(I was originally going to send this to 2600 magazine, but decided to post it here.
So some sentences might seem odd if they reference to HTS. But I think I fixed all of them)
Fun with Cross-Site Scripting
This little article is all about Cross-Site Scripting, commonly known as XSS. XSS can be done in many different methods.
I will cover a few here and give you the knowledge and experience to find your own XSS holes.
Firstly, what is XSS? XSS is really a varied term. There is no one single thing to describe it as.
The best I can tell you is that it is when, by a number of methods, you manage to inject code into another's page.
This can be done in many ways. Some are permanent and others temporary. Some are permanent/temporary but only affect you.
This might all be a little confusing at first, but let me give you an example to help you better understand XSS.
Let's say that Bob owns a website. He made it himself. While he might be very experienced with various web-based languages like:
PHP, HTML, and Perl, he knows nothing about security.
Let's say that his site allows people to send messages to other users.
When the recipient of the message reads the message, all they are doing is reading what the other user typed.
But the browser is also reading it. The message becomes part of the HTML. So how can we exploit this.
For one, we can try to add our own HTML to the page. Let's say you send a message to Bob with this in it:
<marquee> Hello! </marquee>
If Bob hasn't made a filter to remove or alter the < > characters, then the code will be embedded in the page.
Then the browser will read it just like it would read any other code. Thus resulting in a cool little scrolling message for Bob to see.
This can also work on a site that allows you to make comments.
Doesn't sound too bad does it. But that is just one of the many possibilities. We aren't just limited to HTML.
Like this for example:
This can be very bad on certain sites. Let's say that on Bob's site, the users have passwords and that the pass's hash are stored in the cookies of that site.
If we could just manage to snag another user's cookie, then we could run the hash through JTR or Cain and get their password.
That's easy, just script yourself a cookie stealer and use java<b></b>script redirects to send the user to your cookie-stealer.
Now XSS is sounding pretty cool, huh? That is just the basics. There are many other ways to do this.
Let's say that there is a site that records the user's cookie info in a log.
(This method is commonly used to see what refferer they came from.)
If the webmaster checks the log through an FTP server then he is fine. But if he has the log on a page on his site that is admin-only, then there is a fatal flaw with that.
First, let's think of how this works. When you visit the site, it checks your cookies and writes the information to the log.
And since the log is in the source of one of his pages, then it is only a simple matter of changing the value of the cookie to inject whatever code you want.
The same method works for a log that records useragents (browser names).
To easily edit your cookies and useragent, get Firefox and download the Add 'n Edit Cookies and Useragent Switcher extension.
Alternatively, you can use java<b></b>script injection to change the cookie and I think the useragent is somewhere in the registry.
You can go to my site at mutantsrus.com to try this for yourself.
Here is an example of java<b></b>script that you can use on my site:
Now you know three common XSS holes. But that was just for starters. I myself have found a couple of methods of XSS.
My personal fave is in a site that allows you to vote on things, then stores the votes in a log.
Usually this is done with a PHP script. All you have to do is change the vote either in the URL or in the source.
To change the source you can use java<b></b>script injection or download the Webmaster's Toolbar extension for Firefox.
A good example of this is here on HTS. I figured this out and thought for sure it would work. But alas, they had thought of that and had it filtered.
But had they not, it would have worked and I could have stolen the admin's cookies.
But the point was to get in the Hall of Fame, not steal accounts.
As with the cookie and useragent exploits, this requires that the votes be stored in some kind of database that is viewed by admin or any other members for that matter.
I also found a site called sanity.com.au. It allows you to search through movies and music. The site is overall fairly well-protected, but there is a tiny XSS hole.
And as of right now, that hole has not been fixed.
Of course, I have no intention of telling them about this hole.
It isn't dangerous as there isn't much you can execute on the page. When searching for music and movies, the search terms are stored in the URL as with many other PHP search scripts.
The flaw is that it shows your search terms on the page too.
Now you are thinking, "Sweet, let me write up some code to show my fave avatar scrolling around the screen with some fancy blinking text or something.
Wrong. The search terms only get displayed without being filterd when there are results for that search.
If no results are found, you get transferred to error.asp.
This page does filter the code. So you are limited to code that is entirely made up of words from a single DVD or CD name. Ouch! Bummer.
Well, let's see what we can do. First I will tell you that <, >, don't affect the search.
So searching for <marquee> will show results for anything with the word marquee in its name. Try searching for any normal word.
Do you see where it says what word you searched for? Good. That's where the flaw is. Now search for <marquee>, and look in that same spot.
Yay! the comma is scrolling! Now let's see if we can make some other words scroll.
Look at the titles of the movies and music that contain the word marquee.
Now look at all of the other words.
Pick one of the titles and choose some words from that title only. I chose the word "moon".
Now add that to the search by putting a space between the <marquee> and the word/words you just chose. For more fun you can use punctuation marks like !.
