API – A. P.otentially I.diotic Threat

Follow us on Twitter

Happy Hanukkah and Marry Christmas to you all!

The end of the year is always a great time to wrap things up and set goals for the next year. And also to get super-drunk, of course.

In today’s holiday-special case-study we’ll examine a case where attacker from one website can affect an entire other website, without accessing the second one at all. But before that, we need to talk a bit about Self XSS.

Basically, Self XSS is a stupid vulnerability. Ideally, to be attacked, victims need to paste ‘malicious’ JS code into their browser’s Developer Console (F12), which will cause the code to execute on the context of the page the Developer Console is active on.
When Self XSS attacks started, users were persuaded to paste the JS code in order to get a certain ‘hack’ on a website.
To deal with that, until this day Facebook prints an alert on every page’s Developer Console, in order to:

Because websites can’t avoid users to paste malicious JS code to the DC (developers console), Self XSS (SXSS) vulnerabilities are not considered high leveled vulnerabilities.

But today we’ll approach SXSS from a different angle. We are about to see how websites can innocently mislead victims into pasting ‘malicious’ JS code planted by an attacker.
Some websites allow users to plant HTML or other kind of code into their own websites or personal blogs. This HTML code is often generated by the websites themselves and being handed to the users as-is in a text box. All the users have to do is simply copy the code and paste it in their desired location.
Now, I know this is not the exact definition of an API, but this is my definition to it – a 3rd-party website is giving another website a code which provides a certain service. To my opinion – this is what API is about. If you think I’m wrong, comment down, and I will silently ignore it 😉

Some very known company which hasn’t allowed us to disclose it name yet, allowed users to get an HTML code containing data from a group the users were part of – owned or participated.
When pasted in a website, the HTML represented the last top messages in the group – their title and starting of the body.

When ‘malicious’ code was placed in the title, like: "/><img src=x onerror=alert(1)/> – nothing happen on the company’s website – they correctly sanitized and escaped the whole malicious payload.

BUT! When the HTML was representing the last messages, there was no escaping at all, and suddenly, attackers could have run malicious JS code from website A onto the context of website B! Just by planting the code in the title of the group topic.

So who’s fault is this? Who was a naughty boy and needs to be spanked?
Both websites should get a no-no talk.
Website A is the one who supplied an ‘API’ – HTML code that shows last messages from a group hosted in itself, but the API does not escapes malicious payloads correctly.
But website B violated the number one rule – never trust a 3rd-party website to do your job. Website B added an unknown code (not as an iframe, but as a script) and didn’t stated any ground rules – it blindly executed the code it was given.

A certain client asked me regarding this a few weeks ago. She said:
I must use a 3rd party code which is not an iframe, what can I do to keep my website safe?
Executing 3rd-party JS code on your website is always a bad-practice (and I’m not talking of course on code like jQuery or javascript dependencies, although I am writing these days a very interesting article addressing this exact topic. Stay tuned).
My suggested solution is: Simply plant this code in a sandboxed page, and then open an iframe to that page. ITS THAT SIMPLE!

That way, even if website A will not escape its content as expected, the sandbox, Website C will be the one who gets punished.
This, of course, does not apply for scenarios where website B’s context is a must for website A, but it will work 95% of the time.

Why I classified this case-study’s vulnerability as a Self-XSS?
Simply because I believe that when you put a 3rd-party code on your website you are doing a Self-XSS to yourself, and to all of your users.
The way I see it, Self-XSS is not just a stupid ‘paste-in-the-console’ vulnerability. Self XSS is simply using a 3rd-party code in a safe environment.

This article was the last one of 2016.
I want to thank you all for a great year. Please don’t drink too much, and if you do – don’t drink and bug hunt!
Happy holidays, and of course – happy & successful new year!

22 thoughts on “API – A. P.otentially I.diotic Threat

  1. Nice post. I used to be checking constantly this
    blog and I’m impressed! Extremely useful info specifically the final section 🙂 I
    take care of such information a lot. I was looking for this certain info for a very lengthy time.

    Thanks and best of luck.

  2. 86832 938858Hello super schner Webblog den ihr da habt. Bin gerade ber die Google Suche darber gestolpert. Gefllt mir echt super gut. macht weiter so. MFG Martina 191669

  3. 935930 195656Soon after I initially commented I clicked the -Notify me when new feedback are added- checkbox and now each time a remark is added I get four emails with exactly the same comment. Is there any method you will be able to take away me from that service? Thanks! 427790

  4. 437733 813429Possible need all types of led tourdates with some other fancy car applications. Numerous also offer historic packs and other requires to order take into your lending center, and for a holiday in upstate New York. ??? 813667

  5. 713862 325528Incredibly best man toasts, nicely toasts. is directed building your own by way of the wedding celebration as a result are supposed to try to be witty, amusing and consequently unusual as well as. best mans speech 326305

  6. 393835 523361Spot up for this write-up, I in fact feel this exceptional internet site requirements a good deal far more consideration. Ill far more likely be once once again to read considerably far more, thank you that data. 391323

  7. 571220 37173Aw, this became an incredibly nice post. In concept I would like to set up writing like that moreover – taking time and actual effort to create an excellent article but what / issues I say I procrastinate alot via no means appear to get something completed. 280682

  8. Hey there this is kinda of off topic but I was wanting
    to know if blogs use WYSIWYG editors or if you have to manually code with HTML.
    I’m starting a blog soon but have no coding expertise so I wanted to get guidance from someone with
    experience. Any help would be greatly appreciated!

  9. I have seen this little town go through a great deal of alterations before 30 years,
    from the Canadian organization planning to develop 11-narrative organization towers, to Watt Marketplace attempting
    to produce 360 miles directly into a master planned beach area, to a collection from Detroit attempting to produce six
    square blocks down in the beach.

  10. Heya i’m for the primary time here. I came across
    this board and I in finding It really useful & it helped me out a lot.
    I am hoping to give something back and help others such as you helped me.

  11. Rien de mes sentiments ne sauroit approcher 930 Comme alors qu’au theatre on nous fait voir Melite, Le discours de Cloris, quand Philandre la quitte1443:
    Ce qu’elle dit de lui, je le dis de ta soeur, Et je la veux traiter avec meme douceur.

  12. 934451 454870Very good day. Quite cool weblog!! Man .. Exceptional .. Remarkable .. Ill bookmark your internet site and take the feeds additionallyI am glad to locate numerous beneficial information appropriate here within the post. Thank you for sharing.. 599931

Leave a Reply

Your email address will not be published. Required fields are marked *