
XSS That some people forget about

This article describes a few types of XSS methods that you can use, which a lot of sites forget about.



OK, if you don't already know what XSS is, google it and learn the basics; I am not going to reinvent the wheel, because that would be just another article repeated in HBH's archives.

So first off, let's say we are working with a search page on a website. Most commonly you would try <h1>asdf</h1> to see if it allows tags. More and more websites are catching up on XSS and are stripping tags in their search pages and other input forms. However, there are things that the programmer of the site may have forgotten about. The majority of exploits in big websites that think their security is good will be in the minor little things that they forget about.

So now that you have tried the usual HTML tags in the search and your attempt fails, think for a second. Are there other search options that don't normally give you your very own text input, like a select box? You could always use some JavaScript to edit that value so that it closes the option in the HTML, breaking you out of the select box and allowing you to enter HTML.

Here is an example of the above before a user edits it with JavaScript:

<form>
<select>
<option value="red">red</option>
</select>
</form>

Now after the user injects the form with ">red</option></select><h1>insert html tags here</h1>:

<form>
<select>
<option value="asdf">red</option>
</select><h1>insert html tags here</h1>
</form>

Another way to do the same thing, but a little differently: if the search text box keeps your search keywords in the box after you click search, then you have another chance to input HTML. Look at the source and see how many quotes they use for the value of the text box, then enter that and the closing bracket and voilà! Once again you have HTML input.

So here is the example of the source before the input:

<input type="text" value="">

And after injecting asdf"><h1>insert html tags here</h1> into the text box:

<input type="text" value="asdf"><h1>insert html tags here</h1>
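On the defending side, both breakouts above are closed by encoding the echoed value for the attribute context and by checking a select value against the server's own list instead of trusting the form. This is an added example, not code from the original article: the function names and the colour list are assumptions, and the two input strings are the ones the article uses.

```javascript
// Added example; all function names and ALLOWED_COLORS are hypothetical.
const ALLOWED_COLORS = ["red", "green", "blue"]; // assumed server-side option list

// Encode every character that can end an attribute value or open a tag.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// BEFORE: the search term is echoed into value="" as-is, so a `">` in the
// input closes the attribute and the tag (the article's text box case).
function renderSearchBoxUnsafe(q) {
  return `<input type="text" value="${q}">`;
}

// AFTER: same markup, output-encoded for the attribute context.
function renderSearchBox(q) {
  return `<input type="text" value="${escapeHtml(q)}">`;
}

// BEFORE: the submitted <select> value is trusted because the form
// "only offers" fixed options (the article's select box case).
function renderColorSelectUnsafe(selected) {
  return `<select><option value="${selected}">${selected}</option></select>`;
}

// AFTER: the value is checked against the server's list, and still encoded.
function renderColorSelect(selected) {
  const color = ALLOWED_COLORS.includes(selected) ? selected : ALLOWED_COLORS[0];
  const options = ALLOWED_COLORS.map((c) => {
    const sel = c === color ? " selected" : "";
    return `<option value="${escapeHtml(c)}"${sel}>${escapeHtml(c)}</option>`;
  });
  return `<select>${options.join("")}</select>`;
}

// Constructed inputs: the two strings the article submits.
const textPayload = 'asdf"><h1>insert html tags here</h1>';
const selectPayload = '">red</option></select><h1>insert html tags here</h1>';

console.log(renderSearchBoxUnsafe(textPayload)); // markup escapes the attribute
console.log(renderSearchBox(textPayload));       // stays inside value=""
console.log(renderColorSelectUnsafe(selectPayload));
console.log(renderColorSelect(selectPayload));   // falls back to the first allowed option
```

Stripping tags from the input does not replace this step, because the quote character alone is what ends the attribute.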

In conclusion, you want to look for things that the programmer may have forgotten to secure, such as a username availability page or whatnot.

This article is for educational purposes only. HBH and the author are not responsible for any actions learned through this article.

- Chislam

Comments

Uber0n on October 08 2006 - 20:58:18
This was a nice article ^^ especially liked the textbox thing (never thought of that one before) Wink Thanks!
contactV13 on October 09 2006 - 03:26:47
I've used them before. :happy:
SwiftNomad on October 09 2006 - 03:29:17
This was an OK article. Next time give a little more detail. Show examples.
chislam on October 09 2006 - 20:42:48
I updated it with examples Grin
thk-geo on October 10 2006 - 07:07:52
What do you mean forgot? I use em all the time Pfft
chislam on October 10 2006 - 11:27:48
Well, as in people forgetting, I mean the people who coded the site, and they forget about the little things that can actually hurt them.
Arto_8000 on October 11 2006 - 22:53:20
Well the most common way to use them is with a picture and an event attached to it ... [ img ]' onmousemove='window.history.go(-1)[ /img ]. This lets you run JavaScript code easily and is harder to detect because you're not using any HTML tag. Also, if you can add an HTML tag like this, it's probably because you could already add them without any bbcode tag or something else.
chislam on October 12 2006 - 01:12:52
Well, this article is stuff more related to breaking out of text boxes and whatnot.
digitalchameleon on May 16 2007 - 08:30:49
A little short, but really helpful.
YndiHalda on September 13 2007 - 03:47:39
I don't really understand this example, the injection is made from the query string, no? I don't see how the form is being changed... Also Arto, the trouble with that is most forum software uses htmlentities and double quotes on the HTML attributes, so you can't break out of an img tag attribute, because if you use a " it's replaced with the HTML quote entity. I'd really like to see some up-to-date attack methods.