<|-[_______________________________________________________________________]-|>
--
-[Advanced XSS Knowledge]-
-Written by novacaine-
--
<|-[_______________________________________________________________________]-|>
# Author: novacaine
# Date: 23.03.2010
Contact: novacaine@no-trace.cc
Website: www.novacaine.biz
Artwork by: Vincenzo
Greetz fly out:
Vincenzo, J0hn.X3r, fred777,
H0yt3r, Easy Laster, td0s,
Lorenz Z, Montaxx, maoshe, Palme
and free-hack.com
Index:
-(I]> Introduction
-(II]> What exactly is XSS?
-(III]> How to execute XSS commands
-(IV]> Bypass techniques
-(V]> What can we do with XSS?
-(VI]> How to fix XSS leakages
-(VII]> Cheat Sheets
<~ -.,~~~~~~~~~~~~~~~~~~~~~~~~~~,. -~>
|-(I]> Introduction
<~ -.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~,. -~>
$ Dear reader, I wrote this whitepaper to sum up everything I know about XSS.
$ It was written to share knowledge; knowledge should be free and available
$ for everyone.
$ You can post and copy this whitepaper as much as you want, but respect
$ the author's copyright.
<~ -.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,. -~>
|-(II]> What exactly is XSS?
<~ -., ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,. -~>
$ "XSS" is short for "Cross Site Scripting". As the name says, XSS
$ deals with scripting, to be more exact: JavaScript (in rare cases you can even
$ inject PHP code). It's about injecting (almost) any JavaScript (and HTML/CSS)
$ command or script into a website.
$ An XSS flaw comes up every time a website doesn't filter the attacker's input.
$ In other words:
$ the attacker can inject his malicious script into a website, and the browser just
$ runs the code or script.
$ There are 3 types of XSS; I'm going to talk about the 2 most used:
$ Reflected XSS attack:
$ When an attacker injects his malicious script into a search query, a search box,
$ or the end of a URL, it's called a reflected XSS attack. It's like throwing a ball
$ against a wall and getting it back.
$ Stored XSS attack:
$ Is when an injected XSS script is stored permanently on a website, for example in
$ a guestbook or bulletin board. Stored XSS hits everyone who visits the
$ page containing the malicious code.
$ DOM based XSS:
$ This is a rarely used method; perhaps I'm going to write another whitepaper about
$ DOM based XSS attacks.
<~ -., ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ,. -~>
|-(III]> How to execute XSS commands
<~ -., ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~,. -~>
$ Actually, injecting an XSS script is very easy. To check if the target website is
$ vulnerable, just look for a search box or something similar.
$ Let's say this is how a simple, unsecured search function looks:
Content of index.html
<html>
<head>
<title>Google</title>
</head>
<body>
<form method="get" action="google.php">
Google:
<input type="text" name="search" size="20"/>
<input type="submit" value="Submit"/>
</form>
</body>
</html>
Content of google.php
<?php echo $_GET['search']; // the parameter is echoed back without any filtering or encoding ?>
# I'm going to use this script as an example for the rest of this paper #
$ Let's say this script is stored on a webspace. When I type in:
123
$ then it leads me to the URL:
http://site.ru/google.php?search=123
$ and shows me
123
$ But now, let's try to inject a simple JavaScript alert message:
<script>alert("turtles");</script>
$ and send it.
$ You can replace "turtles" with any other word you want, and even use '' instead
$ of "", for example:
<script>alert('000000');</script>
$ But I'll keep using "turtles" as the example for the rest of this paper.
$ The target website lets us know it's vulnerable when it prints a popup containing
$ |==========|    |=========|
$ | turtles  | or |  1234   |
$ |==========|    |=========|
$ Instead of script code, we can even inject simple HTML tags, e.g.:
<h1><font color="#00FF00">I like turtles</font></h1>
$ and send it.
$ Also, you can paste the code at the end of the URL, and visit the site like:
www.site.ru/google.php?search=<script>alert('turtles');</script>
$ or
www.site.ru/google.php?search=
# It's like the attacker is determining the content of the website. #
$ But even if this doesn't work, there's no reason to worry: it means the website
$ uses filter techniques to avoid XSS flaws. But there are also ways to
$ bypass those filters. How this works, you're going to read in the next chapter.
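$ As an added example (not part of the original paper), here is google.php modelled
$ in Node.js beside a hardened version that HTML-encodes the parameter before echoing
$ it, plus a check that tells whether the reflected page still contains the raw probe.
$ The function names (renderVulnerable, renderHardened, escapeHtml, reflectsRaw) are
$ this example's own assumptions, and the sample inputs are constructed.

```javascript
// Added example, not code from the original paper. Models the paper's
// google.php as two functions and shows why encoding the reflected
// parameter is the fix. Function names are assumptions of this example.

// Equivalent of:  <?php echo $_GET['search']; ?>
// The parameter lands in the page untouched, so the browser parses it as markup.
function renderVulnerable(search) {
  return `<html><body>You searched for: ${search}</body></html>`;
}

// Encode the five characters that let text break out of an HTML text node
// or a quoted attribute value. '&' must be replaced first.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened equivalent: same page, but the parameter is encoded first
// (in PHP: echo htmlspecialchars($_GET['search'], ENT_QUOTES, 'UTF-8');).
function renderHardened(search) {
  return `<html><body>You searched for: ${escapeHtml(search)}</body></html>`;
}

// Defender-side regression check: does the response still contain the probe
// verbatim? Only meaningful for a probe that contains HTML metacharacters;
// an ordinary query like "123" is reflected by both versions.
function reflectsRaw(probe, page) {
  return page.includes(probe);
}

// Constructed sample inputs: the paper's alert probe and an ordinary query.
const probe = '<script>alert("turtles");</script>';
const plain = "123";

console.log(reflectsRaw(probe, renderVulnerable(probe))); // true  -> reflected XSS
console.log(reflectsRaw(probe, renderHardened(probe)));   // false -> encoded
console.log(renderHardened(plain) === renderVulnerable(plain)); // true, harmless text unchanged
```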
<~ -.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,. -~>
|-(IV]> Bypass techniques