A friend’s blog was recently hit with a bug that caused some trouble for her. In her comments a reader asked how this could be possible. This page is for them and anyone else interested in the fun that can be had with Cross Site Scripting or XSS.
Consider this link:
When viewed in the browser it looks like this: Google
There’s all kinds of things we can put inside href="HERE" that can do fun things and…well…not so fun things.
We’ve all received the emails telling us that our bank wants to update certain information about us and requests that we go to their website. They are kind enough to include a link to the bank that might look like this:
But the real link sends you someplace else. By hovering your mouse over the link, right clicking, and selecting VIEW SOURCE or PROPERTIES or LINK PROPERTIES or whatever the equivalent is in your browser you would see something like this:
By clicking on the link you would end up on my site and not your bank’s. Typically this isn’t what you would want to happen but in this case it’s relatively safe. For those who are paranoid, we always check the source before we click unsolicited links…and most solicited links…and we would see that the actual target site isn’t the site where we want to go. There are ways around this as well. We’ll continue on with the NationalBank.com example:
Looks the same but…where are you going this time? Here’s the source:
It’s the same thing just encoded as hexadecimal.
Again…looks fine in the browser but what about the source:
Same link but encoded in hex: http://www.NationalBank.com/
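The check described above (look at the real href, not the text you see, and decode it first) can be automated. This is an added example and not code from the original post: it walks the anchors in a chunk of HTML, undoes percent-encoding and numeric character references, and flags links whose visible text names one host while the decoded href points at another. The sample HTML and the target domain phish.example are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse


class LinkCollector(HTMLParser):
    """Collect each <a> tag's href together with its visible link text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def decode_href(href):
    """Undo &#x68;-style and &#104;-style entities, then %68-style percent-encoding."""
    href = re.sub(r"&#x([0-9a-fA-F]+);", lambda m: chr(int(m.group(1), 16)), href)
    href = re.sub(r"&#(\d+);", lambda m: chr(int(m.group(1))), href)
    return unquote(href)


def audit_links(html):
    """Return one finding per link: decoded target host and whether text and target disagree."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = (urlparse(decode_href(href)).hostname or "").lower()
        shown = text if "://" in text else "http://" + text
        shown_host = (urlparse(shown).hostname or "").lower()
        looks_like_url = "." in text and " " not in text  # plain words like "Google" are not compared
        suspicious = looks_like_url and shown_host != real_host
        findings.append({"text": text, "target": real_host, "suspicious": suspicious})
    return findings


# Constructed sample: a plain link, a disguised link, and the same disguised link percent-encoded.
SAMPLE_HTML = (
    '<a href="http://www.google.com/">Google</a>'
    '<a href="http://phish.example/login">http://www.NationalBank.com/</a>'
    '<a href="%68%74%74%70%3A%2F%2F%70%68%69%73%68%2E%65%78%61%6D%70%6C%65%2F">'
    "http://www.NationalBank.com/</a>"
)
```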
I don’t know for certain as I didn’t do any analysis of the machine but I’m guessing a comment or trackback was left on the site that forced a malicious script on her blog. When people loaded the page the script was executed which forced some stuff to the readers’ computers…that stuff being a Compiled Windows Help file (*.CHM) which then executed, beginning a big long nasty string of events ranging from antivirus programs being triggered to outright infections.
If you think you have been attacked by the bloodhound.exploit.6 exploit then you can find “cleanup” instructions here.
If you want to learn more about this exploit, the DShield list has a great writeup by Peter Stendahl-Juvonen.