Clever Full-Site Tracking with XSS-Track
Cross-site Scripting (or XSS) is a common web application vulnerability with varying levels of severity. Generally the capabilities of an XSS are limited by the locations of the vulnerable inputs and outputs, and crafting complex XSS payloads can be a time-consuming process.
XSS-Track helps simplify cross-site scripting by allowing the attacker to silently track the user across the entire site using a single embedded XSS. It does this by cleverly creating a full-window invisible iframe and maintaining control of the outer window as the user browses the site. This also allows the attacker to look for valuable pieces of information, such as passwords or credit card numbers.
Combining XSS-Track with the older XSS-Shell script, which turns the browser into a zombie of sorts, could give an attacker a significant amount of power over infected sites and their users.
Firefox users may want to consider using the NoScript extension to protect themselves from unknowingly running malicious scripts. Despite having some limited XSS protection and a JavaScript Blacklist extension, Safari unfortunately does not afford nearly the same protection as the whitelist-style Firefox+NoScript combination. If someone releases a NoScript-style JavaScript whitelist for Safari, it'll be a big step forward.