Remember „semi-persistent“ XSS-attacks?

It was in March of 2008 when I was writing about a third kind of Cross-Site-Scripting attacks, the so called „semi-persistent“ ones. One may prove this at my university’s public library ;-). But here I also have the digital version of it: http://www.erich-kachel.de/?p=181.

The chapter „Semi-Persistent“ explains a type of Cross-Site-Scripting attack which is neither persistent, nor reflexive. It is kind of both of these. Here is the picture with some Step-by-Step-explanation:

1. The user uses an hyperlink (or an redirect or an form) with XSS-payload.
2. He is redirected to his banking web application.
3. The XSS-payload modifies the web page, so that malicious code infects a cookie.
4. When this cookie is sent back to the user it contains malicious code.
5. Some times later the user revisits the banking website.
6. He now uses an official hyperlink or types in the URL. A safe way, isn’t it?
7. The malicious cookie is automatically sent back and infects the website (a keylogger for example).
8. Now the infected website is reaching the users client.
9. Malicious code is now running at the users client.
10. Captivated data is sent to attacker.

Today I am happy to see that this kind of attack is discussed in some more places. Hopefully more developers will keep this on mind and even encode cookie data safely before using it in direct output or even (*scary!*) in SQL queries.