In association with heise online

On the rebound

The attacker's trick is to make the browser believe that the JavaScript comes from a trustworthy page. On some web server, or in an HTML document, he plants a hyperlink whose URL carries JavaScript in one of its parameters. The link points to a server that the attacker expects the victim to trust, for example a bank's, and which the attacker knows has an XSS weakness. If the victim clicks on the link, the vulnerable page reflects the parameter back into its HTML, and the JavaScript is executed in the browser in the context of the bank's site, without any user prompt.


One click on a trusted hyperlink leads to a supposedly secure web site. Normally, a script is allowed to read only the cookies that belong to the same server (origin) as the page it runs in; this is the browser's same-origin policy. Because the injected script is delivered by the vulnerable server itself, the browser treats it as that server's own code and grants it access to that server's cookies. Cookies can contain session numbers (session IDs) or authentication data; they are set by web servers and sent back by the client with every subsequent request. Many web sites and internet shops use them, for example Amazon and eBay. With cross-site scripting, an attacker is able to read, tamper with and delete such cookies, unless a cookie carries the HttpOnly flag, which hides it from script.

Session Hacking

This helping from the cookie jar seems harmless at first, but it is not. The session IDs that identify a connection between web server and client after a successful authentication are stored, among other places, in cookies. If an attacker succeeds in stealing such a cookie, he can extract the ID, present it to the server and obtain a valid session without ever logging in with name and password. The ID must, however, still be valid, so the attack has to be carried out while the victim is logged in; once the victim logs off, the session ID is invalid, provided the server really discards the session rather than merely clearing the cookie in the browser. David Endler, security expert with iDefense, shows in [2] how user data are extracted from cookies that have been stolen or copied with the help of automated XSS attacks [1]. The script samples he gives send HTML emails containing JavaScript embedded in URLs and collect the stolen cookies.

One concrete example that no longer works, but still illustrates an important principle, is this. The search engine Overture did not properly filter arguments passed in a URL, so it was possible to embed HTML and JavaScript such as the following in a search request:

<script>alert("Achtung XSS Attacke"); alert(document.domain); alert(document.cookie);</script>
<iframe src=""></iframe>

The script pops up three alert boxes showing, respectively, the message, the origin (document.domain) of the HTML page and the cookie belonging to it. In addition, the heise Security homepage opens in a frame. Smuggling arbitrary HTML code into a viewed document in this way is called HTML injection.

Web applications that echo user input into their output must encode characters such as <, >, " and ; as escape sequences (HTML entities) before writing them into the page, so that the browser displays them as text instead of interpreting them as markup. This is what Overture eventually did.
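The Overture case and the fix just described, as an added example that is neither the article's code nor Overture's: a tiny "search results" page builder that concatenates the query straight into the HTML, next to a version that HTML-encodes it first, driven by the article's payload. The function names, the page template and the host search.example are assumptions for this illustration; the iframe src is left empty as on the page.

```javascript
// Added example (not from the article, not Overture's code): reflected XSS in
// a search-results page next to the output-encoding fix. Function names, the
// template and the host search.example are assumptions for this illustration.

// Vulnerable: the query is concatenated straight into the HTML, so any markup
// in the URL parameter becomes part of the page and runs in the site's origin.
function renderResultsVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Encode the characters that can change HTML structure or break out of an
// attribute. The semicolon needs no encoding in HTML text; in the article's
// payload it only separates JavaScript statements.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Fixed: same template, but the query is encoded before it reaches the page.
function renderResultsSafe(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// The article's payload, as the server sees it after URL decoding.
// The iframe src is left empty here as it is on the page.
const PAYLOAD =
  '<script>alert("Achtung XSS Attacke"); alert(document.domain); ' +
  'alert(document.cookie);</script><iframe src=""></iframe>';

// The attacker's side of the story: the payload travels in a link parameter.
// The vulnerable server extracts it with ordinary query-string handling.
function buildAttackUrl(base, payload) {
  const u = new URL(base);
  u.searchParams.set("q", payload);   // percent-encodes the payload
  return u.toString();
}

function extractQuery(url) {
  return new URL(url).searchParams.get("q");   // decodes it again
}

// Check: does the rendered page contain a <script> or <iframe> opening tag
// that was not in the template? The encoded version must never do so.
function containsInjectedTag(html) {
  return /<(script|iframe)\b/i.test(html);
}
```

Run the vulnerable renderer on extractQuery(buildAttackUrl("https://search.example/results", PAYLOAD)) and the response carries a live script tag in the bank-or-search-engine's own origin; run the safe renderer and the same request yields the literal text of the payload, which is all the user should ever see.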
