views: 89
answers: 4

A client I'm working for has mysteriously ended up with some malicious scripting going on on their site. I'm a little baffled however because the site is static and not dynamically generated - no PHP, Rails, etc. At the bottom of the page though, somebody opened a new tag and a script. When I opened the file on the webserver and stripped the malicious stuff and re-uploaded, it was still there. How is this possible? And more importantly, how can I combat this?

EDIT: To make it weirder, I just noticed the script only shows up in the source if the page is accessed directly as 'domain.com/index.html' but not as just 'domain.com'.

EDIT2: At any rate, I found some php file (x76x09.php) sitting on the web server that must have been updating the html file despite my attempts to strip it of the script. I'm currently in the clear but I do have to do some work to make sure rogue files don't just appear again and cause problems. If anyone has any suggestions on this feel free to leave a comment, otherwise thanks for the help everyone! It was very much appreciated!

+2  A: 

No, it's not possible unless someone has access to your files. So in your case someone has access to your files.

Edit: It's best if you ask in serverfault.com regarding what to do in case the server is compromised, but:

  • change your shell passwords
  • have a look at /var/log/messages for login attempts
  • finger root
  • have a look at last modification time of those files

There is also a high probability that the files were altered via HTTP by using a vulnerability in a software component you use together with the static files.

cherouvim
Certainly not what I was hoping to hear. Any way I could check this? Should I just change passwords and hope for the best?
JKB
@JKB: Definitely change the password. Look at the files in the site's directories for anything suspicious (i.e., something you didn't put there). Also you might want to contact the hosting company, if one account was compromised, others could be too - it could be a server-wide problem.
FrustratedWithFormsDesigner
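A defender-side triage script for the checks suggested in this answer (stray server-side files, recent modification times, content appended to the pages). This is an added example, not code from the thread or from any poster; the fixture web root, the file names other than x76x09.php and the script URL are constructed for the demo.

```shell
#!/bin/sh
# Added example: triage a supposedly static web root after the kind of
# tampering described in the question. Prints one finding per line.

# audit_static_root WEBROOT [DAYS]  (DAYS defaults to 7)
audit_static_root() {
  root=$1
  days=${2:-7}
  # 1. Server-side code has no business in a static site (the asker's dropper
  #    was a stray x76x09.php).
  find "$root" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.cgi' \) |
    sed 's/^/SERVER-SIDE: /'
  # 2. Anything written within the last DAYS days; compare against your own
  #    deployment dates.
  find "$root" -type f -mtime -"$days" | sed 's/^/RECENT: /'
  # 3. A <script> tag after </html>: content appended to the end of a page,
  #    as in the question, usually lands there.
  find "$root" -type f \( -name '*.html' -o -name '*.htm' \) -exec awk '
    { line = tolower($0) }
    closed && line ~ /<script/ { print "APPENDED-SCRIPT: " FILENAME; exit }
    !closed {
      i = index(line, "</html>")
      if (i) {
        closed = 1
        if (substr(line, i + 7) ~ /<script/) { print "APPENDED-SCRIPT: " FILENAME; exit }
      }
    }' {} \;
}

# Constructed fixture (not real data): one untouched page, one page with an
# appended script, and a stray PHP file named like the one the asker found.
make_fixture() {
  fx=$(mktemp -d)
  printf '<html><body>home</body></html>\n' > "$fx/index.html"
  touch -t 202001010000 "$fx/index.html"          # old mtime: not "recent"
  printf '<html><body>about</body></html>\n' > "$fx/about.html"
  printf '<script src="http://injected.example/x.js"></script>\n' >> "$fx/about.html"
  printf '<?php /* stand-in for the dropper */ ?>\n' > "$fx/x76x09.php"
  echo "$fx"
}

# Demo run on the constructed fixture
audit_static_root "$(make_fixture)"
```

Run it against the real document root with a DAYS value that covers the time since your last legitimate upload, and review every RECENT line you cannot account for.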
A: 

You should probably talk to your hosting company about this. Also, check that your file permissions aren't more lenient than they should be for your particular environment.

John McCollum
A: 

That's happened to me before - this happens if they get your FTP details. So, whoever did it, obviously got ahold of your FTP details somehow.

Best thing to do is change your password and contact your webhosting company to figure out a better solution.

Unfortunately, FTP isn't the most secure...

xil3
A: 

To the point about the site not having pages executing on the server, XSS is absolutely still possible using a DOM based attack. Usually this will relate to JavaScript execution outputting content to the page. Just last week WhiteHat Security had an XSS vulnerability identified on a purely “static” page.

It may well be that the attack vector relates to file level access but I suggest it’s also worthwhile taking a look at what’s going on JS-wise.

Troy Hunt