AIM - chicnstu012
1.) Many websites allow users to input data for various reasons. For example, a website with a guestbook allows users to input data into a comment field so that they may sign it. Other examples include search engines, social websites (like Myspace), e-commerce websites and forums.
There are three types of Cross Site Scripting (XSS) vulnerabilities, but I will only be covering two of them:
Non-persistent (also known as reflected)
Persistent (also known as stored)
Non-persistent XSS vulnerabilities are more common. The injected code is usually delivered through an obfuscated link: clicking it sends you to a script on a different server that steals your cookie(s) and then redirects you back before you even know what is happening.
Persistent XSS vulnerabilities are usually found on social networking websites, blogs and guestbooks. They are the most dangerous of the different types because the victim is not required to click on a link or visit a different website: the injected code is stored on the server, so it is executed automatically whenever the page loads.
2.) In this section of the tutorial I will be using a live website that provides a search engine for free sound files (http://www.freesound.org/searchText.php).
When you come across a website, the first thing to check is whether it's vulnerable to cross site scripting. Let's see what the page displays when we search for "XSS".
As you can see, the search engine displayed our input (AKA keyword) in the search box and also offered an alternative word to search.
One of the easiest ways to check whether a website is vulnerable to XSS is to submit text formatting tags like bold or italics. So for the next search let's enter <b><i>XSS</b></i>
Nope, our search results did not yield what we wanted. So, let's examine the source code and see what's going on.
<form action="http://www.freesound.org/searchText.php" method="post">
<input type="text" size="55" value="<b><i>XSS</b></i>" name="search" id="searchBox"><input type="submit" value="submit" name="submit"><br>
It appears they have some protection against XSS: as you can see, our bold and italic tags were converted into their HTML entity equivalents.
&lt;b&gt; = <b>
&lt;i&gt; = <i>
Let's try again, this time we'll try to "break out" of the search box. The search box code is:
<input type="text" size="55" value="" name="search" id="searchBox">
The value="" attribute is where our input is placed. If we searched "Hello World!" it would read:
<input type="text" size="55" value="Hello world!" name="search" id="searchBox">
So what happens when we search ">XSS (with the double quote included)?
Aha! Now something is not right on the page: "XSS" is displayed outside the search box, so let's take a look at the code this time:
<input type="text" value="" name="search" id="searchBox">XSS" size="55" />
So what happened? Well, when we searched "XSS, our quotation mark closed the value attribute early, which caused the code to read:
<input type="text" size="55" value=""XSS" name="search" id="searchBox">
(Notice that our quote took the place of the default closing one), resulting in what we now see on our search page.
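To make the break-out concrete from the defender's side, here is an added example (not code from the tutorial or from freesound.org) that renders the search box two ways: escapeTagsOnly mimics what the page appears to do (tags come back as entities, but the double quote passes through), and escapeHtml is the fix. The function names renderSearchBox, valueAttributeIntact and decodeEntities are my own. The check at the end re-parses the value attribute out of the rendered tag, which is exactly how you would spot that the bold/italic probe alone says nothing about attribute context.

```javascript
// Added example, not part of the original tutorial.

// Escapes < and > only. <b><i>XSS</b></i> comes back harmless, which is why
// the bold/italic probe made the site look protected.
function escapeTagsOnly(s) {
  return String(s).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Escapes every character that can change meaning inside a double-quoted
// attribute or a text node. & must be handled first so the entities that
// follow are not re-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Reverse of escapeHtml; used only by the check below.
function decodeEntities(s) {
  return s
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Builds the search box with the same markup the page source shows, passing
// the reflected keyword through the chosen escaper (assumed function name).
function renderSearchBox(keyword, escape) {
  return `<input type="text" size="55" value="${escape(keyword)}" name="search" id="searchBox">`;
}

// Defender's check: pull the value attribute back out of the rendered tag and
// confirm it still holds the whole keyword. If an unescaped quote ended the
// attribute early, what we recover is shorter than what was submitted, which
// means the remainder landed in tag/markup context.
function valueAttributeIntact(html, keyword) {
  const m = html.match(/value="([^"]*)"/);
  return m !== null && decodeEntities(m[1]) === keyword;
}

// Runs the tutorial's two probes through each escaper.
function runProbes() {
  const probes = ['<b><i>XSS</b></i>', '">XSS'];
  const results = {};
  for (const [label, esc] of [["tagsOnly", escapeTagsOnly], ["full", escapeHtml]]) {
    results[label] = probes.map(p => {
      const html = renderSearchBox(p, esc);
      return { input: p, html, intact: valueAttributeIntact(html, p) };
    });
  }
  return results;
}

for (const [label, rows] of Object.entries(runProbes())) {
  console.log(`== ${label} ==`);
  for (const r of rows) console.log(`${r.intact ? "ok  " : "LEAK"} ${r.html}`);
}
```

The tag-only escaper passes the bold/italic probe and fails the quote probe; the full escaper passes both. The lesson for a developer is that escaping has to match the context the value is written into: inside a double-quoted attribute, the quote is the character that matters, and a filter that only looks for angle brackets gives a false sense of safety.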
Now that we've found a vulnerable website, you may be asking what we can do with this. If this were a persistent Cross Site Scripting vulnerability, we could deface the page. Since it's not, the most common use is stealing people's cookie(s) by sending them a link that looks something like:
http://www.freesound.org/searchText.php?search="><script>(Insert evil code here)</script>
I'm not going to go into cookie stealing in this tutorial, that's for another time.
4.) I do not have a live website to show you a persistent XSS vulnerability, but I'm still going to discuss them.
XSS can affect ANY form on a web page that accepts user input. In this scenario, I'm creating a profile on a social networking site.
From the picture you can see that I had to input data in many different places to make my L337 profile. Let's go to my account settings and see which forms are available to check for vulnerabilities.
[Screenshot of the account settings form fields; only the field label "3. Here For" is recoverable]
Let's add some HTML code to make all of the fields italicized and then save the changes.
It appears that 3 out of 4 of our inputs are displayed on the profile page, and ALL of them are unsanitized.
Since we have found a persistent XSS vulnerability, we can do whatever our minds can think of. Some possibilities are:
1. Stealing everyone's cookies who views our profile
2. Redirecting someone who views our profile to a different website
it will redirect the unsuspecting victim to meatspin.com
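Both the reflected case in section 2 and the stored case here end the same way: script running in the victim's page reads document.cookie. The standard mitigation on the server side is to mark the session cookie HttpOnly so page script cannot read it at all. The following is an added example, not part of this tutorial, that audits Set-Cookie headers for HttpOnly and the other flags a session cookie should carry. The sample headers are constructed, and the list of session-cookie names in SESSION_COOKIE_NAMES is my assumption, not taken from any real site.

```javascript
// Added example, not part of the original tutorial.

// Assumed names of cookies worth protecting (lower-cased for comparison).
const SESSION_COOKIE_NAMES = ["phpsessid", "session", "sid", "sessionid"];

// Splits one Set-Cookie header into name, value and a lower-cased attribute
// map. Flag attributes (HttpOnly, Secure) map to true; valued ones (Path,
// SameSite) map to their string. A "=" inside the cookie value is preserved.
function parseSetCookie(header) {
  const parts = header.split(";").map(p => p.trim()).filter(p => p.length > 0);
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? "" : parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1);
  }
  return { name: name.trim(), value, attrs };
}

// Returns a list of findings for one header. HttpOnly only matters where the
// cookie is worth stealing, so it is reported for session-looking names;
// Secure and SameSite are expected on every cookie.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  const isSession = SESSION_COOKIE_NAMES.includes(c.name.toLowerCase());
  if (isSession && c.attrs.httponly !== true) {
    findings.push(`${c.name}: missing HttpOnly, readable via document.cookie by injected script`);
  }
  if (c.attrs.secure !== true) {
    findings.push(`${c.name}: missing Secure, will be sent over plain HTTP`);
  }
  if (!("samesite" in c.attrs)) {
    findings.push(`${c.name}: missing SameSite`);
  }
  return findings;
}

// Audits every Set-Cookie header of one response.
function auditResponseCookies(headers) {
  return headers.flatMap(auditSetCookie);
}

// Constructed sample headers (not captured from any real site).
const SAMPLE_HEADERS = [
  "PHPSESSID=abc123; path=/",
  "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "theme=dark; Path=/; Secure; SameSite=Lax",
];

for (const f of auditResponseCookies(SAMPLE_HEADERS)) console.log(f);
```

The first sample header produces three findings, the other two produce none. HttpOnly closes the cookie-theft route specifically; it does not stop an injected script from doing other things in the user's session, so it complements output encoding of every user-supplied field rather than replacing it.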
5.) Many people don't think XSS is a big deal, but when it gives you the power to steal a client's cookies or deface a web page, you come to find out that it can be a lot more dangerous than it is generally thought to be. I hope you enjoyed this tutorial and learned something interesting!