nepali_dude

Xss

Cross Site Scripting('XSS') By Example

 

Table of Contents

1. Why this was written

2. The objective

3. The hack

4. The dangers of the results

5. The solution

6. Resources

 

1. Why this was written

To me cross site scripting is, apart from perhaps social engineering, the biggest threat to online communities these days. Many sites, including the undisclosed site that is used here, are vulnerable to cross site scripting. The undisclosed site shall hereby be known as victim.com. I have also, as a second goal, written this paper to alert victim.com about their security holes and how they can fix them. As I look now, the site has 109,000,000+ users and it amazes me that this flaw has not been found before. I will also be looking to create a mock-up, with no resemblance to the original site, of course, that I will be releasing to the security community hackthissite.org if they want it, or on my own site if they do not. By the time you are reading this, victim.com will probably have already fixed the security holes I highlight in this paper. I will be submitting this to victim.com with a week to go before I release this paper to the Internet and all of its occupants. I will only release the name of victim.com with their permission, and it would be nice to have a small section, or even just a comment in the source code, stating that the site has benefited from my help.

 

2. The objective

In this example, our victim site allows you to create 'mini' communities that have their own rules, ranks, chat boards, and can have competitions and such. These communities get a small place where they can put HTML to make their community look better and better fit the theme. For example, a community that loves dogs might use HTML to put pictures of dogs everywhere. I would also like to note at this time that this is most likely a multi-bug, as there are other places where you can put HTML for others to view, and I suspect the site has a single security function or class.

We will attempt to exploit the fact that they let you use HTML so that we can inject javascript. If we can inject javascript, we can in fact take control of user accounts and either use javascript to automatically manipulate the user accounts, such as forcing the user to join the community whether they want to or not if they so much as look at the front page, or stealing the 'points' of the user by making them buy an expensive item from the user. This could also be used to redirect users to porn websites or websites that place viruses, spyware, adware, or other malicious content on the user's computer.

 

3. The hack

OK, so we know we can use HTML, but they say that they don't allow javascript, so let's see how true that is. We start with the simple stuff first, so that means we start with the script tag.

 

<script>alert('0wned')

 

The resulting HTML

 

-blocked-alert('XSS')-blocked-

 

Hmm, so they actually do block script tags! What a surprise! OK, so next, what if we put in a link that points to some javascript?

 

Click Here

 

The resulting HTML

 

-blocked-Click Here

 

Ah, OK, so they filter that too. I see that they erased the entire tag though, so what if we put the javascript in an image?

 

"javascript:alert('0wned')"

 

But wait... An error message! src attributes are limited to ending in certain values! (Note: this error message has been modified to protect the identity of the original site.)

 

Sorry! src embedded files may only end in:

 

.mp3

.jpeg

.gif

.bmp

.midi

.wav

.jpg

.mid

.png

 

You may not use any form of the tag to embed files that end in

 

"javascript:alert(0wned from the url: "javascript:alert(0wned

 

Even if you didn't use 'img src', this still applies to all tags that have a 'src' attribute in them, for example 'background src'.

 

What about if we used a comment to bypass this filter?

 

"javascript:alert('0wned.gif')"

 

The resulting HTML

 

-blocked-

 

OK, so now is where we begin the REAL filter evasion. What if we use CaPs to try and bypass filters that only look for same-case strings?

 

"jAvAsCrIpT:alert('0wned.gif')"

 

The resulting HTML

 

-blocked-

 

OK, what if we injected hex? You need a tool to do this. I recommend Burp Proxy, a proxy that runs on localhost:8080 and lets you view, block, and alter requests.

 

"%6a%41%76%41%73%43%72%49%70%54:alert('o

 

The resulting HTML

 

-blocked-

 

Uh oh, they still got us... Let's change tack. Let's use a DIV.

 

 

The resulting HTML

 

-blocked-

 

Hmm, so far it seems that it looks for any tag with 'javascript' in it. What if we break it up?

 

 

Don't ask me why, but this IS valid javascript/HTML in IE. I am using Firefox, so I have to switch to IE to test this. The resulting HTML

 

Immediately upon seeing this I switched to IE and guess what? A message box entitled '0wned' popped up! So, next step: a simple, obvious cookie grabber.

 

 

The resulting HTML

 

Let's try using eval to get past this.

 

 

The resulting HTML:

 

OK, so they change document AND eval so that it renders javascript useless while at the same time not affecting the look of a valid document. OK, what if we converted this to HTML hex, since it is in a CSS statement?

 

 

The resulting HTML

 

Guess what? We have the cookie! I have tried it and it works. Now you can simply use your knowledge of javascript to do anything you want. Since I have also found another way to do this, I will go ahead and disclose it.

 

 

The resulting HTML

 

 

4. The dangers of the results

Here you can see that once injected, javascript can steal a user's cookies, which means that the attacker can 'log in' as the user by presenting those cookies as the attacker's own. Especially if an admin got their cookies stolen, this is a huge danger to the site. It cannot compromise the server, but it can compromise any user account that can be lured into viewing that page. Also, functions such as document.forms[x].submit() can force the user to change settings or perform actions they do not want to. An attacker that really wanted full control could even use AJAX to mimic ANY action that the user could perform.

 

5. The solution

Simple: alter the filter to convert such HTML hex back into ASCII, and then continue applying the normal filters. Also put extra filters on CSS so that CSS can't be a source of problems in the future, e.g. make sure only certain CSS properties are used. Better yet, create your own style markup language to disallow unwanted tags. Another GREAT solution is to force your users to use a web browser other than Internet Explorer. Please notice that these XSS exploits work ONLY in IE.
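As an added illustration of the fix described above (this is not code from the original post or from victim.com), here is a Python sketch of the same-case blocklist the post describes beside a filter that canonicalizes the value first and then allows only http/https schemes. The evasion vectors are constructed test inputs mirroring the case-change, percent-hex, HTML-hex and split-keyword tricks walked through in section 3; the scheme allowlist is my assumption.

```python
import html
import re
from urllib.parse import unquote

# Allowlist of schemes a user-supplied src/href/url() may use (an assumption
# for this example; the post's site only checked file extensions).
ALLOWED_SCHEMES = {"http", "https"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")
CSS_ESCAPE_RE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?")


def naive_filter(value: str) -> bool:
    """Blocklist of the kind the post describes: one literal, same-case
    string. Returns True when the value is accepted."""
    return "javascript:" not in value


def canonicalize(value: str) -> str:
    """Undo the decodings the browser performs before it interprets the
    value, so the filter sees what the browser sees: HTML character
    references (&#x6a;), CSS escapes (\\6a ) and percent-encoding (%6a).
    Looping until nothing changes also defeats double encoding."""
    prev = None
    while prev != value:
        prev = value
        value = html.unescape(value)
        value = CSS_ESCAPE_RE.sub(
            lambda m: chr(min(int(m.group(1), 16), 0x10FFFF)), value)
        value = unquote(value)
    # Old browsers ignored control characters and whitespace inside a
    # scheme ("java<TAB>script:"), so drop them before inspecting it.
    value = re.sub(r"[\x00-\x20\x7f]", "", value)
    return value.lower()


def hardened_filter(value: str) -> bool:
    """Canonicalize first, then allow only known-good schemes."""
    m = SCHEME_RE.match(canonicalize(value))
    if m is None:
        return True  # relative URL such as images/dog.jpg: no scheme
    return m.group(1) in ALLOWED_SCHEMES


# Constructed vectors mirroring the evasions walked through in section 3.
VECTORS = ["http://example.com/dog.jpg", "jAvAsCrIpT:x",
           "%6a%41%76%41%73%43%72%49%70%54:x", "&#x6a;avascript:x",
           "java\tscript:x"]


def compare(values=VECTORS):
    """Return {value: (naive_accepts, hardened_accepts)}."""
    return {v: (naive_filter(v), hardened_filter(v)) for v in values}
```

Every constructed vector except the plain image URL slips past naive_filter and is rejected by hardened_filter, because the decision is made on the decoded scheme rather than on one spelling of a forbidden string.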

 

6. Resources

http://centricle.com/tools/ascii-hex/

http://ha.ckers.org/xss.html