Now start the search. W00t! Now we made our OWN text scroll across THEIR page.
I tried other methods for inserting the code into the search such as > and --, but to no avail. Feel free to try anything you like.
If you find a way to use words other than the words in the titles, then please send me a message, I'd love to hear about it.
I will also post anything else I discover on my site. For now this is what I use:
I posted this on Sla.ckers and was informed of another flaw on sanity.com.au. Just add %22 before the search term on the advanced search to use any code you feel like.
Here is a PoC for the new exploit: (Paste into notepad and remove spacing.)
(Broken into four lines!)
Here is a hole that is very similar to that one, but is not restrictive. Same concept: Search that writes to the source. This one can be used execute any code that you want. I didn't find this one, this was on sla.ckers.
Here are my renditions of the exploit:
You would think that that sort of XSS hole wouldn't be very common, seeing as that should be the first thing a webmaster would filter. But, alas, it is often exploitable. Even on large sites such as this one.
(Broken into three lines!)
Obviously,I could have been more elaborate with that one, but I don't feel like it right now.
Another exploit that I discoverd is on Blogthings. They host a number of quizzes such as "What Superhero are You?" or "What Day of the Week are You?". I happened to find one that is vulnerable to XSS. Go here:
Voila! Feel free to inject whatever you like. Contact me if you make any particularly funny hacks.
Now for something that I think is awesome, but rarely ever works. On certain sites you can register a name with HTML or java<b></b>script in it. Usually this will be filtered, but it happens.
If it doesn't get filtered and the site has the near-univeral welcome message, then it will run your code on that page.
This works on Realistic Mission 8 on HTS. Thanks to Agentsteal for finding this. They fixed it, but all the old accounts we made on it still work. For a good example of XSS, login on Real 8 with this info
*Note: This must all be on one line when you type it and must have exact spacing.
You might notice that the tags aren't closed, this is becuase the script filtered the >, but not the <. Plus, the > is rarely ever needed. This was one of my creations, which is clear by the scrolling logo.
Cool, huh? Now what else is there. Lot's of stuff. A member here on HTS known as Agentsteal (mentioned earlier) is infamous for the many XSS holes he has found on the site (along with exploiting the hashing algorithm.).
Most of these were fixed by the admin, but serve as great examples. In Realistic 11, Agentsteal found two XSS holes. One involves the mod page.
When performing an SQL query, you can inject code. Just adding a ' before the code allowed the code to run. This wasn't a very dangerous XSS hole, but it was somewhat entertaining.
The other involved searching for a user. The users are stord by ID numbers. If you were to change the ending part of the URL that says something like id=2132, to something like id=<marquee> then go to that page, you will see an account called aclu_bomber.
For some reason it is editable.
If you click the edit account button, you will see an error message saying that that ID doesn't exist.
But because it displays the ID number, it loads the code. Thus the error message is scrolling.
He also found one on Realistic 14. This mission makes fun of Yahoo. It is called Yuppers. It allows you to search for a chat room on the People page.. In that box you can type </script> followed by the code you want to run and it works.
Although image and link tags didn't work all that well.
Now you might think that there aren't any other ways to use XSS. But you would be terribly wrong. There is one way of injecting code that sparked quite a lot of commotion not long ago. The exploit involved a flaw in the local news page on the [REMOVED] News website.
It searched for your area by zip code. A few clever Russian hackers over at Security Lab, found a way to exploit this. This is what the URL normally looks like:
This read the code from sc.js and added to the page's source. Thus they faked an entire article about the President appointing a nine year old as chairperson.
This wasn't permanent, but if you discreetly gave the link to someone, it would definitely fool them.
So they fooled a couple hundred or thousand people in to thinking that a nine year was appointed chairperson. Not harmful, but really funny.
And it was good enough to make it into the definition of XSS on Wikipedia.
While browsing on Sla.ckers, I found an XSS hole very similar to the cbsnews exploit. The way it was put in the URL was a little different, but they both loaded information from an external file.
This exploit features the classic
"This site has been hacked!" message, along with a funny Stalone-related pun. Anagram genious still hasn't fixed this, so enjoy.
(Credit to Spikeman)
Now you know a little more about XSS and how to find a hole. So go surf the web for any personally-owned sites (Or if you feel particulary froggy you can try some bigger sites) and try some stuff.
Be warned though.
If you decide to do anything permanent or harmful, be prepared to face the consequences.
Or just hide yourself really well. May I suggest a proxy and an IP hider.
That is all for now. If you have any questions, comments, complaints, or just want to talk, then go to my site at mutantsrus.com. The chat is down right now, I have to reconfigure it all.
I have to chmod all the files to the right permissions. But you can still leave a message on the CBox. Or PM me here on HTS.
Cast your vote on this article 10 - Highest, 1 - Lowest
Comments: Published: 13 comments.
HackThisSite is is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.