<|-[___________________________________________________________________________]-|>
- -
- [ Advanced XSS Knowledge ] -
- written by novaca!ne -
- -
<|-[___________________________________________________________________________]-|>
# Author: novaca!ne
# Date: 23.03.2010
.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.
Contact: novacaine@no-trace.cc °
Website: www.novacaine.biz .
°
Artwork by: Vincenzo .
°
Greetz fly out to: .
°
Vincenzo, J0hn.X3r, fred777, .
h0yt3r, Easy Laster, td0s, °
Lorenz, Montaxx, maoshe, Palme .
and free-hack.com °
.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.
.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.
Index: °
--( I ]> Introduction .
°
--( II ]> What exactly is XSS ? .
°
--( III ]> How to execute XSS commands.
°
--( IV ]> Bypass techniques .
°
--( V ]> What can we do with XSS ? .
°
--( VI ]> How to fix XSS leakages .
°
--( VII ]> Cheat Sheets .
°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|--( I ]> Introduction
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ Dear reader, I wrote this Whitepaper to sum up everything I know about XSS.
$ It was written to share knowledge, knowledge should be free and available
$ for everyone.
$ You can post and copy this Whitepaper as much as you want, but respect the
$ author's copyrights.
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|--( II ]> What exactly is XSS ?
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ "XSS" is a short form for: "Cross Site Scripting" as you can see by the name , XSS
$ deals with scripting. To be more exact: Javascript.
$ It's about injecting (almost) every Javascript (and html/css)
$ command/script in a website.
$ XSS flaws comes up every time a website doesn't filter the attackers input.
$ In other words:
$ the attacker can inject his malicious script into a website, and the browser just
$ run's the code or script.
$ There are 3 types of XSS, I'm going to talk about the 2 most used:
$ Reflected XSS Attack:
$ When a attacker inject his malicious script into a searchquery, a searchbox,
$ or the end of an url, it's called Reflected XSS Attack. It's like throwing a ball
$ against a wall and receive him back.
$ Stored XSS Attack:
$ Is when an injected XSS script is stored permanent on a website, for example in
$ a guestbook or bulletin board. Stored XSS hit's everyone who just reaches the
$ site with the malicious code.
$ DOM based XSS:
$ This is a rare used method, perhaps I'm going to write another Whitepaper about
$ DOM based XSS attack.
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|--( III ]> How to execute XSS commands
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ Actually, injecting a XSS script is very easy. To check if the target website is
$ vulnerable, just look out for a searchbox or something.
$ Let's say this is how a simple, unsecured search function looks like:
content of index.html
Google
content of google.php
# I'm going to use this script as an example for the rest of this paper #
$ Let's say this script is stored on a webspace, when I type in:
$ 123
$ then it leads me to the url:
http://site.ru/google.php?search=123
$ and shows me
123
$ But now, let's try to inject a simple javascript alert message :
$ and send it.
$ You can replace "turtles" with any other word you want, and even use ' ' instead
$ of " " for example:
$ But I'm keep using "turtles" as example for the rest of this paper.
$ The target website let's us know if it's vulnerable when it prints a popup containing
$ |=========| |======|
$ | turtles | or | 1234 |
$ |=========| |======|
$ Instead of the called code, we can even inject every simple html tags e.g.:
I like turtles
$ and send it.
$ Also, you can paste the code at the end of the url, and visit the site like:
www.site.ru/google.php?search=
$ or
www.site.ru/google.php?search=I like turtles
# It's like the attacker is determining the content of the website. #
$ But even if this doesn't work, there's no reason to worry: that means the website
$ uses filter techniques to avoid XSS flaws. But there are also ways to
$ bypass those filters. How this works, you're going to read in the next chapter.
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|--( IV ]> Bypass techniques
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ There are a lot of ways to bypass XSS filters on websites, I'll number some:
$ 1.) magic_quotes_gpc=ON bypass
$ 2.) HEX encoding
$ 3.) Obfuscation
$ 4.) Trying around
$ 1.) magic_quotes_gpc=ON is a php setting (php.ini).
