iExploit

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Apply for Membership

Top Posters

Who's Online (2)

Powered by Vanilla. Made with Bootstrap.
Looking to introduce yourself? Look no further, and click here! We also have IRC! [irc.evilzone.org #iexploit]
XSS for noobs
  • chroniccommand
    Posts: 1,389
    ------------------------------------
    Paper name: XSS for noobs
    Author: Chroniccommand
    Poison ; iExploit ; HaxMe ; xPC
    ------------------------------------
    Table of Contents:
    0x01..Introduction..........
    0x02..What is XSS..........
    0x03..Where/How to fix it
    0x04..Works cited..........

    [align=center]---Break---[/align]

    0x01 [Introduction]
    I'm writing this paper to explain Cross Site Scripting(XSS) as fully as I can. Many guides lack some aspects of XSS but I'll try and explain some things such as where the problem lies, how to fix it, exploit it etc..

    [align=center]---Break---[/align]

    0x02 [What is XSS]
    XSS stands for Cross Site Scripting. Don't get it confused with CSS which stands for Cascading Style Sheets(Used for styling web pages). Cross site scripting is a web app exploitation technique that is very popular. It is estimated that 68%+ webpages have this vulnerability. XSS can be very destructive and can be used for things such as cookie attacks, defaces etc.

    There are two main types of XSS:
    [list=1]
    [*]Non-Persistent(Reflected)[/*:m]
    [*]Persistent[/*:m][/list:o]

    Non-Persistent is pretty self explanatory. This means the attack is executed on the web client. This attack is pretty popular. It can be used for cookie stealing etc..
    The attacker can insert a script that visits their cookie stealer page. The attacker creates a page(probably on a free host) that will log cookies into a logfile with the IP etc. Then they get the victim to click on the link that has the XSS vulnerability. Once the victim clicks the link the attackers page uses PHP and javascript(used in the XSS) to log the cookies. Here is an example of a simple non-persistent script that will make the word "Poison" come up in a box.

    <SCRIPT>alert(\"Poison\");</SCRIPT>

    This is of course just one simple example. Some servers may have an IDS or something similar to help prevent XSS attacks. I will provide a link later on that has tons of XSS queries for attackers to use. A popular method of masking the XSS query is encoding.

    Persistent XSS is a bit of a different story. This one is a lot more destructive. Persistent XSS is stored on the web server so everybody who visits that page will have the XSS query executed on their machine. This means an attacker can make malicious scripts execute including a cookie stealer. A good example of a persistent XSS attack would be a guestbook that doesn't sanitize user input.

    XSS, both persistent and non-persistent is vulnerable because of not validating user input. In the next section I will show a vulnerable PHP code that takes user input and just echos it back. This is of course very insecure as tags are not stripped so malicious attackers can easily preform an XSS attack. I'll show an example of non-persistent dealing with echo $userinput; and an example dealing with a guestbook through SQL.

    [align=center]---Break---[/align]

    0x03 [Where/How to fix it]

    The problem lies within vulnerable PHP code. I will show you non-persistent first.
    Take this for example:
    UserInput.php

    <?php
    if(isset($_GET['input']))
    {
    $userinput = $_GET['input'];
    echo $userinput;
    }
    ?>
    <html>
    <head>
    <title>Non-Persistent XSS</title>
    </head>
    <body>
    <form name=\"input\" method=\"get\">
    Text: <input type=\"text\" name=\"input\" />
    <input type=\"submit\" value=\"Submit\" />
    </form> 
    </body>
    </html>

    Can you find where the problem lies? It's in

    echo $userinput;


    The reason is, it's just taking input from a user and spitting it back out. No tag stripping is done or anything to prevent XSS. So you get an XSS hole. Now how do we fix it? Simple. We use some extra PHP functions.

    <?php
    if(isset($_GET['input']))
    {
    $userinput = $_GET['input'];
    echo strip_tags(trim($userinput));
    }
    ?>
    <html>
    <head>
    <title>Non-Persistent XSS</title>
    </head>
    <body>
    <form name=\"input\" method=\"get\">
    Text: <input type=\"text\" name=\"input\" />
    <input type=\"submit\" value=\"Submit\" />
    </form> 
    </body>
    </html>

    This is a quick and easy fix. We strip tags from the user input and trim so the user can't craft any malicious scripts. The PHP page strips it from them and just returns back the value. So no hole occurs. There are more advanced techniques to get through this but this suffices quite enough.

    And now, Persistent XSS. This one is the more damaging one. This code will take user input, insert it to an SQL database and echo that value. This will not strip any tags or trim anything, so the raw input goes into the SQL database without sanitizing and gets called out, without sanitizing. This source is taken right from Damn Vulnerable Web App(Download link is below)


    <?php

    if(isset($_POST['btnSign']))
    {

       $message = trim($_POST['mtxMessage']);
       $name    = trim($_POST['txtName']);
       
       // Sanitize message input
       $message = stripslashes($message);
       $message = mysql_real_escape_string($message);
       
       // Sanitize name input
       $name = mysql_real_escape_string($name);
      
       $query = \"INSERT INTO guestbook (comment,name) VALUES ('$message','$name');\";
       
       $result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>' );
       
    }

    ?>

    See what happens? We trim but don't properly sanitize the user input. The user input is stored in the table "guestbook". Here is the high application security page for stored XSS used by DVWA

    <?php

    if(isset($_POST['btnSign']))
    {

       $message = trim($_POST['mtxMessage']);
       $name    = trim($_POST['txtName']);
       
       // Sanitize message input
       $message = stripslashes($message);
       $message = mysql_real_escape_string($message);
       $message = htmlspecialchars($message);
       
       // Sanitize name input
       $name = stripslashes($name);
       $name = mysql_real_escape_string($name); 
       $name = htmlspecialchars($name);
      
       $query = \"INSERT INTO guestbook (comment,name) VALUES ('$message','$name');\";
       
       $result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>' );
       
    }

    ?>


    This is more secure but still not the most secure option. A bit of a more secure option would be to use 

    strip_tags()



    [align=center]---Break---[/align]

    0x04 [Works cited]
    Works cited:
    http://en.wikipedia.org/wiki/Cross-site_scripting
    http://www.dvwa.co.uk/
    http://ha.ckers.org/xss.html


    I hope this was simple to understand and helped you.

    --chroniccommand
  • Hardcore-Gabber
    Posts: 118
    Just finde a site that is vuln to XSS .. will test with this Tut ..

    Thanks for making this tut ..
  • Xin
    Posts: 3,251
    Nice to see your getting into the XSS stuff, would class this more of a [Paper] / [Article] / [Tutorial] than [Research] though
    Xin
Add a Comment