Blind Cross-Site Scripting (XSS) attacks in the wild

Tuesday, September 15, 2015 By

A recent web application security report by Gartner mentioned a blind XSS vulnerability, highlighting the importance of web security software that can detect such flaws. Many of us have heard of blind SQL injection, but what is blind XSS?

A quick search on Bugtraq gives us just one security advisory with such a title: JavaMelody blind XSS through the ‘X-Forwarded-For’ header. The vulnerability in question is a classic stored XSS, but its exploitation technique differs a little from that of the majority of Cross-Site Scripting vulnerabilities. Instead of sending the website administrator a vulnerable URL carrying the XSS payload, the attacker submits the payload (here, in the ‘X-Forwarded-For’ request header) and waits until the administrator opens the administration panel, where the malicious script is executed. This happens because the vulnerable script, the one that accepts user-supplied input without filtering it, is different from the script that displays that input to the victim.

In other words, blind XSS is a classic stored XSS where the attacker does not know where or when the payload will be executed.

Actually, if we are talking about open source web applications, such as the example above, it is not really appropriate to speak about ‘blind’ XSS, as we already know where the vulnerability will be triggered and can easily trick our victim into opening the page where the payload fires.

At High-Tech Bridge, we have discovered numerous Cross-Site Scripting vulnerabilities whose input and output URLs differ, for example the Stored XSS in the WP Photo Album Plus WordPress plugin or the Multiple Vulnerabilities in the TheCartPress WordPress plugin. Nevertheless, these vulnerabilities share a common exploitation technique, as the attacker knows in advance the URL that will render the malicious payload.

Authentic blind XSS is pretty difficult to detect, as we never know whether the vulnerability exists and, if so, where. However, during extensive penetration tests or continuous web security monitoring, blind XSS can be detected quite quickly: it is enough to craft a payload that, when executed, reports the URL of the vulnerable page back to the tester together with a unique ID. A callback confirms that a stored XSS vulnerability exists and is exploitable, and the ID tells you which injected input reached which page, even if the callback arrives days after the injection.

Practically speaking, blind XSS is difficult to exploit and does not represent a high-priority risk for the majority of web applications. Nevertheless, when it succeeds, blind XSS can be a dangerous logic bomb that compromises your system when you least expect it, typically in the browser of an administrator with the highest privileges. Therefore, when accepting and storing any user-supplied input, make sure it is properly sanitized, and encode it for the context in which it is displayed: the page that renders the stored value is rarely the one that received it, so a filter at the input side alone is easy to forget or bypass.


High-Tech Bridge Security Research Team regularly writes about web and mobile application security, privacy, Machine Learning and AI.
