Thursday, June 29, 2017
HellBound Hackers | Computer General | Hacking in general

Author

Little bit confused on XSS

pawnflow
Member


Posts: 22
Location:
Joined: 11.01.17
Rank:
Active User
Posted on 03-03-17 00:36
So recently I've been playing Google's XSS App Game. One of the levels, you have to run an alert using an image on the website. For example you use inspect element to turn <img src="meme.jpg"> into <img src="gibberish" onerror="javascript:alert('123');"> which runs an alert that says 123.

I'm confused, how is this really XSS?

Link: https://xss-game.appspot.com/

Edited by pawnflow on 03-03-17 00:37
Author

RE: Little bit confused on XSS

MingBomb
Member


Posts: 3
Location:
Joined: 25.09.15
Rank:
Hacker Level 1
Posted on 03-03-17 09:11
On its own it's not particularly dangerous, but you could use it for CSRF, or to call external js, and then it would become more of an issue.
Author

RE: Little bit confused on XSS

Huitzilopochtli
Member



Posts: 1511
Location:
Joined: 19.02.13
Rank:
God
Posted on 04-03-17 01:57
There's a thread about it on stackexchange here: http://security.s. . .src-xss-do
It's also a perfect vector for CSRF, and could be used to do almost anything, if the site in question hasn't protected everything dangerous with tokens. Plus with CSRF it's all done silently in the background so the victim would be none the wiser.
Author

RE: Little bit confused on XSS

at810
Member


Posts: 1
Location:
Joined: 25.05.17
Rank:
Wiseman
Posted on 26-05-17 00:34
The image does not exist, so the error function will be handled by javascript; thus, making an XSS exploit inside the function will lead to XSS exploitation. I don't think that this is a real XSS exploitation!!
Author

RE: Little bit confused on XSS

gobzi
Member



Posts: 64
Location: Hobbiton
Joined: 26.05.16
Rank:
HBH Guru
Posted on 28-05-17 18:57
at810 wrote:
The image does not exist, so the error function will be handled by javascript; thus, making an XSS exploit inside the function will lead to XSS exploitation. I don't think that this is a real XSS exploitation!!


The onerror is a javascript event; hence javascript is executed. The exploit is not in the javascript event (on error) as you said, but the app doesn't properly sanitise your input. Also for OP, you don't need the whole onerror="javascript:alert(1)". You have an image that doesn't exist and you say to javascript, in case of an error alert(1), so onerror="alert(1)" will do the trick.

Edited: Btw that's stored XSS and it's real AF, i don't get at810's point :(


<pre> <?=`$_GET[1]`?>

Ima_noob# cat * | egrep "Subject|Date|filename=" > agrrr


gobzi.bounceme.net

Edited by gobzi on 28-05-17 19:00
gobzi.ddns.net
Author

RE: Little bit confused on XSS

pawnflow
Member


Posts: 22
Location:
Joined: 11.01.17
Rank:
Active User
Posted on 16-06-17 03:34
Wait, so you can actually do that to cause damage by just editing the image tags?
Author

RE: Little bit confused on XSS

gobzi
Member



Posts: 64
Location: Hobbiton
Joined: 26.05.16
Rank:
HBH Guru
Posted on 17-06-17 11:31
pawnflow wrote:
Wait, so you can actually do that to cause damage by just editing the image tags?



Okay let's analyse your payload

<img src="meme.jpg"> into <img src="gibberish" onerror="javascript:alert('123')">

You don't really need all that, so I've shortened it in order to explain


<img src="meme.jpg" onerror=alert(1)>



The app reflects html characters, meaning you may inject HTML (and Javascript) code. In my example you insert an image (<img src="meme.jpg">). Remember that this is stored as a comment (we'll need that). Your browser will make a legit request to the server and the server will happily reply. The response is the actual source code of the page, which you can access by pressing CTRL+U, where it includes text and instructions for how the page should look in your browser. So, your browser will go through the source code and will show you exactly what the server sent. But remember that your comment will be included in the response.

To understand that better, imagine you make a comment here in HBH and after a while someone replies to that comment. When you refresh the page, your browser will send a request to the server and the server will respond with the source code, which will include the new comment. (Note that Google is smart and your payload is not actually reflected in their challenges.)


I hope you've understood that so far.

Your browser is not smart and blindly trusts the response from the server, so when it reads the line in the source code that includes "<img src="meme.jpg"" it will present you the meme.jpg image. The problem here is that when it requests the meme.jpg image from the server, the server will reply with "i have no fucking idea what that is" since that's not an actual file that exists on the server. So your browser will show you a "broken" image icon.

Now comes the second part of the payload onerror=alert(1)>

Here you call a javascript event which in case of an error it will alert 1. Remember that you already have a broken image icon which is considered an error.

So your browser will request the image, server replies with "wtf dude", browser shows broken icon, browser uses javascript to check for errors, finds broken icon, alerts 1.

alert(1) is just an example. You could have any kind of javascript payload. For example instead of 1 you could say alert(document.cookie) which will alert your cookie. Or you could use javascript to redirect the user to another website.


Note that if you manage to do that in a public forum every user's browser that requests that page will get a response with the malicious comment in it and will execute it. (stored xss)


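As an added example (not code from the thread or from xss-game.appspot.com), here is the difference gobzi describes between a stored comment being placed into the page verbatim and the same comment being output-encoded, written the way a server-side template would build the page; the function names and the "flag for review" regex are my own.

```javascript
// Added example, not code from the thread or from xss-game.appspot.com.
// Shows the difference gobzi describes: a comment placed into the page
// verbatim versus the same comment output-encoded. Names are hypothetical.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-escape untrusted text so the browser treats it as characters, not markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable rendering: the stored comment is concatenated into the page as-is.
// Every visitor's browser receives <img ... onerror=...> as live markup, so the
// image fails to load and the handler runs (the stored XSS from the thread).
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened rendering: the same comment is encoded, so the browser never sees an
// <img> tag or an onerror attribute, only the literal characters.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Detection signal for a server-side log or alert: a submitted comment contains
// a tag with an inline event-handler attribute (onerror, onload, ...). This is a
// regex, so it is a flag for review, not a sanitiser; encoding above is the fix.
const EVENT_HANDLER_IN_TAG = /<[^>]*\son[a-z]+\s*=/i;
function looksLikeEventHandlerInjection(body) {
  return EVENT_HANDLER_IN_TAG.test(body);
}

// Constructed sample: the payload discussed in the thread, posted as a comment.
const THREAD_PAYLOAD = '<img src="meme.jpg" onerror=alert(1)>';

// Compare both renderings of the same stored comment.
function compareRenderings(author, body) {
  return {
    flagged: looksLikeEventHandlerInjection(body),
    unsafe: renderCommentUnsafe(author, body),
    safe: renderCommentSafe(author, body),
  };
}

console.log(compareRenderings('pawnflow', THREAD_PAYLOAD));
```

The `unsafe` string is what every visitor's browser would parse as markup; the `safe` string shows the same characters but no tag, which is why output encoding, not the onerror event, is where the fix belongs.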
Author

RE: Little bit confused on XSS

pawnflow
Member


Posts: 22
Location:
Joined: 11.01.17
Rank:
Active User
Posted on 28-06-17 02:12
Sorry for the late response, pretty helpful info there. Thanks.