
Saturday, June 9, 2012

Cross-site Scripting (XSS) part 2


Introduction

As you already know from the previous article "XSS tutorial part-1", XSS comes in three types: Stored XSS, Reflected XSS and DOM based XSS. We have discussed stored and reflected XSS, so today we will discuss DOM based XSS.

DOM based XSS

The Wikipedia definition is: DOM-based vulnerabilities occur in the content processing stages performed by the client, typically in client-side JavaScript. The name refers to the standard model for representing HTML or XML content, the Document Object Model (DOM). JavaScript programs manipulate the state of a web page and populate it with dynamically computed data primarily by acting upon the DOM.

Put simply, this type occurs in the JavaScript code itself that the developer runs on the client side. For example:
"A typical example is a piece of JavaScript accessing and extracting data from the URL via the location.* DOM, or receiving raw non-HTML data from the server via XMLHttpRequest, and then using this information to write dynamic HTML without proper escaping, entirely on the client side."

DOM based XSS Demo

Suppose the following code is used to create a form that lets the user choose his/her preferred language. A default language is also provided in the query string, as the parameter "default". We will use the following code for demonstration purposes:

<select>
<script>
document.write("<OPTION value=1>"+document.location.href.substring
(document.location.href.indexOf("default=")+8)+"</OPTION>");
document.write("<OPTION value=2>English</OPTION>");
</script>
</select>

The page is invoked with a URL such as: http://www.some.site/page.html?default=French

A DOM based XSS attack against this page can be accomplished by sending the following URL to a victim:

http://www.some.site/page.html?default=<script>alert(document.cookie)</script>

The original JavaScript code in the page does not expect the default parameter to contain HTML markup, so it simply echoes it into the page (DOM) at runtime. The browser then renders the resulting page and executes the attacker's script:

alert(document.cookie)
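As an added example (not code from the original post), here is the option-building code above rewritten so the "default" parameter cannot inject markup: the value is read with the URL parser and HTML-encoded before it is written, while the post's original substring/indexOf extraction is kept alongside for comparison. It runs under Node; the function names are assumed.

```javascript
// Added example, not from the original post. Shows the page's vulnerable
// extraction next to a hardened builder for the same <OPTION> element.

// Map the five HTML-significant characters to entities so attacker-supplied
// text is displayed literally instead of being parsed as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Equivalent of the post's document.location.href.substring(indexOf("default=")+8):
// returns whatever follows "default=" in the URL, unparsed and unescaped.
function extractDefaultLegacy(href) {
  return href.substring(href.indexOf('default=') + 8);
}

// Hardened version: parse the query string properly (handles percent-encoding
// and extra parameters) and entity-encode the value before it reaches
// document.write. In a real page, prefer document.createElement('option') with
// option.textContent = value, which needs no string escaping at all.
function buildDefaultOption(href) {
  const value = new URL(href).searchParams.get('default') || '';
  return '<OPTION value=1>' + escapeHtml(value) + '</OPTION>';
}

// Constructed sample URLs: the legitimate one and the hostile one from the post.
const benign = 'http://www.some.site/page.html?default=French';
const hostile = 'http://www.some.site/page.html?default=<script>alert(document.cookie)</script>';

console.log(extractDefaultLegacy(hostile)); // raw <script> markup reaches the DOM unchanged
console.log(buildDefaultOption(benign));    // <OPTION value=1>French</OPTION>
console.log(buildDefaultOption(hostile));   // tag characters encoded, no script element created
```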

Now that we have discussed all types of XSS, let's talk about some advanced techniques.

Advanced Techniques

There are some avoidance techniques that can be taken to protect against XSS exploits, but they are often not implemented well. For example:

Many sites may appear vulnerable yet do not execute the injected code, because some kind of filtering is applied. Such filters can often be bypassed; we will demonstrate the most common cases.

METHOD 1 : replace <script> with the null string ""

Here is the vulnerable code, which suffers from reflected XSS despite having a filter:

<?php
// Vulnerable on purpose: the only defence is removing the literal, lowercase
// string "<script>" from the input before echoing it back into the page.
if (!array_key_exists("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == '') {
    $isempty = true;
} else {
    echo '<pre>';
    // str_replace is case-sensitive and matches only this exact tag spelling.
    echo 'Hello ' . str_replace('<script>', '', $_GET['name']);
    echo '</pre>';
}
?>

As you can see in the previous code, the developer replaces the string "<script>" with a null string "".
A common way to bypass this filter is to replace the string "<script>" with "<SCRIPT>": the developer searches only for the lowercase "<script>", so the filter is bypassed by changing the script to <SCRIPT>.......</SCRIPT>.
Here is another way to bypass the same filter:

<script /javascript>alert("Vishal")</script>

Note that it is bad practice to test for XSS with the keyword "XSS" itself, because most well-known sites already block that keyword; that is why alert("Vishal") is used here.

METHOD 2 : magic quotes filtration

In this technique the developer uses what is called magic quotes filtration: the PHP function "addslashes()" adds a backslash before certain special characters (quotes and backslashes). Our traditional JavaScript payload therefore does not work. There are many ways to bypass that filter; we will discuss two of them.

1- The easiest way to bypass it is simply not to use any quotes at all. For example, declare a variable, assign it a number, then alert that variable.

As you can see here: <script>var val= 1; alert(val)</script>

2- This way is somewhat trickier. Here we use a built-in function that converts decimal values into ASCII characters. You can find a complete ASCII table at http://www.asciitable.com/, which will help you write what you want, or you can use the Hackbar Firefox add-on to convert between ASCII and decimal. In my example I will be writing "XSS", which gives the following codes: "120 115 115". Now that we have the decimal values of our string, we need the JavaScript function that converts them back to characters: it is called "String.fromCharCode()". Using it inside alert, as in the example below, you no longer need any quotes.

<script>alert(String.fromCharCode(120, 115, 115))</script>

This will display our message, in this case "XSS". This method is very useful for bypassing magic quotes.
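As an added example (not code from the original post) covering both METHOD 1 and METHOD 2, here are the two server-side filters the post describes (str_replace('<script>', '') and addslashes()) re-expressed in JavaScript beside a proper HTML entity-encoding output filter, each run over the inputs shown in the post. It runs under Node; all function names are assumed.

```javascript
// Added example, not from the original post. Compares the post's two filters
// with output encoding by checking whether a script start tag survives each.

// METHOD 1's filter: exact-case removal of the literal string "<script>",
// mirroring PHP str_replace('<script>', '', $input).
const stripScriptTag = (s) => s.split('<script>').join('');

// METHOD 2's filter: PHP addslashes() escapes quotes and backslashes (NUL omitted
// here). It never touches '<' or '>', so tags pass through untouched.
const addSlashes = (s) => s.replace(/(['"\\])/g, '\\$1');

// Output encoding: every character with HTML meaning becomes an entity, so the
// browser never sees a tag, whatever case or attributes the input used.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ({
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
})[c]);

// Browsers match tag names case-insensitively and allow attributes or a slash
// after the name, so test for a start tag the way a parser would, not by
// exact string equality.
const hasScriptStartTag = (html) => /<script\b/i.test(html);

// Constructed inputs: a harmless name plus the payload shapes the post lists.
// Note that 120,115,115 decode to the lowercase string "xss".
const samples = [
  'Vishal',
  '<script>alert("Vishal")</script>',
  '<SCRIPT>alert("Vishal")</SCRIPT>',
  '<script /javascript>alert("Vishal")</script>',
  '<script>alert(String.fromCharCode(120, 115, 115))</script>',
];

// For one input, report whether a script start tag survives each filter.
function survives(input) {
  return {
    blacklist: hasScriptStartTag(stripScriptTag(input)),
    addslashes: hasScriptStartTag(addSlashes(input)),
    encoded: hasScriptStartTag(escapeHtml(input)),
  };
}

// Count, per filter, how many sample inputs still carry a script start tag.
function leakCounts(inputs = samples) {
  const total = { blacklist: 0, addslashes: 0, encoded: 0 };
  for (const s of inputs) {
    const r = survives(s);
    for (const k of Object.keys(total)) total[k] += r[k] ? 1 : 0;
  }
  return total;
}

console.log(leakCounts()); // { blacklist: 2, addslashes: 4, encoded: 0 }
```

The blacklist stops only the two payloads spelled exactly "<script>", addslashes stops none of them at the markup level, and entity encoding leaves no tag for the browser to execute.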
