XSS tutorial by w0rd

1.) Many websites allow users to input data for various reasons. For example, a website with a guestbook allows users to input data into a comment field so that they may sign the it. Other examples include search engines, social websites (Like Myspace), E-commerce websites and forums. There are three types of Cross Site Scripting vulnerabilities (XSS), but I will only be covering two of them: Non-persistent Persistent (Also known as stored) Non-persistent XSS vulnerabilities are more common, and are usually sent via an obfuscated link which redirects you to a script on a different server, steals your cookie(s) and then redirects you back before you even know what is happening. Persistent XSS vulnerabilities are usually found in Social networking websites, blogs and guestbooks. They are the most dangerous of the different types because a user is not required to click on a link or visit a different website, the code is automatically executed when the page loads because it is stored on the server. ==========================NON-PERSISTENT XSS========================= 2.) In this section of the tutorial I will be using a live website that provides a search engine for free sound files. (http://www.freesound.org/searchText.php) When you come across a website, you must first check to see if it’s vulnerable to cross site scripting. Lets see what the page displays when we search „XSS“. As you can see, the search engine displayed our input (AKA keyword) in the search box and also offered an alternative word to search. One of the easiest ways to check and see if a website is vulnerable to XSS is by adding text formatting tags like bold or italics. So for the next search let’s enter <b><i>XSS</b></i> Nope, our search results did not yield anything that we wanted. So, Lets examine the source code and see what’s going on.

[php]
<form action="http://www.freesound.org/searchText.php" method="post"><input id="searchBox" type="text" name="search" size="55" value="<b/><i>XSS</i>" /> <input type="submit" name="submit" value="submit" />[/php]

It appears they have some protection against XSS, as you can see our bold and itallic tags were converted into their HTML values.

[php]"[/php]

and

[php]"" = [/php]

Let’s try again, this time we’ll try to „break out“ of the search box. The search box code is:

[php]
<input id="searchBox" type="text" name="search" size="55" value="" />[/php]

Where

[php]value=""[/php]

is where our input is placed. If we searched „Hello World!“ It would read:

[php]
<input id="searchBox" type="text" name="search" size="55" value="Hello world!" />[/php]

So what happens when we search „>XSS (the double quote included) ? Aha! Now something is not right on the page. „XSS“ is outside the search box, so let’s take a look at the code this time:

[php]
<input id="searchBox" type="text" name="search" value="" />XSS" size="55" />[/php]

So what happened? Well, When we searched „XSS, our quotation mark ended the value field, which caused the code to read:

[php]
<input id="searchBox" type="text" name="search" size="55" value="" />
:O
<img alt="" src="http://img651.imageshack.us/img651/2168/xss3.jpg" border="0" />
What’s happening is when the web application produces the output page based on our input; it inserts our data into the page without filtering it first. So if we enter our own HTML or javascript, the webpage will execute it reading our code as part of the webpage.

Now that we’ve found a vulnerable website, you may be asking, what can we do with this? If this was a persistent Cross Site Scripting vulnerability, we could deface the page. But being that it’s not, the most common use is stealing people’s cookie(s) by sending them a link that looks something like:

http://www.freesound.org/searchText.php?search="><script type="text/javascript">// < ![CDATA[
// < ![CDATA[
(Insert evil code here)
// ]]></script>I’m not going to go into cookie stealing in this tutorial, that’s for another time. =============================PERSISTENT XSS================================== 4.)I do not have a live website to show you a persistent XSS vulnerability, but I’m still going to discuss them. XSS can affect ANY form on a webpage that allows user input. In this scenario, I’m creating a profile on a social networking site.
<img alt="" src="http://img691.imageshack.us/img691/8505/xss4.jpg" border="0" />

From looking at the picture you can see that I had to input data into many different places to make my L337 profile. Let’s go to my account settings and see what forms are available to check for vulnerabilities.
<img alt="" src="http://img138.imageshack.us/img138/1585/xss5.jpg" border="0" />

In this section, we have 4 places that we can check for XSS vulnerabilities.(Technically more if you know how to edit forms with javascript or have the right add-ons and can edit website content in real-time.)

1. Occupation
2. Zip
3. Here For
4. Interests

Let’s add some html code to make all of the fields italicized and then save the changes.
<img alt="" src="http://img852.imageshack.us/img852/3130/xss6.jpg" border="0" />

It appears that 3 out of 4 of our inputs are displayed on the profile page, and ALL of them are un-sanitized.
<img alt="" src="http://img824.imageshack.us/img824/862/xss7.jpg" border="0" />

This time I’m going to add some javascript to make a pop-up box into my "Interests" section and see what happens..
<img alt="" src="http://img828.imageshack.us/img828/3308/xss8.jpg" border="0" />

<img alt="" src="http://img684.imageshack.us/img684/949/xss9.jpg" border="0" />

As you can see, the javascript code was parsed, and anyone who views my profile page will see that pop-up.

Since we have found a Persistent XSS vulnerability, we can do whatever our minds can think of. Some possibilities are:

1. Stealing everyone’s cookies who views our profile
2. Redirecting someone who views our profile to a different website
3. Defacing the page with basic javascript like document.write
4. Etc..

If instead of adding javascript that makes a pop-up alert, I add

[php]
< .script type="text/javascript">// < ![CDATA[
// < ![CDATA[
document.location="http://www.meatspin.com"
// ]]>
[/php]
it will redirect the unsuspecting victim to meatspin.com (NSFW!!!) 5.)Many people don’t think XSS is a big deal, but when it gives you the power to steal a client’s cookies or deface a webpage, you come to find out that it can be a lot more dangerous than generally accepted to be. I hope you enjoyed this tutorial and learned something interesting!