$ It causes that every ' (single-quote), " (double quote) and \ (backslash)
$ are escaped with a backslash automatically. It's also a well known method
$ to avoid XSS flaws, although it's exploitable.
$ How to bypass it when it's ON? - use the javascript function called
$ String.fromCharCode(), just convert your text in decimal characters
$ (e.g. here: http://www.asciizeichen.de/tabelle.html) and put them in the handling.
$ Using "turtles" (without quote sign) will look like this:
String.fromCharCode(116, 117, 114, 116, 108, 101, 115)
$ now insert this in your alert script:
www.site.ru/google.php?search=
$ 2.) HEX encoding is a useful bypass method, too. Using this step will encode
$ your script, so you can't see clearly on the first look what the code will cause.
$ This is how
$ looks like encrypted in HEX:
www.site.ru/google.php?search=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%2F%74%75%72%74%6C%65%73%2F%29%3B%3C%2F%73%63%72%69%70%74%3E
$ 3.) Obfuscation - sometimes website administrator simply put words like
$ "script","alert()","''" on the "badwords list", that means, when you
$ search for "script" on the website, it just shows you an error, like
$ "you are not allowed to search for this word" or something.
$ but this is a weak protection, you can bypass it using obfuscation.
$ your javascript code like:
$ There are like unlimited possibilities, but that leads us to the
$ next chapter...
$ 4.) Trying around: sometimes you just got to try around, because every website
$ is secured/unsecured in a different, unique way. Some doesn't even use
$ cookies for example. Alway's keep a look at the website's source code!
$ Sometimes you need to adjust your XSS script, like:
">
$ This you need sometimes if you injected your code into a searchbox e.g. and
$ interrupt a html tag, so you first need to close him, then start a new
$ tag (
$ or
www.site.ru/google.php?search=
$ 4.) Cookie stealing: One of the feared things in XSS flaws is the cookie stealing
$ attack. In this method you need to do following:
$ Place this cookiestealer.php in your hoster, and then inject a javascript
$ with your cookie stealer script embedded on your target website.
content of cookiestealer.php (found it somewhere with google)
$ Save it as cookiestealer.php and create a 'log.txt' and upload both files
$ on your own webspace, in the same directory and set "chmod 777".
$ Inject the following code in your target website:
http://www.site.ru/google.php?search=
$ Then the victim's cookie (target's website user who visited the url above) should
$ appear in the log.txt.
$ Now you simply need to insert the cookie (with e.g. live http headers firefox addon)
$ and use it.
$ Obviously you need to replace
http://www.yourphishingsite.ru
$ With the url of your phishingsite.
# PROTIP: rename your 'cookiestealer.php' to something like 'turtles.php', #
# this looks less suspicous. #
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|--( VI ]> How to fix XSS leakages
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ XSS flaws can be very dangerous for your website, even though you can easily
$ secure your own website using the following functions.
##########################################################
# #
# htmlspecialchars() #
# http://php.net/manual/de/function.htmlspecialchars.php #
# #
##########################################################
Example usage:
google.php:
$ OR
##########################################################
# #
# htmlentities() #
# http://php.net/manual/de/function.htmlentities.php #
# #
##########################################################
Example usage:
google.php:
$ What happened? - the function simply replaced every specialchar to a harmless html char.
$ For example when I enter
$ it appears
$ But without any popup, because the <,>,',"
$ turned into <,>,',"
$ The attackers input has become a harmless, unexecutable html code.
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|--( VII ]> Cheat Sheets
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ Here is the XSS cheat sheet, where I got most of them from http://ha.ckers.org/xss.html.
$ Enjoy.
'';!--"=&{()}
;)
)
![](javascript:alert("XSS"))
![](`javascript:alert("RSnake)
![]()
">
))
;)
;)
;)
#############################################################
# #
# PROTIP FOR EVERY XSS INJECTION: #
# use url shortener services such as tinyurl.com or bit.ly #
# to 'hide' your injection, so the victim won't know what's #
# behind that url. #
# #
#############################################################
END OF FILE