
January 5, 2012

Cross-Site Scripting

For all readers: XSS stands for Cross-Site Scripting, a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users.

Why do hackers look for XSS vulnerabilities?
Well, hackers go after this particular attack in order to execute a script that may influence the server, gain them access to forbidden directories, or steal details from users such as bank accounts, credit card numbers, IDs, etc.

There are 3 kinds of XSS - Reflected, Stored and DOM based.

In order to test for XSS there are 2 common ways: manually and automatically.

Manually -
Look for fields that take input and start injecting whatever you like. Then, after injecting,
right-click anywhere in the page and look for the string you injected in the 'view source' option.

Example - http://www.somesite.com/index.php?id=myinjection

Source Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-gb" xml:lang="en-gb">
<head>

...
<input name="id" id="id" type="text" maxlength="128" title="Search for keywords" value="myinjection"...></input>
...
End of page Code

What we did was basically ask the server whether there is a page /index.php with the parameter id and the value myinjection.

Because the developer of the site left this parameter with no input validation, an attacker can try to erase the
original input, say id=123, and write id=myinjection.
The browser won't mind and it will return the answer with your parameter.

Now comes the harder part... Try to fool the browser into thinking we are injecting legal input while we are not.
This part requires a little HTML familiarity...
If you look closely at the source code you'll see that it starts with the <input> tag, and after a few attributes it closes like this: </input>.
Our injection is in the 'id' parameter, inside value="myinjection", so in order to inject we need to "step out" of the quotation marks into the page itself!
To do that we need to inject a quotation mark, so the browser will read it and close the value. Then we can write our own JavaScript into the page, so the browser will do what we ask it to and not what the developer meant it to do.

So the first injection will be: id=myinjection"
Source Code: value="myinjection""
Now whatever is written after the quotation mark will be injected into the page, because our quotation mark closed the parameter's value in the code.

Now let's inject our own JavaScript: id=myinjection"</input><script>alert(123)</script><!--
Source Code:
<input name="id" id="id" type="text" value="myinjection"</input><script>alert(123)</script><!--"...</input>... (everything after <!-- is an HTML remark - the browser ignores it)

Let's explain what happened here:
In order to "step out" of the attribute we closed the <input> tag and immediately opened a <script> tag, so we can check whether we can execute a script through this parameter... Then we called the alert() method, which pops up the regular alert we are all familiar with. (Erase the URL field, write "javascript:alert(123)" and you'll see what I mean) 8-)
Then we closed the </script> tag so the browser will read the alert method correctly, and added <!--
which is a remark sign. After this mark the browser ignores all data until you add -->
It's like start and stop for developers to write remarks near the code so other developers can understand the logic.
<!--this is a remark for you to see that i used yadayadyady on this line of code -->
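The attribute breakout above, shown from the defender's side as an added example (not code from the original post): the same search-box template rendered unsafely and with attribute encoding, plus the post's "look for your string in the source" check written as a function. The template, the escaping routine and the helper names are constructed for this example.

```javascript
// The test string used in the post: the quote closes value="...",
// and everything after it lands in the page itself.
const PAYLOAD = 'myinjection"</input><script>alert(123)</script><!--';

// Vulnerable template: reflects the id parameter into the attribute verbatim.
function renderUnsafe(id) {
  return '<input name="id" id="id" type="text" value="' + id + '"></input>';
}

// Hardened template: encode the characters that can end or alter an
// attribute value before reflecting user input into it.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function renderSafe(id) {
  return '<input name="id" id="id" type="text" value="' + escapeHtmlAttr(id) + '"></input>';
}

// What the browser takes as the value attribute: text up to the next
// double quote, with the entities escapeHtmlAttr produced decoded again
// (&amp; last, so a literal "&lt;" in the input is not double-decoded).
function attributeValue(html) {
  const m = /value="([^"]*)"/.exec(html);
  if (!m) return null;
  return m[1]
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// The manual check from the post as a function: true when a <script> tag
// shows up in the markup outside the attribute the parameter belongs to.
function scriptEscapedAttribute(html) {
  const withoutAttr = html.replace(/value="[^"]*"/, 'value=""');
  return /<script\b/i.test(withoutAttr);
}
```

With the unsafe template the attribute ends at "myinjection" and the script tag is live; with the hardened one the whole payload stays inside the attribute as inert text.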

*It is important to understand that there are a lot more ways to do it manually, like using different tags or
encoding (change the representation from ASCII to hex or Base64 - read about encoding).
More info - [url]ha.ckers.org/xss.html[/url]
This URL is the XSS cheat sheet, which shows all the examples and even a dictionary for encoding.
Example of encoding:
Hello - ASCII
%48%65%6C%6C%6F - Hex code
SGVsbG8= - Base64
You can also do it by hand by Googling for an ASCII table.

The server may read all 3 of those options the same way, like someone who speaks 3 different languages but reads the same word. :mrgreen:

If you succeeded in injecting, after hitting Enter the server should return the page and the browser will pop up an alert window with the string 123 in it. If you want to input a word string - alert("my hack"), and if it doesn't work, don't stop! Try javascript:alert("my hack") or add ; which means "end of statement".
If it still doesn't work... let me know and I'll help you through it!

Automatically -
There are tools that can scan sites and give a true/false answer on whether there are vulnerable parameters we can start injecting into, but then we need to go back to manual testing anyway.

So I recommend starting by learning a bit of HTML and then jumping into manual testing.
Search for a site and start inputting strings into parameters.

I will explain about tools like proxy servers, scanners and more in the next lessons.

Cheers

Ce@ser
