Friday, 24 January 2014

XSS Understanding the POI (Point of Injection)

After understanding the basics of XSS, here we are on our next tutorial on XSS, where we will discuss the POI. This is the most important part of finding and exploiting XSS. I will try to make it as simple and short as I can so that you can understand it better.

In Basics of XSS we already discussed the different types of XSS, so I do not need to go over all of that again.

In this tutorial we will concentrate only on how to find and exploit an XSS vulnerability.

The first thing you should keep in mind is that the POI is all about where your input ends up. A web application takes different kinds of input from the user. What you need to check is whether each input is properly sanitized (encoded for the context it lands in) before it is written into the page source.

An input can go:
• Straight into HTML
• Into a Javascript / VBScript block
• As a tag attribute
• And some other rarer, stranger places…

We are going to discuss the following most common XSS contexts, and I will show you how to exploit each of them.
• HTML – Normal
• HTML – Attribute without quotes
• HTML – Attribute with single quotes
• HTML – In Javascript Blocks

As we know, input can arrive in many forms: POST, GET, cookies, environment variables, etc. We will just use GET input here to keep the whole thing n00b friendly.
URL : http://website.com/vuln.php?search=hello
In the above URL, search is the parameter that takes input from the user via the GET method.
The first thing we need to do is check the page source to find out which scenario we are dealing with: search the source for the exact value you submitted and look at the code around it.

If it is shown openly, outside any tag, it is scenario 1 (HTML - Normal)
Example :
The string you searched for hello
Where hello is our input. In such cases injecting "<script>alert(0);</script>" will give an alert, because the browser parses our input as ordinary HTML.

If it is shown inside an HTML attribute without quotes, it is scenario 2 (HTML – Attribute without quotes)
Example :
<input type=text name=search value=hello >
Where hello is our input. In such cases injecting "hello onmouseover=alert(0)" will give an alert when the victim moves the mouse over the field (the space ends the value and starts a new attribute, so the page does not even need to reflect < or >). Or you can close the tag and inject your script like this: "hello><script>alert(0);</script>"

If it is shown inside an HTML attribute with single quotes, it is scenario 3 (HTML – Attribute with single quotes)
Example :
<input type='text' name='search' value='hello' >
Where hello is our input. In such cases injecting "hello'><script>alert(0);</script>" will give an alert: the ' closes the value, the > closes the tag, and the rest is parsed as HTML. If the page turns your ' into &#x27; (or a double-quoted attribute turns " into &quot;) the quote cannot be closed and this scenario is not exploitable.

If it is shown inside a <script> block, it is scenario 4 (HTML – In Javascript Blocks)
Example :
<script> var search='hello'</script>
Where hello is our input. In such cases injecting "'; alert(0);'" will give an alert: the first ' closes the string, the ; ends the statement so alert(0) runs, and the trailing ' balances the quote the page adds after our input, so the script has no syntax error.
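To make the "where does it go" check from the start of this post and the four scenarios above concrete, here is an added Node.js example (my own code, not from the original post) that does by machine what the tutorial does by reading the source: it sends a unique canary as the search value, classifies the POI from the characters right before the reflection, picks the matching payload from the scenarios, and then renders the same payload through a fixed version of the page that encodes for that context. The canary value, the TEMPLATES object, and all function names are my assumptions; the responses are constructed in the script, there is no real server. It goes one step beyond the post by also handling the double-quoted attribute case.

```javascript
"use strict";
// Added example, not code from the original post. Fingerprints the point of
// injection (POI) of a reflected parameter, picks the scenario's payload, and
// shows the per-context output encoding that stops it. Every name and every
// sample response below is constructed for the example.

// Unique marker sent as the search value, e.g. ?search=zqx1k9 (hypothetical).
const CANARY = "zqx1k9";

// Server-side templates that splice the input in raw; {{input}} marks the POI.
// One per scenario in the post, plus the double-quoted attribute variant.
const TEMPLATES = {
  htmlNormal:       "<p>The string you searched for {{input}}</p>",
  attrNoQuotes:     "<input type=text name=search value={{input}} >",
  attrSingleQuotes: "<input type='text' name='search' value='{{input}}' >",
  attrDoubleQuotes: '<input type="text" name="search" value="{{input}}" >',
  jsBlock:          "<script> var search='{{input}}'</script>",
};

// The vulnerable server: input goes into the page with no encoding at all.
function renderUnsafe(template, input) {
  return template.split("{{input}}").join(input);
}

// Step 1: classify the context from what sits just before the canary.
function classifyContext(body, canary) {
  const at = body.indexOf(canary);
  if (at === -1) return "not-reflected";
  const before = body.slice(0, at);
  const prev = before[before.length - 1];
  const lower = before.toLowerCase();
  // Inside <script>...</script>: the last opener comes after the last closer.
  if (lower.lastIndexOf("<script") > lower.lastIndexOf("</script")) {
    return prev === "'" || prev === '"' ? "js-string" : "js-code";
  }
  // Inside a tag: an unclosed '<' precedes the canary.
  if (before.lastIndexOf("<") > before.lastIndexOf(">")) {
    if (prev === "'") return "attr-single";
    if (prev === '"') return "attr-double";
    if (prev === "=") return "attr-unquoted";
    return "tag"; // e.g. reflected as an attribute name
  }
  return "html";
}

// Step 2: the post's payload for each context ("balance out the code").
function payloadFor(context) {
  return {
    "html":          "<script>alert(0);</script>",
    "attr-unquoted": "hello onmouseover=alert(0)",
    "attr-single":   "hello'><script>alert(0);</script>",
    "attr-double":   'hello"><script>alert(0);</script>',
    "js-string":     "'; alert(0);'",
  }[context] || null;
}

// Step 3: the fix is output encoding chosen by the same context.
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function encodeJsString(s) {
  // Everything except alphanumerics becomes \xHH (or \uHHHH), so neither a
  // quote nor a </script> sequence can survive inside the string literal.
  return s.replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}
function renderSafe(template, context, input) {
  if (context === "js-string") {
    return template.split("{{input}}").join(encodeJsString(input));
  }
  if (context === "attr-unquoted") {
    // HTML-encoding alone changes nothing here: the payload has no <>&"' and
    // a bare space still starts a new attribute. The fix is to quote the value.
    template = template.split("={{input}}").join('="{{input}}"');
  }
  return template.split("{{input}}").join(encodeHtml(input));
}

// Walk one scenario end to end: probe with the canary, pick the payload, and
// render it through both the vulnerable and the fixed server.
function runScenario(template) {
  const context = classifyContext(renderUnsafe(template, CANARY), CANARY);
  const payload = payloadFor(context);
  return { context, payload,
           unsafe: renderUnsafe(template, payload),
           safe: renderSafe(template, context, payload) };
}

for (const [name, template] of Object.entries(TEMPLATES)) {
  const r = runScenario(template);
  console.log(`${name}: ${r.context}\n  payload: ${r.payload}\n  unsafe:  ${r.unsafe}\n  safe:    ${r.safe}`);
}
```

Run it with node and compare the unsafe and safe lines for each scenario. The unquoted-attribute case is the one to study: the payload contains none of the characters an HTML encoder touches, so encoding is not what fixes it, quoting the attribute is. The same logic applies in reverse when hunting: if your ' comes back as &#x27; in scenario 3, or your < as &lt; in scenario 1, that POI is closed and you move on to the next one.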

What we can conclude from all these examples is that a basic knowledge of Javascript and HTML gives you a real boost in understanding and mastering the whole concept.

We just need to balance out the surrounding code so that our script executes without a syntax error.

Note: DOM-based, Flash-based and some other injections are not discussed in this tutorial, but will be discussed soon.