Friday, 23 May 2014

Think before you include external scripts from other domain

Hello ,
While Penetration Testing I found out one interesting thing . 

If you use external scripts from other domain then you should be careful and cautious about the http cookie access.Certain time it can happen that you need to include scripts from other domain. But if you are not taking  enough  care of security practices, then other users account can be compromised by session hijacking and session fixation even if your website is not vulnerable .

 Confused ? Okay I will make it easy. What will happen if the web server from where you are including the external JS scripts is compromised ? Well you may think that's not a big deal because that's not the server where the developer is hosting the website. But what if I modify that external JS script of the compromised server ? 
 Anyway I wont speak much and will give you a small demo instead.

Here is the source code of the external JS file located at This code return a random quote from an array.The server at this location is hacked and this code will be modified by the attacker later.

This is somehow the source code looks like at

And here is how the application looks like. The function message() basically returns a random quote from an array and once someone logs in a message is displayed on the index page somewhat like this 

So once the attacker found that a external  JS script is used by a secured web site from the compromised location , he decided to inject some malicious code in that  . The code will  steal cookies and send it back to the attacker  at So here is the exploited code.

And now back at the attacker machine at an attacker keep a listener . I am running a simple http server and it will actually log all the requests made to it.

And this is how the login screen looks

Now the actual fun begins. The victim logs into the system with her own username and password . And once she logs , the JS code executes , the cookies are stolen and sent to the attacker . Look at the logs

Now the attacker try to inject the hijacked cookies in his own cookies.

Boom :) :) ... Now the attacker is the admin :) ... Hope you enjoyed reading it .