I hope you have already heard about Cross-Site Scripting, known as XSS. Here I have focused on finding an XSS hole and bypassing a filter to see how an XSS attack works. XSS is a web application vulnerability that occurs when user input is filtered improperly or not at all. It enables attackers to inject client-side script into web pages.
This tutorial is for educational purposes and to make people aware of such a threat. I recommend that readers proceed with this post only if they abide by the blog's Disclaimer; otherwise, leave this page immediately. You might have tried finding an XSS hole by inserting a script like this
<script>alert('XSS')</script> in search fields and hoping for a box to pop up saying XSS. But that is not always the way to find an XSS bug.
This example will make everything clear.
Okay, go to this URL
http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=Overview
Let's replace 'Overview' with any keyword, say 'test',
and hit Enter.
http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=test
Now check the page source and search for the keyword 'test' using Ctrl+F,
and we can find it in the code.
Look carefully at where it got inserted in the source code:
<title>Chitkara Educational Trust > test</title>
Now let's replace 'test' with </title><h1>XSS</h1> and see what happens.
Note: <h1> is the HTML heading tag.
http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=</title><h1>XSS</h1>
We can see the keyword 'XSS' displayed on the webpage.
Let's look at the page source again.
We entered </title> to close the title tag (<title>), and <h1>XSS</h1> is the actual HTML tag we wanted to see on the page.
I hope this part was simple and is clear to you.
Now let's try to execute some JavaScript: <script>alert('XSS')</script>. A popup message box saying XSS should appear on the web page.
Let's go to this URL
http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=</title><script>alert('XSS')</script>
But nothing happens!
Now check the source code again
See the backslashes ( \ ) automatically inserted before the single quotes ( ' ) we entered. Because of this, our code didn't execute. This is a kind of filter that we need to bypass.
Here we will use the built-in JavaScript function String.fromCharCode(), which builds a string from a list of character codes. Now both of these codes,
<script>alert('XSS')</script> and <script>alert(String.fromCharCode(88, 83, 83))</script>, do the same thing, but we can see that there are no quotes in the second one.
Note: 88 and 83 are the ASCII values of X and S respectively. Visit http://www.asciitable.com for more.
Finally, try this
http://www.chitkara.edu.in/chitkara/esl.php?page=overview.php&sitetitle=</title><script>alert(String.fromCharCode(88, 83, 83))</script>
Yes, it worked.
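As an added example (not the post's code and not the site's), the Node.js script below models what the tutorial observed and shows the fix a developer should apply at this injection point. It assumes the server's filter behaves like PHP's addslashes()/magic_quotes, which is what the backslashes before the quotes suggest; the function names, the page template and the "Example Trust" site name are constructed for the demo. The point it makes: escaping quotes does nothing about < and >, so the </title><h1> payload and the String.fromCharCode payload pass through untouched, while entity-encoding the value for its HTML context keeps all three inputs as inert title text. The injectedTags() check is the kind of assertion a code reviewer or tester can run against a rendered page to confirm that user input never becomes markup.

```javascript
// Added example: models the reflection the tutorial shows and the fix.
// Not the original post's or the site's code. The filter is assumed to behave
// like PHP's addslashes()/magic_quotes; all names below are hypothetical.

// The filter the tutorial ran into: backslash-escapes ' " \ and NUL.
// It is a SQL-quoting defence and leaves < and > untouched.
function addSlashes(input) {
  return input.replace(/[\\'"]/g, '\\$&').replace(/\0/g, '\\0');
}

// The fix for this injection point: entity-encode the characters that are
// significant in an HTML text context before writing the value into the page.
function htmlEncode(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Server-side template mirroring the page: the sitetitle parameter is written
// straight into the <title> element. "Example Trust" is a constructed name.
function renderPage(siteTitle, sanitize) {
  return `<html><head><title>Example Trust > ${sanitize(siteTitle)}</title></head>` +
         '<body></body></html>';
}

// Tags the template itself emits; anything else in the output came from input.
const TEMPLATE_TAGS = new Set(['html', 'head', 'title', '/title', '/head', 'body', '/body', '/html']);

// Review check: list every tag in the rendered page that the template did not
// put there. An empty list means the input stayed inside the title text.
function injectedTags(html) {
  const found = [];
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = (m[1] + m[2]).toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.push(tag);
  }
  return found;
}

// The three inputs from the tutorial.
const PAYLOADS = {
  heading: '</title><h1>XSS</h1>',
  quotedScript: "</title><script>alert('XSS')</script>",
  charCodeScript: '</title><script>alert(String.fromCharCode(88, 83, 83))</script>',
};

// Runs each payload through both filters and reports which tags leaked.
function compareFilters() {
  const report = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    report[name] = {
      withAddSlashes: injectedTags(renderPage(payload, addSlashes)),
      withHtmlEncode: injectedTags(renderPage(payload, htmlEncode)),
    };
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(addSlashes("alert('XSS')"));       // alert(\'XSS\') : the quotes the filter broke
  console.log(String.fromCharCode(88, 83, 83));  // XSS : same string, nothing for the filter to escape
  console.log(JSON.stringify(compareFilters(), null, 2));
}
```

Note that injectedTags() flags the quoted alert('XSS') payload under addSlashes as well, even though that particular script did not run on the real page: the filter only mangled one payload, the injection point itself stayed open, which is exactly why quote-escaping is not a fix. With htmlEncode() every payload is reported as clean and appears in the title as literal text.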
I hope you liked this demo :)
By Aneesh M. Makker, an ethical hacking enthusiast from the engineering department of Punjabi University.
How to XSS attack and BYPASSING A FILTER
Reviewed by Satyajit (Admins, a.k.a. Satosys) on Sunday, October 03, 2010
10 comments:
Great job man. Please also write on stealing cookies using XSS.
Step by step, clearly got it. Thanks guys.
Thanks friends, keep visiting :)
Very useful :p
Great detailed guide. This is my first visit to your blog. I have a suggestion to make: can you kindly increase the font size by a few pixels? It's very small on a wide screen.
Thanks Ramkumar :)
Thanks, but what should be the next step, bro... the main step... XSS takes place on many sites, but this is only the half part. What should be done after getting a vulnerable site? Can we get into it? If yes, then how? Waiting...
These kinds of XSS holes can be exploited to inject iframes or steal sessions. Simply, they are giving you the chance to inject client-side scripts. Now it's up to you how you proceed. Moreover, such posts are meant to make you aware of vulnerabilities and fixing them, not for hacking purposes. :)
Nice tutorial Aneesh, it would have been better with an introduction and more explanation. Also please create proper links; I had to type in all the URLs because of security. Of course you can crack this.
Thanks for this tutorial.