XSS

Hey everyone.

I'm sure most people know what xss is. So, this article is meant for those that don't.


I've known for a while what XSS is and what it's used for, but I never really understood it.
Anyway, XSS, or cross-site scripting, is used to steal cookies. Why steal cookies, you ask? Simple really: cookies usually contain
sensitive data, e.g. usernames, passwords, personal info, and sessions.

A session is exactly what it sounds like: a unique number the server uses to identify someone. When someone logs in, the server generates
a random number and saves it as a cookie on that user's computer. Then, as the user browses the site, rather than having to log in again on each
page, the server looks for the session number and checks who it matches. When that user logs out, the session is destroyed.
So, if you could obtain that user's session number, you could trick the server into thinking you were that person. However, if you try to use
that user's session number after he/she has logged out, it will be invalid.

So, let's look at the other stuff in cookies, say usernames and passwords. Most of the time the password will be encrypted, maybe the username too.
So, your first step is figuring out what type of encryption it uses. Some probable ones are:
md5
sha1
base64
des
It's not too hard to tell these apart. MD5 has 32 chars, SHA1 has 40, and sometimes different lengths. I don't know much about DES, except that I hate it.
Base64 often ends with a "=", and it is the only one of the four that is decryptable. The others you have to bruteforce or dictionary attack.
But the good thing about them is that they don't expire unless the user changes his/her password.

So, you know why you want cookies; now how do you get them? Well, as a lot of people don't know what cookies are or what they do, you could probably
just ask for them. If this doesn't work, don't give up hope, there are other ways. When you go to sites, you've probably seen search boxes, places to log in,
register an account, etc. These are all possible targets.

To test them, you could try a few things, such as:
Code

<script>alert("xss")</script>

You are trying to see if JavaScript is filtered. If you hit enter or whatever and a message box pops up, you know it is not. However, if nothing happens, don't lose hope.
They've filtered the most common way; this is usually expected. Hmm, what other ways are there? Maybe this will work:
Code

<img src="x.gif" onerror="alert('xss')">

And there are many more; I leave the task of finding ways of injecting JS to you.

Now, if a message box popped up, time to move on to the next step. How could we use this to get cookies? Well, searches and other things usually use GET, which means
variables are passed in the URL. So, if you look up at the URL, you may see things similar to
Code

http://site.com/index.php?query=this+is+my+search
http://site.com/index.php?a=register&type=free
http://site.com/index.php?a=view&page=register

So, if you see a site that has something like that, good. You can now start on your cookie stealer. I'm not going to show how to make a cookie stealer; it's not hard to find
out how to, just do a quick search. Also, if you look at the third example, you may notice that it could be vulnerable to RFI, or remote file include.
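To show what connects the two probes above with the GET URLs here, the following added example (Node.js; not code from the article or from any site it mentions) renders the query parameter from those URLs the way a vulnerable page does, with raw string concatenation, and then with output encoding, which is the fix. It also shows the allowlist that answers the RFI remark about the third URL: the page parameter selects an entry in a fixed table instead of becoming part of a file path. The site.com URLs are the article's own illustrations; the page table and function names are assumptions. The encoder is general, not tied to the two probes: any markup in the parameter comes out as visible text.

```javascript
// Added example: reflecting a GET parameter unsafely vs. with output
// encoding, plus an allowlist for a page-selecting parameter. The PAGES
// table and all names are illustrative assumptions.

// HTML-encode the characters that matter in element content and in
// double-quoted attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the search term lands in the page exactly as the URL carried
// it, so markup in the query string is parsed as markup.
function renderSearchUnsafe(url) {
  const q = new URL(url).searchParams.get('query') ?? '';
  return `<h1>Results for ${q}</h1>`;
}

// Hardened: the same term is encoded before it goes into the HTML. The
// browser displays the user's text instead of executing it.
function renderSearchSafe(url) {
  const q = new URL(url).searchParams.get('query') ?? '';
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// For the third URL: resolve "page" through a fixed table and fall back to
// the default for anything else, so the parameter never becomes a path.
const PAGES = { register: 'register.html', login: 'login.html', home: 'home.html' };

function resolvePage(url) {
  const name = new URL(url).searchParams.get('page') ?? 'home';
  return Object.prototype.hasOwnProperty.call(PAGES, name) ? PAGES[name] : PAGES.home;
}

// Constructed inputs: the article's own search URL, and the same URL
// carrying each of the two probes listed above.
const normalSearch = 'http://site.com/index.php?query=this+is+my+search';
const probeScript = 'http://site.com/index.php?query='
  + encodeURIComponent('<script>alert("xss")</script>');
const probeImg = 'http://site.com/index.php?query='
  + encodeURIComponent('<img src="x.gif" onerror="alert(\'xss\')">');
```

The unsafe renderer is the situation the article is probing for: whatever was in the URL is echoed into the page, so the link itself becomes the delivery mechanism. Encoding at the point of output is what removes that, and hasOwnProperty keeps names like constructor from slipping through the page table.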

Well, that's about all I can tell you. You just need to learn how to make a cookie logger. (It'll probably take an hour at most, but more than likely only a few minutes.)
Also, the thing I never understood until recently: aren't all sites vulnerable to XSS? I mean, look what happens if you type this in the URL bar of any site.
Code

javascript:alert(document.cookie)

And there you go, you got your cookie for any site. No need for all that fancy XSS stuff. Well, sorry, I was being dense.
Though that will show YOU your cookie, it won't show you anyone else's. Now, you could have someone type that in the URL bar, except with code that sends you their cookie.
Except there's no way for you to spread that. You need to be able to make it clickable, and unfortunately that won't work. However, if you can get the website to process JS for you, you can make that into a link.
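The defence against the document.cookie trick above, as an added example (Node.js; not code from the article): a cookie set with the HttpOnly attribute is still sent with every request but is hidden from script, so alert(document.cookie), and any script injected through XSS, cannot read it. The block parses Set-Cookie headers, flags session cookies that lack HttpOnly, Secure or SameSite, and simulates what document.cookie would expose. The header lines are constructed samples with placeholder values, not real server output.

```javascript
// Added example: audit Set-Cookie headers for the attributes that keep a
// session id out of reach of script and off plain HTTP. Sample headers are
// constructed; cookie names and values are placeholders.

// Parse one Set-Cookie header into name, value and a lowercase attribute map.
// Flag attributes (HttpOnly, Secure) become true; valued ones keep their value.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = parts[0].slice(0, eq).trim();
  const value = parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Report, per cookie, which protections are missing. A session cookie should
// carry all three; a preference cookie like a theme may reasonably not.
function auditSetCookieHeaders(headers) {
  return headers.map(parseSetCookie).map(({ name, attrs }) => {
    const problems = [];
    if (!attrs.httponly) problems.push('readable via document.cookie (no HttpOnly)');
    if (!attrs.secure) problems.push('sent over plain HTTP (no Secure)');
    if (!attrs.samesite) problems.push('attached to cross-site requests (no SameSite)');
    return { name, problems };
  });
}

// Simulate what document.cookie shows the page: only cookies without HttpOnly.
function visibleToScript(headers) {
  return headers
    .map(parseSetCookie)
    .filter(({ attrs }) => !attrs.httponly)
    .map(({ name, value }) => `${name}=${value}`)
    .join('; ');
}

// Constructed samples: a weak session cookie, a hardened one, and a
// harmless preference cookie.
const sampleHeaders = [
  'sess=ab12cd34ef56; Path=/',
  'sid=9f8e7d6c5b4a; Path=/; HttpOnly; Secure; SameSite=Lax',
  'theme=dark; Path=/; Max-Age=31536000',
];
```

With these samples, visibleToScript returns 'sess=ab12cd34ef56; theme=dark': the weak session cookie is exactly what an injected script would be able to read, while the hardened sid never appears. HttpOnly does not stop a script from making requests that carry the cookie, so it narrows the damage of an XSS rather than removing the need to fix it.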

I hope you guys like my article. Sorry if I didn't cover or explain some things, but I myself am still a n00b in xss.
Please leave me comments. :D

--Adlez

Comments

I-O-W-A on November 23 2006 - 12:44:29
Nice Article Adlez
mozzer on November 23 2006 - 12:56:55
Errmm... there are loads of articles on XSS, I fail to see how one more is a good thing
h4xguy on November 23 2006 - 14:30:11
Yay adlez you finally wrote one yesterday lol
spyware on November 23 2006 - 18:58:21
I thought it was a good read.
rain_zone on November 23 2006 - 19:41:24
I've learned more from this article. Good job...
h4xguy on November 23 2006 - 21:00:03
:ninja::ninja::happy:AngryFrownShockSadFrownFrown:wow::wow::wow::love::matey: ^ | that's my opinion of the article Pfft
PHPhreak on November 24 2006 - 07:01:40
I really liked that. Nice article, it was easy and gave a good example I may have to steal Grin.
Uber0n on November 24 2006 - 17:27:53
Easy to read and good basic info. Well done! :happy:
only_samurai on November 24 2006 - 22:52:49
Nicely done. Well written.
adlez on November 25 2006 - 00:28:49
Thanks everyone, glad you liked it. Grin
shaddow on February 20 2007 - 15:54:07
Outstanding article, I am not the best at XSS, but now I have the best understanding that I ever had, 100%, great job, keep them coming!!
navinkumarverma on May 17 2008 - 05:34:21
Great article for beginners to start with. Well done!
kingasmk on May 28 2011 - 10:24:35
Great article Grin