database connected to the web application, within hidden form fields, embedded in the URI, etc. In this particular case however you will see that past searches are actually stored within a cookie, in this case the sonysearch_recent_searches cookie. Now there's certainly nothing wrong with that, after all we're dealing with a relatively small amount of non-critical data which doesn't really need to be stored beyond the current session. However, as you will also note in a later image, the user supplied content accepted in search queries isn't appropriately filtered and thus the site is vulnerable to a rather unique form of persistent XSS. Note: This was reported to Sony in February.
So why is this interesting? It's just another XSS vulnerability - not exactly an elite club to get into. I find it interesting because it has some unique characteristics. In some ways, it's almost a hybrid of reflected and persistent XSS. Let's take a look at what I mean by that.
Storage - This is certainly an example of persistent XSS, as the script is stored. However, it is stored on the client side, within a cookie, not within a relational database on the server side as is typically the case.
Victim - Unlike most persistent XSS vulnerabilities, injected script will not affect anyone that visits a vulnerable page. It will only affect a single user (like reflected XSS) as it is transmitted within a cookie when an individual request is made.
As you can see, while we have persistent XSS, it smells like reflected XSS. This could come in handy, if for example an attacker were looking to target a single individual (reflected) but wanted the attack to repeat (persistent) every time the user accessed a certain resource. Consider for example a situation where the attacker wanted to harvest sensitive data every time the victim viewed it. This situation alleviates the timing challenges associated with a successful reflected XSS attack while remaining more stealthy than typical persistent XSS.
Food for thought.
- michael
Posts
5 comments:
Pretty rare but these are out there. You reminded me of another form of transient XSS that's between reflected and stored. Data that's stored on the server, but only in the session, a form cache, or a wizard of some sort can store transient attacks. You'll see these when you put the attack into one page, then later browse back to that page. Static tools have difficulty tracing these because the taint disappears in bean or hashmap somewhere. Dynamic tools don't see them because they don't get the pageflow right to trigger them.
I've called this kind of xss-vulnerability "semi-persistent". I've written about it in March 2008 where I supposed to be the first who describes this.
http://www.erich-kachel.de/?p=181
Look there for the headline "Semi-Persistent". Unfortunately is it in German, but the picture below shows exactly what you've written here.
Thanks for passing that along Erich. I'm afraid that my German doesn't stretch beyond 'wiener schnitzel' so I likely wouldn't have spotted your post had you not brought it to my attention. Good to see that others are looking into the same issues.
Great feedback Jeff - especially that static/dynamic tools fall short in such situations for different reasons.
persistent attacks are rare now but dangerous as well.Reflected XSS is quite common in websites these days.
Post a Comment