Helpful knowledge: HTML, Javascript
1. What is XSS?
XSS, or Cross-Site Scripting, in layman's terms, is sending code snippets through URLs, guest books, forums, message boards, and other means of web interaction, so that the site echoes them back to other visitors. XSS has become perhaps one of the #1 problems for a lot of major web sites.
2. Why?
One of the main reasons to use XSS is to force other people to a site of the attacker's choosing. By a simple JavaScript command, inserted correctly, I can (not here of course, but on exploitable forums) send a user directly to http://www.google.com.
Code:
<script language="javascript">
location.href="http://www.google.com"
</script>
3. How?
XSS is most commonly used in guestbooks. The most vulnerable guestbooks, the ones that do no filtering at all, usually hold no sensitive information, so there is nothing there that you would need a user's cookie for. These unprotected guestbooks are simply practiced on. For example, if I inserted this raw section of JavaScript into an unfiltered guestbook, I would receive a popup box saying "XSS".
Code:
<script language="javascript">
alert('XSS');
</script>
4. Real Example
I found an XSS exploit in a quite popular guestbook, the HTML Gear guestbook by Lycos. This guestbook is pretty tightly filtered in the comment section, so I tried elsewhere. In the below picture you see a text box that is marked "Homepage URL". Apparently, whatever you type in here is placed directly into the HTML for a link: <a href="What you entered in textbox">What you entered in textbox</a>. Now, if I put a double quote ( " ) in my entry, the link would contain whatever I entered before it in the text box, because the quote would end the value of the href attribute in the <a> tag. That means whatever I put after the quote could be used as a JavaScript event handler attribute on the <a> tag. For this tutorial, I will use the "OnMouseOver" JavaScript event handler, but in reality it's up to you which event handler you decide to use. After the OnMouseOver event handler, I'm going to have a simple alert box pop up saying "XSS". For this I would use alert('XSS'). So, for my entire entry, I would put:
Code:
http://www.google.com" OnMouseOver="alert('XSS')
~ fromint (Exploit works as of 6-03-07)