Example :Let us imagine, a hacker has discovered XSS vulnerability in Gmail and inject malicious script. When a user visit the site, it will execute the malicious script. The malicious code can be used to redirect users to fake gmail page or capture cookies. Using this stolen cookies, he can login into your account and change password.It will be helpful for understanding XSS , if you have the following prerequisite:
- Basic Knowledge in HTTP client-Server Architecure(Reference )
- [optional]Basic Knowledge about server side programming(php,asp,jsp)
Step 1: Finding Vulnerable Website
Hackers use google dork for finding the vulnerable sites for instance "?search=" or ".php?q=" . 1337 target specific sites instead of using google search. If you are going to test your own site, you have to check every page in your site for the vulnerability.
Step 2: Testing the Vulnerability:
First of all, we have to find a input field so that we can inject our own script, for example: search box, username,password or any other input fields.
Test 1 :
Once we found the input field, let us try to put some string inside the field, for instance let me input "BTS". It will display the result .
Now right click on the page and select view source. search for the string "BTS" which we entered in the input field. Note the location where the input is placed.
Now we are going to check whether the server sanitize our input or not. In order to do this , let us input the <script> tag inside the input field.
View the source of the page . Find the location where input displayed place in previous test.
Thank god, our code is not being sanitized by the server and the code is just same as what we entered in the field. If the server sanitize our input, the code may look like this <script>. This indicates that the website vulnerable to XSS attack and we can execute our own scripts .
Step 3: Exploiting the vulnerability
Now it will display pop-up box with 'BTS' string. Finally, we successfully exploit the XSS . By extending the code with malicious script, a hacker can do steal cookies or deface the site and more.
Types of XSS Based on persisting capability:
Based one Persistence capability, we can categorize the XSS attack into two types namely Persistent and Non-Persistent.
The Persistent or Stored XSS attack occurs when the malicious code submitted by attacker is saved by the server in the database, and then permanently it will be run in the normal page.
Non-Persistent XSS, also referred as Reflected XSS , is the most common type of XSS found now a days. In this type of attack, the injected code will be send to the server via HTTPrequest. The server embedd the input with the html file and return the file(HTTPResponse) to browser. When the browser executes the HTML file, it also execute the embedded script. This kind of XSS vulnerability frequently occur in search fields.
Let us consider a project hosting website. To find our favorite project, we will just input the related-word in the search box . When searching is finished, it will display a message like this "search results for yourword " . If the server fail to sanitize the input properly, it will results in execution of injected script.
In case of reflected XSS attacks, attacker will send the specially-crafted link to victims and trick them into click the link. When user click the link, the browser will send the injected code to server, the server reflects the attack back to the users' browser. The browser then executes the code .
In addition to these types, there is also third type of attack called DOM Based XSS attack, i will explain about this attack in later posts.
What can an attacker do with this Vulnerability?
- Stealing the Identity and Confidential Data(credit card details).
- Bypassing restriction in websites.
- Session Hijacking(Stealing session)
- Malware Attack
- Website Defacement
- Denial of Service attacks(Dos)
Bypassing the XSS Filters : Advanced XSS Tutorials for Web application Pen Testing
Hi friends, last time, i explained what is XSS and how an attacker can inject malicious script in your site. As i promised earlier, i am writing this advanced XSS tutorial for you(still more articles will come).
Sometimes, website owner use XSS filters(WAF) to protect against XSS vulnerability.
For eg: if you put the <scirpt>alert("hi")</script> , the Filter will escape the "(quote) character , so the script will become
<script>alert(>xss detected<)</script>Now this script won't work. Likewise Filters use different type of filtering method to give protection against the XSS. In this case, we can use some tricks to bypass the filter. Here i am going to cover that only.
1.Bypassing magic_quotes_gpcThe magic_quotes_gpc=ON is a PHP setting(configured in PHP.ini File) , it escapes the every ' (single-quote), " (double quote) and \ with a backslash automatically.
<scirpt>alert("hi");</script> will be filtered as <script>alert(\hi\)</script>.so the script won't work now.
This is well known filtering method, but we can easily bypass this filter by using ASCII characters instead.
For Eg: alert("hi"); can be converted to
String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)so the script will become <script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)</script>. In this case there is no "(quotes) or '(single quotes) or / so the filter can't filter this thing. Yes, it will successfully run the script.
How to convert to ASCII values?
There are some online sites that converts to ASCII character. But i suggest you to use Hackbar Mozilla addon .
After installing hackbar add on ,press F9. It will open the small box above the url bar. click the XSS->String.fromCharCode()
Now it will popup small window. enter the code for instance alert("Hi"). click ok button. Now we got the output.
copy the code into the <script></script> inside and insert in the vulnerable sites
hxxp://vulnerable-site/search?q=<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)</script>
2.HEX Encodingwe can encode our whole script into HEX code so that it can't be filtered.
For example: <script>alert("Hi");</script> can be convert to HEX as:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3eNow put the code in the vulnerable site request.
hxxp://vulnerable-site/search?q=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3eConverting to HEX:
This site will convert to hex code: http://centricle.com/tools/ascii-hex/
3.Bypassing using ObfuscationSome website admin put the script,alert in restricted word list. so whenever you input this keywords, the filter will remove it and will give error message like "you are not allowed to search this". This can bypassed by changing the case of the keywords(namely Obfuscation).
This bypass technique rarely works but giving trial is worth.
4. Closing TagSometimes putting "> at the beginning of the code will work.
This will end the previous opened tag and open our script tag.
Conclusion:From above article, it is clear that XSS filters alone not going to protect a site from the XSS attacks. If you really want to make your site more secure, then ask PenTesters to test your application or test yourself.