XSS injections tutorial
Posted 2011-03-08, 05:41 PM
Contact:
chicnstu012[at]yahoo.com
AIM - chicnstu012


XSS INJECTIONS



1.) Many websites allow users to input data for various reasons. For example, a website with a guestbook allows users to input data into a comment field so that they may sign it. Other examples include search engines, social websites (like Myspace), e-commerce websites and forums.

There are three types of Cross Site Scripting vulnerabilities (XSS), but I will only be covering two of them:

Non-persistent
Persistent (Also known as stored)


Non-persistent XSS vulnerabilities are more common, and are usually sent via an obfuscated link which redirects you to a script on a different server, steals your cookie(s) and then redirects you back before you even know what is happening.

Persistent XSS vulnerabilities are usually found in social networking websites, blogs and guestbooks. They are the most dangerous of the different types because a user is not required to click on a link or visit a different website; the code is automatically executed when the page loads because it is stored on the server.

==========================NON-PERSISTENT XSS=========================

2.) In this section of the tutorial I will be using a live website that provides a search engine for free sound files. (http://www.freesound.org/searchText.php)

When you come across a website, you must first check to see if it's vulnerable to cross site scripting. Let's see what the page displays when we search "XSS".



As you can see, the search engine displayed our input (AKA keyword) in the search box and also offered an alternative word to search.

One of the easiest ways to check and see if a website is vulnerable to XSS is by adding text formatting tags like bold or italics. So for the next search let's enter <b><i>XSS</b></i>

Nope, our search results did not yield anything that we wanted. So, let's examine the source code and see what's going on.

PHP Code:
<form action="http://www.freesound.org/searchText.php" method="post">
    <input type="text" size="55" value="&lt;b&gt;&lt;i&gt;XSS&lt;/b&gt;&lt;/i&gt;" name="search" id="searchBox"><input type="submit" value="submit" name="submit"><br

It appears they have some protection against XSS; as you can see, our bold and italic tags were converted into their HTML values.

PHP Code:
"&lt;b&gt;" = <b>
and
PHP Code:
"&lt;i&gt;" = <i>
Let's try again, this time we'll try to "break out" of the search box. The search box code is:

PHP Code:
<input type="text" size="55" value="" name="search" id="searchBox">
Where
PHP Code:
value="" 
is where our input is placed. If we searched "Hello World!" It would read:

PHP Code:
<input type="text" size="55" value="Hello world!" name="search" id="searchBox">
So what happens when we search ">XSS (the double quote included) ?



Aha! Now something is not right on the page. "XSS" is outside the search box, so let's take a look at the code this time:

PHP Code:
<input type="text" value="" name="search" id="searchBox">XSS" size="55" /&gt; 
So what happened? Well, when we searched "XSS, our quotation mark ended the value field, which caused the code to read:

PHP Code:
<input type="text" size="55" value=""XSS" name="search" id="searchBox"> 
(Notice our quote took the place of the default closing one)

Resulting in what we have now on our search page.

3.) Instead of adding XSS after the quote, let's insert some javascript and see what happens. We'll search "><script>alert("Hai!")</script>

:O



What's happening is that when the web application produces the output page based on our input, it inserts our data into the page without filtering it first. So if we enter our own HTML or javascript, the webpage will execute it, reading our code as part of the webpage.


Now that we've found a vulnerable website, you may be asking, what can we do with this? If this was a persistent Cross Site Scripting vulnerability, we could deface the page. But being that it's not, the most common use is stealing people's cookie(s) by sending them a link that looks something like:

http://www.freesound.org/searchText.php?search="><script>(Insert evil code here)</script>

I'm not going to go into cookie stealing in this tutorial; that's for another time.


=============================PERSISTENT XSS==================================


4.) I do not have a live website to show you a persistent XSS vulnerability, but I'm still going to discuss them.

XSS can affect ANY form on a webpage that allows user input. In this scenario, I'm creating a profile on a social networking site.




From looking at the picture you can see that I had to input data into many different places to make my L337 profile. Let's go to my account settings and see what forms are available to check for vulnerabilities.



In this section, we have 4 places that we can check for XSS vulnerabilities. (Technically more if you know how to edit forms with javascript or have the right add-ons and can edit website content in real-time.)

1. Occupation
2. Zip
3. Here For
4. Interests

Let's add some html code to make all of the fields italicized and then save the changes.




It appears that 3 out of 4 of our inputs are displayed on the profile page, and ALL of them are un-sanitized.



This time I'm going to add some javascript to make a pop-up box into my "Interests" section and see what happens.




As you can see, the javascript code was parsed, and anyone who views my profile page will see that pop-up.


Since we have found a Persistent XSS vulnerability, we can do whatever our minds can think of. Some possibilities are:

1. Stealing everyone's cookies who views our profile
2. Redirecting someone who views our profile to a different website
3. Defacing the page with basic javascript like document.write
4. Etc..

If instead of adding javascript that makes a pop-up alert, I add

PHP Code:
<script>document.location="http://www.meatspin.com"</script> 
it will redirect the unsuspecting victim to meatspin.com (NSFW!!!)


5.) Many people don't think XSS is a big deal, but when it gives you the power to steal a client's cookies or deface a webpage, you come to find out that it can be a lot more dangerous than generally accepted to be. I hope you enjoyed this tutorial and learned something interesting!
-Spector-
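
An added example, not part of -Spector-'s post and not the site's own code: it shows why converting only `<` and `>` still lets a double quote close the `value` attribute of the search box, and how attribute-safe output encoding keeps the same inputs inside it. The same encoder applies to stored profile fields before they are written into a page. The function names and the angle-brackets-only filter are assumptions made for the illustration.

```javascript
// Added example: constructed encoders, not freesound.org's code.

// Assumed weak filter: only angle brackets are converted, as the first test suggested.
function encodeAnglesOnly(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Attribute-safe encoding: also covers &, " and ' so the value cannot be closed early.
function encodeForAttribute(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render the search box from the tutorial with a chosen encoder.
function renderSearchBox(input, encode) {
  return '<input type="text" size="55" value="' + encode(input) +
         '" name="search" id="searchBox">';
}

// Reverse the entity encoding, the way a browser decodes an attribute value.
function decodeEntities(s) {
  const map = { "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'", "&amp;": "&" };
  return s.replace(/&(?:lt|gt|quot|#39|amp);/g, (e) => map[e]);
}

// Read back what a browser would take as the value attribute:
// everything from value=" up to the next double quote.
function parsedValue(html) {
  const m = /value="([^"]*)"/.exec(html);
  return m ? decodeEntities(m[1]) : null;
}

// True when the whole input stayed inside the value attribute.
function staysInsideAttribute(input, encode) {
  return parsedValue(renderSearchBox(input, encode)) === input;
}

// Inputs taken from the tutorial above.
const samples = ["Hello world!", "<b><i>XSS</b></i>", '">XSS'];
for (const s of samples) {
  console.log(JSON.stringify(s),
    "angles-only:", staysInsideAttribute(s, encodeAnglesOnly),
    "attribute-safe:", staysInsideAttribute(s, encodeForAttribute));
}
```
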
 



 
Posted 2011-03-08, 06:45 PM in reply to -Spector-'s post "XSS injections tutorial"
noscript
 
 
!King_Amazon!
 



 
Posted 2011-03-08, 07:14 PM in reply to !King_Amazon!'s post starting "noscript"
mmm <plaintext>
 
 
-Spector-
 



 
