Ras

Basic XSS injection


Cross-Site Scripting, commonly known as XSS, is a type of attack that maliciously gathers information about a user, typically by means of a specially crafted hyperlink that will save the user's credentials. An example of this would be a well-known XSS vulnerability in phpBB that allows the attacker to forge his/her credentials to those of the administrative account. One of the simpler ways of performing an XSS attack is through the use of dynamically generated pages. This relies on the ability to pass information from one page to another, whether valid or malicious. Because a browser will render any valid scripting tag, an attacker is able to pass allowed content to the next page, or even to a stored location to be retrieved at a later time, which may result in a popup with the viewer's cookie, for example.

Example

To test the examples you are going to need a test page: create a normal HTML page with an input box.

example.html


<html>
<head>
</head>
<body>
<form action="example.php" method="get">
<input type="text" name="xss">
<input type="submit" value="Open">
</form>
</body>
</html>

Now create the PHP file that the form submits to:

example.php


<?php
// Deliberately vulnerable: echoes the "xss" parameter back without encoding.
if (isset($_GET['xss'])) {
    $file = $_GET['xss'];

    echo $file;
}
?>

Once you have these two files you are ready to test some XSS injections. For our first XSS example we are going to change the background colour of our test webpage. We're going to use a simple <body bgcolor=#000000> to generate a black background. As mentioned earlier, you can pass data from one page to another that will render the HTML tags the way we want it to. So copy <body bgcolor=#000000>, paste it into the input box and click Open. Once reloaded, the page will turn black, as intended. This alone won't get us anywhere though. We've shown that we can pass HTML tags to other pages, so why not pass some JavaScript to the browser next? The following snippet, when submitted in the test input box, will make an alert box pop up on the screen:

<script>alert("Good times with alerts");</script>

Behind The Scenes

So we know how XSS works, now let's take a look at why it works.


<?php
// Same flaw: the submitted "text" value is printed as-is.
if (isset($_POST['text'])) {
    $file = $_POST['text'];
    echo $file;
}
?>


<form action="xss.php" method="post">
File: <input name="text" type="text"> <input name="" type="submit" value="Open">
</form>

This is the code used on the test page. We can see that it uses PHP to echo whatever is held by the text variable, which was set by whatever was in the input box when we hit submit. It's very simple and very clean, which means it doesn't clean its input. It simply prints out whatever it receives.

Conclusion

So this isn't going to help you perform an XSS, but now you know how XSS works and how you can use it. In order to take advantage of XSS for the purpose of stealing cookies you would instead have to write a script that would store values passed to it. You would then have to craft a link (with your XSS code in it) and provide it to your victim, or get something like JavaScript to load the intended page with said values. Later you can retrieve that stored data and use it as you need, in this case cookie forging. Well, that is all from me. In the meantime try some XSS injection attacks on your own and see if you can work out how to prevent them.
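
One way to prevent the behaviour shown above, as an added example that is not part of the original post: a hardened counterpart of example.php that encodes the value for HTML before echoing it and sends a Content-Security-Policy header as a second layer. The helper names h() and read_param() are hypothetical, and the sample inputs are the two payloads from the tutorial.

```php
<?php
declare(strict_types=1);
// Hardened counterpart of example.php (added example, not the post's own code).

/** Encode a value for output in an HTML body or a quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of making the function return an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Return a query parameter as a string, or '' if it is missing or not a string. */
function read_param(array $query, string $name): string
{
    $value = $query[$name] ?? '';
    return is_string($value) ? $value : '';   // ?xss[]=a arrives as an array
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs: the two payloads used in the tutorial.
    $samples = [
        '<body bgcolor=#000000>',
        '<script>alert("Good times with alerts");</script>',
    ];
    foreach ($samples as $payload) {
        // Prints the encoded form, which a browser shows as text, not markup.
        echo h(read_param(['xss' => $payload], 'xss')), PHP_EOL;
    }
    exit(0);
}

// Served over HTTP: declare the charset so the encoding assumption holds,
// and forbid inline scripts in case an unencoded sink is missed elsewhere.
header('Content-Type: text/html; charset=UTF-8');
header("Content-Security-Policy: default-src 'self'");
header('X-Content-Type-Options: nosniff');

echo '<p>You entered: ', h(read_param($_GET, 'xss')), '</p>';
```

Run from the command line, the script prints the encoded form of both payloads; served in place of example.php, the same input appears on the page as literal text. The encoding in h() fits HTML body and quoted-attribute contexts only; values written into JavaScript, CSS or URLs need the encoding for that context.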
