############################################
## Kr3w's Cross-Site Scripting Tutorial   ##
## Site: www.thedefaced.org               ##
##       www.thedefaced.us                ##
##       www.thedefaced.info              ##
##       www.thedefaced.biz               ##
############################################
Contents

I. What is XSS (Cross-Site Scripting)?
II. How does XSS affect the web today?
III. How important is XSS and its vulnerabilities?
IV. Different types of XSS
V. Finding XSS holes in websites
VI. XSS - Explained
VII. HRS - HTTP Response Splitting
VIII. References

Part I. What is XSS (Cross-Site Scripting)?

XSS, short for Cross-Site Scripting, is the process of injecting JavaScript (mainly) and also HTML into a webpage in order to get something useful back from it. That feedback may contain many things; the most common one is the user's cookie. For everybody reading this, I assume you know what a cookie is and how a webpage uses it, but if not, I will explain it anyway.

A cookie is a small value that your web browser stores for a site and sends back with each request; websites use it to hold your login credentials (your session). Without a cookie, you cannot "stay logged in" on your favorite websites. This is important because if somebody were to obtain your cookie, he/she could easily spoof your login without any need of knowing your password. Some cookies are pretty basic, like PHPSESSID, which is just your session identifier on a PHP-powered page. If the website only uses the PHPSESSID cookie to authenticate its users, somebody can steal that cookie via an XSS vulnerability and impersonate whoever's cookie the attacker possesses.
Part II. How does XSS affect the web today?

XSS is, in my opinion, the most common and dangerous exploit that exists on the internet today. It is dangerous because it is common (and useful), and it is common because it is the most overlooked. Most web pages today are user-interactive, which basically means that the website allows the user to interact with its content. Some of this interactivity may include search fields (most commonly), login forms, comment fields, feedback forms, etc.

I would say that nearly 90% of the websites on the internet today suffer from XSS flaws. Even some of the more popular government sites suffer from XSS flaws. This shows a lack of responsibility and, most importantly, a lack of security. When internet warfare is at an all-time high, governments and their domains cannot afford to be compromised so easily.

Part III. How important is XSS and its vulnerabilities?

The reason XSS is so important is what I explained above: it is so common that virtually any website that is user-interactive is vulnerable. The problem with this is that internet crime is also at an all-time high, along with internet warfare. The importance of XSS flaws is greatly underestimated. Most websites today look past their XSS flaws and see them as nothing important enough to clean up. The problem with this is the fact that any attacker with half a brain can compromise pretty much any website he/she wishes.

Part IV. Different types of XSS.

There are many ways to prove that XSS flaws exist; the most common (for me at least) are these two:

a) Basic XSS (user-form reflect-back XSS).
b) HTTP Response Splitting.

1. Basic XSS

a.
This is something simple, like a search field that allows HTML input. When the user searches for something and the input is reflected on the following page, this may show signs of XSS possibilities. Now, when a user searches for something like <h1>test</h1>, if the page returned contains a large heading that reads "test", the field is vulnerable to HTML injection. If the user were to search for <script>alert(1)</script>, and the returning page contained an alert box that read "1", the field is also vulnerable to XSS injection.

2. HTTP Response Splitting

a.
This has to do with the headers that your browser uses to communicate with the server. If the webpage allows you to modify them via POST or GET vars and reflects the information back, you can easily modify these headers to your needs in order to cross-site script the page. Most commonly, the headers that are XSS'able are the User-Agent: headers. Most pages don't sanitize the user agent when reflecting back the user's browser properties (most commonly on a 404 page).

Part V. Finding XSS holes in websites.

The easiest way to find XSS holes in websites is manually. I'm sure you can write a script to do it for you, but that takes the fun out of it.

When searching for holes, you might want to check these fields:

a) Search Fields
b) Comment Fields
c) Feedback Forms
d) Login Forms
e) Error Pages

Those are just some of the common pages that contain XSS flaws in websites. Granted, some might be sanitized (although rare).

To see if they are vulnerable, I use simple syntax for both HTML and JavaScript: "<h1>a</h1>" and "<script>alert(1)</script>". If the following page has either a large heading that reads "a" or an alert box that says "1", I know the field is vulnerable.

If you're looking through PHP source code, or any source code, and you see GET or POST vars that are echoed un-sanitized, then you also know that they are vulnerable. Some examples of both Stripped and Un-stripped PHP:

Code:
Un-Stripped
<?php
/*
Un-Stripped PHP: every value is echoed into the page exactly as received
*/
$var = $_GET['var'];
echo $var;
// Vulnerable: GET parameter reflected verbatim
$var1 = $_POST['var1'];
echo $var1;
// Vulnerable: POST parameter reflected verbatim
echo $_SERVER['HTTP_USER_AGENT'];
// Vulnerable: User-Agent request header reflected verbatim
?>

Stripped
<?php
/*
Stripped PHP: every value is stripped or encoded before it is echoed
*/
$var = strip_tags($_GET['var']);
echo $var;
// Not Vulnerable: strip_tags() removes HTML tags (fine for text between tags; use an encoding function when the value lands inside an attribute)
$var1 = htmlentities($_POST['var1']);
echo $var1;
// Not Vulnerable: htmlentities() encodes <, >, & and " (pass ENT_QUOTES to encode ' as well)
echo htmlspecialchars($_SERVER['HTTP_USER_AGENT']);
// Not Vulnerable: htmlspecialchars() encodes the same characters; ENT_QUOTES is the default from PHP 8.1 onward
?>
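To show the difference between the two PHP handlers above, and to turn the manual "<h1>a</h1>" / "<script>alert(1)</script>" probe test from Parts IV and V into a repeatable check, here is an added Python example that is not part of the original tutorial: the page handler, the sample User-Agent and the inputs are constructed for illustration. The same page is rendered once echoing input raw (like the Un-Stripped PHP) and once HTML-escaped (like htmlspecialchars), covering both the search field and the reflected User-Agent header, and a check reports whether each probe comes back verbatim.

```python
import html

# Constructed inputs (not from the original tutorial): the two probes the
# tutorial uses, and a harmless User-Agent string.
HTML_PROBE = "<h1>a</h1>"
SCRIPT_PROBE = "<script>alert(1)</script>"
SAMPLE_UA = "Mozilla/5.0 (constructed sample UA)"


def render_search_page(query: str, user_agent: str, escape_output: bool) -> str:
    """Minimal search result page that echoes the query and the User-Agent.

    escape_output=False mirrors the 'Un-Stripped' PHP (echo $_GET['var']);
    escape_output=True mirrors the 'Stripped' PHP (htmlspecialchars), with
    quote=True so both " and ' are encoded and the attribute context is safe.
    """
    enc = (lambda s: html.escape(s, quote=True)) if escape_output else (lambda s: s)
    return (
        "<html><body>"
        f"<p>You searched for: {enc(query)}</p>"
        f'<input type="text" name="var" value="{enc(query)}">'
        f"<p>Your browser: {enc(user_agent)}</p>"
        "</body></html>"
    )


def reflected_raw(page: str, probe: str) -> bool:
    """The tutorial's manual test as a check: does the probe come back verbatim?

    Verbatim reflection means the browser parses the probe as markup; an
    escaped reflection (&lt;h1&gt;a&lt;/h1&gt;) renders as text and is inert.
    """
    return probe in page


def audit(query: str, user_agent: str) -> dict:
    """Render both handlers for the same input and report which reflect it raw."""
    result = {}
    for label, escape_output in (("unescaped", False), ("escaped", True)):
        page = render_search_page(query, user_agent, escape_output)
        result[f"{label}_query_raw"] = reflected_raw(page, query)
        result[f"{label}_ua_raw"] = reflected_raw(page, user_agent)
    return result


if __name__ == "__main__":
    for probe in (HTML_PROBE, SCRIPT_PROBE):
        # Probe via the search field and via the User-Agent header separately.
        print("query:", probe, audit(probe, SAMPLE_UA))
        print("ua:   ", probe, audit("test", probe))
```

The unescaped handler reflects both probes verbatim through the query and through the User-Agent, while the escaped handler reflects neither; a harmless string such as the sample User-Agent is reflected unchanged by both, which is the expected and safe outcome.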