This post is the final part of the cross site scripting series. If you have missed the first part for some reason, you can read it here.
Please note that, all the information provided in this article is solely meant for educational purposes only.
What We Will Be Creating
We will create two pages; a post creation and post listing page.
Screen shot of post listing page is shown below.
Screen shot of post creation page is shown below.
In order to follow along with this article, you need to create a post table in your database using php myadmin.
The table structure for the post table is as follows.
Following screen shot is the code for the db.php file that contains database connectivity codes.
Visit the github repository for the entire project by clicking here.
Explanation of posts.php:
In the posts.php file, the post title and description is saved into post table. Before saving post, we make sure that our application is safe from sql injection. In order to do so, we used mysqli_real_escape_string() function. If you don't know anything about sql injection, you can read it here.
Exploiting The Application By Stored Cross Site Scripting
We finished adding post creation functionality for this application. Let's see how to exploit this application so that when anyone visits this page, his or her session cookie will be stolen and send to the attacker.
We can see from the above screen shot that, after adding jquery cdn link, reference to a file known as evil.js is added. For getting this example to work successfully, you need to create a file evil.js in the js folder of the root directory of the current project.
Explanation of evil.js:
The evil.js file collects cookies that is stored in the browser, and then it sends that in getCookiedata.php file.
Explanation of getCookiedata.php:
Stolen cookie information is stored in "cookie_data.txt" file. If the code executes for the first time, then that file will be created in root directory of the application. If already this file exists, then new content will be appended to the file.
To make sure that you understand the stored xss attack, we stored the cookie_data.txt file in the root of the application. But, generally, attacker stores the information to his or her own server.
Getting Session Cookie Value
But, if we open the "cookie_data.txt" file, we can see the session cookie content is present there!
Preventing Cross-Site Scripting Attack
We saw, how an attacker can make use of xss to steal session cookie in previous screen shot. Now, we will stop the attacker from doing that.
Make the changes in "save_post.php" file that are highlighted in red as shown below.
We used, htmlspecialchars() function, that will convert some special characters to HTML entities so that xss will no longer work. For example, ">" will be converted to ">".
After pressing Save Post button, if we open the post table, we will see something similar to the screen shot below.
Now, if we open the "cookie_data.txt" file, we will no longer see any content inside of it. It is completely empty.
If you find this article helpful, please share it among others.