What is XSS?
XSS stands for Cross-Site Scripting. It is sometimes abbreviated CSS, but that is easily confused with Cascading Style Sheets, so XSS is the preferred term.
Different kinds of XSS
There are three traditional types of XSS attack; however, if you are inventive and understand how XSS and the server work, the possibilities are nearly limitless.
1. DOM-Based Attack
A DOM-based attack is a more advanced attack in which the attacker's payload (malicious script) is executed as a result of the page's own client-side script modifying the DOM environment in the victim's browser; this causes the client-side code to run in an unexpected manner.
2. Persistent XSS Attack
A persistent XSS attack is one in which the attacker's payload is stored permanently on the server and will be served to every user until a server admin removes it.
3. Non-Persistent XSS Attack
A non-persistent XSS attack is one in which the attacker's payload is not stored, meaning it doesn't affect the server's content. An example of this would be a link that has a non-persistent attack embedded in it.
How do we find a vulnerable server?
To find a server on which to perform an XSS attack there are two main methods. You can use a Google search dork, with which you search Google for commonly exploitable pages. The other method is to read the website's actual .php code (I will get into this later).
Here are some good examples of Google dorks for an XSS attack.
Testing for XSS vulnerabilities
To test whether or not the site you have found is vulnerable, we need to attempt to inject some code into it.
You can inject code in multiple ways. If there is a search bar, you may inject the code right into it. You can inject the code into the URL, for example "http://www.slave.net/newthread.php?fid=CODE GOES HERE". Or, if you are attacking a forum, you can try to inject the code into the body of a thread; this will execute the script when someone opens the thread.
Here is the base test that I use to test for vulnerabilities. Insert it into the website you are attacking:
<script>alert("Hi! Abh ROCKS!")</script>
If you input the string above and the site is vulnerable, everyone who views the page will get an alert saying "Hi! Abh ROCKS!".
Assuming you have found an XSS-vulnerable site, you can now attack it. For example, the following script redirects everyone who views the page:
<script>window.location = "http://users11.jabry.com/"</script>
Finding vulnerabilities by examining PHP code
Because I have never seen a tutorial on this kind of XSS attacking, I figured I would share it as well. We can read the PHP code to find other unfiltered variables to exploit, or to diagnose what kind of filtering is being used on a specific variable so we may bypass it.
If we look at the Hackforums newthread.php URL, for example, it shows "newthread.php?fid=". The word that comes after the "?" and before the "=" is the variable that is being modified. And just because that is the only variable it shows doesn't mean it is the only variable that we can alter.
I will be talking about diagnosing and bypassing three main types of filtering; after that you will have to take what you have learned and apply it to other filter systems.
-Bypassing filters using data URIs
Let's imagine we have an imaginary page http://localhost/page.php?name=John . The PHP code for this page looks like this:
This would be our resulting attack:
Bypass a basic str_replace() filter
Now imagine we are at the same page, but the code has changed and now has a basic str_replace() filter in place on the variable name. The PHP code for this page is as follows.
And voilà, we have successfully bypassed the filter and injected our code.
Bypassing a htmlentities() filter
A lot of websites use the htmlentities() function against XSS, but with its default flags it is only effective against double quotes, not single quotes.
What htmlentities() does is convert the HTML string into HTML entities. This converts every "<" to "&lt;" and every ">" to "&gt;", meaning the resulting text won't be handled as a script. However, we can easily bypass it by writing our script without the use of <, > or ".
The PHP code for this is:
The resulting attack is:
http://localhost/page.php?img= .' onerror='alert("XSS")
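The attribute-injection case above, with the fix beside it, as an added example (not the tutorial's code; its PHP for page.php is not reproduced here). It assumes page.php echoes the ?img= parameter into a single-quoted src attribute, which is what the payload implies; the same context-aware encoding is the replacement for string-stripping filters like the str_replace() one in the previous section.

```php
<?php
// Mirrors the vulnerable page (assumed layout). ENT_COMPAT, the htmlentities()
// default before PHP 8.1, encodes " but leaves ' alone, so a single-quoted
// attribute can be closed and a new one appended.
function render_vulnerable(string $img): string
{
    return "<img src='" . htmlentities($img, ENT_COMPAT, 'UTF-8') . "' />";
}

// Hardened page: ENT_QUOTES encodes both quote characters, and the attribute
// is double-quoted so the encoding matches the context it is emitted into.
function render_fixed(string $img): string
{
    $safe = htmlentities($img, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src="' . $safe . '" />';
}

// Check for a regression test or template review: parse the output the way a
// browser would and look for an on* attribute that the template never wrote.
function has_event_handler(string $html): bool
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    foreach ($doc->getElementsByTagName('img') as $img) {
        foreach ($img->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

// Constructed input: the payload shown in this section of the tutorial.
$payload = ".' onerror='alert(\"XSS\")";

echo "vulnerable template: ", has_event_handler(render_vulnerable($payload)) ? "handler injected" : "clean", "\n";
echo "fixed template:      ", has_event_handler(render_fixed($payload)) ? "handler injected" : "clean", "\n";
```

Running it with the vulnerable template reports the injected handler, while the fixed template keeps the whole payload inside the src attribute value.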
Bypass XSS filters using data URIs
This is not a very well-known technique, but you can bypass almost any filter with it. Data URIs are generally used to embed images inline as text in an HTML document. I noticed that sometimes you can use them to bypass the htmlspecialchars() XSS filter. The vulnerable page is designed to show an image from the URI given in the following URL.
The PHP code is:
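Why encoding alone does not settle the data URI case, as an added example (not the tutorial's code, whose PHP is not shown here). It assumes page.php reads an image URL from ?img= and emits it in <img src="...">: htmlspecialchars() only neutralises markup characters, it never decides whether the URL's scheme belongs in a src attribute, so the scheme is validated separately; safe_image_url() and the placeholder path are hypothetical names.

```php
<?php
// Returns the URL unchanged if it is http(s) or a plain relative path, or
// null for anything else (data:, javascript:, protocol-relative //host, ...).
function safe_image_url(string $url): ?string
{
    $url = trim($url);
    // Control characters and embedded whitespace are used to disguise schemes;
    // reject such input rather than trying to strip it.
    if ($url === '' || preg_match('/[\x00-\x20]/', $url)) {
        return null;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false) {           // parse_url could not make sense of it
        return null;
    }
    if ($scheme === null) {            // relative path; refuse the //host form
        return substr($url, 0, 2) === '//' ? null : $url;
    }
    return in_array(strtolower($scheme), ['http', 'https'], true) ? $url : null;
}

// Rendering: validate the scheme first, then encode for the attribute context.
// Rejected input is replaced by a fixed placeholder instead of being echoed.
function render_image(string $userInput): string
{
    $url = safe_image_url($userInput) ?? 'static/placeholder.png'; // hypothetical path
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
}

// Constructed inputs exercising each branch of the validator.
$inputs = [
    'https://example.com/a.png',
    'photos/cat.png',
    'data:text/plain,hello',
    '//evil.example/x.png',
];
foreach ($inputs as $input) {
    echo str_pad($input, 28), ' => ', render_image($input), "\n";
}
```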
I hope you enjoyed the tutorial; if anyone has any questions feel free to ask. I apologize if I got any information incorrect, I'm still new at this.
Please comment and keep alive :)