Sunday, April 12, 2009

Cross Site Scripting – How can you stop that

Recently Cross Site Scripting has taken a big toll across the internet. It is alarming that something so widely ignored over the past few years is now becoming so common and so devastating. In this post we shall discuss at least one case study of Cross Site Scripting. This post will also remind you of one very common and simple thought: the benefit of technology is in the hands of the people who use it. Whether it is good or bad depends on the user.

Let's revisit the Cross Site Scripting and server compromise attack I faced recently.

26 March 2009 – 10:45 AM

I had built a website for one of my clients which had a content management system (CMS) built into it. For editing HTML content in some of the pages, we had used FCK Editor, a very popular editor available in the market. Suddenly the client let us know that somehow Google had blacklisted our website.

Malware warning

While searching for the name of the website, something like the picture above was displayed in the Google search results, and clicking on it led to the page shown in the picture below. From our Google account for the website's traffic, we came to know that our website had been distributing malware, Trojans and backdoors for a couple of days. What the…

Malware warning page

The client was really upset, as numerous customers were complaining about this incident and were afraid for their security and their computers. They immediately called Server Support and took the website down, putting up an emergency landing web page. We were perplexed: McAfee was showing that the website was 100% secure and PCI compliant.

26 March 2009 – 12:31 PM 

The first thing that occurred to me was that some kind of malware was getting downloaded, so there must be some XSS in our website, and I randomly opened some of the web pages in Notepad. What I found was a small script tag at the bottom of the body tag of some of the pages. Something like:

<script src="" ></script>

So Mister Ken.gif was the culprit, I thought. I did a simple search of the website's root folder to find out whether there were any more Mr. Kens out there. The search returned a few JavaScript files, e.g. jQuery and ThickBox. I cleaned them up. I was still not sure how this had happened. Only the ASP.NET machine account had write permission on the root folder, so whoever did this must have had that permission.

Suddenly I found another file named "con.aspx". I opened the file in Notepad and soon realized there was no code in it written by me. This was an alien. I downloaded it and took a small risk: I put the file in my local development environment and executed it. It needed a password, which I overrode in the code. Then there was a beautiful scene on my screen. The file was a gem. It was soon displaying all the files in my wwwroot folder along with their permissions. It was displaying the running processes on my machine. It was displaying all open and closed ports on the machine. It was displaying some registry values which indicated the name of my machine. I could not take any more. Soon I found out the original project name was AspxSpy 1.0, an open source project which was even hosted on CodePlex. You can grab the file there.

Following are some pictures I took:

AspxSpy showing my IIS

19 March 2009 – time unknown

So this was like the atom bomb: the evil or good is in the user, not the software itself. The hacker had uploaded this file to the server using the vulnerabilities of FCK Editor's file upload system, and then, using the permissions of the machine account, it had copied itself to the root directory. So the hacker now had access to the command prompt, IIS and also the registry.

Using this opportunity, the hacker had uploaded a file named open.bat along with an svchost.exe into the C:\WINDOWS\addins folder. The open.bat file was written to insert the script tag into the pages. The svchost.exe had been tampered with, as the server administrator later found out. It was soon found that there was a root-level compromise of the server.

From the IIS log it was found that the hack was done on 19th March, and we had absolutely NO clue at all until Google pointed it out.
So, this was the modus operandi of the hack of the server.
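As an added illustration of what that IIS log review looks like in practice (example code written for this post, not the author's own tooling), the following Python script parses W3C extended log lines and flags the two traces the incident left behind: POST requests to the HTML editor's upload connector, and requests for .aspx pages that are not part of the deployed site, which is how a dropped file such as con.aspx shows up. The log lines, the allowlist of known pages and the connector path are constructed for the example.

```python
"""Flag suspicious requests in IIS W3C extended log lines.

Two indicators from the incident are checked: uploads through the editor's
file-upload connector, and requests for server-side pages that were never
deployed (a web shell dropped into the site). All sample data below is
constructed for this example, not taken from a real server.
"""
import re
from datetime import datetime

# Pages we deployed ourselves. Constructed allowlist: on a real site build this
# from the project's file list so that any other .aspx request stands out.
KNOWN_PAGES = {
    "/default.aspx",
    "/about.aspx",
    "/admin/login.aspx",
    "/fckeditor/editor/filemanager/connectors/aspx/upload.aspx",
}

# Path shape of the editor's upload/connector handlers (assumed layout).
UPLOAD_CONNECTOR = re.compile(r"/fckeditor/.*(upload|connector)", re.IGNORECASE)

# Constructed log excerpt in IIS W3C format. IIS replaces spaces inside a field
# (e.g. the User-Agent) with '+', so whitespace splitting is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2009-03-18 09:12:01 10.0.0.5 GET /default.aspx - 80 - 203.0.113.7 Mozilla/4.0 200
2009-03-19 02:41:17 10.0.0.5 POST /fckeditor/editor/filemanager/connectors/aspx/upload.aspx Type=File 80 - 198.51.100.23 Mozilla/4.0 200
2009-03-19 02:41:52 10.0.0.5 GET /userfiles/file/con.aspx - 80 - 198.51.100.23 Mozilla/4.0 200
2009-03-19 02:43:10 10.0.0.5 POST /con.aspx - 80 - 198.51.100.23 Mozilla/4.0 200
2009-03-20 11:05:44 10.0.0.5 GET /about.aspx - 80 - 203.0.113.9 Mozilla/4.0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than misalign the columns
        yield dict(zip(fields, values))


def find_indicators(text, known_pages=KNOWN_PAGES):
    """Return (timestamp, client_ip, reason, uri) tuples for suspicious requests."""
    hits = []
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"].lower()
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if rec["cs-method"].upper() == "POST" and UPLOAD_CONNECTOR.search(uri):
            hits.append((when, rec["c-ip"], "upload via editor connector", uri))
        elif uri.endswith(".aspx") and uri not in known_pages:
            hits.append((when, rec["c-ip"], "request for unknown server page", uri))
    return hits


def first_compromise_time(text):
    """Earliest timestamp among the flagged requests, or None if nothing was flagged."""
    hits = find_indicators(text)
    return min(h[0] for h in hits) if hits else None


if __name__ == "__main__":
    for when, ip, reason, uri in find_indicators(SAMPLE_LOG):
        print(f"{when}  {ip:<15}  {reason:<33}  {uri}")
    print("first suspicious activity:", first_compromise_time(SAMPLE_LOG))
```

The earliest flagged timestamp is where the intrusion first appears in the log, which is the same kind of reading that placed this incident on 19th March. On a real server, feed it the log files for the days around the incident and build the allowlist from the deployed project's file list, so that every .aspx request outside it is reviewed.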

Present Day

After a few days, when we found out what the hacking attack was all about and how much damage it had actually done in the process, we started thinking about preventive measures. Around the web, Cross Site Scripting had only one preventive measure: check user input for malicious code before displaying it in web pages. But as I told you before, the website we are talking about has a CMS section, so some JavaScript is already being saved legitimately through the HTML editor. This way we cannot simply check for malicious code.
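One way to check stored CMS content without rejecting the editor's legitimate markup, added here as an example and not something the post's site used: instead of searching the HTML for "malicious code" (a blocklist, which fails exactly in the way described above), keep an allowlist of tags and attributes and drop everything else, including script blocks, event handlers and javascript: links. It uses only Python's standard library; the tag and attribute lists are assumptions to be adjusted to what the CMS actually needs.

```python
"""Allowlist HTML sanitizer for content saved through an HTML editor.

Anything not explicitly allowed is removed: unknown tags are stripped (their
text is kept), <script> and <style> are removed together with their contents,
attributes outside the allowlist are dropped, and hrefs with dangerous schemes
are dropped. The allowlists are example assumptions, not a recommendation for
any particular CMS.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # attributes permitted per tag
VOID_TAGS = {"br"}                          # tags that never get a closing tag
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" means a relative link


def safe_href(value):
    """True for http(s), mailto and relative links; javascript:, data: etc. are rejected."""
    return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """HTMLParser lowercases tag and attribute names, so the allowlists are lower-case."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep any text inside it
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops onclick, style, class and every other attribute
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Re-escape text so stored entities cannot turn back into markup.
            self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return the allowlisted form of the given HTML fragment."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample: editor content with a script tag and a javascript: link mixed in.
    sample = ('<p>Welcome <b>back</b><script src="http://203.0.113.50/ken.gif"></script></p>'
              '<a href="javascript:alert(1)" onclick="x()">offer</a> <a href="/news.aspx">news</a>')
    print(sanitize(sample))
```

Sanitizing on save keeps the editor usable for formatting while removing the one thing the injected tag needed, a script element in stored content. It does not replace fixing the upload path and the folder permissions, since the injection in this incident was written to the page files on disk, not through the CMS.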

  • However, we revised the folder permissions of the web server and took a very stern approach of giving write permission only to the very specific folders which actually needed it. In the process I found out that some developers have a common tendency to give write permission to "Everyone" on the root folder. It was really, really dangerous.
  • We have used relative links for JavaScript sources all over our website, so using a regex to find any full URL after the src attribute of a script tag could be a probable solution, though we did not try that one.
  • We upgraded FCK Editor to the recent 2.6.4 version with FCKEditor.NET 2.6.3, which has an authentication check before letting the user upload files and view uploaded files on the server.
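The regex idea from the second point, written out as an added Python example (not code from the original post): since the site only references its own scripts by relative path, any script tag whose src is an absolute or protocol-relative URL, is empty, or does not point at a .js file is reported. The page contents and the external address are constructed for the example; on a real site the input would be the .aspx and .html files under the web root.

```python
"""Report <script src=...> tags that do not look like the site's own relative links.

Heuristic from the post: the site only ever loads its scripts by relative path,
so a src that is absolute, protocol-relative, empty, or not a .js file is a
candidate injection. The sample pages are constructed for this example.
"""
import re
from urllib.parse import urlsplit

# Matches the src attribute of a <script> tag in double quotes, single quotes or unquoted.
SCRIPT_SRC = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE | re.DOTALL,
)

# Constructed page contents: one clean page, one with the kind of external
# tag the post describes, one with a protocol-relative and an empty src.
SAMPLE_PAGES = {
    "default.aspx": '<html><head><script src="scripts/jquery.js"></script></head>'
                    '<body>Hi</body></html>',
    "about.aspx": '<html><body>About<script src="scripts/thickbox.js"></script>'
                  "<script src='http://203.0.113.50/ken.gif'></script></body></html>",
    "contact.aspx": '<html><body><script type="text/javascript" src=//203.0.113.50/x.js></script>'
                    '<script src=""></script></body></html>',
}


def script_sources(html):
    """Every src value of a <script> tag, in document order. Inline scripts are not examined."""
    return [a or b or c for a, b, c in SCRIPT_SRC.findall(html)]


def is_suspicious(src):
    """Flag anything that is not a plain relative path to a .js file within the site."""
    s = src.strip()
    if s == "" or s.startswith("//"):
        return True  # empty src, or protocol-relative (still loads from another host)
    parts = urlsplit(s)
    if parts.scheme or parts.netloc:
        return True  # absolute URL, including javascript: and data: pseudo-URLs
    return not parts.path.lower().endswith(".js")  # e.g. a .gif served as script


def scan_pages(pages):
    """pages: {filename: html}. Returns {filename: [suspicious src, ...]} for files with hits."""
    report = {}
    for name, html in pages.items():
        bad = [s for s in script_sources(html) if is_suspicious(s)]
        if bad:
            report[name] = bad
    return report


if __name__ == "__main__":
    for name, sources in scan_pages(SAMPLE_PAGES).items():
        for src in sources:
            print(f"{name}: suspicious script src {src!r}")
```

A hit is not proof of compromise on its own (a page may legitimately embed a third-party script), so treat each one as something to compare against source control. Running this over the web root on a schedule would have caught the tag that open.bat appended to the pages long before a search engine did.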


This hack attack was an eye opener for me, as there are some common acts of negligence by developers, and hackers exploit those small loopholes. No doubt today's hacking is also coined "Social Engineering".

Recently I have been doing a lot more study on Cross Site Scripting, so it will be better if you consider this small article as episode one. Soon I will be back with more information. If you have any information that you want to share with me, please leave a comment. Let's make our websites digital fortresses.

1 comment:

ben said...

Did you find any information about how to prevent AspxSpy?