Blind cross-site scripting is a subtype of stored/persistent XSS in which a web application stores a payload sent by an attacker and executes it later, at another time or place, often in a back-office interface or even in a different web application that the attacker cannot observe directly.
Example of Blind XSS
In this example, the developer allows a user to register with the web application by choosing an arbitrary username. The application’s register.php page contains the following form:
<form action="/registered.php" method="post" id="register">
<label for="username">Choose a username:</label>
<input type="text" id="username" name="username">
<label for="password">Choose a password:</label>
<input type="password" id="password" name="password">
<button type="submit" form="register" value="register">Register</button>
</form>
The registered.php file contains the following code:
// Add the new user to the database using PDO prepared statements to avoid SQL injection
(...)
$username = $_POST["username"];
$password = password_hash($_POST["password"], PASSWORD_DEFAULT);
// The username is stored exactly as submitted; nothing here decides what is safe to render later
$sql = "INSERT INTO users (username, password) VALUES (?, ?)";
$statement = $pdo->prepare($sql);
$statement->execute([$username, $password]);
(...)
The application adds the username to the database without any validation or cleanup.
Below is an example of another application that allows an authenticated administrator to display a list of the 50 newest users. The newusers.php page displays them in a table:
(...)
$sql = "SELECT * FROM users ORDER BY id DESC LIMIT 50";
$statement = $pdo->query($sql);
while ($row = $statement->fetch()) {
// The username is echoed into HTML without encoding: this is the stored XSS sink
echo "<tr><td>" . $row['id'] . "</td><td>" . $row['username'] . "</td></tr>";
}
(...)
This application assumes that whatever is in the database is trusted, and performs no validation or output encoding before rendering it into the page.
Blind XSS Attack
Important: The information is provided solely for educational purposes for security engineers to understand the specifics of such attacks and protect against them, and in no way encourages illegal actions.
The attacker enters the following username into the form:
<script>alert("YOUR ADMINISTRATIVE INTERFACE IS HACKED!");</script>
The attack payload is then stored in the database as a new username.
Later, the administrator opens the newusers.php page, which lists the last 50 registered users. If the attacker's account is among them, the browser receives the following markup for that row:
<td><script>alert("YOUR ADMINISTRATIVE INTERFACE IS HACKED!");</script></td>
The browser finds the <script> tag and executes the JavaScript code in it. As a result, it displays a pop-up window.
Fix
The developer decides to use HTMLPurifier filtering to protect the code and, in addition, HTML character escaping.
They import the HTMLPurifier library and modify the registered.php file as follows:
// Add the new user to the database using PDO prepared statements to avoid SQL injection,
// and HTMLPurifier plus HTML escaping to avoid XSS
(...)
$username = $_POST["username"];
$password = password_hash($_POST["password"], PASSWORD_DEFAULT);
// Purify user data using HTMLPurifier ($config is the HTMLPurifier_Config instance set up above)
(...)
$purifier = new HTMLPurifier($config);
$purified_username = $purifier->purify($username);
// Just to be sure, HTML-escape special characters (including both quote characters)
$safe_username = htmlspecialchars($purified_username, ENT_QUOTES);
// Save the sanitized value in the database
$sql = "INSERT INTO users (username, password) VALUES (?, ?)";
$statement = $pdo->prepare($sql);
$statement->execute([$safe_username, $password]);
(...)
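The fix above sanitizes at registration time. As an added example (not code from the original article), the following shows the complementary defense on the display side: the newusers.php listing rewritten so that every database value is HTML-encoded at output, using an in-memory SQLite table with constructed sample rows so it runs stand-alone.

```php
<?php
// Added example: output-side hardening of the newusers.php listing.
// Assumes the pdo_sqlite extension is available; the data is constructed for the demo.
declare(strict_types=1);

// Encode a value for an HTML text context. ENT_QUOTES covers both quote
// characters, so the same helper is also safe inside attribute values.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render one table row; every column passes through h() regardless of
// what the registration code did when the row was stored.
function render_user_row(array $row): string
{
    return '<tr><td>' . h((string) $row['id']) . '</td><td>' . h((string) $row['username']) . '</td></tr>';
}

// Same query as the vulnerable page, with the limit bound as an integer parameter.
function render_new_users(PDO $pdo, int $limit = 50): string
{
    $statement = $pdo->prepare('SELECT id, username FROM users ORDER BY id DESC LIMIT :limit');
    $statement->bindValue(':limit', $limit, PDO::PARAM_INT);
    $statement->execute();
    $html = "<table>\n";
    while ($row = $statement->fetch(PDO::FETCH_ASSOC)) {
        $html .= render_user_row($row) . "\n";
    }
    return $html . '</table>';
}

// Constructed demo database: one ordinary user and one row carrying the article's payload.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT, password TEXT)');
$insert = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
foreach (['alice', '<script>alert("YOUR ADMINISTRATIVE INTERFACE IS HACKED!");</script>'] as $name) {
    $insert->execute([$name, password_hash('demo-password', PASSWORD_DEFAULT)]);
}

$html = render_new_users($pdo);
echo $html, "\n";
// The stored payload reaches the administrator's page only as inert text:
// <td>&lt;script&gt;alert(&quot;YOUR ADMINISTRATIVE INTERFACE IS HACKED!&quot;);&lt;/script&gt;</td>
assert(strpos($html, '<script>') === false);
```

Encode once per output context: if usernames are already escaped when stored, as in the fix above, rendering them through h() again produces double-encoded text such as &amp;lt;, so pick either storage-time or output-time encoding, with output-time encoding being the one that protects every page that reads the table.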
Impact of Blind XSS
Here are some actions that malicious hackers can take:
- They can redirect the administrator to a malicious page that mimics the original application and ask them to log in, thus obtaining their credentials.
- Criminals can steal the administrator’s session cookies to impersonate a privileged user.
- They can trick the administrator into downloading and installing malware on their computer.
This can allow the criminals to escalate the attack and possibly gain access to other computer systems in the organization.
How to Detect Blind XSS
To detect this vulnerability, you need a security testing tool (scanner) that can find blind/out-of-band vulnerabilities: it injects payloads that, when executed in the hidden context, call back to a dedicated external service the scanner controls.
An example is the Invicti solution (based on Acunetix and Netsparker). Conventional web vulnerability scanners, which only analyze the application's direct responses, cannot detect such flaws because the payload never executes in the response they observe.