<|-[___________________________________________________________________________]-|> - - - [ Advanced XSS Knowledge ] - - written by novaca!ne - - - <|-[___________________________________________________________________________]-|> # Author: novaca!ne # Date: 23.03.2010 .°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°. Contact: novacaine@no-trace.cc ° Website: www.novacaine.biz . ° Artwork by: Vincenzo . ° Greetz fly out to: . ° Vincenzo, J0hn.X3r, fred777, . h0yt3r, Easy Laster, td0s, ° Lorenz, Montaxx, maoshe, Palme . and free-hack.com ° .°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°. .°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°. Index: ° --( I ]> Introduction . ° --( II ]> What exactly is XSS ? . ° --( III ]> How to execute XSS commands. ° --( IV ]> Bypass techniques . ° --( V ]> What can we do with XSS ? . ° --( VI ]> How to fix XSS leakages . ° --( VII ]> Cheat Sheets . °.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.° <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~> |--( I ]> Introduction <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~> $ Dear reader, I wrote this Whitepaper to sum up everything I know about XSS. $ It was written to share knowledge, knowledge should be free and available $ for everyone. $ You can post and copy this Whitepaper as much as you want, but respect the $ author's copyrights. <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~> |--( II ]> What exactly is XSS ? <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~> $ "XSS" is a short form for: "Cross Site Scripting" as you can see by the name , XSS $ deals with scripting. To be more exact: Javascript. $ It's about injecting (almost) every Javascript (and html/css) $ command/script in a website. $ XSS flaws comes up every time a website doesn't filter the attackers input. $ In other words: $ the attacker can inject his malicious script into a website, and the browser just $ run's the code or script. $ There are 3 types of XSS, I'm going to talk about the 2 most used: $ Reflected XSS Attack: $ When a attacker inject his malicious script into a searchquery, a searchbox, $ or the end of an url, it's called Reflected XSS Attack. It's like throwing a ball $ against a wall and receive him back. $ Stored XSS Attack: $ Is when an injected XSS script is stored permanent on a website, for example in $ a guestbook or bulletin board. Stored XSS hit's everyone who just reaches the $ site with the malicious code. $ DOM based XSS: $ This is a rare used method, perhaps I'm going to write another Whitepaper about $ DOM based XSS attack. <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~> |--( III ]> How to execute XSS commands <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~> $ Actually, injecting a XSS script is very easy. To check if the target website is $ vulnerable, just look out for a searchbox or something. $ Let's say this is how a simple, unsecured search function looks like: content of index.html Google
Google: 
content of google.php # I'm going to use this script as an example for the rest of this paper # $ Let's say this script is stored on a webspace, when I type in: $ 123 $ then it leads me to the url: http://site.ru/google.php?search=123 $ and shows me 123 $ But now, let's try to inject a simple javascript alert message : $ and send it. $ You can replace "turtles" with any other word you want, and even use ' ' instead $ of " " for example: $ But I'm keep using "turtles" as example for the rest of this paper. $ The target website let's us know if it's vulnerable when it prints a popup containing $ |=========| |======| $ | turtles | or | 1234 | $ |=========| |======| $ Instead of the called code, we can even inject every simple html tags e.g.:

I like turtles

$ and send it. $ Also, you can paste the code at the end of the url, and visit the site like: www.site.ru/google.php?search= $ or www.site.ru/google.php?search=

I like turtles

# It's like the attacker is determining the content of the website. # $ But even if this doesn't work, there's no reason to worry: that means the website $ uses filter techniques to avoid XSS flaws. But there are also ways to $ bypass those filters. How this works, you're going to read in the next chapter. <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~> |--( IV ]> Bypass techniques <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~> $ There are a lot of ways to bypass XSS filters on websites, I'll number some: $ 1.) magic_quotes_gpc=ON bypass $ 2.) HEX encoding $ 3.) Obfuscation $ 4.) Trying around $ 1.) magic_quotes_gpc=ON is a php setting (php.ini). $ It causes that every ' (single-quote), " (double quote) and \ (backslash) $ are escaped with a backslash automatically. It's also a well known method $ to avoid XSS flaws, although it's exploitable. $ How to bypass it when it's ON? - use the javascript function called $ String.fromCharCode(), just convert your text in decimal characters $ (e.g. here: http://www.asciizeichen.de/tabelle.html) and put them in the handling. $ Using "turtles" (without quote sign) will look like this: String.fromCharCode(116, 117, 114, 116, 108, 101, 115) $ now insert this in your alert script: www.site.ru/google.php?search= $ 2.) HEX encoding is a useful bypass method, too. Using this step will encode $ your script, so you can't see clearly on the first look what the code will cause. $ This is how $ looks like encrypted in HEX: www.site.ru/google.php?search=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%2F%74%75%72%74%6C%65%73%2F%29%3B%3C%2F%73%63%72%69%70%74%3E $ 3.) Obfuscation - sometimes website administrator simply put words like $ "script","alert()","''" on the "badwords list", that means, when you $ search for "script" on the website, it just shows you an error, like $ "you are not allowed to search for this word" or something. $ but this is a weak protection, you can bypass it using obfuscation. $ your javascript code like: $ There are like unlimited possibilities, but that leads us to the $ next chapter... $ 4.) Trying around: sometimes you just got to try around, because every website $ is secured/unsecured in a different, unique way. Some doesn't even use $ cookies for example. Alway's keep a look at the website's source code! $ Sometimes you need to adjust your XSS script, like: "> $ This you need sometimes if you injected your code into a searchbox e.g. and $ interrupt a html tag, so you first need to close him, then start a new $ tag ( $ or www.site.ru/google.php?search= $ 4.) Cookie stealing: One of the feared things in XSS flaws is the cookie stealing $ attack. In this method you need to do following: $ Place this cookiestealer.php in your hoster, and then inject a javascript $ with your cookie stealer script embedded on your target website. content of cookiestealer.php (found it somewhere with google) $ Save it as cookiestealer.php and create a 'log.txt' and upload both files $ on your own webspace, in the same directory and set "chmod 777". $ Inject the following code in your target website: http://www.site.ru/google.php?search= $ Then the victim's cookie (target's website user who visited the url above) should $ appear in the log.txt. $ Now you simply need to insert the cookie (with e.g. live http headers firefox addon) $ and use it. $ Obviously you need to replace http://www.yourphishingsite.ru $ With the url of your phishingsite. # PROTIP: rename your 'cookiestealer.php' to something like 'turtles.php', # # this looks less suspicous. # <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~> |--( VI ]> How to fix XSS leakages <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~> $ XSS flaws can be very dangerous for your website, even though you can easily $ secure your own website using the following functions. ########################################################## # # # htmlspecialchars() # # http://php.net/manual/de/function.htmlspecialchars.php # # # ########################################################## Example usage: google.php: $ OR ########################################################## # # # htmlentities() # # http://php.net/manual/de/function.htmlentities.php # # # ########################################################## Example usage: google.php: $ What happened? - the function simply replaced every specialchar to a harmless html char. $ For example when I enter $ it appears $ But without any popup, because the <,>,'," $ turned into <,>,'," $ The attackers input has become a harmless, unexecutable html code. <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~> |--( VII ]> Cheat Sheets <~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~> $ Here is the XSS cheat sheet, where I got most of them from http://ha.ckers.org/xss.html. $ Enjoy. '';!--"=&{()} "> ############################################################# # # # PROTIP FOR EVERY XSS INJECTION: # # use url shortener services such as tinyurl.com or bit.ly # # to 'hide' your injection, so the victim won't know what's # # behind that url. # # # ############################################################# END OF FILE